Ah yeah, my bad, that looks right. Details do count. I was going from faulty memory. :) Thanks!
First Horizon Bank Mainframe Technical Support

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Charles Mills
Sent: Saturday, June 13, 2020 12:28 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How is Passive FTP with TLS and NAT supposed to work?

THANK YOU. Yes, PASSIVEIGNOREADDR is the key (and BTW you can then eliminate CCC with its security exposure). Shows what a kludge FTP is. The client says "Let's go into passive mode. Tell me what IP address to use, and I will ignore it. Thank you. Because after all, I already know your IP address."

BTW, with EPSV4 I do *not* see 227 response would be (, , , ,8,106). Instead I see a 229 response:

EZA1701I >>> EPSV
SC3311 getReply: entered
SC4479 getNextReply: entered with waitForData = TRUE
229 Entering Extended Passive Mode (|||2158|)
SC5291 epsvReply: entered
SC5209 parseEPSVreply: entered
SC5221 parseEPSVreply: tmpreply 229 Entering Extended Passive Mode (|||2158|)
SC5240 parseEPSVreply: i 9 tmpstr (|||2158|)
SC5249 parseEPSVReply: delimiter is |/4f

But no matter. EPSV4 seems to be a nice-to-have. PASSIVEIGNOREADDR is the key.

For anyone following this thread who is wondering what the heck I have been talking about there is a good (non-mainframe, but it is the same issue) explanation here: https://bit.ly/2Yv0BOp

> My cruddy email application (Outlook) doesn't do the >-style quoting

Yeah, I always just do it by hand in Outlook. I have a > key.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jackson, Rob
Sent: Saturday, June 13, 2020 6:17 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How is Passive FTP with TLS and NAT supposed to work?

My cruddy email application (Outlook) doesn't do the >-style quoting (or at least I don't know how to make it), so let me try below with tabs; it will probably be ugly.

First Horizon Bank Mainframe Technical Support

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Charles Mills

Thanks all! Thanks much! Let me try to do one reply here to hold down the noise.

> active mode is the one using PORT; passive mode uses PASV

Thank you! It's a detail but I want to have the details right. Details are of the essence here. What *exactly* does the server send? On the client end I see

SC1373 initDsConnection: entered
SC2848 sendCmd: entered
EZA1701I >>> PASV
SC3311 getReply: entered
SC4479 getNextReply: entered with waitForData = TRUE
227 Entering Passive Mode (10,200,40,20,8,106)

Where *exactly* did the client get that 10.200.40.20 from? What *does* the server send to convey "open your data connection on this address"?

    Correct, the 227 is the server response. The first four comma-delimited bytes-in-decimal are the server IP; the second two are the port: 256*8+106.

In other news:

- "Switching to another type of FTP" is non-trivial because the use of FTP is embedded in another product that builds control files on the fly. It would be a development project to use "a different FTP." Not out of the question, but a development project nonetheless.

- Both ends are z/OS FWIW. There is a mix of "legacy" and zFS. That is all under control presently.

    Perfect; that should make it easier. In SYSFTPD on the client side, the first of the below sets PASV; you have that.
    The second tells the client to ignore the returned IP and stick with the one it opened; the third tells the server to use EPSV and not to respond with one in the first place (227 response would be (, , , ,8,106))

    FWFRIENDLY TRUE;
    PASSIVEIGNOREADDR TRUE;
    EPSV4 TRUE;

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
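
The two replies quoted in this thread, parsed side by side, as an added example (not code from the posters or from the z/OS FTP client). It shows why the internal address in the 227 reply is the only thing that differs between honouring and ignoring it, and that the 229 reply carries no address at all. The function names, the `ignore_addr` switch modelling PASSIVEIGNOREADDR, and the `CONTROL_PEER` address are assumptions made for illustration.

```python
import re

# Constructed inputs: the two reply lines are the ones quoted in the thread;
# CONTROL_PEER is a made-up documentation address standing in for the
# address the client dialed for the control connection.
PASV_REPLY = "227 Entering Passive Mode (10,200,40,20,8,106)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||2158|)"
CONTROL_PEER = "203.0.113.7"


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply: h1,h2,h3,h4,p1,p2 with port = 256*p1 + p2."""
    m = re.search(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a well-formed 227 reply")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return ".".join(map(str, nums[:4])), 256 * nums[4] + nums[5]


def parse_epsv(reply):
    """Return the port from a 229 reply, (<d><d><d>port<d>); no address is sent."""
    m = re.search(r"\((.)\1\1(\d{1,5})\1\)", reply)
    if not reply.startswith("229") or not m:
        raise ValueError("not a well-formed 229 reply")
    port = int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return port


def data_endpoint(reply, control_peer, ignore_addr=True):
    """Pick where the client opens the data connection.

    ignore_addr=True models the PASSIVEIGNOREADDR TRUE behaviour described
    in the thread: the address in a 227 reply is discarded and the control
    connection's peer address is reused. A 229 reply always uses the peer.
    """
    if reply.startswith("229"):
        return control_peer, parse_epsv(reply)
    ip, port = parse_pasv(reply)
    return (control_peer if ignore_addr else ip), port
```

With `ignore_addr=False` the client would try to connect to 10.200.40.20, the server's pre-NAT address, which is the failure the thread is about when TLS keeps the firewall from rewriting the 227 reply.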