Chris Robertson wrote:
Matus UHLAR - fantomas wrote:
On 04.12.07 10:54, Chris Robertson wrote:
To make the server set up the data connection, passive FTP is the
correct choice (http://en.wikipedia.org/wiki/FTP#Connection_Methods).
Whether that makes the remote server any happier about the data
connection originating from a different IP from the control, I can't
say.
I think you have misread it. The data connection is opened by the server
in active/PORT connection. With passive connection, client opens both
connections (control and data) and in this case the server can reject
data connection, if client makes it from different IP.
I guess it all comes down to definitions. I interpret "In passive mode,
the FTP server opens a random port..." as the server setting up the data
connection (considering the server controls what port is used), but I
can see the other angle, with the client then initiating a connection to
that port.
With active mode FTP, the server would also be able to refuse to
initiate a connection to a different host than was sending the
commands. Passive, or active, a client specifying a different IP for
data than that used for the control is FXP
(http://en.wikipedia.org/wiki/File_eXchange_Protocol), and is disabled
by default on many FTP servers (original poster's included).
In any case, to help with the original issue...
acl FTP proto FTP
tcp_outgoing_address 192.168.32.15 FTP
...will assure that all FTP data use the listed IP address on a multi-IP
machine. The proto FTP acl could also be used to send all FTP transfers
to a specific parent proxy outside of the load balancing setup with
cache_peer_access.
Chris
Well ...
To 'initiate' passive data mode is to send a PASV or PORT control
message. To do that the _sender_ must already have a data listening port
open and ready to 'passively' receive the response.
To my mind that makes the side which is capable of receiving anonymous
FTP connects in passive. If your squid is connecting _out_ badly, _it_
must be in passive and accept requests from clients.
This is how squid behaves with "ftp_passive on". It just opens a
listening socket (on port 20 I believe) and issues a number of
PORT/EPRT/PASV/EPSV controls to tell the client where to connect to.
Back to the initial problem: it was with _squid_ outgoing data traffic
going through the wrong ADSL link. Which to me means the passive was OFF,
or the client incoming request came _in_ through that second ADSL.
I considered the possibility squid might be sending the wrong IP in
PASV. BUT found that it's looking up the dst-IP of the control
connection to generate the PASV. That means it sends out the IP the
client is connecting to.
There is only a small possibility of this going wrong if in transparent
mode.
Amos
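Added example, not part of the thread and not squid's or any real FTP server's code: a small Python model of the two points argued above. It shows the server-side rule Chris describes (refuse a PORT/EPRT target, or an incoming passive data connection, whose IP differs from the control connection's peer unless FXP is allowed) and the PASV construction Amos describes (the 227 reply advertises the address the client reached on the control connection, so the data connection lands on the same interface). The addresses 10.0.0.5, 10.0.0.7 and 192.168.32.15 and the port 50000 are constructed for the example; the refusal of privileged ports in check_active_target is a common hardening against FTP bounce that the thread does not discuss.

```python
"""Toy server-side model of FTP data-connection address checks.

Added example; all addresses/ports are constructed, nothing here is squid code.
"""
import ipaddress
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d{1,5})\|$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


def _octets_to_endpoint(octets):
    """Turn h1,h2,h3,h4,p1,p2 into an Endpoint; port = p1*256 + p2 (RFC 959)."""
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return Endpoint(".".join(str(o) for o in octets[:4]), port)


def parse_port(cmd):
    """Parse an active-mode 'PORT h1,h2,h3,h4,p1,p2' command."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("malformed PORT command")
    return _octets_to_endpoint([int(x) for x in m.groups()])


def parse_eprt(cmd):
    """Parse an RFC 2428 'EPRT |proto|addr|port|' command (1 = IPv4, 2 = IPv6)."""
    m = EPRT_RE.match(cmd.strip())
    if not m:
        raise ValueError("malformed EPRT command")
    proto, addr, port = m.group(1), m.group(2), int(m.group(3))
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    if (proto == "1") != (ip.version == 4):
        raise ValueError("EPRT protocol field does not match address family")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return Endpoint(str(ip), port)


def parse_pasv_reply(reply):
    """Client side: extract the server's data endpoint from a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("malformed 227 reply")
    return _octets_to_endpoint([int(x) for x in m.groups()])


def pasv_reply(control_local_ip, data_port):
    """Server side: build the 227 reply from the control connection's *local*
    address (the IP the client connected to) and the listening data port."""
    octets = str(ipaddress.IPv4Address(control_local_ip)).replace(".", ",")
    return f"227 Entering Passive Mode ({octets},{data_port // 256},{data_port % 256})"


def check_active_target(control_peer_ip, cmd, allow_fxp=False):
    """Active mode: should the server open a data connection to the endpoint
    named in PORT/EPRT? Returns (accept, reply_line)."""
    try:
        ep = parse_eprt(cmd) if cmd.upper().startswith("EPRT") else parse_port(cmd)
    except ValueError as e:
        return False, f"501 {e}"
    # Hardening not discussed in the thread: never connect to privileged ports
    # on a client's say-so (classic FTP bounce mitigation).
    if ep.port < 1024:
        return False, "500 Illegal PORT command"
    if not allow_fxp and ipaddress.ip_address(ep.host) != ipaddress.ip_address(control_peer_ip):
        return False, "500 Illegal PORT command: address differs from control connection"
    return True, "200 PORT command successful"


def check_passive_peer(control_peer_ip, data_peer_ip, allow_fxp=False):
    """Passive mode: the client opens the data connection; accept it only if it
    arrives from the control connection's peer, unless FXP is permitted."""
    return allow_fxp or ipaddress.ip_address(control_peer_ip) == ipaddress.ip_address(data_peer_ip)


def demo():
    """Constructed scenario: client 10.0.0.5, multi-homed server 192.168.32.15."""
    client, server = "10.0.0.5", "192.168.32.15"
    out = {}
    out["port_same_host"] = check_active_target(client, "PORT 10,0,0,5,4,1")[0]
    out["port_other_host"] = check_active_target(client, "PORT 10,0,0,7,4,1")[0]
    out["port_other_host_fxp"] = check_active_target(client, "PORT 10,0,0,7,4,1", allow_fxp=True)[0]
    out["pasv_reply"] = pasv_reply(server, 50000)
    out["pasv_target"] = parse_pasv_reply(out["pasv_reply"])
    out["pasv_same_host"] = check_passive_peer(client, "10.0.0.5")
    out["pasv_other_host"] = check_passive_peer(client, "10.0.0.7")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the scenario: the PORT to 10.0.0.7 and the passive data connection from 10.0.0.7 are both refused until allow_fxp is set, and the 227 reply carries 192.168.32.15, the address the control connection arrived on, rather than whatever other interface the host has.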