Re: FTP SSL ports used?

[Scott Klement <midrange-l@xxxxxxxxxxxxxxxx>]

FTP's data connections (used to transfer files or directories) are 
always taken from the "ephemeral port range". This is not only true of 
FTP over SSL, but is also true of 'normal' FTP, and also a few other 
protocols.

It's a bigger problem with SSL than it would be with non-SSL because the 
data is always encrypted, so devices like firewalls and NAT gateways 
cannot see which port you've navigated by reading the command channel as 
they would do with regular FTP.  Many people will circumvent this 
problem by only using SSL for the password exchange, and then turning 
off SSL using FTP's "clear channel" command -- but then security suffers 
a bit since the commands you're sending are now in plain text.

While the ephemeral port range is configurable on some OSes, I do not 
think that it is configurable on IBM i.  (Or, at least, I haven't heard 
that it is.)

My personal recommendation is not to use FTP over SSL.  Use the sftp 
tool from SSH instead, which does not have these problems.




On 10/29/2013 10:02 AM, David Gibbs wrote:
> Folks:
>
> I'm trying to get my head wrapped around SSL FTP and it's firewall implications.
>
> Based on my research, there is a problem when using SSL FTP in that it uses a dynammic secondary port for the data channel.  (http://en.wikipedia.org/wiki/FTPS#Firewall_incompatibilities)
>
> A workaround has been suggested by configuring the FTP server to use a limited range of ports for data ... but how would you configure the IBM i FTP server to use a limited port range?
>
> Thanks!
>
> david