THANK YOU. Yes, PASSIVEIGNOREADDR is the key (and BTW you can then eliminate CCC with its security exposure).
Shows what a kludge FTP is. The client says "Let's go into passive mode. Tell me what IP address to use, and I will ignore it. Thank you. Because after all, I already know your IP address."

BTW, with EPSV4 I do *not* see 227 response would be (, , , ,8,106). Instead I see a 229 response:

EZA1701I >>> EPSV
SC3311 getReply: entered
SC4479 getNextReply: entered with waitForData = TRUE
229 Entering Extended Passive Mode (|||2158|)
SC5291 epsvReply: entered
SC5209 parseEPSVreply: entered
SC5221 parseEPSVreply: tmpreply 229 Entering Extended Passive Mode (|||2158|)
SC5240 parseEPSVreply: i 9 tmpstr (|||2158|)
SC5249 parseEPSVReply: delimiter is |/4f

But no matter. EPSV4 seems to be a nice-to-have. PASSIVEIGNOREADDR is the key.

For anyone following this thread who is wondering what the heck I have been talking about there is a good (non-mainframe, but it is the same issue) explanation here: https://bit.ly/2Yv0BOp

> My cruddy email application (Outlook) doesn't do the >-style quoting

Yeah, I always just do it by hand in Outlook. I have a > key.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jackson, Rob
Sent: Saturday, June 13, 2020 6:17 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How is Passive FTP with TLS and NAT supposed to work?

My cruddy email application (Outlook) doesn't do the >-style quoting (or at least I don't know how to make it), so let me try below with tabs; it will probably be ugly.

First Horizon Bank Mainframe Technical Support

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Charles Mills

Thanks all! Thanks much! Let me try to do one reply here to hold down the noise.

> active mode is the one using PORT; passive mode uses PASV

Thank you! It's a detail but I want to have the details right. Details are of the essence here. What *exactly* does the server send? On the client end I see

SC1373 initDsConnection: entered
SC2848 sendCmd: entered
EZA1701I >>> PASV
SC3311 getReply: entered
SC4479 getNextReply: entered with waitForData = TRUE
227 Entering Passive Mode (10,200,40,20,8,106)

Where *exactly* did the client get that 10.200.40.20 from? What *does* the server send to convey "open your data connection on this address"?

    Correct, the 227 is the server response. The first four comma-delimited bytes-in-decimal are the server IP; the second two are the port: 256*8+106.

In other news:

- "Switching to another type of FTP" is non-trivial because the use of FTP is embedded in another product that builds control files on the fly. It would be a development project to use "a different FTP." Not out of the question, but a development project nonetheless.

- Both ends are z/OS FWIW. There is a mix of "legacy" and zFS. That is all under control presently.

    Perfect; that should make it easier. In SYSFTPD on the client side, the first of the below sets PASV; you have that. The second tells the client to ignore the returned IP and stick with the one it opened; the third tells the server to use EPSV and not to respond with one in the first place (227 response would be (, , , ,8,106))

    FWFRIENDLY TRUE;
    PASSIVEIGNOREADDR TRUE;
    EPSV4 TRUE;
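
Added example (not part of the original thread, and not the z/OS FTP client's code): a small Python sketch of how a client can turn the 227 and 229 replies shown above into a data-connection endpoint, with an ignore_addr switch that mirrors what the thread says PASSIVEIGNOREADDR TRUE does. The function name data_endpoint and the public address 203.0.113.7 are assumptions made up for the illustration.

```python
import re

# 227 reply: six decimal bytes h1,h2,h3,h4,p1,p2, as in the thread's trace
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 reply: (<d><d><d>port<d>) with one repeated delimiter and no address
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def data_endpoint(reply, control_peer, ignore_addr=True):
    """Return (host, port) for the passive data connection.

    control_peer is the address the control connection was opened to.
    ignore_addr=True discards the address inside a 227 reply, which is the
    behaviour the thread attributes to PASSIVEIGNOREADDR TRUE.
    """
    code = reply[:3]
    if code == "229":
        m = EPSV_RE.search(reply)
        if not m:
            raise ValueError("malformed 229 reply")
        port = int(m.group(2))
        host = control_peer  # a 229 reply carries a port only
    elif code == "227":
        m = PASV_RE.search(reply)
        if not m:
            raise ValueError("malformed 227 reply")
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("byte out of range in 227 reply")
        port = 256 * nums[4] + nums[5]  # 256*8+106 in the thread's trace
        advertised = ".".join(str(n) for n in nums[:4])
        host = control_peer if ignore_addr else advertised
    else:
        raise ValueError("not a passive-mode reply: " + code)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return host, port


# Constructed NAT scenario: the client reached the server at 203.0.113.7,
# but the server's 227 reply advertises its private address 10.200.40.20.
NAT_PEER = "203.0.113.7"
print(data_endpoint("227 Entering Passive Mode (10,200,40,20,8,106)", NAT_PEER))
print(data_endpoint("227 Entering Passive Mode (10,200,40,20,8,106)", NAT_PEER, ignore_addr=False))
print(data_endpoint("229 Entering Extended Passive Mode (|||2158|)", NAT_PEER))
```

With ignore_addr=False the client would try 10.200.40.20, which is unreachable from outside the NAT; with the address ignored, both reply styles resolve to the control-connection peer.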