[log in to unmask] wrote:
>If the data address is explicitly configured as I described in my other
>message, it will _always_ use it in response to a PASV command, because
>the server cannot predict if the address is going to be used for a local
>transfer (WN --> SE) or a remote 3rd party transfer (remote SE --> SE).
>
>This means that a WN _must_ have a routing entry to the public address
>of the site's own SE. I suppose some clever NAT/iptables configuration
>can get the public address translated into the private address when it
>happens to be used on the private network (WN --> SE)?
>
That's right, the correct approach was to reply to PASV always with the
public IP (because of the 3rd party transfer).
In the case of a single wire for ALL nodes, private WNs would need
OUTPUT chain NAT rules to redirect traffic addressed to the public SE (CE,
RB) to the private SE (CE, RB) IP address. Or they might leave it to
the central NAT (PREROUTING chain, nat table) with the penalty of an extra hop.
In the case of a private network exclusively dedicated to WNs (without
SE, CE, RB, etc.) there would be NO need to use a new edg-gridftpd. Just
mangle (source address) the traffic addressed to the world and leave the
private WN source address untouched when the destination is the public SE (CE,
RB, etc.).
(A particular case, also possible, would be to use the SE as NAT for the WNs.)
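The three NAT layouts described in the message above (per-WN OUTPUT chain DNAT, central PREROUTING DNAT, and a dedicated WN network that SNATs only world-bound traffic) as an added example; this is not code from the thread or from the EDG project. All addresses, interface names and the `IPT` variable are constructed placeholders; by default the script only prints the iptables commands so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: iptables rule generator for the PASV/3rd-party-transfer NAT
# cases discussed in the thread. All values below are constructed placeholders.
SE_PUBLIC="${SE_PUBLIC:-192.0.2.10}"        # public IP the SE puts in PASV replies
SE_PRIVATE="${SE_PRIVATE:-10.0.0.10}"       # private IP of the same SE on the WN wire
WN_NET="${WN_NET:-10.0.0.0/24}"             # private worker-node network
PUB_IF="${PUB_IF:-eth0}"                    # public-facing interface of the NAT box
NAT_PUBLIC_IP="${NAT_PUBLIC_IP:-192.0.2.1}" # address world-bound WN traffic is SNATed to
IPT="${IPT:-echo iptables}"                 # dry run by default; set IPT=iptables to apply

# Case 1a, single wire, rule installed on each private WN:
# the client connects to the public SE address from the PASV reply, and the
# local OUTPUT chain rewrites the destination to the SE's private address.
wn_local_rules() {
    $IPT -t nat -A OUTPUT -d "$SE_PUBLIC" -j DNAT --to-destination "$SE_PRIVATE"
}

# Case 1b, single wire, same rewrite done once on the central NAT box:
# WN traffic for the public SE is DNATed in PREROUTING (costs an extra hop).
central_nat_rules() {
    $IPT -t nat -A PREROUTING -s "$WN_NET" -d "$SE_PUBLIC" \
        -j DNAT --to-destination "$SE_PRIVATE"
}

# Case 2, private network dedicated to WNs, rules on the NAT router:
# traffic to the public SE keeps its private source (ACCEPT in the nat table
# stops further nat processing), everything else leaving the public
# interface is SNATed to the router's public address.
dedicated_wn_net_rules() {
    $IPT -t nat -A POSTROUTING -s "$WN_NET" -d "$SE_PUBLIC" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$WN_NET" -o "$PUB_IF" \
        -j SNAT --to-source "$NAT_PUBLIC_IP"
}

# Print all three rule sets so the script is useful stand-alone.
echo "# case 1a: per-WN OUTPUT chain"; wn_local_rules
echo "# case 1b: central PREROUTING"; central_nat_rules
echo "# case 2: dedicated WN network"; dedicated_wn_net_rules
```

Rule order in case 2 matters: the ACCEPT for the SE destination must precede the SNAT rule, otherwise the SE would see the NAT box's public address as the source and the "untouched private source" behaviour the message relies on is lost. In case 2 the SE (or its router) still needs a route back to the private WN network.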