I'm not sure what benefit you think you're getting from forcing the ftp to come from the carp address. If the machines swap state (master fails), the ftp will fail also as it's relying on a userland process to facilitate it. You might want to check out ftpsesame (http://www.sentia.org/projects/ftpsesame/) - it might work a little better for you.
--Bill

On Sun, 17 Oct 2004 20:21:56 -0700, Yuri <[EMAIL PROTECTED]> wrote:
> Heyo
>
> I have a failover firewall setup with 2 boxes using CARP. Everything
> works OK, but I have a question about ftp-proxy...
>
> Box #1 has external IP 100.100.100.2 and internal IP 10.0.0.2
> Box #2 has external IP 100.100.100.3 and internal IP 10.0.0.3
> They both share the external CARP address 100.100.100.1 and the internal CARP address 10.0.0.1
>
> All requests that come from the internal network go out on the CARP address, so
> from outside you see that all requests are coming from 100.100.100.1:
> nat on $ext_if from $internal_net to any -> $external_carp
>
> All active ftp requests that use ftp-proxy are taken care of by this:
> 1) rdr on $carp_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> 2) pass in on $ext_if inet proto tcp from any to $carp_ext user proxy keep state
>
> But when I do that, the ftp requests are coming from Box #1's external
> interface (100.100.100.2) and not the CARP address (100.100.100.1),
> and when the second box takes over they're coming from 100.100.100.3.
>
> Is there any way I can force all the outgoing active ftp requests to come
> from the CARP address (100.100.100.1) instead? If so, what changes do I need
> to make in the pf/carp/ftp-proxy setup...?
>
> Thanks in advance :)
>
> P.S.
> Assignments are:
> internal_net="10.0.0.0/24"
> external_addr="100.100.100.2"
> external_carp="100.100.100.1"
> carp_int="carp0" (10.0.0.1)
> carp_ext="carp1" (100.100.100.1)
