Bug 70986 - RFE: docs, passive ftp needs server config
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: piranha
All Linux
high Severity medium
Assigned To: John Ha
Brian Brock
: FutureFeature
Reported: 2002-08-07 12:30 EDT by Patrick C. F. Ernzer
Modified: 2014-08-04 18:14 EDT
Doc Type: Enhancement
Last Closed: 2004-08-24 18:13:54 EDT
Description Patrick C. F. Ernzer 2002-08-07 12:30:07 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020408

Description of problem:
The documentation for setting up LVS for passive ftp is incomplete. The ftp
server needs to be configured to report the IP of the service and not the IP of
the real server in order for passive ftp connections to work.

Version-Release number of selected component (if applicable):
rhl-ig-as-x86(EN)-2.1-HTML-RHI (2002-03-22T11:09-0400) 

How reproducible:

Steps to Reproduce:
1. configure ftp as described in chapter 8
2. connect to the service
3. switch to passive mode
4. issue an ls command

Actual Results:  unable to connect to IP of real server

Expected Results:  passive connection to the floating IP for the FTP virtual server

Additional info:

This setting needs to be done on the ftp server. For wu-ftpd one needs to add
the following lines to /etc/ftpaccess:

  passive address <real IP> <localnet>
  passive address
  passive address <virtual IP>

e.g. floating IP is and virtual IP is netmask for both
networks is

  passive address
  passive address
  passive address

this reads as:
clients from are told to connect to
clients from are told to connect to
clients from anywhere else are told to connect to
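
The failure described in this report shows up in the server's reply to PASV, which carries the address the client must dial for the data connection. The following check is an added example, not part of the original report: it parses a 227 reply and compares the advertised address with the floating IP. All addresses and the names `parse_pasv` and `check_pasv` are constructed for illustration.

```python
import re

# RFC 959 PASV reply carries the data address as (h1,h2,h3,h4,p1,p2).
_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Constructed sample values (not taken from the bug report).
VIRTUAL_IP = "203.0.113.10"  # floating IP of the FTP virtual server
REPLY_BEFORE = "227 Entering Passive Mode (10,11,12,2,195,80)"    # real server IP
REPLY_AFTER = "227 Entering Passive Mode (203,0,113,10,195,80)"   # virtual IP


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply; raise ValueError otherwise."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    match = _PASV_RE.search(reply)
    if match is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # port is sent as two octets, high byte first
    return host, port


def check_pasv(reply, virtual_ip):
    """Return (ok, host, port); ok is True only if the reply advertises virtual_ip."""
    host, port = parse_pasv(reply)
    return host == virtual_ip, host, port


if __name__ == "__main__":
    for label, reply in (("before", REPLY_BEFORE), ("after", REPLY_AFTER)):
        ok, host, port = check_pasv(reply, VIRTUAL_IP)
        verdict = "ok" if ok else "MISMATCH: client is sent to the real server"
        print("%s: data connection -> %s:%d  %s" % (label, host, port, verdict))
```

Against a live setup, the reply string can be obtained with `ftplib.FTP.sendcmd("PASV")` on a control connection opened to the virtual server.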
Comment 1 Johnray Fuller 2002-08-07 12:57:32 EDT
What topography are you using? NAT routing, right? 

I'll comment further on this later today after some testing.

Comment 2 Patrick C. F. Ernzer 2002-08-07 13:16:28 EDT
My bad, should have stated this.

I'm using NAT.
Comment 3 Johnray Fuller 2002-08-07 13:34:22 EDT
It's okay. I figured so because that's usually when this problem crops up.

I am not sure how I managed to *not* mention this. I believe we were trying to
figure out a way to do it for all backend FTP servers (instead of just wu-ftp)
using /proc/sys/net/ipv4/ip_conntrack_ftp.

Unfortunately, during those very hectic days, it didn't happen and I somehow
managed to forget to tell the user *at all* about how to assign the proper
"return address" to the real FTP servers :-(

Today I am working with QA to get an ipv4 workaround up and running. Failing
that, I will post your comments and a general overview of the issue as an errata.

Thank you so much for the catch!


p.s. We did not ship vsftpd w/ AS, but there is now a way to do this in the
vsftp config file as well, thanks to a patch by Mike McClean (a.k.a. super-genius)
Comment 4 Johnray Fuller 2002-08-07 17:58:47 EDT
Okay, so we found an even better way of doing FTP that makes the whole process
embarrassingly simple (embarrassing for me at least, since I wrote the docs).

I will have to post it tomorrow as QA is testing it now, but I'll leave you
with this tidbit:

insmod /lib/modules/KERNEL-VERSION/kernel/net/ipv4/ipvs/ip_vs_ftp.o

This module may obsolete the arcane iptables approach outlined in the manual. It
also frees you to use whatever type of FTP server you want and whatever platform
you want on the backend w/ no extra configuration.

K, more tomorrow.

Comment 5 Johnray Fuller 2002-08-07 18:00:57 EDT
I am adding Mike M to this bug as he will have some great feedback :-)

Comment 6 Johnray Fuller 2002-08-18 15:51:43 EDT
Okay, so the beta cycle whooped our butts.

It looks like detailed documentation on the best procedure is about two weeks out.

I am leaving this open until then.

However, for now you should be able to 

insmod /lib/modules/KERNEL-VERSION/kernel/net/ipv4/ipvs/ip_vs_ftp.o

And flush iptables rules and things should work. Let me know if they don't. This
will help with our testing.

Thanks for the feedback and I will let you know when we post the final docs on this.

Comment 7 Mike McLean 2002-08-19 17:02:27 EDT
insmod generally finds the right module:
% insmod ip_vs_ftp
Comment 8 Johnray Fuller 2003-03-14 19:48:13 EST
Okay, so I posted an errata on the following Web page in regards to this bug:


I am leaving the bug open, however, as a reminder for the next revision of the docs.

Thanks again,
Comment 9 Mike McLean 2004-08-24 17:38:51 EDT
John -- It looks like Johnray left this bug open as a reminder to
propagate this change into a later release.  If this has been done,
then this bug can be closed.
Comment 10 John Ha 2004-08-24 18:13:54 EDT
Looks like this has been covered in the errata for 2.1AS.
