Re: How to require all secure FTP except to one subnet?

Mon, 28 Aug 2017 10:45:01 -0700 

        It is certainly possible with one TCP/IP stack.........We do it!!!

        However, we do use two separate FTP tasks, one is secure (FTPS) and one 
is NOT (FTPD). You could then code a FTCHKIP exit for the non-secure FTP task 
to only allow login from the hipersocket address range.
        If the two FTP tasks run on the same LPAR, then they will need 
different ports!!

        Hth
        Tony 
 

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of SUBSCRIBE IBM-MAIN Mary Vollmer
Sent: Monday, August 28, 2017 12:50 PM
To: [email protected]
Subject: How to require all secure FTP except to one subnet?

I am implementing TLS 1.2 via AT-TLS and have a requirement to secure all FTPs 
using this protocol except for the exchanges occurring via the hipersocket.

I am manually coding the policy since I don't have zOSMF configured.  In my 
policy I have a rule for my unsecure connections, coding both LocalAddr and 
RemoteAddr with that of our hipersocket subnet.  It has a priority of 100 and 
is first in the policy.  I also have a rule for secure connections with no 
LocalAddr or RemoteAddr with a priority of 10.

In my FTPDATA:
   When I specify SECURE_FTP REQUIRED, all unsecure attempts (inbound and 
outbound) fail - including those via the hipersocket.


   When I specify SECURE_FTP ALLOWED, all unsecure attempts (inbound and 
outbound) are successful - even those NOT using the hipersocket.  

I turned on tracing and see the rules selected are as I would have expected but 
it appears the SECURE_FTP parm in FTP data rules, regardless of what's in the 
policy.  

Does anyone know if it's possible to do what I am trying do to with one TCPIP 
stack?

Thanks,
Mary Vollmer 
 

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN

Reply via email to