Hal

> As was noted, I believe the EPSV is not supported on the vast majority of clients out there.

Actually I didn't see that in any of the thread traffic so far. However, what Alan did note was that there is a sort of "migration option" which allows the FTP client to propose the "extended passive mode" command (RFC 2428) and, if the FTP server performs the FTP equivalent of shrugging its shoulders, the FTP client can then revert to the older "passive mode" command (RFC 959).

Note that RFC 2428 is dated 1998. Thus, while casual users may have antediluvian FTP client implementations, I would expect FTP client implementations used for important business applications to be those where the developers had made good use of the intervening 13 years to become current - but that's just my guess!

> Any idea what command or configuration parameter that might be?

It's not clear what you are asking here.

In the z/OS Communications Server (CS) IP Configuration Reference manual, there are 3 relevant FTP *client* statements: EPSV4, FWFRIENDLY and PASSIVEIGNOREADDR.[1] Note that PASSIVEIGNOREADDR is new in z/OS V1R11 CS.

See the following for more helpful advice:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/f1a1f250/3.3.2.3

Thus, if your FTP clients are other than the z/OS CS implementation, this information is no good for you. You are going to need to look for similar FTP client commands - or parameter settings or whatever - in the FTP client implementations of interest. These CS FTP client commands may be helpful as indications of what the commands might be in another implementation.

If you are looking for FTP server commands relevant to a z/OS CS FTP server, I expect you may assume that it can handle any of the combinations of "active"/"passive" protocol sequences which a z/OS CS FTP client can adopt.

>...> One of my network guys says that some servers allow the coding of a different IP address to be used in the handshake.

>...> Normally, FTP in passive mode sends the host IP address and port number for the client to use.
> This is useless if there is a NAT'ing firewall in the path. My guy claims that you can change that to specify any address you want, specifically the NAT'ed address.

>...> Anyone know what he is talking about?

Perhaps you should go back to first principles and read up on how FTP works. A good starting point is the following:

http://en.wikipedia.org/wiki/File_Transfer_Protocol

and then maybe the references in this Wikipedia article.

I'm not sure the "any address you want, specifically the NAT'ed address." is a good idea. The Wikipedia article talks about "Application-level gateway" - and there's another Wikipedia article which covers this function:

http://en.wikipedia.org/wiki/Application-level_gateway

-

[1]

EPSV4 (FTP client) statement

Use the EPSV4 statement to direct the FTP client to use EPSV and EPRT commands on IPv4 sessions. The locsite subcommand is also available to set this parameter.

Syntax

EPSV4 FALSE|TRUE

Parameters

FALSE
  Prevents the client from using EPRT and EPSV commands on IPv4 sessions. This is the default.
TRUE
  Directs the client to use EPRT and EPSV commands on IPv4 sessions.

Usage notes

EPRT and EPSV commands are described in RFC 2428. If the server rejects an EPRT or EPSV command during the session, the client stops sending EPRT and EPSV to that server regardless of how you have set EPSV4.

Guideline: If your client has trouble establishing a data connection on an IPv4 security protected, encrypted session through an NAT firewall, coding EPSV4 TRUE in the client's FTP.DATA can help.

Restrictions:

- The FTP server ignores this statement.
- Socksified sessions use PASV or PORT commands to establish data connections, as specified by the FWFRIENDLY setting. When EPSV4 is TRUE, the client attempts EPSV but never EPRT to establish a socksified data connection.
- Some FTP servers support EPRT and EPSV commands, but do not reply as described in RFC 2428.
  If the FTP server reply to EPSV or EPRT does not conform to RFC 2428, the client reacts as if the server has rejected the command.
- RFC 2428 stipulates EPSV is the preferred command to establish data connections. Therefore, when EPSV4 is TRUE, the client tries EPSV regardless of how you have set FWFRIENDLY. The client uses EPRT only to set up a data connection for proxy transfer.

Examples

To direct the client to use EPSV and EPRT commands on IPv4 FTP sessions, code the following:

EPSV4 TRUE

<Comment: I would have preferred the word "may" or "might" - as used by PASSIVEIGNOREADDR - rather than "can" before "help.>

.

FWFRIENDLY (FTP client) statement

Use the FWFRIENDLY statement to specify how data connections are to be set up between the client and the server.

Syntax

FWFRIENDLY FALSE|TRUE

Parameters

TRUE
  Specifies that the FTP client is firewall-friendly. This means that data connections are set up from the FTP client to the FTP server.
FALSE
  Specifies that the FTP client is not firewall-friendly. This means that data connections are set up from the FTP server to the FTP client. This is the default.

Examples

FWFRIENDLY TRUE ; FTP client is firewall-friendly

Usage notes

When the connection to the server is IPv6, data connections are set up from client to the server regardless of the FWFRIENDLY setting.

.

PASSIVEIGNOREADDR (FTP client) statement

Use the PASSIVEIGNOREADDR statement to direct the FTP client to ignore the IP address returned from the server on the PASV reply on IPv4 sessions. You can also use the locsite subcommand to set this parameter.

Restrictions:

- The FTP server ignores this statement.
- When EPSV4 and PASSIVEIGNOREADDR are TRUE, the client tries the EPSV command first. If the EPSV command does not succeed, and FRIENDLY is TRUE, then the client tries the PASV command. The PASSIVEIGNOREADDR value determines how the FTP client uses the IP address that is returned by the PASV command.

Syntax

PASSIVEIGNOREADDR FALSE|TRUE

Parameters

FALSE
  For passive mode FTP, specifies that the FTP client uses the IP address and port number from the PASV command reply that is returned by the FTP server for the data connection. This is the default value.
TRUE
  For passive mode FTP, specifies that the FTP client uses the port number from the PASV command reply, and the IP address used to log into the FTP server, for the data connection.

Guideline: If your client has trouble establishing a data connection on an IPv4 encrypted session through a NAT firewall, and the FTP server does not support extended passive mode, coding PASSIVEIGNOREADDR TRUE might help.

Requirement: FWFRIENDLY must also be set to TRUE to enable this function.

Examples

To direct the client to ignore the IP address on the FTP server's PASV reply, code the following:

PASSIVEIGNOREADDR TRUE

-

Chris Mason

On Thu, 2 Jun 2011 11:22:47 -0500, Hal Merritt <[email protected]> wrote:

> Any idea what command or configuration parameter that might be?
>
>As was noted, I believe the EPSV is not supported on the vast majority of clients out there.
>
>-----Original Message-----
>From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Alan Altmark
>Sent: Thursday, June 02, 2011 9:07 AM
>To: [email protected]
>Subject: Re: Z/os FTP Server Configurartion
>
>On Wed, 1 Jun 2011 15:30:13 -0700, Starr, Alan <[email protected]>
>wrote:
>
>..snip
>An FTP client may have the capability to ignore (or may ignore by default) the IP address provided on PASV, simply connecting back to the same IP as used on the control connection.
>
>Alan Altmark
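
The client-side behaviour the quoted EPSV4 and PASSIVEIGNOREADDR statements describe (try EPSV, fall back to PASV if the reply is rejected or non-conforming, then optionally keep only the port from the PASV reply) can be sketched as follows. This is an added example, not part of the original message and not IBM's code; the function names, the `send` callback, the sample replies and the 203.0.113.7 address are assumptions, and passive (FWFRIENDLY TRUE) operation is assumed throughout.

```python
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 EPSV reply: "229 ... (<d><d><d>port<d>)", e.g. (|||6446|)
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")

# Constructed replies: a server behind NAT that advertises its private address.
NAT_SERVER = {"EPSV": "500 Command not understood",
              "PASV": "227 Entering Passive Mode (10,1,2,3,25,46)"}

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is malformed."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def parse_epsv(reply):
    """Return the port from a 229 reply, or None if it does not conform."""
    m = EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        return None
    port = int(m.group(2))
    return port if 0 < port < 65536 else None

def data_endpoint(control_ip, send, epsv4=False, passive_ignore_addr=False):
    """Choose the passive data-connection target as (ip, port, command).

    send(cmd) -> reply line is a hypothetical stand-in for the control
    connection; control_ip is the address used to log in to the server.
    """
    if epsv4:
        port = parse_epsv(send("EPSV"))
        if port is not None:
            # An EPSV reply carries no address, only a port.
            return control_ip, port, "EPSV"
        # Rejected or non-conforming reply: treat as rejected, try PASV.
    parsed = parse_pasv(send("PASV"))
    if parsed is None:
        raise ValueError("server did not accept passive mode")
    ip, port = parsed
    if passive_ignore_addr:
        ip = control_ip  # keep the port, discard the address in the reply
    return ip, port, "PASV"

if __name__ == "__main__":
    print(data_endpoint("203.0.113.7", NAT_SERVER.get))
    print(data_endpoint("203.0.113.7", NAT_SERVER.get, True, True))
```

With the constructed NAT_SERVER replies, the default settings yield the unreachable private address from the PASV reply, while the second call reuses the control-connection address with the advertised port.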

