Forum Discussion
dsiesussi_24829
Nimbostratus
NimbostratusFTP Command PORT : Content Modification
Hi,
I just need some help to create a very simple irule (simple except for me who doesn't know the code). I have created a virtual server to loadbalance a couple of FTP servers.
And I noticed that I have a problem with the PORT Command, I explain myself with an exemple :
Client IP = 10.1.1.1
BigIP IP = 192.168.1.1
FTP Proxy = 192.168.10.1
FTP.Debian = 193.219.61.67
Everything is OK until the PASV request (Yes, I'm in a passive mode but that's not important).
So The PASV request is made from the Client IP to the BigIP which forward to the FTP Proxy.
The FTP proxy answers to the BigIP "Response: 227 Entering Passive mode (192,168,10,1,199,156)". The BigIP forwards the response to the client.
Problem is that the FW between the Client IP and the BigIP/Proxy blocks this PORT Command (I understand that Entering passive mode is the PORT FTP Command for FTP passive mode). The Inspection service detects a difference between the flow (10.1.1.1-> 192.168.1.1) and the content of the Entering passive mode command.
So I would like to know how to replace the IP Address of the FTP Proxy by the BigIP Address in the Entering passive mode command.
Ex :
Response from the FTP Proxy "Response: 227 Entering Passive mode (192,168,10,1,199,156)"
Would become
"Response: 227 Entering Passive mode (192,168,1,1,199,156)" from the bigIP to the Client.
Thank you for your help and excuse my poor english !
Julien
6 Replies
hoolioCirrostratus
Hi Julien,
Have you tried adding an FTP profile to the virtual server? LTM should then rewrite the port commands on responses to the client. Here is a Solution Guide list for passive FTP load balancing:
Load Balancing Passive Mode FTP Traffic
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_sol_guide_943/sol_ftp_passive.html?sr=11182389
Aaron
dsiesussi_24829Hi Aaron,
First of all, thanks for your reply.
But yes, i've already tried that but it doesn't work. I add that the problem doesn't come from Passive or Active mode. It's really the content of the PORT command which is blocked by the inspection of my FW. That's why, if I knew how to pick up the entering passive mode command and change the IP Address by the good one, it would be perfect. I've been said this is the kind of thing that irule can handle.
Julien- hoolioI would expect the FTP profile would dictate that LTM rewrite the IP address in responses to the virtual server address. If that's not working, you could open a support case with F5.
Another option would be to reconfigure the FTP proxy or servers to reference themselves using the LTM virtual server IP.
Aaron - dsiesussi_24829Yes I would have thought that the LTM would do it (rewrite the IP address). But it doesn't !
You don't think it could be solved thanks to an irule ?
It's weird that nobody have had the problem on this forum but I haven't found a post about it !
Julien 
L4L7_53191I think Aaron is right: the FTP server (or proxy or whatever) needs to have an idea that there's an upstream device handling a VIP address.
But I am confused: from what I know, PORT is used only for *active* ftp, as opposed to PASV. It specifies which port the client is supposed to expect traffic on. For example, see the (very good) description of the differences here: http://www.troubleshootingnetworks.com/ftpinfo.html
So if this is the case, it's likely that this is simply a flow issue: active FTP is challenging for firewall setups. The LTM ftp profile accommodates both active/passive FTP, so I actually doubt that this is the issue. I don't know how the proxy may or may not be affecting these flows though, so that could be complicating things!
Good luck,
-Matt- dsiesussi_24829Hi Matt,
You're absolutly right about the command PORT being only used for the active FTP. But as I said on my first Post : "Entering passive mode is the PORT FTP Command for FTP passive mode". Your Internet link is very good though and confirm that.
Both of them give the IP Address and the port from the client is supposed to expect traffic on.
So when I talked about the PORT Command, that was just because I don't want you to think it was a passive FTP Problem.
I keep the idea that the FTP server or whatever needs to have an idea that there's an upstream device handling a VIP address. Even if I think an irule would have been simple and more logical because this is F5's bonus.
