JANUS CLSOCK: Difference between revisions

From m204wiki
Jump to navigation Jump to search
mNo edit summary
m (→‎Syntax: typos)
 
(12 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{DISPLAYTITLE:JANUS CLSOCK}}
{{DISPLAYTITLE:JANUS CLSOCK}}
<span class="pageSubtitle"><section begin="desc" />Defines rules for a Janus socket client<section end="desc" /></span>
<span class="pageSubtitle">Defines rules for a Janus socket client</span>


The <var>JANUS CLSOCK</var> command defines the rules for a <var class="product">[[Janus Sockets]]</var> client <var>CLSOCK</var> or <var>[[JANUS DEFINE#type|DEBUGGERCLIENT]]</var> port. These rules control access to the port. ''System administrators always have access to a client port'', so no <var>CLSOCK</var> rules are required to provide socket access to these users.
The <var>JANUS CLSOCK</var> command defines the rules for a <var class="product">[[Janus Sockets]]</var> client <var>CLSOCK</var> or <var>[[JANUS DEFINE#type|DEBUGGERCLIENT]]</var> port. These rules control access to the port. ''System administrators always have access to a client port'', so no <var>CLSOCK</var> rules are required to provide socket access to these users.


The <var>JANUS CLSOCK</var> command is slightly different from most Janus commands in that it usually takes a set of commands to fully specify the rules for a port. For instance, it may take a number of commands to specify the various users and applications that may use a port on the socket-connection $function <var>[[$Sock_Conn]]</var> or object method <var>[[New (Socket constructor)|New]]</var>.
The <var>JANUS CLSOCK</var> command is slightly different from most Janus commands in that it usually takes a set of commands to fully specify the rules for a port. For instance, it may take a number of commands to specify the various users and applications that may use a port on the socket-connection $function <var>[[$Sock_Conn]]</var> or <var>Socket</var> class method <var>[[New (Socket constructor)|New]]</var>.


The order in which <var>JANUS CLSOCK</var> commands are specified also affects how they are processed.
The order in which <var>JANUS CLSOCK</var> commands are specified also affects how they are processed.


==Syntax==
==Syntax==
<p class="syntax"><span class="literal">JANUS CLSOCK </span><span class="term">portname rule_type </span><span class="squareb">[</span><span class="term">optional parameters</span><span class="squareb">]</span>
<p class="syntax"><span class="literal">JANUS CLSOCK</span> <span class="term">portname rule_type </span><span class="squareb">[</span><span class="term">optional_parameters</span><span class="squareb">]</span>
</p>
</p>


Where:
Where:


<table class="syntaxTable">
<table>
<tr><th>portname</th>
<tr><th>portname</th>
<td>A 1 - 30 character name of the port, or a pattern specifying a set of ports, for which the rule is being defined. Wildcards are allowed.</td></tr>
<td>A 1 - 30 character name of the port, or a pattern specifying a set of ports, for which the rule is being defined. Wildcards are allowed.</td></tr>
<tr><th>rule_type</th>
<tr><th>rule_type</th>
<td>The type of rule being specified for the port or ports. Valid <var class="term">rule_types</var> are:
<td>The type of rule being specified for the port or ports. Valid <var class="term">rule_type</var> are:
<ul>
<ul>
<li><var>DISALLOW</var> &mdash; Removes access permission.</li>
<li><var>DISALLOW</var> &mdash; Removes access permission.</li>
Line 24: Line 25:
</ul>
</ul>
</td></tr>
</td></tr>
<tr><th>optional_parameters</th>
<td>These parameters vary with the <var class="term">rule_type</var> value. See [[#JANUS CLSOCK rule types|JANUS CLSOCK rule types]], below. </td></tr>
</table>
</table>


The <var>ALLOW</var> and <var>DISALLOW</var> rules are processed together, from most recent to oldest. The optional parameters allowed for the <var>JANUS CLSOCK</var> command depend on the <var class="term">rule_type</var> value. The rule types are shown below, followed by a section giving examples and showing the interaction of <var>JANUS CLSOCK</var> commands.
==Usage notes==
<ul>
<li>The <var>ALLOW</var> and <var>DISALLOW</var> rules are processed together, from most recent to oldest. The optional parameters allowed for the <var>JANUS CLSOCK</var> command depend on the <var class="term">rule_type</var> value. The rule types are shown below, followed by a section giving examples and showing the interaction of <var>JANUS CLSOCK</var> commands.


Note that the <var>JANUS CLSOCK</var> and <var>JANUS SRVSOCK</var> commands differ from the corresponding rules available with the <var>[[JANUS WEB]]</var> command in the following ways:
<li>The <var>JANUS CLSOCK</var> and <var>JANUS SRVSOCK</var> commands differ from the corresponding rules available with the <var>[[JANUS WEB]]</var> command in the following ways:


<ul>
<ul>
<li><var>JANUS WEB</var> does not allow any optional parameters (for example, <var>USGROUP</var> on the <var>DISALLOW</var> rule).</li>
<li><var>JANUS WEB</var> does not allow any optional parameters (for example, <var>USGROUP</var> on the <var>DISALLOW</var> rule).</li>
<li>The default access for <var>WEBSERV</var> non-SSL ports and <var>SRVSOCK</var> ports is <var>ALLOW</var>. The default access for <var>WEBSERV</var> SSL ports and <var>CLSOCK</var> and <var>DEBUGGERCLIENT</var> ports is <var>DISALLOW</var>.</li>
<li>The default access for <var>WEBSERV</var> non-SSL ports and <var>SRVSOCK</var> ports is <var>ALLOW</var>. The default access for <var>WEBSERV</var> SSL ports and <var>CLSOCK</var> and <var>DEBUGGERCLIENT</var> ports is <var>DISALLOW</var>.</li>
<li><var>ALLOW</var> and <var>DISALLOW</var> are the only rule types for <var>JANUS CLSOCK</var> and <var>JANUS SRVSOCK</var>. There are a number of other rule types for <var>JANUS WEB</var>.</li>
<li><var>ALLOW</var> and <var>DISALLOW</var> are the only rule types for <var>JANUS CLSOCK</var> and <var>JANUS SRVSOCK</var>. There are a number of other rule types for <var>JANUS WEB</var>.</li>
</ul>
</ul>
</ul>
==Examples==
This is a simple port definition deck that allows connections to any remote site:
<p class="code">JANUS FORCE  CLSOCK
JANUS DELETE CLSOCK
JANUS DEFINE CLSOCK * CLSOCK 5 TIMEOUT 240 REMOTE * * MASTER
JANUS CLSOCK CLSOCK ALLOW REMOTE * *
JANUS START  CLSOCK
</p>
Here is a similar port definition deck enhanced to support SSL connections (the <code>SSL 0</code> option) to any remote port for any valid user (the <var>ALLOW</var> rules).
The <var>ADDCA</var> rule at the end supports connections to ports that are secured with "unrecognized" SSL certificates, typically these would be self-signed certificates created with the Rocket JANSSL application.
<p class="code">JANUS FORCE  CLSOCK
JANUS DELETE CLSOCK
JANUS DEFINE CLSOCK * CLSOCK 5 TIMEOUT 240 REMOTE * * MASTER SSL 0 SSLOPT -
            SSLMAXCERTL 4096 SSLBSIZE 32767
JANUS CLSOCK CLSOCK ALLOW
JANUS CLSOCK CLSOCK ALLOW REMOTE * *
JANUS START  CLSOCK
JANUS ADDCA  CLSOCK JANWEB LOCALLY.SIGNED.CERT
</p>


==JANUS CLSOCK ALLOW==
==JANUS CLSOCK rule types==


===JANUS CLSOCK ALLOW===
The <var>JANUS CLSOCK ALLOW</var> command indicates a combination of conditions which, if all specified, allow either of these:
The <var>JANUS CLSOCK ALLOW</var> command indicates a combination of conditions which, if all specified, allow either of these:
<ul>
<ul>
<li>A socket-connection $function <var>$Sock_Conn</var> or object method <var>New</var> invocation to access the <var>CLSOCK</var> ports that match pattern <var class="term">portname</var>.
<li>A socket-connection $function <var>[[$Sock_Conn]]</var> or <var>Socket</var> class method <var>New</var> invocation to access the <var>CLSOCK</var> ports that match pattern <var class="term">portname</var>.
<li>A <var class="product">Sirius Debugger</var> user to access the <var>DEBUGGERCLIENT</var> ports that match pattern <var class="term">portname</var>.
 
