DareNET IRCd Configuration/1.5
m |
(→Client block) |
||
Line 210: | Line 210: | ||
<html><pre><strong>Client</strong> { | <html><pre><strong>Client</strong> { | ||
<span class="comment">/* host: resolved user@host mask allowed to connect. This is optional | <span class="comment">/* host: resolved user@host mask allowed to connect. This is optional | ||
- | * if you are using the ip mask to match against. Additionally, if you specify *@loc for this field it will match all LOC users. | + | * if you are using the ip mask to match against. Additionally, if you specify *@loc for |
+ | * this field it will match all LOC users. | ||
*/</span> | */</span> | ||
host = <span class="qstring">"*@*.wirehub.net"</span>; | host = <span class="qstring">"*@*.wirehub.net"</span>; | ||
Line 236: | Line 237: | ||
</pre></html> | </pre></html> | ||
- | The server uses a default deny policy for incoming connections | + | The server uses a default deny policy for incoming connections. You need to define at least one Client block if you wish to use your server. |
- | The <code>host</code> and <code>ip</code> | + | The <code>host</code> and <code>ip</code> fields specify which connections the block matches. The server always performs a DNS and ident lookup for connections. If DNS cannot find a hostname, the IP address is used instead. If ident cannot get a valid reply, "unknown" is used during this state. The client's resolved hostname, IP address, ident reply, and username (from the USER line) are used according to the results of the matches described below. |
- | Note: There is a | + | '''Note:''' There is a specify case for UNIX domain sockets and localhost connections. In these cases, the <code>ip / host</code> field is compared with the name of the server, and thus not with any IP number representation. The name of the server is that returned in the numeric 002 reply, example: <code>002 Your host is 2.darenet.org[jolan.ppro]. running version ...</code> In this example, "jolan.ppro" is the name used for matching; therefore, UNIX domain sockets and connections to localhost would match a block containing: <code>host = "*@jolan.ppro";</code>. |
- | + | The <code>host</code> field attempts to match first against the resolved hostname, if available, and then against the IP address. To include the connection's ident reply in the match, use a mask in the form "ident@host". If a client matches, it appears on IRC using its resolved hostname. | |
- | + | The <code>ip</code> field attempts to match against the IP address only. An ident may be specified to match against, as well. | |
- | + | '''Note:''' If the ident portion is specified in a mask (i.e., "ident@host" instead of "host"), and no ident reply is received from the client, it will appear on IRC with its username prefixed with a '~' tilde. If the matching mask used only the "host" form, the client's username is not prefixed. If a valid ident reply is received, it is always used and not prefixed. | |
- | + | You need only specify a <code>host</code> or <code>ip</code> field, not both. If both are used, <code>host</code> is matched against first. | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
There may be multiple Client blocks; at least one is recommended. | There may be multiple Client blocks; at least one is recommended. |
Revision as of 06:08, 10 August 2012
This is a reference guide for ircd-darenet 1.5.x's configuration file.
The configuration format consists of various blocks, each containing name-value pairs, tags or string data. It is designed to be easily readable by both human and ircd.
A block consists of a name, an opening '{' brace, statements, a closing '}' brace, and a ';' semicolon. A statement consists of a name possibly followed by an '=' equals sign and a value, ending with a semicolon. All strings must be surrounded by '"' double quotes.
A sample block:
blockname { name = value; name = "string"; name = 123; tag; };
All elements of the configuration are separated by whitespace, and can be packed on one line, or broken up over several lines. Whitespace is defined as space, tab or carriage return/linefeed. Three forms of comments are allowed:
- C style single/multi-line
- C++ style single-line
- Shell style single-line
Important: When the configuration file is parsed by the ircd, blocks are used in reverse order than how they are listed. This means you should start multiple block definitions with the "fall through", and end with the most detailed. Keep in mind that Class {} blocks must be specified before anything that uses them. That means they must be defined before Client {}, Connect {} and Operator {} blocks.
