On 02/22/2009 10:28:30 PM, Chris Smith wrote:

Was hoping I could more easily apply your example to my problem. I
have multiple ISP connections, not doing load balancing, and using
route-to to send groups of systems out different interfaces. The only
glitch seems to be with the clients doing ftp. I'm tagging the packets
with ftp-proxy (separate instances for each interface) but not sure
how to use these tags in the ruleset.
Any assistance is appreciated.

Tagging does not (necessarily) enter into ftp, if I understand
your setup.  You run different instances of ftp-proxy on different
ports, so the rdr takes care of that.  Then you use
the -a argument to ftp-proxy so that the "right"
nic is used for each ftp-proxy running, where "right"
means the interface that the passive mode data connection
is NAT-ed to or otherwise transits so that passive mode ftp works.

The only other issue is that you can't binat the clients
(for all ports)
and still do passive ftp because binat is evaluated
before nat so the ftp-proxy nat anchor is not seen.
The workaround is to split each binat rule into a
rdr and a nat rule.

Then again, maybe I'm guessing wrong as to your ruleset.
You'd have to post detail.

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
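An illustrative pf.conf fragment in the translation-rule syntax of that era (pre-OpenBSD 4.7), sketching the layout Karl describes: per-group rdr to separate ftp-proxy instances, -a on each instance, and a binat split into nat plus rdr. This is added here and is not from either poster; interface names, gateways, tables and addresses are assumed placeholders.

```conf
# Assumed names and documentation-range addresses (not from the thread).
ext_if1 = "em0"           # ISP A
ext_if2 = "em1"           # ISP B
ext_ip1 = "203.0.113.10"
ext_ip2 = "198.51.100.10"
gw1     = "203.0.113.1"
gw2     = "198.51.100.1"
int_if  = "em2"
table <group_a> { 192.168.1.0/25 }    # clients sent out ISP A
table <group_b> { 192.168.1.128/25 }  # clients sent out ISP B

# Anchors into which every ftp-proxy instance loads its dynamic rules;
# the "ftp-proxy/*" wildcard covers each instance's own sub-anchor.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# One proxy instance per ISP, each on its own listen port, started as:
#   ftp-proxy -a 203.0.113.10 -p 8021    (ISP A)
#   ftp-proxy -a 198.51.100.10 -p 8022   (ISP B)
# -a fixes the source address the proxy uses toward the FTP server, so the
# passive-mode data connection leaves on the same ISP as the client group.
rdr pass on $int_if proto tcp from <group_a> to any port 21 -> 127.0.0.1 port 8021
rdr pass on $int_if proto tcp from <group_b> to any port 21 -> 127.0.0.1 port 8022

# binat is evaluated before nat, so the proxy's nat anchor would never be
# reached for a binat'ed client.  Instead of
#   binat on $ext_if1 from 192.168.1.10 to any -> 203.0.113.11
# split it into an outbound nat and an inbound rdr:
nat on $ext_if1 from 192.168.1.10 to any -> 203.0.113.11
rdr on $ext_if1 from any to 203.0.113.11 -> 192.168.1.10

nat on $ext_if1 from <group_a> to any -> $ext_ip1
nat on $ext_if2 from <group_b> to any -> $ext_ip2

# Filter section: the proxy's pass rules, then the per-group route-to.
anchor "ftp-proxy/*"
pass in on $int_if route-to ($ext_if1 $gw1) from <group_a> to any
pass in on $int_if route-to ($ext_if2 $gw2) from <group_b> to any
# Traffic the firewall itself originates with the ISP B address (the -a
# address of the second proxy) must also be steered to ISP B.
pass out on $ext_if1 route-to ($ext_if2 $gw2) from $ext_ip2 to any
pass out on $ext_if2 route-to ($ext_if1 $gw1) from $ext_ip1 to any
```

Check that the proxy's anchors actually receive rules with `pfctl -a "ftp-proxy/*" -sn` and `-sr` while a client is mid-transfer.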
