JANUS SRVSOCK

From m204wiki
Revision as of 17:31, 11 October 2012 by JAL (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

<section begin="desc" />Define JANUS SRVSOCK rules<section end="desc" />

The JANUS SRVSOCK command defines the rules for a Janus Sockets server running on a SRVSOCK port. These rules control access to the port.

Syntax

<section begin="syntax" /> JANUS SRVSOCK portname rule_type [optional parameters] <section end="syntax" />


The JANUS SRVSOCK command is slightly different from most Janus commands in that it usually takes a set of commands to fully specify the rules for a port. For instance, it may take a number of commands to specify the various host names and ranges of IP addresses that may connect. The order in which JANUS SRVSOCK commands are specified also affects how they are processed.

The first two parameters are positional and are required:

portname A 1 - 30 character name of the port, or a pattern specifying a set of ports, for which the rule is being defined. Wildcards are allowed.
rule_type The rule_type specifies what sort of rule is being specified for the port or ports. Valid rule_types are:
ALLOW Assigns access permission.
DISALLOW Removes access permission.

The ALLOW and DISALLOW rules are processed together, from most recent to oldest.

The optional parameters allowed for the JANUS SRVSOCK command depend on the rule_type that is specified. The various rule_types are shown in the following sections, followed by a section giving examples and showing the interaction of JANUS SRVSOCK commands ("Rule matching order and examples").

The JANUS WEB command, described in the Janus TCP/IP Base Reference Manual, is used by Janus Web Server to establish rules for WEBSERV ports. .do end Note that the JANUS CLSOCK and JANUS SRVSOCK commands differ from the corresponding rules available with the JANUS WEB command in the following ways:

  • JANUS WEB does not allow any optional parameters (for example, USGROUP) on the DISALLOW rule.
  • The default access for WEBSERV non-SSL ports and SRVSOCK ports is ALLOW; the default access for WEBSERV SSL ports, CLSOCK, and DEBUGGERCLIENT ports is DISALLOW.
  • ALLOW and DISALLOW are the only rule types for JANUS CLSOCK and JANUS SRVSOCK; there are a number of other rule types for JANUS WEB.

JANUS SRVSOCK ALLOW

JANUS SRVSOCK portname ALLOW - [NONE] | [IPADDR ipaddr | IPGROUP ipgroup]

JANUS SRVSOCK ALLOW command syntax

The JANUS SRVSOCK ALLOW command indicates that a particular remote host or set of hosts have access to the SRVSOCK ports that match pattern portname.

The default access for SRVSOCK ports is to allow all remote hosts. For an incoming request, access to a SRVSOCK port depends on the most recent rule for that port that matches the conditions of the request:

  • If the conditions match all clauses on a JANUS SRVSOCK ALLOW rule, access to the port is allowed.
  • If the conditions match all clauses on a JANUS SRVSOCK DISALLOW rule, access to the port is not allowed.
  • If the conditions match neither an ALLOW nor a DISALLOW rule, access to the port is allowed.

If a JANUS SRVSOCK ALLOW command is specified with no optional parameters, all hosts can access the SRVSOCK ports that match the pattern in portname.

The optional parameters for the JANUS SRVSOCK ALLOW command are:

NONE Indicates that no remote hosts are allowed access to portname. If NONE is specified, no other optional parameters may be specified.
IPADDR ipaddr Indicates that a request from a machine with an IP address that matches ipaddr is allowed access to portname. ipaddr can be a simple IP address or it can be a subnet. Subnets are indicated by an IP address followed by a slash (/) followed by a netmask (with no intervening blanks), or by a hyphen (-) followed by a number of bits in the subnet mask (with no intervening blanks). For example, 198.244.244.97 is a simple IP address that must be matched exactly. .198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to portname. The IPADDR parameter cannot be specified if the IPGROUP parameter is specified.
IPGROUP ipgroup Indicates that a user on a machine with an IP address that matches one of the entries in ipgroup is allowed access to portname. IP groups are defined with the JANUS DEFINEIPGROUP command. The IPGROUP parameter cannot be specified if the IPADDR parameter is specified.

JANUS SRVSOCK DISALLOW

JANUS SRVSOCK portname DISALLOW - [IPADDR ipaddr | IPGROUP ipgroup]

JANUS SRVSOCK DISALLOW command syntax

The JANUS SRVSOCK DISALLOW command indicates that a particular remote host or set of hosts does not have access to the SRVSOCK ports that match pattern portname.

The default access for all SRVSOCK ports is to allow all remote hosts. For an incoming request, access to a SRVSOCK port depends on the most recent rule for that port that matches the conditions of the request:

  • If the conditions match all clauses on a JANUS SRVSOCK DISALLOW rule, access to the port is not allowed.
  • If the conditions match all clauses on a JANUS SRVSOCK ALLOW rule, access to the port is allowed.
  • If the conditions match neither an ALLOW nor a DISALLOW rule, access to the port is allowed.

If a JANUS SRVSOCK DISALLOW command is specified with no optional parameters, no hosts can access the SRVSOCK ports that match the pattern in portname.

The optional parameters for the JANUS SRVSOCK DISALLOW command are:

IPADDR ipaddr Indicates that a request from a machine with an IP address that matches ipaddr is not allowed access to portname. ipaddr can be a simple IP address or it can be a subnet. Subnets are indicated by an IP address followed by a slash (/) followed by a netmask (with no intervening blanks), or by a hyphen (-) followed by a number of bits in the subnet mask (with no intervening blanks). For example, 198.244.244.97 is a simple IP address that must be matched exactly. .198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to portname. The IPADDR parameter cannot be specified if the IPGROUP parameter is specified.
IPGROUP ipgroup Indicates that a user on a machine with an IP address that matches one of the entries in ipgroup is not allowed access to portname. IP groups are defined with the JANUS DEFINEIPGROUP command. The IPGROUP parameter cannot be specified if the IPADDR parameter is specified.

Rule matching order and examples

Each execution of a JANUS SRVSOCK subcommand adds to the set of rules for the specified SRVSOCK port. Individual rules cannot be deleted nor modified. All rules can be deleted only by stopping and deleting the port definition. Deleting a port definition, however, should not be necessary, as long as you follow the two golden rules:

  1. Specify the most general rules first and the most specific last.
  2. Specify an initial rule that "clears&CQ. all related rules.

The following example illustrates these principles:

JANUS SRVSOCK TEST21 DISALLOW * JANUS SRVSOCK TEST21 ALLOW IPADDR 198.242.244.0-24 JANUS SRVSOCK TEST21 ALLOW IPADDR 169.84.128.0-3 JANUS SRVSOCK TEST21 DISALLOW IPADDR 169.84.128.17

In this example, any previously specified ALLOW rules on port TEST21 are made obsolete by the first DISALLOW rule. Once the TEST21 access rules are cleared, two subnets are given access permission, and then a single specific IP address within one of those subnets has its access revoked.

See: List of Janus commands