Networking on z/OS


More port control

Port control is a big topic in the world of network security. Within an organization, an individual or group responsible for a boundary device firewall might have strict rules as to which ports can be used. And, even within the z/OS host, keeping tight control over which ports are available is key to a healthy and secure system.

With respect to a firewall, one of the most difficult areas is ephemeral port usage of an FTP server.

Reminder: An ephemeral port is one that is required to complete a connection between endpoints, but the actual port number required is unimportant. Ephemeral ports are assigned by the TCP/IP stack in a (roughly) sequential pattern. An application that needs an ephemeral port asks for the port (implicitly), and it is provided by the TCP/IP stack. Ephemeral port numbers are always greater than 1024.

The FTP server may request an ephemeral port for performing a data transfer. By default, this port number could be anywhere in the range from 1024 to 65535. However, it is not desirable to open up such a wide range of ports in a firewall. Using the PORTRANGE statement in the FTP.DATA configuration file, FTP ephemeral port usage can be limited to a range bounded by a low port and a high port. This same range would be reflected in the appropriate port-filtering firewall(s).

Access to ports below 1024 should normally be restricted. This is controlled by the RESTRICTLOWPORTS option on the TCPCONFIG and UDPCONFIG statements in the TCP/IP profile; see Figure 1.

Figure 1. Controlling low number ports
 TCPCONFIG
  RESTRICTLOWPORTS
 UDPCONFIG
  RESTRICTLOWPORTS
 PORT
  20 TCP * NOAUTOLOG                   ; FTP Server
  21 TCP FTPD1                         ; FTP Server
  23 TCP TN3270D                       ; Telnet 3270 Server
  23 TCP INETD1 BIND 201.2.10.199      ; z/OS UNIX Telnet server
  25 TCP SMTP                          ; SMTP Server
  53 TCP NAMED1                        ; Domain Name Server
  53 UDP NAMED1                        ; Domain Name Server

If RESTRICTLOWPORTS has been coded, how can an application such as a web server or an FTP server access its normal port? The answer is in the PORT statement shown in Figure 1. A PORT statement entry is required for any application that wants to use a port below 1024 when RESTRICTLOWPORTS is in effect. The TCP/IP stack reserves ports for the started task (server) name listed on the PORT statement.

The PORT statement is a rudimentary form of control: only an application with the assigned task name is allowed to use that port number.
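The following Python script is an added audit helper, not IBM code and not part of the original page. It parses a TCP/IP profile fragment written in the style of Figure 1 and then applies the two rules just described: a PORT entry hands a port to the named started task (or to any task for "*"), an entry with BIND applies only to that local address, and under RESTRICTLOWPORTS an unreserved port below 1024 is refused to everyone. The profile text, the task names and the addresses it is queried with are constructed for the example.

```python
"""Model of z/OS TCP/IP profile PORT reservations under RESTRICTLOWPORTS.

Constructed audit helper (not IBM code): parses a profile fragment in the
style of Figure 1 and answers whether a started task may bind a given port.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed profile fragment modelled on Figure 1; ';' starts a comment.
PROFILE = """
TCPCONFIG
 RESTRICTLOWPORTS
UDPCONFIG
 RESTRICTLOWPORTS
PORT
 20 TCP * NOAUTOLOG                   ; FTP Server
 21 TCP FTPD1                         ; FTP Server
 23 TCP TN3270D                       ; Telnet 3270 Server
 23 TCP INETD1 BIND 201.2.10.199      ; z/OS UNIX Telnet server
 25 TCP SMTP                          ; SMTP Server
 53 TCP NAMED1                        ; Domain Name Server
 53 UDP NAMED1                        ; Domain Name Server
"""


@dataclass
class Reservation:
    port: int
    proto: str            # "TCP" or "UDP"
    jobname: str          # started task name; "*" lets any task use the port
    bind: Optional[str]   # local IP address the reservation is limited to


def parse_profile(text):
    """Return (restrict_low, reservations) for a profile fragment."""
    restrict_low = {"TCP": False, "UDP": False}
    reservations = []
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip trailing comment
        if not line:
            continue
        tokens = line.split()
        keyword = tokens[0].upper()
        if keyword in ("TCPCONFIG", "UDPCONFIG", "PORT"):
            section = keyword
            tokens = tokens[1:]                  # parameters may follow on the same line
            if not tokens:
                continue
        upper = [t.upper() for t in tokens]
        if section in ("TCPCONFIG", "UDPCONFIG"):
            if "RESTRICTLOWPORTS" in upper:
                restrict_low[section[:3]] = True
            continue
        if section == "PORT":
            port, proto, job = int(tokens[0]), tokens[1].upper(), tokens[2]
            bind = tokens[upper.index("BIND") + 1] if "BIND" in upper else None
            reservations.append(Reservation(port, proto, job, bind))
    return restrict_low, reservations


def may_bind(jobname, port, proto, local_addr, restrict_low, reservations):
    """Decide whether `jobname` may bind `port`/`proto` on `local_addr`.

    Rules as the text describes them: a PORT entry hands the port to the
    named task ("*" = any task); an entry with BIND applies only to that
    local address; with RESTRICTLOWPORTS an unreserved port below 1024 is
    refused to every task.  local_addr "0.0.0.0" stands for INADDR_ANY.
    """
    proto = proto.upper()
    applicable = [r for r in reservations
                  if r.port == port and r.proto == proto
                  and (r.bind is None or r.bind == local_addr)]
    if applicable:
        return any(r.jobname in ("*", jobname.upper()) for r in applicable)
    return not (port < 1024 and restrict_low[proto])


if __name__ == "__main__":
    restrict, res = parse_profile(PROFILE)
    print("RESTRICTLOWPORTS:", restrict)
    # Constructed bind attempts: who gets which port?
    for job, port, proto, addr in [("FTPD1", 21, "TCP", "0.0.0.0"),
                                   ("SMTP", 21, "TCP", "0.0.0.0"),
                                   ("INETD1", 23, "TCP", "201.2.10.199"),
                                   ("INETD1", 23, "TCP", "0.0.0.0"),
                                   ("MYHTTPD", 80, "TCP", "0.0.0.0"),
                                   ("MYHTTPD", 8080, "TCP", "0.0.0.0")]:
        verdict = "allowed" if may_bind(job, port, proto, addr, restrict, res) else "refused"
        print("%-8s %5d/%s on %-13s %s" % (job, port, proto, addr, verdict))
```

The INETD1 queries show why BIND matters: the same port 23 is handed to TN3270D for every address but to INETD1 only on 201.2.10.199, so INETD1 binding INADDR_ANY is refused. The MYHTTPD queries show the other half of the rule: with no PORT entry, port 80 is refused under RESTRICTLOWPORTS while 8080 is not. The model covers only what the page describes; real profiles also accept PORTRANGE entries and wildcard task names, which this parser does not handle.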

The FTP application has the unusual characteristic of using a second connection for the data transfer. It also allows a user to "hop" to a secondary FTP server, a process called proxy. Consequently, some further restrictions are possible in the FTP environment. Such controls are effected using the FTP.DATA configuration data set.

For example, the FTP subcommand PORT can be disabled in a proxy environment by using the PORTCOMMAND statement. Or, the IP address carried in a PORT command, or returned in reply to a PASV command (see RFC 959), can be forced to match the IP address of the remote end of the control session. This is accomplished using the PORTCOMMANDIPADDR and PASSIVEDATACONN statements, respectively.
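The Python script below is an added example and is not z/OS FTP server or client code. It decodes the RFC 959 host-port form (h1,h2,h3,h4,p1,p2) and models the two address checks described above: on the server side, that a client PORT command names the address the control session came from (the PORTCOMMANDIPADDR restriction); on the client side, that a 227 reply to PASV names the server the control session was opened to (the PASSIVEDATACONN restriction). It also checks the passive reply against the bounded data port range the text describes agreeing with the firewall. The addresses, the replies and the 50000-50099 range are constructed for the example; the NOREDIRECT keyword named in the comments is the FTP.DATA option value that turns these checks on and is not itself shown on this page.

```python
"""Checks on FTP data-connection addresses and ports (RFC 959 forms).

Constructed example, not z/OS FTP code.  Models the address-match behaviour
the text attributes to PORTCOMMANDIPADDR (server side) and PASSIVEDATACONN
(client side), i.e. their NOREDIRECT setting, plus a client-side check that
a passive data port lies inside the range the firewall was opened for.
"""
import re

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
HOSTPORT = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
# 227 reply: the host-port form appears in parentheses somewhere after the code
PASV_REPLY = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', port)."""
    m = HOSTPORT.match(arg.strip())
    if m is None:
        raise ValueError("malformed host-port %r" % arg)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % arg)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def check_port_command(arg, control_peer_ip):
    """Server-side check of a client PORT command (PORTCOMMANDIPADDR NOREDIRECT).

    Returns (accepted, reason).  The data connection is accepted only when the
    client asks for it to go back to the address the control session came from.
    """
    try:
        ip, port = decode_hostport(arg)
    except ValueError as exc:
        return False, str(exc)
    if ip != control_peer_ip:
        return False, "PORT names %s but control peer is %s" % (ip, control_peer_ip)
    return True, "data connection to %s:%d" % (ip, port)


def check_pasv_reply(reply, control_server_ip, data_ports):
    """Client-side check of a 227 reply (PASSIVEDATACONN NOREDIRECT), plus a
    check that the advertised port lies in the (low, high) range that was
    opened in the firewall.  Returns (accepted, reason)."""
    m = PASV_REPLY.match(reply.strip())
    if m is None:
        return False, "not a well-formed 227 reply: %r" % reply
    try:
        ip, port = decode_hostport(m.group(1))
    except ValueError as exc:
        return False, str(exc)
    if ip != control_server_ip:
        return False, "PASV reply names %s but control server is %s" % (ip, control_server_ip)
    low, high = data_ports
    if not low <= port <= high:
        return False, "data port %d outside permitted range %d-%d" % (port, low, high)
    return True, "data connection to %s:%d" % (ip, port)


if __name__ == "__main__":
    # Constructed sample session: client 10.1.2.3 talking to server 10.9.8.7,
    # with the server's passive data ports limited to 50000-50099.
    print(check_port_command("10,1,2,3,195,80", "10.1.2.3"))       # accepted, port 50000
    print(check_port_command("10,1,2,99,195,80", "10.1.2.3"))      # refused: other host
    print(check_pasv_reply("227 Entering Passive Mode (10,9,8,7,195,89).",
                           "10.9.8.7", (50000, 50099)))            # accepted, port 50009
    print(check_pasv_reply("227 Entering Passive Mode (10,9,8,7,200,0).",
                           "10.9.8.7", (50000, 50099)))            # refused: port 51200
```

Both checks return a reason string, which is what an operator wants to see in a server trace or a client log when a transfer is refused. The script handles only the IPv4 forms of RFC 959; the EPRT/EPSV forms of RFC 2428 carry the address differently and are not modelled here.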





Copyright IBM Corporation 1990, 2010