JANUS SRVSOCK: Difference between revisions
Latest revision as of 20:34, 6 December 2016
Define JANUS SRVSOCK rules
The JANUS SRVSOCK command defines the rules for a Janus Sockets server running on a SRVSOCK port. These rules control access to the port.
The JANUS SRVSOCK command is slightly different from most Janus commands in that it usually takes a set of commands to fully specify the rules for a port. For instance, it may take a number of commands to specify the various host names and ranges of IP addresses that may connect. The order in which JANUS SRVSOCK commands are specified also affects how they are processed.
Syntax
JANUS SRVSOCK portname rule_type [optional parameters]
The first two parameters are positional and are required:
portname | A 1 - 30 character name of the port, or a pattern specifying a set of ports, for which the rule is being defined. Wildcards are allowed. |
---|---|
rule_type | The sort of rule that is being specified for the port or ports. Valid types are ALLOW (assigns access permission) and DISALLOW (removes access permission). |
optional_parameters | These parameters vary with the rule_type value. See JANUS SRVSOCK ALLOW and JANUS SRVSOCK DISALLOW, below. |
Usage notes
- The ALLOW and DISALLOW rules are processed together, from most recent to oldest.
- The optional parameters allowed for JANUS SRVSOCK depend on the rule type that is specified. The various types are shown in the following sections, followed by a section giving examples and showing the interaction of JANUS SRVSOCK commands (Rule matching order and examples).
- The JANUS WEB command is used by Janus Web Server to establish rules for WEBSERV ports. Note that the JANUS CLSOCK and JANUS SRVSOCK commands differ from the corresponding rules available with the JANUS WEB command in the following ways:
- JANUS WEB does not allow any optional parameters (for example, USGROUP) on the DISALLOW rule.
- The default access for WEBSERV non-SSL ports and SRVSOCK ports is ALLOW. The default access for WEBSERV SSL ports, CLSOCK, and DEBUGGERCLIENT ports is DISALLOW.
- ALLOW and DISALLOW are the only rule types for JANUS CLSOCK and JANUS SRVSOCK; there are a number of other rule types for JANUS WEB.
JANUS SRVSOCK ALLOW
    JANUS SRVSOCK portname ALLOW -
        [NONE] | [IPADDR ipaddr | IPGROUP ipgroup]
The JANUS SRVSOCK ALLOW command indicates that a particular remote host or set of hosts have access to the SRVSOCK ports that match pattern portname.
The default access for SRVSOCK ports is to allow all remote hosts. For an incoming request, access to a SRVSOCK port depends on the most recent rule for that port that matches the conditions of the request:
- If the conditions match all clauses on a JANUS SRVSOCK ALLOW rule, access to the port is allowed.
- If the conditions match all clauses on a JANUS SRVSOCK DISALLOW rule, access to the port is not allowed.
- If the conditions match neither an ALLOW nor a DISALLOW rule, access to the port is allowed.
If a JANUS SRVSOCK ALLOW command is specified with no optional parameters, all hosts can access the SRVSOCK ports that match the pattern in portname.
The optional parameters for the JANUS SRVSOCK ALLOW command are:
NONE | Indicates that no remote hosts are allowed access to portname. If NONE is specified, no other optional parameters may be specified. |
---|---|
IPADDR ipaddr | Indicates that a request from a machine with an IP address that matches ipaddr is allowed access to portname. ipaddr can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model 204), or a subnet.
- IPV4 subnets are indicated by an IP address followed by either a forward slash (/) and a netmask, or a hyphen (-) and the number of bits in the subnet mask, with no intervening blanks. For example, 198.242.244.97 is a simple IP address that must be matched exactly; 198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is allowed access to portname.
- IPV6 addresses are 128-bit integers, represented as eight colon-separated 16-bit (four hex-digit) groups, which may be abbreviated and represented with fewer groups, for example fe80:0000:0000:0000:0200:0000:0300:0016 or fe80::200:0:300:16. An IPV6 subnet is indicated by the first address in the range, followed by a forward slash and a decimal value equal to the number of bits in the network prefix. A subnet that includes the example address above is fe80::200:0/48.
The IPADDR parameter cannot be specified if the IPGROUP parameter is specified. |
IPGROUP ipgroup | A user on a machine with an IP address that matches one of the entries in ipgroup is allowed access to portname. IP groups are defined with the JANUS DEFINEIPGROUP command. The IPGROUP parameter cannot be specified if the IPADDR parameter is specified. |
JANUS SRVSOCK DISALLOW
    JANUS SRVSOCK portname DISALLOW -
        [IPADDR ipaddr | IPGROUP ipgroup]
The JANUS SRVSOCK DISALLOW command indicates that a particular remote host or set of hosts does not have access to the SRVSOCK ports that match pattern portname.
The default access for all SRVSOCK ports is to allow all remote hosts. For an incoming request, access to a SRVSOCK port depends on the most recent rule for that port that matches the conditions of the request:
- If the conditions match all clauses on a JANUS SRVSOCK DISALLOW rule, access to the port is not allowed.
- If the conditions match all clauses on a JANUS SRVSOCK ALLOW rule, access to the port is allowed.
- If the conditions match neither an ALLOW nor a DISALLOW rule, access to the port is allowed.
If a JANUS SRVSOCK DISALLOW command is specified with no optional parameters, no hosts can access the SRVSOCK ports that match the pattern in portname.
The optional parameters for the JANUS SRVSOCK DISALLOW command are:
IPADDR ipaddr | Indicates that a request from a machine with an IP address that matches ipaddr is not allowed access to portname. ipaddr can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model 204), or a subnet.
- IPV4 subnets are indicated by an IP address followed by either a forward slash (/) and a netmask, or a hyphen (-) and the number of bits in the subnet mask, with no intervening blanks. For example, 198.242.244.97 is a simple IP address that must be matched exactly; 198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is not allowed access to portname.
- IPV6 addresses are 128-bit integers, represented as eight colon-separated 16-bit (four hex-digit) groups, which may be abbreviated and represented with fewer groups, for example fe80:0000:0000:0000:0200:0000:0300:0016 or fe80::200:0:300:16. An IPV6 subnet is indicated by the first address in the range, followed by a forward slash and a decimal value equal to the number of bits in the network prefix. A subnet that includes the example address above is fe80::200:0/48.
The IPADDR parameter cannot be specified if the IPGROUP parameter is specified. |
---|---|
IPGROUP ipgroup | Indicates that a user on a machine with an IP address that matches one of the entries in ipgroup is not allowed access to portname. IP groups are defined with the JANUS DEFINEIPGROUP command. The IPGROUP parameter cannot be specified if the IPADDR parameter is specified. |
Rule matching order and examples
Each execution of a JANUS SRVSOCK subcommand adds to the set of rules for the specified SRVSOCK port. Individual rules cannot be deleted nor modified. All rules can be deleted only by stopping and deleting the port definition. Deleting a port definition, however, should not be necessary, as long as you follow the two golden rules:
- Specify the most general rules first and the most specific last.
- Specify an initial rule that "clears" all related rules.
The following example illustrates these principles:
    JANUS SRVSOCK TEST21 DISALLOW *
    JANUS SRVSOCK TEST21 ALLOW IPADDR 198.242.244.0-24
    JANUS SRVSOCK TEST21 ALLOW IPADDR 169.84.128.0-3
    JANUS SRVSOCK TEST21 DISALLOW IPADDR 169.84.128.17
In this example, any previously specified ALLOW rules on port TEST21 are made obsolete by the first DISALLOW rule. Once the TEST21 access rules are cleared, two subnets are given access permission, and then a single specific IP address within one of those subnets has its access revoked. Because the default access for SRVSOCK ports is ALLOW, a rule set made up only of ALLOW rules restricts nothing: it is the initial blanket DISALLOW that turns the port into an allow-list, and without it every host outside the listed subnets is still admitted.
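The following Python script is an added example, not code from this page or from Model 204; it is a stand-alone model of the access-rule semantics documented above (default ALLOW, the most recent matching rule wins, IPADDR in host form, IPv4 addr/netmask or addr-bits form, and IPv6 addr/prefix form). It assumes that portname wildcards are `*` and `?`, treats the `DISALLOW *` spelling used in the page's example as the documented no-parameter (all hosts) form, and resolves IPGROUP from a caller-supplied dictionary that stands in for JANUS DEFINEIPGROUP, whose syntax is not on this page. Running it decides the page's TEST21 rule set for a few constructed client addresses, then shows what changes when the clearing DISALLOW is omitted and when the specific DISALLOW is given before the general ALLOW.

```python
"""Hypothetical evaluator for JANUS SRVSOCK ALLOW/DISALLOW rules (added illustration,
not Model 204 or Janus code). It models only what the page documents."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ipaddr(spec: str) -> Network:
    """Turn one IPADDR value into an ip_network; a bare host becomes /32 or /128."""
    if "/" in spec:                      # 198.242.244.0/255.255.255.0 or fe80::200:0/48
        addr, mask = spec.split("/", 1)
        return ipaddress.ip_network((addr, mask), strict=False)
    if "-" in spec:                      # 198.242.244.0-24 (IPv4 only on this page)
        addr, bits = spec.split("-", 1)
        return ipaddress.ip_network((addr, int(bits)), strict=False)
    return ipaddress.ip_network(spec)


@dataclass(frozen=True)
class Rule:
    port_pattern: str                    # port name; '*' and '?' wildcards are assumed
    allow: bool                          # True for ALLOW, False for DISALLOW
    networks: Optional[List[Network]]    # None means the rule matches every host


def parse_rule(command: str, ipgroups: Optional[Dict[str, List[str]]] = None) -> Rule:
    """Parse one 'JANUS SRVSOCK portname ALLOW|DISALLOW [...]' command line."""
    tokens = command.split()
    if len(tokens) < 4 or [t.upper() for t in tokens[:2]] != ["JANUS", "SRVSOCK"]:
        raise ValueError(f"not a JANUS SRVSOCK command: {command!r}")
    port, rule_type, params = tokens[2], tokens[3].upper(), tokens[4:]
    if rule_type not in ("ALLOW", "DISALLOW"):
        raise ValueError(f"unknown rule_type {rule_type!r}")
    allow = rule_type == "ALLOW"
    # The page's example writes the blanket rule as "DISALLOW *"; a lone "*" is
    # treated here like the documented no-parameter form (all hosts).
    if not params or params == ["*"]:
        return Rule(port, allow, None)
    keyword, rest = params[0].upper(), params[1:]
    if allow and keyword == "NONE" and not rest:
        return Rule(port, False, None)   # ALLOW NONE: no remote host is allowed
    if keyword == "IPADDR" and len(rest) == 1:
        return Rule(port, allow, [parse_ipaddr(rest[0])])
    if keyword == "IPGROUP" and len(rest) == 1:
        # ipgroups is a stand-in for JANUS DEFINEIPGROUP (assumption: name -> IPADDR specs)
        members = (ipgroups or {}).get(rest[0].upper())
        if members is None:
            raise ValueError(f"IP group {rest[0]!r} is not defined")
        return Rule(port, allow, [parse_ipaddr(m) for m in members])
    raise ValueError(f"bad parameters {params!r} for {rule_type}")


def access_allowed(rules: List[Rule], port: str, client_ip: str) -> bool:
    """Documented matching order: newest matching rule wins; no match means ALLOW."""
    ip = ipaddress.ip_address(client_ip)
    for rule in reversed(rules):                       # most recent first
        if not fnmatch.fnmatchcase(port.upper(), rule.port_pattern.upper()):
            continue
        if rule.networks is None or any(ip in net for net in rule.networks):
            return rule.allow
    return True                                        # SRVSOCK default access


# The page's own TEST21 rule set, in the order it is given.
PAGE_EXAMPLE = [
    "JANUS SRVSOCK TEST21 DISALLOW *",
    "JANUS SRVSOCK TEST21 ALLOW IPADDR 198.242.244.0-24",
    "JANUS SRVSOCK TEST21 ALLOW IPADDR 169.84.128.0-3",
    "JANUS SRVSOCK TEST21 DISALLOW IPADDR 169.84.128.17",
]


def decisions(commands: List[str], port: str = "TEST21") -> Dict[str, bool]:
    """Evaluate a rule list for a few constructed client addresses."""
    rules = [parse_rule(c) for c in commands]
    clients = ["198.242.244.97", "169.84.128.17", "169.84.128.18", "203.0.113.5"]
    return {c: access_allowed(rules, port, c) for c in clients}


if __name__ == "__main__":
    print("as documented:   ", decisions(PAGE_EXAMPLE))
    # Without the initial blanket DISALLOW the ALLOW lines change nothing,
    # because the SRVSOCK default already admits everyone (203.0.113.5 gets in).
    print("no clearing rule:", decisions(PAGE_EXAMPLE[1:]))
    # Specific rule before the general one: the later subnet ALLOW shadows
    # the single-host DISALLOW, so 169.84.128.17 is admitted.
    print("specific first:  ", decisions([PAGE_EXAMPLE[0], PAGE_EXAMPLE[3], PAGE_EXAMPLE[2]]))
```

The three printed dictionaries differ only in the two entries that the golden rules are about: omitting the clearing rule admits the unrelated 203.0.113.5, and reversing the specific and general rules admits the host the page meant to revoke. Note that 169.84.128.0-3 is taken literally as a 3-bit mask, as the notation on the page defines it.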