Time / duration is written as:
- A number in seconds (e.g., 60)
- A grammatical expression (e.g., 1 hour 30 minutes 10 seconds)
- An arithmetic expression (e.g., 1*60*20)
Valid units of time:
- decade / decades
- year / years
- month / months
- week / weeks
- day / days
- hour / hours
- minute / minutes
- second / seconds
Valid units of size:
- terabyte / terabytes / tbyte
- gigabyte / gigabytes / gbyte
- megabyte / megabytes / mbyte
- kilobyte / kilobytes / kbyte
- byte / bytes
General block
Requirement: | REQUIRED |
Old conf format equivalents: | M:name:vhost:description::numeric
|
The General block defines information about the server itself. It is required for the server to start.
General { /* name: the name of our server. */ name = "test.area.zone.darenet.org"; /* description: the description of our server. */ description = "ircd-darenet test server"; /* numeric: the unique server numeric for our server. It must be a * digit between 0 and 4095, and is not updated on a rehash. */ numeric = 999; /* vhost: the IP to bind to when we connect outward to other servers. * It must contain either a * or a valid ipv4 address in dotted quad notation. */ vhost = "192.169.0.1"; /* ssl_private_key: our ssl private key. */ ssl_private_key = "etc/ircd.key"; /* ssl_pem: file containing our ssl certificate and private key */ ssl_pem = "etc/ircd.pem"; /* dpass: (optional) password for DIE command. */ dpass = "encrypted pass"; /* rpass: (optional) password for RESTART command. */ rpass = "$PLAIN$password"; };
The server name may only be changed by a server restart. The description can be changed on rehash, but will not propagate to other linked servers.
There must be exactly one General block.
Admin block
Requirement: | SUGGESTED |
Old conf format equivalents: | A:line1:line2:line3
|
The Admin block defines information that can be retrieved with the /ADMIN
command.
Admin { location = "DareNET - http://www.darenet.org"; location = "Infrastructure Team"; contact = "<infrastructure@darenet.org>"; };
Not all lines are required. There may only be one Admin block.
Class block
Requirement: | RECOMMENDED |
Old conf format equivalents: | Y:class:pingfreq::maxlinks:sendq (clients) Y:class:pingfreq:connectfreq:maxlinks:sendq (servers)
|
The Class blocks define connection classes. All connections to the server are associated with a "connection class", whether they be incoming or outgoing (initiated by the server), be they clients or servers.
Class { /* name: a name for the connection class. */ name = "Users"; /* pingfreq: how often to PING idle connections. */ pingfreq = 1 minute 30 seconds; /* sendq: send buffer limit (i.e., the amount of data allowed in * a client's queue before they are dropped. */ sendq = 100 kilobytes; /* maxlinks: the maximum number of connections that may use this * class. May be between 0 and 4,000,000,000. */ maxlinks = 100; /* usermode: an optional list of user modes that should set * upon the user while connecting. */ usermode = "+iw"; /* maxchans: the maximum number of channels that clients may join. */ maxchans = 50; }; Class { name = "Opers"; pingfreq = 2 minutes; sendq = 100 kilobytes; maxlinks = 10; usermode = "+iw"; whox; }; Class { name = "Server"; pingfreq = 3 minutes; /* connectfreq: this token applies only to servers, and specifies * the frequency that the server tries to auto connect. Setting this to 0 will cause a * server to attempt to connect repeatedly, with no delay until the maxlinks condition * is satisfied (which is not a good thing). */ connectfreq = 5 minutes; /* maxlinks: for server classes, specifies the maximum number of * servers to autoconnect to. This should be 0 for hubs, and 1 for leafs. */ maxlinks = 0; sendq = 10 megabytes; }; Class { name = "Leaf_Server"; pingfreq = 3 minutes; connectfreq = 5 minutes; maxlinks = 1; sendq = 10 megabytes; };
For connection classes intended for operator use, you can specify privileges the operator should be granted when the Operator block names the class. The local privilege MUST be defined by either the Class or Operator block. It is highly recommended that most privileges be explicitly specified in the operator's Operator block on DareNET.