<li>A <var class="product">TN3270 Debugger</var> user to access the <var>DEBUGGERCLIENT</var> ports that match pattern <var class="term">portname</var>.
</ul>
</ul>


The default access for all <var>CLSOCK</var> and <var>DEBUGGERCLIENT</var> ports is to disallow all access &#x2014; except system administrators can access '''''any''''' such port, regardless of rules (since a system administrator can always issue <var>JANUS CLSOCK</var> to grant access to herself).  
The default access for all <var>CLSOCK</var> and <var>DEBUGGERCLIENT</var> ports is to disallow all access &emdash; except system administrators can access '''''any''''' such port, regardless of rules (since a system administrator can always issue <var>JANUS CLSOCK</var> to grant access to herself).  


For a non-system administrator, access to a <var>CLSOCK</var> or <var>DEBUGGERCLIENT</var> port depends on the most recent rule for that port that matches the conditions of the <var>$Sock_Conn</var> or <var>New</var> method call, or <var class="product">Sirius Debugger</var> <var>SIRIUS DEBUG ON</var> command:
For a non-system administrator, access to a <var>CLSOCK</var> or <var>DEBUGGERCLIENT</var> port depends on the most recent rule for that port that matches the conditions of the <var>$Sock_Conn</var> or <var>New</var> method call, or <var class="product">Sirius Debugger</var> <var>SIRIUS DEBUG ON</var> command:
Line 50: Line 84:
<ul>
<ul>
<li>If the conditions match all clauses on a <var>JANUS CLSOCK ALLOW</var> rule, access to the port is allowed.</li>
<li>If the conditions match all clauses on a <var>JANUS CLSOCK ALLOW</var> rule, access to the port is allowed.</li>
<li>If the conditions match all clauses on a <var>JANUS CLSOCK DISALLOW</var> rule, access to the port is disallowed.</li>
<li>If the conditions match all clauses on a <var>JANUS CLSOCK DISALLOW</var> rule, access to the port is disallowed.</li>
<li>If the conditions match neither an <var>ALLOW</var> nor <var>DISALLOW</var> rule, access to the port is disallowed.</li>
<li>If the conditions match neither an <var>ALLOW</var> nor <var>DISALLOW</var> rule, access to the port is disallowed.</li>
</ul>
</ul>
If the <var>JANUS CLSOCK ALLOW</var> command is specified with no optional parameters, access to the <var>CLSOCK</var> or <var>DEBUGGERCLIENT</var> ports that match the pattern in <var class="term">portname</var> is unrestricted.
If the <var>JANUS CLSOCK ALLOW</var> command is specified with no optional parameters, access to the <var>CLSOCK</var> or <var>DEBUGGERCLIENT</var> ports that match the pattern in <var class="term">portname</var> is unrestricted.


===Syntax===
====Syntax====
<p class="syntax"><span class="literal">JANUS CLSOCK </span><span class="term">portname </span><span class="literal">ALLOW -</span>
<p class="syntax"><span class="literal">JANUS CLSOCK </span><span class="term">portname </span><span class="literal">ALLOW -</span>
                       <span class="squareb">[</span><span class="literal">NONE</span><span class="squareb">]</span> <span class="squareb">|</span> <span class="squareb">[</span><span class="literal">USER </span><span class="term">userid </span><span class="squareb">|</span> <span class="literal">USGROUP </span><span class="term">usgroup</span><span class="squareb">]</span> -
                       <span class="squareb">[</span><span class="literal">NONE</span><span class="squareb">]</span> <span class="squareb">|</span> <span class="squareb">[</span><span class="literal">USER </span><span class="term">userid </span><span class="squareb">|</span> <span class="literal">USGROUP </span><span class="term">usgroup</span><span class="squareb">]</span> -
Line 66: Line 102:
The optional parameters for the <var>JANUS CLSOCK ALLOW</var> command are:
The optional parameters for the <var>JANUS CLSOCK ALLOW</var> command are:


<table class="syntaxTable">
<table>
<tr><th><var>NONE</var></th>  
<tr><th><var>NONE</var></th>  
<td>Indicates that no access is allowed to <var class="term">portname</var>. If <var>NONE</var> is specified, no other optional parameters may be specified.</td></tr>
<td>Indicates that no access is allowed to <var class="term">portname</var>. If <var>NONE</var> is specified, no other optional parameters may be specified.</td></tr>
Line 72: Line 108:
<tr><th><var>USER</var> userid</th>
<tr><th><var>USER</var> userid</th>
<td>Indicates that the <var class="product">Model 204</var> user ID <var class="term">userid</var> may issue a <var>$Sock_Conn</var> or a <var>New</var> method call or a <var>SIRIUS DEBUG ON</var> command for <var class="term">portname</var>.  
<td>Indicates that the <var class="product">Model 204</var> user ID <var class="term">userid</var> may issue a <var>$Sock_Conn</var> or a <var>New</var> method call or a <var>SIRIUS DEBUG ON</var> command for <var class="term">portname</var>.  
<p>
For example, if <var class="term">userid</var> is <code>HOMER</code>, a user that logs in as <code>HOMER</code> will be allowed access to <var class="term">portname</var>. If <var class="term">userid</var> is <code>SIMP*</code>, a user that logs in as any user ID that begins with the string <code>SIMP</code> is allowed access to <var class="term">portname</var>.
For example, if <var class="term">userid</var> is <code>HOMER</code>, a user that logs in as <code>HOMER</code> will be allowed access to <var class="term">portname</var>. If <var class="term">userid</var> is <code>SIMP*</code>, a user that logs in as any user ID that begins with the string <code>SIMP</code> is allowed access to <var class="term">portname</var>. </p>
 
<p>
The <var>USER</var> parameter cannot be specified if the <var>USGROUP</var> parameter is specified.
The <var>USER</var> parameter cannot be specified if the <var>USGROUP</var> parameter is specified. </p>
 
<p>
<code>USER &#39;&#39;</code> (that is, <var>USER</var> with the null string) is not allowed, since there is always a (non-null) user ID when a request is issued.
<code>USER &#39;&#39;</code> (that is, <var>USER</var> with the null string) is not allowed, since there is always a (non-null) user ID when a request is issued. </p>
 
<p>
<code>USER *</code> is allowed, but it is meaningless: it does not change which conditions a rule matches.</td></tr>
<code>USER *</code> is allowed, but it is meaningless: it does not change which conditions a rule matches. </p></td></tr>


