Firewall does not permit FTP client to establish a data connection
You might be able to log in to an FTP server through a firewall, but find you cannot transfer files using a passive data connection. The reason is that the ephemeral ports chosen for the data connection are outside the range of ports permitted by the firewall.
If the client sends EPSV or PASV to the server to start the data connection, FTP is establishing a passive data connection, or is operating in passive mode. In passive mode, the server chooses the ephemeral port for the data connection. Ephemeral port numbers are part of the EPSV and PASV replies the server sends to the client. You can configure the z/OS® FTP server to use only a specific range of ephemeral ports for the data connection that are compatible with what you have configured for your firewall by coding the PASSIVEDATAPORTS statement in FTP.DATA. See z/OS Communications Server: IP Configuration Reference for information about the PASSIVEDATAPORTS statement. Alternatively, you can restrict the range of ephemeral ports that are available to TCP/IP by coding the EPHEMERALPORTS parameter on the TCPCONFIG configuration statement. See the description of the EPHEMERALPORTS parameter in the TCPCONFIG configuration statement section in z/OS Communications Server: IP Configuration Reference for more information about the EPHEMERALPORTS parameter.
Result: Both FTP and non-FTP applications use ephemeral ports that are within the EPHEMERALPORTS range.
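The following added example (not part of the IBM documentation, and not z/OS code) shows the check this page describes from the client side: it decodes the ephemeral data port carried in a PASV (227) or EPSV (229) reply and tests whether that port falls inside the range the firewall permits. The reply strings and the permitted range are constructed sample values; in practice the range would be whatever you coded on PASSIVEDATAPORTS or EPHEMERALPORTS and opened on the firewall.

```python
import re

# Constructed sample replies in the formats defined by RFC 959 (PASV) and RFC 2428 (EPSV).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80)"
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||50001|)"
SAMPLE_PASV_OUT_OF_RANGE = "227 Entering Passive Mode (192,168,1,10,4,0)"

# Hypothetical data-port range opened on the firewall (assumed values, not from the page).
# It should match the range coded on PASSIVEDATAPORTS in FTP.DATA.
PERMITTED_RANGE = (50000, 50999)


def parse_passive_reply(reply):
    """Return (host, port) from a PASV or EPSV reply.

    For PASV the host and port are encoded as six decimal bytes; the port is
    p1 * 256 + p2. For EPSV only the port is carried, so host is None.
    """
    reply = reply.strip()
    if reply.startswith("227"):
        m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
        if not m:
            raise ValueError("malformed PASV reply: %r" % reply)
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if p1 > 255 or p2 > 255:
            raise ValueError("PASV port bytes out of range: %r" % reply)
        return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)
    if reply.startswith("229"):
        # EPSV reply uses the delimiter form (|||port|); address is that of the control connection
        m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
        if not m:
            raise ValueError("malformed EPSV reply: %r" % reply)
        return (None, int(m.group(1)))
    raise ValueError("not a passive-mode reply: %r" % reply)


def port_permitted(port, port_range=PERMITTED_RANGE):
    """True if the ephemeral data port lies within the firewall-permitted range."""
    low, high = port_range
    return low <= port <= high


def diagnose(reply, port_range=PERMITTED_RANGE):
    """Explain whether the data connection announced by this reply would pass the firewall."""
    _, port = parse_passive_reply(reply)
    if port_permitted(port, port_range):
        return "data port %d is within permitted range %d-%d" % (port, port_range[0], port_range[1])
    return ("data port %d is outside permitted range %d-%d; "
            "adjust PASSIVEDATAPORTS or EPHEMERALPORTS, or the firewall rule"
            % (port, port_range[0], port_range[1]))


if __name__ == "__main__":
    for r in (SAMPLE_PASV_REPLY, SAMPLE_EPSV_REPLY, SAMPLE_PASV_OUT_OF_RANGE):
        print(r, "->", diagnose(r))
```

The first two sample replies decode to ports 50000 and 50001 and pass; the third decodes to port 1024 and is reported as outside the range, which is the symptom this page describes: the login succeeds but the data connection is blocked.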
If the client sends PORT or EPRT to the server to start the data connection, the client is said to be establishing an active data connection, or operating in active mode. Active mode FTP is not recommended for sessions through firewalls. Use the locsite subcommand with the FWFRIENDLY parameter, or code FWFRIENDLY TRUE in FTP.DATA, to direct the client to operate in passive mode.