A "default" class is created internally. This class is used when no other class is specified, but its settings are not useful for most situations. Custom classes are strongly recommended.
There may be multiple Class blocks; at least one is recommended.
Client block
Requirement: | RECOMMENDED |
Old conf format equivalents: | I:ipmask:passwd:hostmask:port:class
|
The Client blocks define the hosts client connections are allowed from, and places them into classes. While the server will start without a Client block, it will not be usable.
Client { /* host: resolved user@host mask allowed to connect. This is optional * if you are using the ip mask to match against. Additionally, if you specify *@loc for * this field it will match all LOC users. */ host = "*@*.wirehub.net"; /* ip: unresolved user@ip mask allowed to connect. */ ip = "*@195.86.128.*"; /* password: (optional) password that is required to use this block. * This password string is not encrypted. */ password = "letMEHin"; /* class: the class the user should be placed in. */ class = "Users"; /* maxlinks: if specified, the server will only accept clients when * the total number of connections to the network from the same IP number doesn't exceed * this number. */ maxlinks = 6; /* port: (optional) a port to limit this block to. */ port = 6660; };
The server uses a default deny policy for incoming connections. You need to define at least one Client block if you wish to use your server.
The host
and ip
fields specify which connections the block matches. The server always performs a DNS and ident lookup for connections. If DNS cannot find a hostname, the IP address is used instead. If ident cannot get a valid reply, "unknown" is used during this state. The client's resolved hostname, IP address, ident reply, and username (from the USER line) are used according to the results of the matches described below.
Note: There is a specify case for UNIX domain sockets and localhost connections. In these cases, the ip / host
field is compared with the name of the server, and thus not with any IP number representation. The name of the server is that returned in the numeric 002 reply, example: 002 Your host is 2.darenet.org[jolan.ppro]. running version ...
In this example, "jolan.ppro" is the name used for matching; therefore, UNIX domain sockets and connections to localhost would match a block containing: host = "*@jolan.ppro";
.
The host
field attempts to match first against the resolved hostname, if available, and then against the IP address. To include the connection's ident reply in the match, use a mask in the form "ident@host". If a client matches, it appears on IRC using its resolved hostname.
The ip
field attempts to match against the IP address only. An ident may be specified to match against, as well.
Note: If the ident portion is specified in a mask (i.e., "ident@host" instead of "host"), and no ident reply is received from the client, it will appear on IRC with its username prefixed with a '~' tilde. If the matching mask used only the "host" form, the client's username is not prefixed. If a valid ident reply is received, it is always used and not prefixed.
You need only specify a host
or ip
field, not both. If both are used, host
is matched against first.
There may be multiple Client blocks; at least one is recommended.
Motd block
Requirement: | OPTIONAL |
Old conf format equivalents: | T:hostmask|classnumber:path
|
The Motd blocks allow a different Message of the Day to be shown to connecting clients based on their origin.
Motd { /* host: a hostmask, class number or class name to match against. */ host = "*.jp"; /* file: the path to the MOTD file to be shown (relative to DPATH). */ file = "jp.motd"; };
More then one 'host' entry may be present in an Motd block.
There may be multiple Motd blocks.
Connect block
Requirement: | OPTIONAL |
Old conf format equivalents: | C:host:cpassword:name:port:class N:host:apassword:name:flags:class H:host::name:maxhops L:host::mask:depth
|
The Connect blocks define links to other servers.