<tr><th nowrap="true"><var>USGROUP</var> usgroup</th>
<tr><th nowrap="true"><var>USGROUP</var> usgroup</th>
<td>Indicates that a <var class="product">Model 204</var> user is allowed access to <var class="term">portname</var> if his or her user ID matches an entry in the user group identified by <var class="term">usgroup</var>. User groups are defined with the <var>[[JANUS DEFINEUSGROUP]]</var> command. The <var>USGROUP</var> parameter cannot be specified if the <var>USER</var> parameter is specified.</td></tr>
<td>Indicates that a <var class="product">Model&nbsp;204</var> user is allowed access to <var class="term">portname</var> if his or her user ID matches an entry in the user group identified by <var class="term">usgroup</var>. User groups are defined with the <var>[[JANUS DEFINEUSGROUP]]</var> command. The <var>USGROUP</var> parameter cannot be specified if the <var>USER</var> parameter is specified.</td></tr>


<tr><th><var>FILE</var> procfile</th>
<tr><th><var>FILE</var> procfile</th>
Line 93: Line 129:
<td>Indicates that a <var>$Sock_Conn</var> or <var>New</var> call or <var>SIRIUS DEBUG ON</var> command is allowed to access <var class="term">portname</var> if issued from an APSY subsystem with a name that matches the pattern <var class="term">subsysname</var>. <code>SUBSYS *</code> indicates that access is allowed by any subsystem. <code>SUBSYS &#39;&#39;</code> indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure.</td></tr>
<td>Indicates that a <var>$Sock_Conn</var> or <var>New</var> call or <var>SIRIUS DEBUG ON</var> command is allowed to access <var class="term">portname</var> if issued from an APSY subsystem with a name that matches the pattern <var class="term">subsysname</var>. <code>SUBSYS *</code> indicates that access is allowed by any subsystem. <code>SUBSYS &#39;&#39;</code> indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure.</td></tr>


<tr><th><var>REMOTE</var> rmt_host rmt_portnum
<tr><th nowrap><var>REMOTE</var> rmt_host rmt_portnum
<td>Indicates that access is allowed to <var class="term">portname</var> if the remote host and port number (<var>$Sock_CONN</var> or <var>New</var> method arguments, with their defaults from the <var>REMOTE</var> clause of the <var>JANUS DEFINE</var> command for the <var>CLSOCK</var> port; or <var>SIRIUS DEBUG ON</var> command arguments for the Debugger Client address and port) match <var class="term">rmt_host</var> and <var class="term">rmt_portnum</var>, respectively. <var class="term">Rmt_host</var> can be any of the following:
<td>Access is allowed to <var class="term">portname</var> if the remote host and port number (<var>$Sock_Conn</var> or <var>New</var> method arguments or their defaults; or <var>SIRIUS DEBUG ON</var> command arguments for the Debugger Client address and port) match <var class="term">rmt_host</var> and <var class="term">rmt_portnum</var>, respectively.  
<p>
<var class="term">rmt_host</var> is one of the options in the "Remote host formats" table below. </p>
 
<var class="term">rmt_portnum</var> can be either of these:
<ul>
<li>An asterisk (<tt>*</tt>), indicating access is allowed for any port number at the specified remote host.</li>
 
<li>An integer in the range 1-65535, indicating that access is allowed only for the specified port number at the specified remote host.</li>
</ul>


<table class="syntaxTable">
<table>
<caption>Remote host formats</caption>
<tr><th nowrap><var>[NAME]</var> hostname</th>
<tr><th nowrap><var>[NAME]</var> hostname</th>
<td>Indicates that access is allowed if the name of the remote host matches the pattern <var class="term">hostname</var>. The null string is not allowed for <var class="term">hostname</var>, since there is always a (non-null) host for the <var>$Sock_Conn</var> or <var>New</var> method or <var>SIRIUS DEBUG ON</var> operation.  
<td>Access is allowed if the name of the remote host matches the pattern <var class="term">hostname</var>. The null string is not allowed for <var class="term">hostname</var>, since there is always a (non-null) host for the <var>$Sock_Conn</var> or <var>New</var> method or <var>SIRIUS DEBUG ON</var> operation.  
<p>
<p>
When the <var>NAME</var> keyword is explicitly specified, or when <var class="term">hostname</var> is a form that cannot be an IP address, the clause only matches if the connection to the remote host is made using a name rather than an IP address. This leads to some subtle differences in the meaning of an asterisk in the <var>REMOTE</var> clause. </p>
When the <var>NAME</var> keyword is explicitly specified, or when <var class="term">hostname</var> is a form that cannot be an IP address, the clause only matches if the connection to the remote host is made using a name rather than an IP address. This leads to some subtle differences in the meaning of an asterisk in the <var>REMOTE</var> clause. </p>
Line 104: Line 150:
For example, the following rule restricts the connection to any remote host at port 1234, whether the connection is specified by name or by IP address: </p>
For example, the following rule restricts the connection to any remote host at port 1234, whether the connection is specified by name or by IP address: </p>


<p class="code"> JANUS CLSOCK FOO ALLOW REMOTE * 1234</p>
<p class="code">JANUS CLSOCK FOO ALLOW REMOTE * 1234</p>


The following clause restricts the connection to any remote host at port 1234, as long as the connection is specified by host name:
The following clause restricts the connection to any remote host at port 1234, as long as the connection is specified by host name:


<p class="code"> JANUS CLSOCK FOO ALLOW REMOTE NAME * 1234</p>
<p class="code">JANUS CLSOCK FOO ALLOW REMOTE NAME * 1234</p>


<code>REMOTE * *</code> is allowed, but it is meaningless; that is,  it does not change which conditions a rule matches. <code>REMOTE NAME * *</code>, however, does restrict a rule to match only if the host name is specified on the connection, but it matches any remote host.</td></tr>
<code>REMOTE * *</code> is allowed, but it is meaningless; that is,  it does not change which conditions a rule matches. <code>REMOTE NAME * *</code>, however, does restrict a rule to match only if the host name is specified on the connection, but it matches any remote host.</td></tr>


<tr><th><var>IPGROUP</var> ipgroup</th>
<tr><th nowrap><var>IPGROUP</var> ipgroup</th>
<td>Indicates that access is allowed if the remote host's IP address matches one of the entries in <var class="term">ipgroup</var>. IP groups are defined with the <var>[[JANUS DEFINEIPGROUP]]</var> command.</td></tr>
<td>Access is allowed if the remote host's IP address matches one of the entries in <var class="term">ipgroup</var>. IP groups are defined with the <var>[[JANUS DEFINEIPGROUP]]</var> command.</td></tr>


<tr><th>ipaddr</th>  
<tr><th>ipaddr</th>  
<td>Indicates that access is allowed if the remote host has an IP address that matches <var class="term">ipaddr</var>. <var class="term">ipaddr</var> can be a simple IP address or it can be a subnet. Subnets are indicated by an IP address followed by either of these:
<td>Access is allowed if the remote host has an IP address that matches <var class="term">ipaddr</var>. <var class="term">ipaddr</var> can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model&nbsp;204), or it can be a subnet.  
 
