On 02/22/2009 10:28:30 PM, Chris Smith wrote:
Was hoping I could more easily apply your example to my problem. I have multiple ISP connections, not doing load balancing, and using route-to to send groups of systems out different interfaces. The only glitch seems to be with the clients doing ftp. I'm tagging the packets with ftp-proxy (separate instances for each interface) but not sure how to use these tags in the ruleset. Any assistance is appreciated.
Tagging does not (necessarily) enter into ftp, if I understand your setup. You run different instances of ftp-proxy on different ports, so the rdr takes care of that. Then you use the -a argument to ftp-proxy so that the "right" nic is used for each ftp-proxy running, where "right" means the interface that the passive mode data connection is nat-ed to or otherwise transits so that passive mode ftp works. The only other issue is that you can't binat the clients (for all ports) and still do passive ftp because binat is evaluated before nat so the ftp-proxy nat anchor is not seen. The workaround is to split each binat rule into a rdr and a nat rule. Then again, maybe I'm guessing wrong as to your ruleset. You'd have to post detail.

Karl <[email protected]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
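Pulling the reply's points into one ruleset, as an added example that is not from either poster: two ftp-proxy instances (one per ISP, selected by -p and given that ISP's address with -a), a per-group rdr to each instance, the ftp-proxy anchors placed ahead of the site's own translation rules, the route-to rules per group, and a former binat split into rdr + nat so the proxy's nat anchor is still consulted. Every interface name, address and subnet below is an assumption for illustration, and the syntax is the pre-OpenBSD 4.7 nat/rdr/binat form in use when this thread was written (later releases replaced it with match ... nat-to / rdr-to and changed evaluation order, so this is not a drop-in for a current system).

```pf
# Interfaces, gateways and client groups (all assumed values for this example)
int_if    = "em0"
ext_if1   = "em1"            # ISP 1
ext_if2   = "em2"            # ISP 2
gw1       = "192.0.2.1"
gw2       = "198.51.100.1"
isp1_addr = "192.0.2.10"     # address on $ext_if1, handed to ftp-proxy -a
isp2_addr = "198.51.100.10"  # address on $ext_if2, handed to ftp-proxy -a
net1      = "10.0.1.0/24"    # group that leaves via ISP 1
net2      = "10.0.2.0/24"    # group that leaves via ISP 2
client_a  = "10.0.1.50"      # host that used to have a binat to $pub_a
pub_a     = "192.0.2.11"

# Matching proxy instances, one per ISP (assumed to be started from rc.local):
#   ftp-proxy -p 8021 -a 192.0.2.10
#   ftp-proxy -p 8022 -a 198.51.100.10
# -p is the port the rdr below sends a group's control connections to; -a is
# the source address the proxy uses, and the nat rule it inserts for a
# passive-mode data connection translates to that same address, so the data
# connection carries the "right" ISP's address for that group.

# Translation: the proxy's anchors come first, so its rules win over ours
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# What used to be
#   binat on $ext_if1 from $client_a to any -> $pub_a
# split into rdr + nat, so the nat-anchor above is evaluated for this host too
rdr on $ext_if1 from any to $pub_a -> $client_a
nat on $ext_if1 from $client_a to any -> $pub_a

# Remaining outbound nat, per ISP
nat on $ext_if1 from $net1 to any -> ($ext_if1)
nat on $ext_if2 from $net2 to any -> ($ext_if2)

# Each group's ftp control connections go to that group's proxy instance
rdr pass on $int_if proto tcp from $net1 to any port 21 -> 127.0.0.1 port 8021
rdr pass on $int_if proto tcp from $net2 to any port 21 -> 127.0.0.1 port 8022

# Filtering
block log all
pass quick on lo0

# Rules ftp-proxy adds per data connection (pass plus nat or rdr; tagged if -T was given)
anchor "ftp-proxy/*"

# Traffic to the firewall itself must not be policy-routed
pass in quick on $int_if from { $net1 $net2 } to $int_if

# Policy routing per group: a passive-mode data connection still enters on
# $int_if from the client, so it takes the same path as the group's other traffic
pass in on $int_if from $net1 to any route-to ($ext_if1 $gw1)
pass in on $int_if from $net2 to any route-to ($ext_if2 $gw2)

# Outbound on each ISP: covers the proxies' control connections (sourced from
# the -a addresses) and the nat-ed client traffic on that interface
pass out on $ext_if1 from ($ext_if1) to any
pass out on $ext_if2 from ($ext_if2) to any
```

The ordering that matters is the two anchors ahead of the site's own nat rule for $client_a: with the original binat in place, the binat would be matched before any nat rule and the proxy's per-connection nat entry would never be reached, which is the failure the reply describes. Check with pfctl -a "ftp-proxy/*" -sr while a passive transfer is in progress to confirm the proxy's rules are being inserted under the expected anchor.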
