5. Work with IP addresses
Option 5 (Work with IP addresses) from the "Secured Tcp" Menu (see Figure 2)
displays the following screen (Figure 6):
Figure 6 - Work with IP addresses
Before discussing the three options in Figure 6, note that all of them use the same screen
to define an IP address:
Figure 7 - Adding an IP address
- IP address (from) or *ANY
Do one of the following:
- Enter *ANY to mean that any IP address belongs to this category (Allowed, Privileged, or Excluded) of IP addresses.
If the *ANY entry is present, any other entry in the same category is ignored.
- Enter an IP address, even a partial one. All the IP addresses matching the initial characters of this IP address will be
treated as belonging to the same category (Allowed, Privileged, or Excluded).
- IP address (to) or blank
Enter an IP address, even a partial one, if an IP address was entered in the IP address (from) or *ANY field. This entry ends the range of
IP addresses that starts with that other entry.
Optionally enter a description for the *ANY, for the (generic) IP address or for the range of IP addresses defined in this entry.
We can now discuss the three options in Figure 6.
A. Work with Allowed IP Addresses
Use this option to specify which IP addresses are allowed to access the FTP server.
Generally we recommend having a single entry, specifying the *ANY IP address.
However, you may decide to specify one or more entries specifying ranges of IP addresses, and/or
single entries specifying given or generic IP addresses.
B. Work with Privileged IP Addresses
IP addresses in this category are not subject to any rule (except the OS/400 security rules):
- they are allowed to log in with user profiles not in the list of authorized user profiles
- they are allowed to perform any type of FTP operation
- they are allowed to access any directory
C. Work with Excluded IP Addresses
IP addresses in this category cannot even log in to FTP.
How the client IP address category is established at FTP run time
- The client's full IP address is looked up in the SECTCP IP addresses file. If found, the client is assigned that entry's category. If not found, ...
- The SECTCP IP addresses file is searched for generic IP addresses matching the client's address. If one is found, its category is assigned to the client IP address. If none matches, ...
- If IP address *ANY was defined for the "Excluded" category, the client is assigned this category. Otherwise, ...
- If IP address *ANY was defined for the "Privileged" category, the client is assigned this category. Otherwise, ...
- If IP address *ANY was defined for the "Allowed" category, the client is assigned this category. If no category has been assigned so far, ...
- The client IP address is assigned the "Undefined" category and will be managed as an "Excluded" one.
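The lookup order above can be modelled in a few lines. This is an added example, not SECTCP code: the entry layout and function names are hypothetical, the choice of the longest match when several generic entries apply is an assumption, and from/to range entries are left out because the steps above do not say where they are evaluated.

```python
# Added example: a model of the lookup order described above, not SECTCP code.
ANY = "*ANY"
ANY_ORDER = ("Excluded", "Privileged", "Allowed")  # order in which *ANY is tested

def is_full(ip):
    """True for a complete dotted address (four non-empty parts)."""
    parts = ip.split(".")
    return len(parts) == 4 and all(parts)

def resolve_category(client_ip, entries):
    """entries: (category, ip) pairs; ip is a full address, a partial
    (generic) address, or *ANY. Returns (assigned, managed_as)."""
    # Field rule: once a category holds *ANY, its other entries are ignored.
    any_cats = {cat for cat, ip in entries if ip == ANY}
    active = [(cat, ip) for cat, ip in entries
              if ip != ANY and cat not in any_cats]
    # Step 1: the client's full IP address.
    for cat, ip in active:
        if is_full(ip) and ip == client_ip:
            return cat, cat
    # Step 2: generic entries, compared on initial characters.
    # Assumption: when several generic entries match, the longest wins.
    hits = [(len(ip), cat) for cat, ip in active
            if not is_full(ip) and client_ip.startswith(ip)]
    if hits:
        cat = max(hits)[1]
        return cat, cat
    # Steps 3-5: *ANY entries, Excluded first, then Privileged, then Allowed.
    for cat in ANY_ORDER:
        if cat in any_cats:
            return cat, cat
    # Step 6: nothing matched; "Undefined" is managed as "Excluded".
    return "Undefined", "Excluded"

# Constructed sample table, for illustration only.
SAMPLE = [
    ("Allowed", ANY),
    ("Privileged", "10.1"),        # generic entry without a trailing dot
    ("Excluded", "198.51.100.7"),  # full address
]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "10.1.2.3", "10.10.4.4", "203.0.113.9"):
        print(ip, resolve_category(ip, SAMPLE))
```

With matching on initial characters, the generic entry 10.1 in this model also covers 10.10.4.4; writing it as 10.1. keeps a Privileged entry to the intended 10.1.x.x addresses.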