<ul>
<ul>
<li>A slash (<tt>/</tt>) followed by a netmask (with no intervening blanks)</li>
<li>IPV4 subnets are indicated by an IP address followed by one of these:
<li>A hyphen (<tt>-</tt>) followed by a number of bits in the subnet mask (with no intervening blanks)</li>
<ul>
</ul>
<li>A forward slash (<tt>/</tt>) followed by a netmask (with no intervening blanks)</li>


For example, <code>198.244.244.97</code> is a simple address that must be matched exactly. <code>198.242.244.0/255.255.255.0</code>, which is equivalent to <code>198.242.244.0-24</code>, indicates that any machine on subnet 198.242.244.0 is to be allowed access to <var class="term">portname</var>.</td></tr>
<li>A hyphen (<tt>-</tt>) followed by the number of bits in the subnet mask (with no intervening blanks)</li>
</table>
</ul>
<p>
For example, <code>198.242.244.97</code> is a simple IP address that must be matched exactly. <code>.198.242.244.0/255.255.255.0</code>, which is equivalent to <code>198.242.244.0-24</code>, indicates that any machine on subnet 198.242.244.0 is to be allowed access to <var class="term">portname</var>. </p>


Note that when the <var>IPGROUP</var> <var class="term">ipgroup</var> or the <var class="term">ipaddr</var> form is used, the rule can match whether a connection is specified by host name or IP address. If the connection is by host name, it is first translated to an IP address, which is then used to match the rule.
<li>IPV6 addresses are 128-bit integers, represented with eight, colon-separated, 16-bit (four hex-digit) groups, which may be abbreviated and represented with fewer groups. For example,
 
<code>fe80:0000:0000:0000:0200:0000:0300:0016</code> or <code>fe80::200:0:300:16</code>.
<var class="term">rmt_portnum</var> can be either of these:
<p>
<ul>
An IPV6 subnet is indicated by the first address in the range, followed by a forward slash, and a decimal value equal to the number of bits in the network prefix. A subnet that includes the example address above is: <code>fe80::200:0/48</code>. </p></li>
<li>An asterisk (<tt>*</tt>), indicating access is allowed for any port number at the specified remote host.</li>
<li>An integer in the range 1-65535, indicating that access is allowed only for the specified port number at the specified remote host.</li>
</ul>
</ul>
</td></tr>
</td></tr>
</table>
</table>


==JANUS CLSOCK DISALLOW==
<p class="note"><b>Note:</b> When the <var>IPGROUP</var> <var class="term">ipgroup</var> or the <var class="term">ipaddr</var> form is used, the rule can match whether a connection is specified by host name or IP address. If the connection is by host name, it is first translated to an IP address, which is then used to match the rule. </p>
</td></tr>
</table>


===JANUS CLSOCK DISALLOW===
The <var>JANUS CLSOCK DISALLOW</var> command indicates a combination of conditions which, if all specified, prevent both of these:
The <var>JANUS CLSOCK DISALLOW</var> command indicates a combination of conditions which, if all specified, prevent both of these:
<ul>
<ul>
<li>A socket-connection $function <var>$Sock_Conn</var> or object method invocation from accessing the <var>CLSOCK</var> ports that match pattern <var class="term">portname</var>.
<li>A socket-connection $function <var>$Sock_Conn</var> or object method invocation from accessing the <var>CLSOCK</var> ports that match pattern <var class="term">portname</var>. </li>
<li>A <var class="product">Sirius Debugger</var> user who is '''not''' a <var class="product">Model 204</var> system administrator from accessing the <var>DEBUGGERCLIENT</var> ports that match pattern <var class="term">portname</var>.
 
<li>A <var class="product">Sirius Debugger</var> user from accessing the <var>DEBUGGERCLIENT</var> ports that match pattern <var class="term">portname</var>. </li>
</ul>
</ul>


The default access for all <var>CLSOCK</var> and <var>DEBUGGERCLIENT</var> ports is to disallow all access &#x2014; except system administrators can access any <var>CLSOCK</var> port, regardless of rules (since a system administrator can always issue <var>JANUS CLSOCK</var> to grant access to herself). For a non-system administrator, access to a <var>CLSOCK</var> port on a <var>$Sock_Conn</var> or <var>New</var> method invocation depends on the most recent rule for that port that matches the conditions of the <var>$Sock_Conn</var> or <var>New</var> method call:
The default access for all <var>CLSOCK</var> and <var>DEBUGGERCLIENT</var> ports is to disallow all access &#x2014; except system administrators can access '''''any''''' <var>CLSOCK</var> port, regardless of rules (since a system administrator can always issue <var>JANUS CLSOCK</var> to grant access to herself). For a non-system administrator, access to a <var>CLSOCK</var> or <var>DEBUGGERCLIENT</var> port depends on the most recent rule for that port that matches the conditions of the <var>$Sock_Conn</var> or <var>New</var> method call, or <var class="product">Sirius Debugger</var> <var>SIRIUS DEBUG ON</var> command:  


<ul>
<ul>
Line 151: Line 202:
</ul>
</ul>


===Syntax===
====Syntax====
<p class="syntax">JANUS CLSOCK portname DISALLOW -
<p class="syntax"><span class="literal">JANUS CLSOCK </span><span class="term">portname </span><span class="literal">DISALLOW -</span>
                [USER userid | USGROUP usgroup] -
                      <span class="squareb">[</span><span class="literal">USER </span><span class="term">userid </span><span class="squareb">|</span> <span class="literal">USGROUP </span><span class="term">usgroup</span><span class="squareb">]</span> -
                [FILE procfile] -
                      <span class="squareb">[</span><span class="literal">FILE </span><span class="term">procfile</span><span class="squareb">]</span> -
                [PROC procname] -
                      <span class="squareb">[</span><span class="literal">PROC </span><span class="term">procname</span><span class="squareb">]</span> -
                [SUBSYS subsysname] -
                      <span class="squareb">[</span><span class="literal">SUBSYS </span><span class="term">subsysname</span><span class="squareb">]</span> -
                [REMOTE rmt_host rmt_portnum]
                      <span class="squareb">[</span><span class="literal">REMOTE </span><span class="literal">rmt_host rmt_portnum</span><span class="squareb">]</span></p>
</p>
 
If the <var>JANUS CLSOCK DISALLOW</var> command is specified with no optional parameters, no <var>$Sock_Conn</var> invocation can access the <var>CLSOCK</var> ports that match the pattern in <var class="term">portname</var>.
If the <var>JANUS CLSOCK DISALLOW</var> command is specified with no optional parameters, no access is allowed to the <var>CLSOCK</var> or <var>DEBUGGERCLIENT</var> ports that match the pattern in <var class="term">portname</var>.


The optional parameters for the <var>JANUS CLSOCK DISALLOW</var> command are:
The optional parameters for the <var>JANUS CLSOCK DISALLOW</var> command are:


<table class="syntaxTable">
<table>
<tr><th><var>USER</var> userid</th>
<td>Indicates that the <var class="product">Model 204</var> user ID <var class="term">userid</var> may not issue a <var>$Sock_Conn</var> or a <var>New</var> method call or a <var>SIRIUS DEBUG ON</var> command for <var class="term">portname</var>.
For example, if <var class="term">userid</var> is <code>HOMER</code>, a user that logs in as <code>HOMER</code> is not allowed access to <var class="term">portname</var>. If <var class="term">userid</var> is <code>SIMP*</code>, a user that logs in as any user ID that begins with the string <code>SIMP</code> is not allowed access to <var class="term">portname</var>.
 
The <var>USER</var> parameter cannot be specified if the <var>USGROUP</var> parameter is specified.
 
<code>USER &#39;&#39;</code> (that is, <var>USER</var> with the null string) is not allowed, since there is always a (non-null) user ID when a request is issued.
 
