Setting up FTP Server on z/OS

FTP 1 Minute

I had problems using the FTP server on z/OS once I had configured IP Filtering (any IP addresses and ports which are not in the configuration are dropped).

Once an FTP client has established contact using port 21, the transfer switches to a different port. You can control which port range is used.

Setting up the FTP server.

If you start the FTP Daemon (S FTPD) it starts up another procedure (FTPD1) and the initial job ends.

You need to configure the SYSLOGD daemon to capture any output from the FTP task.

In /etc/syslog.conf I set up

*.FTPD*.*.*         /var/log/FTPD.%Y.%m.%d

so any output from jobs with a name FTPD* will go into the specified file.

In my file I had

EZYFT46E Error in dd:SYSFTPD=TCPIP.SEZAINST(FTPSDATA) file: line 1283 near column 1.
EZY2642E Unknown keyword: PASSIVEDATAPORTS(8000,8100)

Configuring ports

To limit which ports FTP uses you need to specify PASSIVEDATAPORTS

PASSIVEDATAPORTS (8000,8100)

with a blank between the keyword and the (.

You also need to tell TCPIP that the port range is reserved for TCPIP’s use for example

PORTRANGE
... 50000 100 TCP AUTHPORT

Where AUTHPORT Indicates that all ports in the port range are not available for use by any user except FTP, and only when FTP is configured to use PASSIVEDATAPORTS. AUTHPORT is valid only with the TCP protocol.

When you try to transfer a file you get a message

ftp> get ‘…’ … local: …: ‘…’
229 Entering Extended Passive Mode (|||8061|)

where 8061 is the port which was used.

IPSEC definitons for IP Filtering

For my very restrictive access from my laptop to z/OS (and no other devices) I used

IpFilterRule FTPnI21 
{ 
  IpSourceAddrGroupRef     zGroup 
  IpSourceAddr   10.1.0.2 
  IpDestAddr     10.1.1.2 
  IpGenericFilterActionRef permitlog 
 IpService 
 { 
    Protocol Tcp 
    DestinationPortRange 21 
    Direction inbound 
    Routing local 
 } 
 IpService 
 { 
    Protocol Tcp 
    DestinationPortRange 8000-8100 
    Direction inbound 
    Routing local 
 } 
}

and

IpFilterRule FTPO21 
{ 
  IpSourceAddr   10.1.1.2 
  IpDestAddr     10.1.0.2 
  IpGenericFilterActionRef permitlog 
 IpService 
 { 
    Protocol Tcp 
    SourcePortRange  21 
    Direction outbound 
    Routing local 
 } 
 IpService 
 { 
    Protocol Tcp 
    SourcePortRange  8000-8100 
    Direction outbound 
    Routing local 
 } 
}
Unknown's avatar

Published by Colin Paice

I retired from IBM where I worked on MQ on z/OS, and did customer stuff. I retired, and keep my hand in with MQ, by playing with it! I'm now an #IBMChampion from my work trying to make z/OS product more usable.

Published

One thought on “Setting up FTP Server on z/OS

  1. Pingback: CS IP Filtering: Tying to use FTP – ColinPaice

Leave a comment