Question & Answer
Question
As a security precaution, our firewall is configured to allow port addresses to be recognized only if they fall within a certain range. If a port is detected outside of this range, the connection is terminated.
The FTP client and server use the well-known ports 20 and 21 but also require that ephemeral ports be obtained for the (temporary) data connections. These connections must go through the firewall, which requires that ports be obtained within that selected range. Is there a way to configure FTP to choose ephemeral ports from that range?
Answer
When running FTP in passive mode, you can use the PASSIVEDATAPORTS option on your z/OS FTP server to specify the range of ephemeral ports that can be used for the data connection.
As per the z/OS Communications Server IP Configuration Reference, section: PASSIVEDATAPORTS (FTP server) statement:
"By default, the FTP server allows the stack to select a port number from its entire range of ephemeral ports for listening data sockets. PASSIVEDATAPORTS affects ports selected for the data connection only; the control connection ports are not affected. PASSIVEDATAPORTS is useful in conjunction with firewalls that restrict the range of port numbers allowed to FTP.
Guideline: Code a PORTRANGE AUTHPORT statement in PROFILE.TCPIP to reserve the ports you have specified with PASSIVEDATAPORTS. If you are using a sysplex DVIPA to distribute the FTP server workload with sysplex ports, code the same PORTRANGE AUTHPORT statement for each participating stack in the sysplex.
Restriction: If you have PORTRANGE statements in PROFILE.TCPIP that reserve ports for a different application, and those reserved ports intersect with the PASSIVEDATAPORTS ports, the FTP server is never able to obtain those ports.
Examples:
To restrict the server's choice of ports for listening data sockets to ports from 50000 to 50099, code the following statement in FTP.DATA:
PASSIVEDATAPORTS (50000,50099)
To prevent other applications from consuming ports in the range 50000 - 50099, code the following statement in PROFILE.TCPIP:
PORTRANGE 50000 100 TCP AUTHPORT"
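The guideline and restriction quoted above amount to three checks a practitioner would want to run against the two configuration members before trusting the firewall rule: the PASSIVEDATAPORTS range must sit inside the range the firewall permits, a PORTRANGE ... TCP AUTHPORT statement must reserve that whole range, and no PORTRANGE statement for a different application may intersect it (otherwise the FTP server can never obtain those ports). The following Python script is an added example, not IBM code and not part of the original technote. It runs on constructed FTP.DATA and PROFILE.TCPIP excerpts embedded inline; the firewall range, the BATCHJOB reservation, and the statement regexes (written from the PASSIVEDATAPORTS (low,high) and PORTRANGE first-port count protocol name forms shown above) are assumptions for the example.

```python
"""Consistency check for z/OS FTP passive data-port configuration.

Added example (not IBM code). Parses PASSIVEDATAPORTS from an FTP.DATA
excerpt and PORTRANGE statements from a PROFILE.TCPIP excerpt, both
constructed here, and reports mismatches against a firewall-permitted range.
"""
import re

# Constructed sample input; not taken from a real system.
FTP_DATA = """\
; FTP.DATA excerpt (constructed)
PASSIVEDATAPORTS (50000,50099)
"""

PROFILE_TCPIP = """\
; PROFILE.TCPIP excerpt (constructed)
PORTRANGE 50000 100 TCP AUTHPORT
PORTRANGE 50050 20 TCP BATCHJOB   ; assumed reservation that intersects the FTP range
PORTRANGE 60000 10 UDP SOMEAPP
"""

# Range the firewall allows for data connections (assumed for the example).
FIREWALL_RANGE = (50000, 50099)

# Statement forms as quoted from the IP Configuration Reference on this page.
PDP_RE = re.compile(r"^\s*PASSIVEDATAPORTS\s*\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I | re.M)
PORTRANGE_RE = re.compile(r"^\s*PORTRANGE\s+(\d+)\s+(\d+)\s+(TCP|UDP)\s+(\S+)", re.I | re.M)


def parse_passivedataports(text):
    """Return (low, high) from the first PASSIVEDATAPORTS statement, or None."""
    m = PDP_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def parse_portranges(text):
    """Return [(first, last, proto, name)] for every PORTRANGE statement.

    PORTRANGE takes a first port and a count, so the last port is
    first + count - 1; name is a job name or the AUTHPORT keyword.
    """
    out = []
    for m in PORTRANGE_RE.finditer(text):
        first, count = int(m.group(1)), int(m.group(2))
        out.append((first, first + count - 1, m.group(3).upper(), m.group(4).upper()))
    return out


def overlaps(a, b):
    """True when inclusive ranges a=(lo,hi) and b=(lo,hi) share any port."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_config(ftp_data, profile, firewall_range):
    """Return a list of findings; an empty list means the three checks pass."""
    findings = []
    pdp = parse_passivedataports(ftp_data)
    if pdp is None:
        # Without the statement the stack may pick any ephemeral port,
        # which is exactly what the firewall rule will reject.
        return ["no PASSIVEDATAPORTS statement in FTP.DATA: stack may choose "
                "any ephemeral port for the data connection"]
    lo, hi = pdp
    if lo > hi:
        findings.append(f"PASSIVEDATAPORTS ({lo},{hi}) has low > high")
    if not (firewall_range[0] <= lo and hi <= firewall_range[1]):
        findings.append(f"PASSIVEDATAPORTS {lo}-{hi} is not inside firewall range "
                        f"{firewall_range[0]}-{firewall_range[1]}")

    tcp = [r for r in parse_portranges(profile) if r[2] == "TCP"]
    # Guideline: an AUTHPORT reservation should cover the whole FTP range.
    if not any(r[0] <= lo and hi <= r[1] for r in tcp if r[3] == "AUTHPORT"):
        findings.append(f"no PORTRANGE ... TCP AUTHPORT reserves all of {lo}-{hi}")
    # Restriction: ports reserved for another application are never available.
    for first, last, _proto, name in tcp:
        if name != "AUTHPORT" and overlaps((first, last), (lo, hi)):
            findings.append(f"PORTRANGE {first}-{last} TCP {name} intersects "
                            f"PASSIVEDATAPORTS {lo}-{hi}; FTP server can never "
                            f"obtain those ports")
    return findings


if __name__ == "__main__":
    for f in check_config(FTP_DATA, PROFILE_TCPIP, FIREWALL_RANGE) or ["OK"]:
        print(f)
```

Run against the constructed input, the script reports only the BATCHJOB reservation, which is the restriction case from the reference; removing that PORTRANGE line yields no findings. The check covers the passive-mode path the answer describes: in active mode the data connection goes to an ephemeral port chosen by the client, which no z/OS server setting controls.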
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
23 December 2015
UID
dwa1245477