<code>USER *</code> is allowed, but it is meaningless: it does not change which conditions a rule matches.</td></tr>


<tr><th>USER userid</th>
<tr><th nowrap="true"><var>USGROUP</var> usgroup</th>
<td>Indicates that the <var class="product">Model 204</var> user ID <var class="term">userid</var> may not issue <var>$Sock_Conn</var> or the <var>New</var> method for <var class="term">portname</var>. For example, if <var class="term">userid</var> is <code>HOMER</code>, a user that logs in as <code>HOMER</code> is not allowed access to <var class="term">portname</var>. If <var class="term">userid</var> is <code>SIMP*</code>, a user that logs in as any user ID that begins with the string <code>SIMP</code> is not allowed access to <var class="term">portname</var>.
<td>Indicates that a <var class="product">Model 204</var> user is not allowed access to <var class="term">portname</var> if his or her user ID matches an entry in the user group identified by <var class="term">usgroup</var>. User groups are defined with the <var>[[JANUS DEFINEUSGROUP]]</var> command. The <var>USGROUP</var> parameter cannot be specified if the <var>USER</var> parameter is specified.</td></tr>


The <var>USER</var> parameter cannot be specified if the <var>USGROUP</var> parameter is specified.
<tr><th><var>FILE</var> procfile</th>
<td>Indicates that access is not allowed to <var class="term">portname</var> if invoked by executing an outer procedure stored in a <var class="product">Model 204</var> file whose name matches the pattern <var class="term">procfile</var>. <code>FILE *</code> indicates that access is allowed by any procedure except a temporary request or an instream procedure. <code>FILE &#39;&#39;</code> indicates that access is allowed only by a temporary request or an in-stream procedure.</td></tr>


<code>USER</code> (that is, <var>USER</var> with the null string) is not allowed, since there is always a (non-null) user ID when a request is issued.
<tr><th><var>PROC</var> procname</th>
<td>Indicates that access is not allowed to <var class="term">portname</var> if invoked by executing an outer procedure whose name matches the pattern <var class="term">procname</var>. <code>PROC *</code> indicates that access is allowed by any procedure except a temporary request or an in-stream procedure. <code>PROC &#39;&#39;</code> indicates that access is allowed only by a temporary request or an in-stream procedure.</td></tr>


<code>USER *</code> is allowed, but it is meaningless; it does not change which conditions a rule matches.</td></tr>
<tr><th nowrap><var>SUBSYS</var> subsysname</th>
<td>Indicates that a <var>$Sock_Conn</var> or <var>New</var> call or <var>SIRIUS DEBUG ON</var> command is not allowed to access <var class="term">portname</var> if issued from an APSY subsystem with a name that matches the pattern <var class="term">subsysname</var>. <code>SUBSYS *</code> indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure. <code>SUBSYS &#39;&#39;</code> indicates that access is allowed by any subsystem.</td></tr>


<tr><th nowrap="true">>USGROUP usgroup</th>
<tr><th nowrap><var>REMOTE</var> rmt_host rmt_portnum
<td>Indicates that a <var class="product">Model 204</var> user is not allowed access to <var class="term">portname</var> if his or her user ID matches an entry in the user group identified by <var class="term">usgroup</var>. User groups are defined with the <var>JANUS DEFINEUSGROUP</var> command. The <var>USGROUP</var> parameter cannot be specified if the <var>USER</var> parameter is specified.</td></tr>
<td>Indicates that access is not allowed to <var class="term">portname</var> if the remote host and port number (from <var>[[$Sock_Conn]]</var> or <var>Socket</var> class <var>[[New (Socket constructor)|New]]</var> method arguments or their defaults; or <var>SIRIUS DEBUG ON</var> command arguments for the Debugger Client address and port) match <var class="term">rmt_host</var> and <var class="term">rmt_portnum</var>, respectively.


<tr><th>FILE procfile</th>
<var class="term">rmt_host</var> is one of the options in the "Remote host formats" table below.
<td>Indicates that <var>$Sock_Conn</var> or the <var>New</var> method is not allowed to access <var class="term">portname</var> if invoked by executing an outer procedure stored in a <var class="product">Model 204</var> file whose name matches the pattern <var class="term">procfile</var>. <code>FILE *</code> indicates that access is allowed only by a temporary request or an in-stream procedure. <code>FILE &#39;&#39;</code> indicates that access is allowed by any procedure except a temporary request or an in-stream procedure.</td></tr>


<tr><th>PROC procname</th>
<var class="term">rmt_portnum</var> is either of these:
<td>Indicates that <var>$Sock_Conn</var> or the <var>New</var> method is not allowed to access <var class="term">portname</var> if invoked by executing an outer procedure whose name matches the pattern <var class="term">procname</var>. <code>PROC *</code> indicates that access is allowed only by a temporary request or an in-stream procedure. <code>PROC &#39;&#39;</code> indicates that access is allowed by any procedure except a temporary request or an instream procedure.</td></tr>


<tr><th>SUBSYS subsysname</th>
<ul>
<td>Indicates that a <var>$Sock_Conn</var> or <var>New</var> method invocation is not allowed to access <var class="term">portname</var> if issued from an APSY subsystem with a name that matches the pattern <var class="term>subsysname</var>. <var>SUBSYS *</var> indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure. <var>SUBSYS</var> indicates that access is allowed by any subsystem.</td></tr>
<li>An asterisk (<tt>*</tt>), indicating access is allowed for any port number at the specified remote host.</li>
<li>An integer in the range 1-65535, indicating that access is allowed only for the specified port number at the specified remote host.</li>
</ul>


<tr><th>REMOTE rmt_host rmt_portnum</th>
<table>
<td>Indicates that a <var>$Sock_Conn</var> or <var>New</var> method invocation is not allowed to access <var class="term">portname</var> if the remote host and port number (<var>$Sock_Conn</var> or <var>New</var> method arguments, with their defaults from the <var>REMOTE</var> clause of the <var>JANUS DEFINE</var> command for the <var>CLSOCK</var> port) match <var class="term">rmt_host</var> and <var class="term">rmt_portnum</var>, respectively. <var class="term">Rmt_host</var> can be any of the following:
<caption>Remote host formats</caption>
<tr><th nowrap><var>[NAME]</var> hostname</th>
<td>Access is not allowed if the name of the remote host matches the pattern <var class="term">hostname</var>. The null string is not allowed for <var class="term">hostname</var>, since there is always a (non-null) host for the <var>$Sock_Conn</var> or <var>New</var> method or <var>SIRIUS DEBUG ON</var> operation.
<p>
When the <var>NAME</var> keyword is explicitly specified, or when <var class="term">hostname</var> is a form that cannot be an IP address, the clause only matches if the connection to the remote host is made using a name rather than an IP address. This leads to some subtle differences in the meaning of an asterisk in the <var>REMOTE</var> clause. </p>


<table class="syntaxTable">
For example, the following rule restricts the connection to any remote host, as long as a port other than 1234 is used, whether the connection is specified by name or by IP address:
<tr><th>[NAME] hostname</th>
<td>Indicates that access is not allowed if the name of the remote host matches the pattern <var class="term">hostname</var>.
The null string is not allowed for <var class="term">hostname</var>, since there is always a (non-null) host for the <var>$Sock_Conn</var> or <var>New</var> method operation.<br /><br />When the <var>NAME</var> keyword is explicitly specified, or when <var class="term>hostname</var> is a form that cannot be an IP address, the clause only matches if the connection to the remote host is made using a name rather than an IP address. This leads to some subtle differences in the meaning of an asterisk in the <var>REMOTE</var> clause.<br /><br />For example, the following rule restricts the connection to any remote host, as long as a port other than 1234 is used, whether the connection is specified by name or by IP address:


<p class="code"> JANUS CLSOCK FOO DISALLOW REMOTE * 1234</p>
<p class="code"> JANUS CLSOCK FOO DISALLOW REMOTE * 1234</p>
Line 198: Line 263:
The following rule disallows a connection to any remote host at port 1234, if the connection is specified by host name.
The following rule disallows a connection to any remote host at port 1234, if the connection is specified by host name.


