JANUS SRVSOCK: Difference between revisions

From m204wiki
m (add IPV6 address format)
m (→‎Syntax: misc formatting)
Line 23: Line 23:
<tr><th><var>DISALLOW</var></th>
<tr><th><var>DISALLOW</var></th>
<td>Removes access permission.</td></tr>
<td>Removes access permission.</td></tr>
</table>
</table></td></tr>
</td></tr>
 
<tr><th>optional_parameters</th>
<td>These parameters vary with the <var class="term">rule_type</var> value. See [[#JANUS SRVSOCK rule types|JANUS SRVSOCK rule types]], below. </td></tr>
</table>
</table>
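Review bot: the `<th>optional_parameters</th>` cell near the end of this hunk leaves the placeholder unmarked, while the description beside it wraps `rule_type` in `<var class="term">` and the rows above use `<var>` for ALLOW and DISALLOW. Wrap `optional_parameters` in `<var class="term">` as well so replaceable terms render consistently. Since the closing `</table>` and `</td></tr>` tags are also being moved here, check that the outer row is still closed exactly once.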



Revision as of 20:28, 6 December 2016

Define JANUS SRVSOCK rules

The JANUS SRVSOCK command defines the rules for a Janus Sockets server running on a SRVSOCK port. These rules control access to the port.

The JANUS SRVSOCK command is slightly different from most Janus commands in that it usually takes a set of commands to fully specify the rules for a port. For instance, it may take a number of commands to specify the various host names and ranges of IP addresses that may connect. The order in which JANUS SRVSOCK commands are specified also affects how they are processed.

Syntax

JANUS SRVSOCK portname rule_type [optional parameters]

The first two parameters are positional and are required:

portname: A 1 - 30 character name of the port, or a pattern specifying a set of ports, for which the rule is being defined. Wildcards are allowed.
rule_type: The sort of rule that is being specified for the port or ports. Valid types are:
  • ALLOW: Assigns access permission.
  • DISALLOW: Removes access permission.
optional_parameters: These parameters vary with the rule_type value. See JANUS SRVSOCK rule types, below.

Usage notes

  • The ALLOW and DISALLOW rules are processed together, from most recent to oldest.
  • The optional parameters allowed for JANUS SRVSOCK depend on the rule type that is specified. The various types are shown in the following sections, followed by a section giving examples and showing the interaction of JANUS SRVSOCK commands (Rule matching order and examples).
  • The JANUS WEB command is used by Janus Web Server to establish rules for WEBSERV ports. Note that the JANUS CLSOCK and JANUS SRVSOCK commands differ from the corresponding rules available with the JANUS WEB command in the following ways:
    • JANUS WEB does not allow any optional parameters (for example, USGROUP) on the DISALLOW rule.
    • The default access for WEBSERV non-SSL ports and SRVSOCK ports is ALLOW. The default access for WEBSERV SSL ports, CLSOCK, and DEBUGGERCLIENT ports is DISALLOW.
    • ALLOW and DISALLOW are the only rule types for JANUS CLSOCK and JANUS SRVSOCK; there are a number of other rule types for JANUS WEB.

JANUS SRVSOCK ALLOW

JANUS SRVSOCK portname ALLOW - [NONE] | [IPADDR ipaddr | IPGROUP ipgroup]

The JANUS SRVSOCK ALLOW command indicates that a particular remote host or set of hosts has access to the SRVSOCK ports that match pattern portname.

The default access for SRVSOCK ports is to allow all remote hosts. For an incoming request, access to a SRVSOCK port depends on the most recent rule for that port that matches the conditions of the request:

  • If the conditions match all clauses on a JANUS SRVSOCK ALLOW rule, access to the port is allowed.
  • If the conditions match all clauses on a JANUS SRVSOCK DISALLOW rule, access to the port is not allowed.
  • If the conditions match neither an ALLOW nor a DISALLOW rule, access to the port is allowed.

If a JANUS SRVSOCK ALLOW command is specified with no optional parameters, all hosts can access the SRVSOCK ports that match the pattern in portname.

The optional parameters for the JANUS SRVSOCK ALLOW command are:

NONE: Indicates that no remote hosts are allowed access to portname. If NONE is specified, no other optional parameters may be specified.
IPADDR ipaddr: Indicates that a request from a machine with an IP address that matches ipaddr is allowed access to portname. ipaddr can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model 204), or it can be a subnet.
  • IPV4 subnets are indicated by an IP address followed by one of these:
    • A forward slash (/) followed by a netmask (with no intervening blanks)
    • A hyphen (-) followed by the number of bits in the subnet mask (with no intervening blanks)

    For example, 198.242.244.97 is a simple IP address that must be matched exactly. 198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to portname.

  • IPV6 addresses are 128-bit integers, represented with eight, colon-separated, 16-bit (four hex-digit) groups, which may be abbreviated and represented with fewer groups. For example, fe80:0000:0000:0000:0200:0000:0300:0016 or fe80::200:0:300:16.

    An IPV6 subnet is indicated by the first address in the range, followed by a forward slash, and a decimal value equal to the number of bits in the network prefix. A subnet that includes the example address above is: fe80::200:0/48.

The IPADDR parameter cannot be specified if the IPGROUP parameter is specified.
IPGROUP ipgroup: A user on a machine with an IP address that matches one of the entries in ipgroup is allowed access to portname.

IP groups are defined with the JANUS DEFINEIPGROUP command.

The IPGROUP parameter cannot be specified if the IPADDR parameter is specified.

JANUS SRVSOCK DISALLOW

JANUS SRVSOCK portname DISALLOW - [IPADDR ipaddr | IPGROUP ipgroup]

The JANUS SRVSOCK DISALLOW command indicates that a particular remote host or set of hosts does not have access to the SRVSOCK ports that match pattern portname.

The default access for all SRVSOCK ports is to allow all remote hosts. For an incoming request, access to a SRVSOCK port depends on the most recent rule for that port that matches the conditions of the request:

  • If the conditions match all clauses on a JANUS SRVSOCK DISALLOW rule, access to the port is not allowed.
  • If the conditions match all clauses on a JANUS SRVSOCK ALLOW rule, access to the port is allowed.
  • If the conditions match neither an ALLOW nor a DISALLOW rule, access to the port is allowed.

If a JANUS SRVSOCK DISALLOW command is specified with no optional parameters, no hosts can access the SRVSOCK ports that match the pattern in portname.

The optional parameters for the JANUS SRVSOCK DISALLOW command are:

IPADDR ipaddr: Indicates that a request from a machine with an IP address that matches ipaddr is not allowed access to portname.

ipaddr can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model 204), or it can be a subnet.

  • IPV4 subnets are indicated by an IP address followed by one of these:
    • A forward slash (/) followed by a netmask (with no intervening blanks)
    • A hyphen (-) followed by the number of bits in the subnet mask (with no intervening blanks)

    For example, 198.242.244.97 is a simple IP address that must be matched exactly. 198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is not to be allowed access to portname.

  • IPV6 addresses are 128-bit integers, represented with eight, colon-separated, 16-bit (four hex-digit) groups, which may be abbreviated and represented with fewer groups. For example, fe80:0000:0000:0000:0200:0000:0300:0016 or fe80::200:0:300:16.

    An IPV6 subnet is indicated by the first address in the range, followed by a forward slash, and a decimal value equal to the number of bits in the network prefix. A subnet that includes the example address above is: fe80::200:0/48.

The IPADDR parameter cannot be specified if the IPGROUP parameter is specified.

IPGROUP ipgroup: Indicates that a user on a machine with an IP address that matches one of the entries in ipgroup is not allowed access to portname.

IP groups are defined with the JANUS DEFINEIPGROUP command.

The IPGROUP parameter cannot be specified if the IPADDR parameter is specified.

Rule matching order and examples

Each execution of a JANUS SRVSOCK subcommand adds to the set of rules for the specified SRVSOCK port. Individual rules cannot be deleted or modified. All rules can be deleted only by stopping and deleting the port definition. Deleting a port definition, however, should not be necessary, as long as you follow the two golden rules:

  1. Specify the most general rules first and the most specific last.
  2. Specify an initial rule that "clears" all related rules.

The following example illustrates these principles:

JANUS SRVSOCK TEST21 DISALLOW *
JANUS SRVSOCK TEST21 ALLOW IPADDR 198.242.244.0-24
JANUS SRVSOCK TEST21 ALLOW IPADDR 169.84.128.0-3
JANUS SRVSOCK TEST21 DISALLOW IPADDR 169.84.128.17

In this example, any previously specified ALLOW rules on port TEST21 are made obsolete by the first DISALLOW rule. Once the TEST21 access rules are cleared, two subnets are given access permission, and then a single specific IP address within one of those subnets has its access revoked.
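The matching order described above can be checked offline before a rule set is issued. The following Python model is an added example, not Janus code or part of the original page: it applies the rules most recent first with the SRVSOCK default of ALLOW, and shows what happens when the specific DISALLOW is issued before the general ALLOW. The function names are hypothetical, IPGROUP and portname wildcards are not modelled, and treating `*` as "all hosts" follows the page's example.

```python
import ipaddress

def parse_ipaddr(spec):
    """Parse an IPADDR value in the formats the page lists into a network object."""
    if ":" not in spec and "-" in spec:          # IPV4 addr-bits, e.g. 198.242.244.0-24
        addr, bits = spec.split("-", 1)
        spec = f"{addr}/{int(bits)}"
    # Handles a plain address, IPV4 addr/netmask and IPV6 addr/prefix-bits.
    # strict=False: the page's own examples leave host bits set (fe80::200:0/48).
    return ipaddress.ip_network(spec, strict=False)

def parse_rule(command):
    """Return (portname, allow, network); network None means every remote host."""
    words = command.split()
    if len(words) < 4 or words[:2] != ["JANUS", "SRVSOCK"] or words[3] not in ("ALLOW", "DISALLOW"):
        raise ValueError(f"not a JANUS SRVSOCK rule: {command!r}")
    port, allow, params = words[2], words[3] == "ALLOW", words[4:]
    if not params or params == ["*"]:            # no parameters ("*" as in the page's example)
        return port, allow, None
    if allow and params == ["NONE"]:             # ALLOW NONE: no remote host is allowed
        return port, False, None
    if len(params) == 2 and params[0] == "IPADDR":
        return port, allow, parse_ipaddr(params[1])
    raise ValueError(f"parameters not modelled in this example: {params}")

def access_allowed(commands, port, client_ip):
    """Apply the rules most recent first; the first rule that matches decides."""
    ip = ipaddress.ip_address(client_ip)
    for rule_port, allow, net in reversed([parse_rule(c) for c in commands]):
        if rule_port == port and (net is None or (ip.version == net.version and ip in net)):
            return allow
    return True                                  # no rule matched: SRVSOCK default is ALLOW

# The page's TEST21 rule set, oldest first.
TEST21 = [
    "JANUS SRVSOCK TEST21 DISALLOW *",
    "JANUS SRVSOCK TEST21 ALLOW IPADDR 198.242.244.0-24",
    "JANUS SRVSOCK TEST21 ALLOW IPADDR 169.84.128.0-3",
    "JANUS SRVSOCK TEST21 DISALLOW IPADDR 169.84.128.17",
]
# Constructed counter-example: the specific DISALLOW is issued before the general ALLOW.
MISORDERED = [TEST21[0], TEST21[3], TEST21[2]]

if __name__ == "__main__":
    for ip in ("198.242.244.5", "169.84.128.17", "169.84.128.18", "10.1.1.1"):
        print(ip, access_allowed(TEST21, "TEST21", ip), access_allowed(MISORDERED, "TEST21", ip))
```

In the misordered set, 169.84.128.17 is allowed because the later, broader ALLOW matches before the older DISALLOW is reached.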

See also