FTP settings (4/7)
5. Work with IP addresses

Option 5 (Work with IP addresses) from the "Secured Tcp" Menu (see Figure 2) displays the following screen (Figure 6):

Figure 6 - Work with IP addresses

Before discussing the three options in Figure 6, note that all of them use the same screen to define an IP address:

Figure 7 - Adding an IP address
  • IP address (from) or *ANY
    Do one of the following:
    • Enter *ANY to mean that any IP address belongs to this category (Allowed, Privileged, or Excluded) of IP addresses.
      If an *ANY entry exists in a category, any other entry in the same category is ignored.
    • Enter an IP address, which may be partial. All IP addresses matching the initial characters of this IP address are treated as belonging to the same category (Allowed, Privileged, or Excluded).
  • IP address (to) or blank
    If an IP address was entered in "IP address (from) or *ANY", you may enter an IP address here, which may also be partial. It ends the range of IP addresses that starts with the "from" entry.
  • Description
    Optionally enter a description for the *ANY entry, for the (generic) IP address, or for the range of IP addresses defined in this entry.

We can now discuss the three options in Figure 6.

A. Work with Allowed IP Addresses
Use this option to specify which IP addresses are allowed to access the FTP server. Generally we recommend a single entry specifying the *ANY IP address.
However, you may decide to define one or more entries specifying ranges of IP addresses, and/or single entries specifying given or generic IP addresses.

B. Work with Privileged IP Addresses
Clients connecting from IP addresses in this category are not subject to any rule (except the OS/400 security rules):
- they may log in with user profiles that are not in the list of authorized user profiles
- they may perform any type of FTP operation
- they may access any directory

C. Work with Excluded IP Addresses
Clients connecting from IP addresses in this category cannot even log in to FTP.

How the client IP address category is established at FTP run time

  1. The client's full IP address is looked up in the SECTCP IP addresses file. If found, it is assigned the category of that entry. If not found, ...
  2. The SECTCP IP addresses file is searched for generic IP addresses matching the client one. If one is found, its category is assigned to the client IP address. If no matches, ...
  3. If IP address *ANY was defined for the "Excluded" category, the client is assigned this category. Otherwise, ...
  4. If IP address *ANY was defined for the "Privileged" category, the client is assigned this category. Otherwise, ...
  5. If IP address *ANY was defined for the "Allowed" category, the client is assigned this category. If no category has been assigned so far, ...
  6. The client IP address is assigned the "Undefined" category and will be managed as an "Excluded" one.
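
The six steps above can be modelled in a few lines to check what a planned set of entries would do before it is keyed in. This is an added example, not SECTCP code: the `(category, address)` layout, the function names, the longest-match rule for competing generic entries, and the treatment of a four-octet entry as "full" are assumptions, and "from/to" ranges are left out because the page does not say how they are compared.

```python
# Added illustration, not SECTCP code. The (category, address) layout is assumed.
ANY = "*ANY"

def is_full(addr):
    # Assumption: four dot-separated octets means a full (non-generic) address.
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)

def resolve_category(client_ip, entries):
    """Apply the six documented steps to one client address."""
    # Step 1: an entry holding the client's full address decides.
    for category, addr in entries:
        if addr == client_ip:
            return category
    # Step 2: generic entries are compared on their initial characters.
    # Assumption: if several match, the longest (most specific) one is used.
    generic = [(category, addr) for category, addr in entries
               if addr != ANY and not is_full(addr) and client_ip.startswith(addr)]
    if generic:
        return max(generic, key=lambda e: len(e[1]))[0]
    # Steps 3-5: *ANY entries, tried as Excluded, then Privileged, then Allowed.
    any_categories = {category for category, addr in entries if addr == ANY}
    for category in ("Excluded", "Privileged", "Allowed"):
        if category in any_categories:
            return category
    # Step 6: no entry applies.
    return "Undefined"

def may_log_in(category):
    # "Undefined" is managed as "Excluded", so only two categories get in.
    return category in ("Allowed", "Privileged")

# Constructed sample table: deny by default, one allowed subnet, one privileged host.
SAMPLE = [
    ("Excluded", ANY),
    ("Allowed", "192.168.1."),
    ("Privileged", "192.168.1.10"),
]

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.55", "203.0.113.9"):
        category = resolve_category(ip, SAMPLE)
        print(ip, category, "login" if may_log_in(category) else "rejected")
```

Because generic entries are compared on initial characters, in this model an entry of `192.168.1` without the trailing dot also matches 192.168.10.7, which is why the sample entry ends with a dot.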