<p class="code"> JANUS CLSOCK FOO DISALLOW REMOTE NAME * 1234</p>
<p class="code">JANUS CLSOCK FOO DISALLOW REMOTE NAME * 1234</p>


(Admittedly, these <var>DISALLOW</var> examples, especially the latter one, seem far-fetched and probably are not useful in practice.)   
(Admittedly, these <var>DISALLOW</var> examples, especially the latter one, seem far-fetched and probably are not useful in practice.)   
Line 204: Line 269:
<code>REMOTE * *</code> is allowed, but it is meaningless: it does not change which conditions a rule matches. <code>REMOTE NAME * *</code>, however, does restrict a rule to match only if the host name is specified on the connection, but it matches any remote host.</td></tr>
<code>REMOTE * *</code> is allowed, but it is meaningless: it does not change which conditions a rule matches. <code>REMOTE NAME * *</code>, however, does restrict a rule to match only if the host name is specified on the connection, but it matches any remote host.</td></tr>


<tr><th>IPGROUP ipgroup</th>
<tr><th nowrap><var>IPGROUP</var> ipgroup</th>
<td>Indicates that access is not allowed if the remote host's IP address matches one of the entries in <var class="term">ipgroup</var>. IP groups are defined with the <var>[[JANUS DEFINEIPGROUP]]</var> command. </td></tr>
<td>Access is not allowed if the remote host's IP address matches one of the entries in <var class="term">ipgroup</var>. IP groups are defined with the <var>[[JANUS DEFINEIPGROUP]]</var> command. </td></tr>


<tr><th>ipaddr</th>  
<tr><th>ipaddr</th>  
<td>Indicates that access is not allowed if the remote host has an IP address that matches <var class="term">ipaddr</var>. <var class="term">ipaddr</var> can be a simple IP address or it can be a subnet. Subnets are indicated by an IP address followed by either of these:
<td>Access is not allowed if the remote host has an IP address that matches <var class="term">ipaddr</var>. <var class="term">ipaddr</var> can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model&nbsp;204), or it can be a subnet.  
 
<ul>
<ul>
<li>A slash ( / ) followed by a netmask (with no intervening blanks)
<li>IPV4 subnets are indicated by an IP address followed by one of these:
<li>A hyphen ( - ) followed by a number of bits in the subnet mask (with no intervening blanks)
<ul>
</ul>
<li>A forward slash (<tt>/</tt>) followed by a netmask (with no intervening blanks)</li>
 
<li>A hyphen (<tt>-</tt>) followed by the number of bits in the subnet mask (with no intervening blanks)</li>
</ul>
<p>
For example, <code>198.242.244.97</code> is a simple IP address that must be matched exactly. <code>.198.242.244.0/255.255.255.0</code>, which is equivalent to <code>198.242.244.0-24</code>, indicates that any machine on subnet 198.242.244.0 is to be allowed access to <var class="term">portname</var>. </p>


For example, 198.244.244.97 is a simple address that must be matched exactly. 198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to <var class="term">portname</var>.
<li>IPV6 addresses are 128-bit integers, represented with eight, colon-separated, 16-bit (four hex-digit) groups, which may be abbreviated and represented with fewer groups. For example,  
</td></tr>
<code>fe80:0000:0000:0000:0200:0000:0300:0016</code> or <code>fe80::200:0:300:16</code>.  
<p>
An IPV6 subnet is indicated by the first address in the range, followed by a forward slash, and a decimal value equal to the number of bits in the network prefix. A subnet that includes the example address above is: <code>fe80::200:0/48</code>. </p></li>
</ul></td></tr>
</table>
</table>


Note that when the <var>IPGROUP</var> <var class="term">ipgroup</var> or the <var class="term">ipaddr</var> form is used, the rule
<p class="note"><b>Note:</b> When the <var>IPGROUP</var> <var class="term">ipgroup</var> or the <var class="term">ipaddr</var> form is used, the rule
can match whether a connection is specified by host name or IP address. If
can match whether a connection is specified by host name or IP address. If
the connection is by host name, it is first translated to an IP address, which
the connection is by host name, it is first translated to an IP address, which is then used to match the rule. </p>
is then used to match the rule.
 
<var class="term">Rmt_portnum</var> can be either of these:
 
<ul>
<li>An asterisk (*), indicating access is allowed for any port number at the specified remote host.</li>
<li>An integer in the range 1-65535, indicating that access is allowed only for the specified port number at the specified remote host.</li>
</ul>
</td></tr>
</td></tr>
</table>
</table>


==Rule matching order and examples==
==Rule matching order and examples==
Each execution of a <var>JANUS CLSOCK</var> subcommand adds to the set of rules for the
Each execution of a <var>JANUS CLSOCK</var> subcommand adds to the set of rules for the
specified port. Individual rules cannot be deleted nor modified. All rules can be deleted
specified port. Individual rules cannot be deleted nor modified. All rules can be deleted
Line 246: Line 311:
The following example illustrates these principles:
The following example illustrates these principles:


<p class="code"> JANUS CLSOCK TEST21 DISALLOW *
<p class="code">JANUS CLSOCK TEST21 DISALLOW *
JANUS CLSOCK TEST21 ALLOW SUBSYS ECOMMER*
JANUS CLSOCK TEST21 ALLOW SUBSYS ECOMMER*
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS -
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS REMOTE IPADDR 169.84.111.0-24 9333
              REMOTE IPADDR 169.84.111.0-24 9333
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS REMOTE IPADDR 169.84.112.0-24 9333
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS -
JANUS CLSOCK TEST21 ALLOW USER SIMP*
              REMOTE IPADDR 169.84.112.0-24 9333
JANUS CLSOCK TEST21 ALLOW USER SIMP*
</p>
</p>


Line 262: Line 325:
</ul>
</ul>


==References and links==
==See also==
See: [[List_of_Janus_commands|Janus command list]]
<ul>
<li>[[List of Janus commands]]
</ul>
 
[[Category:Janus commands|JANUS CLSOCK]]
[[Category:Janus commands|JANUS CLSOCK]]

Latest revision as of 20:25, 6 December 2016

Defines rules for a Janus socket client

The JANUS CLSOCK command defines the rules for a Janus Sockets client CLSOCK or DEBUGGERCLIENT port. These rules control access to the port. System administrators always have access to a client port, so no CLSOCK rules are required to provide socket access to these users.

The JANUS CLSOCK command is slightly different from most Janus commands in that it usually takes a set of commands to fully specify the rules for a port. For instance, it may take a number of commands to specify the various users and applications that may use a port on the socket-connection $function $Sock_Conn or Socket class method New.

The order in which JANUS CLSOCK commands are specified also affects how they are processed.

Syntax

JANUS CLSOCK portname rule_type [optional_parameters]

Where:

portname A 1 - 30 character name of the port, or a pattern specifying a set of ports, for which the rule is being defined. Wildcards are allowed.
rule_type The type of rule being specified for the port or ports. Valid rule_type are:
  • DISALLOW — Removes access permission.
  • ALLOW — Assigns access permission.
optional_parameters These parameters vary with the rule_type value. See JANUS CLSOCK rule types, below.

Usage notes

  • The ALLOW and DISALLOW rules are processed together, from most recent to oldest. The optional parameters allowed for the JANUS CLSOCK command depend on the rule_type value. The rule types are shown below, followed by a section giving examples and showing the interaction of JANUS CLSOCK commands.
  • The JANUS CLSOCK and JANUS SRVSOCK commands differ from the corresponding rules available with the JANUS WEB command in the following ways:
    • JANUS WEB does not allow any optional parameters (for example, USGROUP on the DISALLOW rule).
    • The default access for WEBSERV non-SSL ports and SRVSOCK ports is ALLOW. The default access for WEBSERV SSL ports and CLSOCK and DEBUGGERCLIENT ports is DISALLOW.
    • ALLOW and DISALLOW are the only rule types for JANUS CLSOCK and JANUS SRVSOCK. There are a number of other rule types for JANUS WEB.

