JANUS SRVSOCK
Define JANUS SRVSOCK rules
The JANUS SRVSOCK command defines the rules for a Janus Sockets server running on a SRVSOCK port. These rules control access to the port.
The JANUS SRVSOCK command is slightly different from most Janus commands in that it usually takes a set of commands to fully specify the rules for a port. For instance, it may take a number of commands to specify the various host names and ranges of IP addresses that may connect. The order in which JANUS SRVSOCK commands are specified also affects how they are processed.
Syntax
JANUS SRVSOCK portname rule_type [optional parameters]
The first two parameters are positional and are required:
portname | A 1 - 30 character name of the port, or a pattern specifying a set of ports, for which the rule is being defined. Wildcards are allowed. | ||||
---|---|---|---|---|---|
rule_type | The sort of rule that is being specified for the port or ports. Valid types are:
|
Usage notes
- The ALLOW and DISALLOW rules are processed together, from most recent to oldest.
- The optional parameters allowed for JANUS SRVSOCK depend on the rule type that is specified. The various types are shown in the following sections, followed by a section giving examples and showing the interaction of JANUS SRVSOCK commands (Rule matching order and examples).
- The JANUS WEB command is used by Janus Web Server to establish rules for WEBSERV ports. Note that the JANUS CLSOCK and JANUS SRVSOCK commands differ from the corresponding rules available with the JANUS WEB command in the following ways:
- JANUS WEB does not allow any optional parameters (for example, USGROUP) on the DISALLOW rule.
- The default access for WEBSERV non-SSL ports and SRVSOCK ports is ALLOW. The default access for WEBSERV SSL ports, CLSOCK, and DEBUGGERCLIENT ports is DISALLOW.
- ALLOW and DISALLOW are the only rule types for JANUS CLSOCK and JANUS SRVSOCK; there are a number of other rule types for JANUS WEB.
JANUS SRVSOCK ALLOW
JANUS SRVSOCK portname ALLOW - [NONE] | [IPADDR ipaddr | IPGROUP ipgroup]
The JANUS SRVSOCK ALLOW command indicates that a particular remote host or set of hosts have access to the SRVSOCK ports that match pattern portname.
The default access for SRVSOCK ports is to allow all remote hosts. For an incoming request, access to a SRVSOCK port depends on the most recent rule for that port that matches the conditions of the request:
- If the conditions match all clauses on a JANUS SRVSOCK ALLOW rule, access to the port is allowed.
- If the conditions match all clauses on a JANUS SRVSOCK DISALLOW rule, access to the port is not allowed.
- If the conditions match neither an ALLOW nor a DISALLOW rule, access to the port is allowed.
If a JANUS SRVSOCK ALLOW command is specified with no optional parameters, all hosts can access the SRVSOCK ports that match the pattern in portname.
The optional parameters for the JANUS SRVSOCK ALLOW command are:
NONE | Indicates that no remote hosts are allowed access to portname. If NONE is specified, no other optional parameters may be specified. |
---|---|
IPADDR ipaddr | Indicates that a request from a machine with an IP address that matches ipaddr is allowed access to portname. ipaddr can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model 204), or it can be a subnet.
|
IPGROUP ipgroup | A user on a machine with an IP address that matches one of the entries in ipgroup is allowed access to portname.
IP groups are defined with the JANUS DEFINEIPGROUP command. The IPGROUP parameter cannot be specified if the IPADDR parameter is specified. |
JANUS SRVSOCK DISALLOW
JANUS SRVSOCK portname DISALLOW - [IPADDR ipaddr| IPGROUP ipgroup]
The JANUS SRVSOCK DISALLOW command indicates that a particular remote host or set of hosts does not have access to the SRVSOCK ports that match pattern portname.
The default access for all SRVSOCK ports is to allow all remote hosts. For an incoming request, access to a SRVSOCK port depends on the most recent rule for that port that matches the conditions of the request:
- If the conditions match all clauses on a JANUS SRVSOCK DISALLOW rule, access to the port is not allowed.
- If the conditions match all clauses on a JANUS SRVSOCK ALLOW rule, access to the port is allowed.
- If the conditions match neither an ALLOW nor a DISALLOW rule, access to the port is allowed.
If a JANUS SRVSOCK DISALLOW command is specified with no optional parameters, no hosts can access the SRVSOCK ports that match the pattern in portname.
The optional parameters for the JANUS SRVSOCK DISALLOW command are:
IPADDR ipaddr | Indicates that a request from a machine with an IP address that matches ipaddr is not allowed access to portname.
ipaddr can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model 204), or it can be a subnet.
The IPADDR parameter cannot be specified if the IPGROUP parameter is specified. |
---|---|
IPGROUP ipgroup | Indicates that a user on a machine with an IP address that matches one of the entries in ipgroup is not allowed access to portname.
IP groups are defined with the JANUS DEFINEIPGROUP command. The IPGROUP parameter cannot be specified if the IPADDR parameter is specified. |
Rule matching order and examples
Each execution of a JANUS SRVSOCK subcommand adds to the set of rules for the specified SRVSOCK port. Individual rules cannot be deleted nor modified. All rules can be deleted only by stopping and deleting the port definition. Deleting a port definition, however, should not be necessary, as long as you follow the two golden rules:
- Specify the most general rules first and the most specific last.
- Specify an initial rule that "clears" all related rules.
The following example illustrates these principles:
JANUS SRVSOCK TEST21 DISALLOW * JANUS SRVSOCK TEST21 ALLOW IPADDR 198.242.244.0-24 JANUS SRVSOCK TEST21 ALLOW IPADDR 169.84.128.0-3 JANUS SRVSOCK TEST21 DISALLOW IPADDR 169.84.128.17
In this example, any previously specified ALLOW rules on port TEST21
are made obsolete by the first DISALLOW rule. Once the TEST21
access rules are cleared, two subnets are given access permission, and then a single specific IP address within one of those subnets has its access revoked.