Joe,

We have used a CARP firewall (two machines in failover and not
load balancing) in front of a dozen ftp servers. We use 12 different
ip addresses in total, with one ftp-proxy for each CARP interface
forwarding the traffic to one of the 12 backend ftp servers. This works
fine.

  Ftp-Proxy (forward and reverse proxy)
  https://calomel.org/ftp_proxy.html

If you use one external ip and thus one CARP virtual device, you might
be able to use different external ports redirected to each ftp-proxy
daemon.  This might cause a bit of confusion depending on your users
and what clients they use. Clients normally expect ftp to be on port
21 of course.  vhosts would definitely be a welcome addition, but I am
not sure how this would be implemented.

Some problems you may see are when the CARP firewalls failover. The
ftp-proxy anchors are not inherited by the second BACKUP firewall.
Clients can just reconnect after the BACKUP firewall comes up. You may
also want to see if you can limit ftp connections to passive mode only.
This seems to help with some of the broken Windows clients, though you
can use the "-r" argument in ftp-proxy to suit ancient clients.

If anyone has any other solutions I would also be interested in
hearing about them.

--
  Calomel @ https://calomel.org
  Open Source Research and Reference
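As an added illustration of the layout described in the reply above (not configuration from the reply, nor from the Calomel page it links), here is what the firewall side of "one CARP address, one reverse ftp-proxy, one backend" looks like for two of the twelve projects. Interface names, addresses, vhids and the password are constructed; the pf.conf uses the nat/rdr syntax of the 2008-era releases this thread is about.

```conf
# /etc/hostname.carp1 and /etc/hostname.carp2 (constructed): two CARP
# virtual devices stacked on the same physical external interface em0.
# Each needs its own vhid; the advskew is what differs between the
# MASTER and BACKUP box.
#   hostname.carp1:
#     inet 203.0.113.21 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass s3cret1
#   hostname.carp2:
#     inet 203.0.113.22 255.255.255.0 203.0.113.255 vhid 2 carpdev em0 pass s3cret2

# /etc/rc.local (constructed): one reverse proxy per CARP address.
#   -b  address the proxy listens on (the CARP address)
#   -p  port it listens on; 21, so clients need nothing special
#   -R  backend server this proxy forwards to (reverse proxy mode)
#   -r  add only if ancient active-mode clients need source port 20
#   /usr/sbin/ftp-proxy -b 203.0.113.21 -p 21 -R 192.0.2.11
#   /usr/sbin/ftp-proxy -b 203.0.113.22 -p 21 -R 192.0.2.12

# /etc/pf.conf (constructed, pre-4.7 syntax)
ext_if = "em0"
int_if = "em1"
carp1_ip = "203.0.113.21"   # project A, on carp1
carp2_ip = "203.0.113.22"   # project B, on carp2
ftp1 = "192.0.2.11"         # backend ftp server for project A
ftp2 = "192.0.2.12"         # backend ftp server for project B

# ftp-proxy adds per-session rdr/nat/pass rules for the data
# connections into these anchors. They exist only on the box that
# created them: pfsync carries states, not anchor rules, which is why
# clients must reconnect after a failover.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
anchor "ftp-proxy/*"

# Clients reach each proxy on port 21 of its own CARP address.
pass in on $ext_if proto tcp from any to $carp1_ip port 21 \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to $carp2_ip port 21 \
    flags S/SA keep state

# The proxies run on the firewall itself and open the control
# connection to their backend from the internal interface address.
pass out on $int_if proto tcp from ($int_if) to $ftp1 port 21 keep state
pass out on $int_if proto tcp from ($int_if) to $ftp2 port 21 keep state
```

Both firewalls carry the same rc.local and pf.conf; the proxies bind to the CARP addresses on the BACKUP as well, but only the MASTER receives the traffic, and whatever anchor rules the MASTER had built are gone once the other box takes over.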


On Wed, Jun 04, 2008 at 05:02:45PM +0100, Joe Warren-Meeks wrote:
>Hey guys,
>
>I have a pair of OpenBSD firewalls, using carp+pf protecting all
>our services.
>
>Now, we are going to end up in a situation where we need to have
>multiple separate ftp servers behind these firewalls (one per project).
>Currently I'm thinking of creating a new CARP interface on the external
>interface with a unique IP and a separate ftp-proxy per back-end server.
>
>My question is basically has anyone done this already and does it work?
>
>Are there any problems with having multiple CARP interfaces using the
>same physical one?
>
>Is there a better, easier solution? It's times like these that I wish
>the ftp protocol included vhosts.
>
>Cheers chaps.
>
> -- joe.
>
>I don't like Annika. She's so pretentious.