Examples

This is a simple port definition deck that allows connections to any remote site:

JANUS FORCE CLSOCK JANUS DELETE CLSOCK JANUS DEFINE CLSOCK * CLSOCK 5 TIMEOUT 240 REMOTE * * MASTER JANUS CLSOCK CLSOCK ALLOW REMOTE * * JANUS START CLSOCK

Here is a similar port definition deck enhanced to support SSL connections (the SSL 0 option) to any remote port for any valid user (the ALLOW rules). The ADDCA rule at the end supports connections to ports that are secured with "unrecognized" SSL certificates, typically these would be self-signed certificates created with the Rocket JANSSL application.

JANUS FORCE CLSOCK JANUS DELETE CLSOCK JANUS DEFINE CLSOCK * CLSOCK 5 TIMEOUT 240 REMOTE * * MASTER SSL 0 SSLOPT - SSLMAXCERTL 4096 SSLBSIZE 32767 JANUS CLSOCK CLSOCK ALLOW JANUS CLSOCK CLSOCK ALLOW REMOTE * * JANUS START CLSOCK JANUS ADDCA CLSOCK JANWEB LOCALLY.SIGNED.CERT

JANUS CLSOCK rule types

JANUS CLSOCK ALLOW

The JANUS CLSOCK ALLOW command indicates a combination of conditions which, if all specified, allow either of these:

  • A socket-connection $function $Sock_Conn or Socket class method New invocation to access the CLSOCK ports that match pattern portname.
  • A TN3270 Debugger user to access the DEBUGGERCLIENT ports that match pattern portname.

The default access for all CLSOCK and DEBUGGERCLIENT ports is to disallow all access &emdash; except system administrators can access any such port, regardless of rules (since a system administrator can always issue JANUS CLSOCK to grant access to herself).

For a non-system administrator, access to a CLSOCK or DEBUGGERCLIENT port depends on the most recent rule for that port that matches the conditions of the $Sock_Conn or New method call, or Sirius Debugger SIRIUS DEBUG ON command:

  • If the conditions match all clauses on a JANUS CLSOCK ALLOW rule, access to the port is allowed.
  • If the conditions match all clauses on a JANUS CLSOCK DISALLOW rule, access to the port is disallowed.
  • If the conditions match neither an ALLOW nor DISALLOW rule, access to the port is disallowed.

If the JANUS CLSOCK ALLOW command is specified with no optional parameters, access to the CLSOCK or DEBUGGERCLIENT ports that match the pattern in portname is unrestricted.

Syntax

JANUS CLSOCK portname ALLOW - [NONE] | [USER userid | USGROUP usgroup] - [FILE procfile] - [PROC procname] - [SUBSYS subsysname] - [REMOTE rmt_host rmt_portnum]

The optional parameters for the JANUS CLSOCK ALLOW command are:

NONE Indicates that no access is allowed to portname. If NONE is specified, no other optional parameters may be specified.
USER userid Indicates that the Model 204 user ID userid may issue a $Sock_Conn or a New method call or a SIRIUS DEBUG ON command for portname.

For example, if userid is HOMER, a user that logs in as HOMER will be allowed access to portname. If userid is SIMP*, a user that logs in as any user ID that begins with the string SIMP is allowed access to portname.

The USER parameter cannot be specified if the USGROUP parameter is specified.

USER '' (that is, USER with the null string) is not allowed, since there is always a (non-null) user ID when a request is issued.

USER * is allowed, but it is meaningless: it does not change which conditions a rule matches.

USGROUP usgroup Indicates that a Model 204 user is allowed access to portname if his or her user ID matches an entry in the user group identified by usgroup. User groups are defined with the JANUS DEFINEUSGROUP command. The USGROUP parameter cannot be specified if the USER parameter is specified.
FILE procfile Indicates that access is allowed to portname if invoked by executing an outer procedure stored in a Model 204 file whose name matches the pattern procfile. FILE * indicates that access is allowed by any procedure except a temporary request or an instream procedure. FILE '' indicates that access is allowed only by a temporary request or an in-stream procedure.
PROC procname Indicates that access is allowed to portname if invoked by executing an outer procedure whose name matches the pattern procname. PROC * indicates that access is allowed by any procedure except a temporary request or an in-stream procedure. PROC '' indicates that access is allowed only by a temporary request or an in-stream procedure.
SUBSYS subsysname Indicates that a $Sock_Conn or New call or SIRIUS DEBUG ON command is allowed to access portname if issued from an APSY subsystem with a name that matches the pattern subsysname. SUBSYS * indicates that access is allowed by any subsystem. SUBSYS '' indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure.
REMOTE rmt_host rmt_portnum Access is allowed to portname if the remote host and port number ($Sock_Conn or New method arguments or their defaults; or SIRIUS DEBUG ON command arguments for the Debugger Client address and port) match rmt_host and rmt_portnum, respectively.

rmt_host is one of the options in the "Remote host formats" table below.

rmt_portnum can be either of these:

  • An asterisk (*), indicating access is allowed for any port number at the specified remote host.
  • An integer in the range 1-65535, indicating that access is allowed only for the specified port number at the specified remote host.
Remote host formats
[NAME] hostname Access is allowed if the name of the remote host matches the pattern hostname. The null string is not allowed for hostname, since there is always a (non-null) host for the $Sock_Conn or New method or SIRIUS DEBUG ON operation.

When the NAME keyword is explicitly specified, or when hostname is a form that cannot be an IP address, the clause only matches if the connection to the remote host is made using a name rather than an IP address. This leads to some subtle differences in the meaning of an asterisk in the REMOTE clause.

For example, the following rule restricts the connection to any remote host at port 1234, whether the connection is specified by name or by IP address:

JANUS CLSOCK FOO ALLOW REMOTE * 1234

The following clause restricts the connection to any remote host at port 1234, as long as the connection is specified by host name:

JANUS CLSOCK FOO ALLOW REMOTE NAME * 1234

REMOTE * * is allowed, but it is meaningless; that is, it does not change which conditions a rule matches. REMOTE NAME * *, however, does restrict a rule to match only if the host name is specified on the connection, but it matches any remote host.
IPGROUP ipgroup Access is allowed if the remote host's IP address matches one of the entries in ipgroup. IP groups are defined with the JANUS DEFINEIPGROUP command.
ipaddr Access is allowed if the remote host has an IP address that matches ipaddr. ipaddr can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model 204), or it can be a subnet.
  • IPV4 subnets are indicated by an IP address followed by one of these:
    • A forward slash (/) followed by a netmask (with no intervening blanks)
    • A hyphen (-) followed by the number of bits in the subnet mask (with no intervening blanks)

    For example, 198.242.244.97 is a simple IP address that must be matched exactly. .198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to portname.

  • IPV6 addresses are 128-bit integers, represented with eight, colon-separated, 16-bit (four hex-digit) groups, which may be abbreviated and represented with fewer groups. For example, fe80:0000:0000:0000:0200:0000:0300:0016 or fe80::200:0:300:16.

    An IPV6 subnet is indicated by the first address in the range, followed by a forward slash, and a decimal value equal to the number of bits in the network prefix. A subnet that includes the example address above is: fe80::200:0/48.

Note: When the IPGROUP ipgroup or the ipaddr form is used, the rule can match whether a connection is specified by host name or IP address. If the connection is by host name, it is first translated to an IP address, which is then used to match the rule.

JANUS CLSOCK DISALLOW

The JANUS CLSOCK DISALLOW command indicates a combination of conditions which, if all specified, prevent both of these:

  • A socket-connection $function $Sock_Conn or object method invocation from accessing the CLSOCK ports that match pattern portname.
  • A Sirius Debugger user from accessing the DEBUGGERCLIENT ports that match pattern portname.

The default access for all CLSOCK and DEBUGGERCLIENT ports is to disallow all access — except system administrators can access any CLSOCK port, regardless of rules (since a system administrator can always issue JANUS CLSOCK to grant access to herself). For a non-system administrator, access to a CLSOCK or DEBUGGERCLIENT port depends on the most recent rule for that port that matches the conditions of the $Sock_Conn or New method call, or Sirius Debugger SIRIUS DEBUG ON command:

  • If the conditions match all clauses on a JANUS CLSOCK DISALLOW rule, access to the port is not allowed.
  • If the conditions match all clauses on a JANUS CLSOCK ALLOW rule, access to the port is allowed.
  • If the conditions match neither an ALLOW nor DISALLOW rule, access to the port is disallowed.

Syntax

JANUS CLSOCK portname DISALLOW - [USER userid | USGROUP usgroup] - [FILE procfile] - [PROC procname] - [SUBSYS subsysname] - [REMOTE rmt_host rmt_portnum]

If the JANUS CLSOCK DISALLOW command is specified with no optional parameters, no access is allowed to the CLSOCK or DEBUGGERCLIENT ports that match the pattern in portname.

The optional parameters for the JANUS CLSOCK DISALLOW command are:

USER userid Indicates that the Model 204 user ID userid may not issue a $Sock_Conn or a New method call or a SIRIUS DEBUG ON command for portname.

For example, if userid is HOMER, a user that logs in as HOMER is not allowed access to portname. If userid is SIMP*, a user that logs in as any user ID that begins with the string SIMP is not allowed access to portname.

The USER parameter cannot be specified if the USGROUP parameter is specified.

USER '' (that is, USER with the null string) is not allowed, since there is always a (non-null) user ID when a request is issued.

USER * is allowed, but it is meaningless: it does not change which conditions a rule matches.
USGROUP usgroup Indicates that a Model 204 user is not allowed access to portname if his or her user ID matches an entry in the user group identified by usgroup. User groups are defined with the JANUS DEFINEUSGROUP command. The USGROUP parameter cannot be specified if the USER parameter is specified.
FILE procfile Indicates that access is not allowed to portname if invoked by executing an outer procedure stored in a Model 204 file whose name matches the pattern procfile. FILE * indicates that access is allowed by any procedure except a temporary request or an instream procedure. FILE '' indicates that access is allowed only by a temporary request or an in-stream procedure.
PROC procname Indicates that access is not allowed to portname if invoked by executing an outer procedure whose name matches the pattern procname. PROC * indicates that access is allowed by any procedure except a temporary request or an in-stream procedure. PROC '' indicates that access is allowed only by a temporary request or an in-stream procedure.
SUBSYS subsysname Indicates that a $Sock_Conn or New call or SIRIUS DEBUG ON command is not allowed to access portname if issued from an APSY subsystem with a name that matches the pattern subsysname. SUBSYS * indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure. SUBSYS '' indicates that access is allowed by any subsystem.
REMOTE rmt_host rmt_portnum Indicates that access is not allowed to portname if the remote host and port number (from $Sock_Conn or Socket class New method arguments or their defaults; or SIRIUS DEBUG ON command arguments for the Debugger Client address and port) match rmt_host and rmt_portnum, respectively.

rmt_host is one of the options in the "Remote host formats" table below.

rmt_portnum is either of these:

  • An asterisk (*), indicating access is allowed for any port number at the specified remote host.
  • An integer in the range 1-65535, indicating that access is allowed only for the specified port number at the specified remote host.
Remote host formats
[NAME] hostname Access is not allowed if the name of the remote host matches the pattern hostname. The null string is not allowed for hostname, since there is always a (non-null) host for the $Sock_Conn or New method or SIRIUS DEBUG ON operation.

When the NAME keyword is explicitly specified, or when hostname is a form that cannot be an IP address, the clause only matches if the connection to the remote host is made using a name rather than an IP address. This leads to some subtle differences in the meaning of an asterisk in the REMOTE clause.

For example, the following rule restricts the connection to any remote host, as long as a port other than 1234 is used, whether the connection is specified by name or by IP address:

JANUS CLSOCK FOO DISALLOW REMOTE * 1234

The following rule disallows a connection to any remote host at port 1234, if the connection is specified by host name.

JANUS CLSOCK FOO DISALLOW REMOTE NAME * 1234

(Admittedly, these DISALLOW examples, especially the latter one, seem far-fetched and probably are not useful in practice.)

REMOTE * * is allowed, but it is meaningless: it does not change which conditions a rule matches. REMOTE NAME * *, however, does restrict a rule to match only if the host name is specified on the connection, but it matches any remote host.
IPGROUP ipgroup Access is not allowed if the remote host's IP address matches one of the entries in ipgroup. IP groups are defined with the JANUS DEFINEIPGROUP command.
ipaddr Access is not allowed if the remote host has an IP address that matches ipaddr. ipaddr can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model 204), or it can be a subnet.
  • IPV4 subnets are indicated by an IP address followed by one of these:
    • A forward slash (/) followed by a netmask (with no intervening blanks)
    • A hyphen (-) followed by the number of bits in the subnet mask (with no intervening blanks)

    For example, 198.242.244.97 is a simple IP address that must be matched exactly. .198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to portname.

  • IPV6 addresses are 128-bit integers, represented with eight, colon-separated, 16-bit (four hex-digit) groups, which may be abbreviated and represented with fewer groups. For example, fe80:0000:0000:0000:0200:0000:0300:0016 or fe80::200:0:300:16.

    An IPV6 subnet is indicated by the first address in the range, followed by a forward slash, and a decimal value equal to the number of bits in the network prefix. A subnet that includes the example address above is: fe80::200:0/48.

Note: When the IPGROUP ipgroup or the ipaddr form is used, the rule can match whether a connection is specified by host name or IP address. If the connection is by host name, it is first translated to an IP address, which is then used to match the rule.

Rule matching order and examples

Each execution of a JANUS CLSOCK subcommand adds to the set of rules for the specified port. Individual rules cannot be deleted nor modified. All rules can be deleted only by stopping and deleting the port definition. Deleting a port definition, however, should not be necessary, as long as you follow the two golden rules:

  1. Specify the most general rules first and the most specific last.
  2. Specify an initial rule that “clears” all related rules.

The following example illustrates these principles:

JANUS CLSOCK TEST21 DISALLOW * JANUS CLSOCK TEST21 ALLOW SUBSYS ECOMMER* JANUS CLSOCK TEST21 ALLOW PROC FILETRANS REMOTE IPADDR 169.84.111.0-24 9333 JANUS CLSOCK TEST21 ALLOW PROC FILETRANS REMOTE IPADDR 169.84.112.0-24 9333 JANUS CLSOCK TEST21 ALLOW USER SIMP*

In this example, any previously specified ALLOW rules on port TEST21 are made obsolete by the first DISALLOW rule. Once the TEST21 access rules are cleared, the rules allow invocation of $Sock_Conn or the New method for port TEST21, if any of the following conditions are met:

  • It is invoked from a subsystem whose name begins with the string ECOMMER.
  • It is invoked for port number 9333 at a remote host that is on either the subnet 169.84.111.0 or the subnet 169.84.112.0.
  • It is invoked by a Model 204 user whose ID begins with the string SIMP.

See also

Retrieved from "https://m204wiki.rocketsoftware.com/index.php?title=JANUS_CLSOCK&oldid=94918"