Connect { /* name: the name of the server. */ name = "uplink.darenet.org"; /* host: the host or IP to connect to. If a hostname is used it * must match the reverse dns of the server. */ host = "192.168.0.1"; /* vhost: (optional) the host or IP to bind to for this connection. * If this is not specified, the default vhost (in general {}) is used. */ #vhost = "192.168.0.50"; /* password: the password we send and accept. */ password = "somepass"; /* port: the port to connect to this server on. This is also the * port used when the server attempts to auto-connect (if enabled). */ port = 7325; /* class: the class this server should be placed in. */ class = "Server"; /* maxhops: the max number of hops a hub may introduce. If a hub * tries to introduce servers farther away than what is specified here, an SQUIT is * issued. The 'leaf' token is an alias for "maxhops = 0;". */ maxhops = 2; /* hub: (optional) the mask of servers that this server may hub * for. The tag 'hub' is an alias for 'hub = "*";'. */ hub = "*.us.darenet.org"; /* autoconnect: (optional) determines if we should try to * automatically connect to this server. The default is to autoconnect. */ autoconnect = no; };
There may be multiple Connect blocks.
CRule block
Requirement: | OPTIONAL |
Old conf format equivalents: | D:servermask::rule d:servermask::rule
|
The CRule (connection rule) blocks control ircd-darenet's advanced, real-time rule-based routing decision making system.
CRule { /* server: rules will be applied towards servers matching this mask. */ server = "*.eu.darenet.org"; /* rule: the connection rule. */ rule = "connected(amsterdam.eu.*)"; /* all: (optional) setting this to 'yes' will make the rule always * apply; otherwise, it only applies to autoconnects. */ all = yes; };
If more than one server mask is present in a single crule, the rule will apply to all servers.
See doc/readme.crules for more information on the crule system, including examples of allowed rules.
There may be multiple CRule blocks.
Port Block
Requirement: | REQUIRED |
Old conf format equivalents: | P:hostmask:interface:<[CES][H]>:port
|
The Port blocks define where the server will accept connections. At least one port block is required to start.
Port { /* port: the specific port to listen on. */ port = 7325; /* mask: (optional) the IP address (or a range of IP addresses) that * the server will allow connections from. */ mask = "127.0.*.*"; /* vhost: (optional) set a specific IP/host the port (listed after * the 'port' token) will listen for. */ vhost = "127.0.0.1"; /* server: setting this to yes makes this a server only port. */ server = yes; /* hidden: (optional) setting this to 'yes' makes the port * "hidden" from stats replies. */ hidden = yes; /* crypt: (optional) setting this to 'yes' makes the port accept * SSL connections. */ crypt = yes; /* exempt: (optional) setting this to 'yes' makes the port exempt * from connection restrictions during a timed /RESTART or /DIE. */ exempt = no; };
The mask setting should only contain IP addresses or '*' if used. This does not use DNS in any way, so you cannot use it to allow *.nl or *.uk, for example. Attempting to specify anything other than IP addresses will result in the port allowing connections from anyone (as if you used '*').
If a bind address (vhost) is not specified, the server will listen on all available interfaces for that port.
There may be multiple Port blocks.
Operator block
Requirement: | SUGGESTED |
Old conf format equivalents: | O:host:password:name:flags:class o:host:password:name:flags:class
|
The Operator blocks define server operators. One or more of these blocks is recommended if you intend to maintain your server.
Operator { /* name: the oper's username. */ name = "johndoe"; /* host: the user@host/IP mask required for this operator. CIDR * notation is supported. Multiple host="" lines are supported. */ host = "god@*"; host = "*@127.0.0.1"; /* password: the password required to oper. By default, the password is * hashed using the system's native crypt() function. Other password * mechanisms are available; the umkpasswd utility located in the ircd * directory can hash passwords using those mechanisms. If you use a * password format that is not generated by umkpasswd, ircd-darenet will * not recognize the oper's password. */ password = "/home/irc/keys/johndoe.key"; /* flags: misc options for the oper. */ flags = "OAWInFR"; /* snomask: (optional) specific server notice mask on oper up. If this * is specified, an oper will not be given sno_default. */ snomask = "+cegGiKorRs"; /* privileges: (optional) you can specify privileges an oper will be * explicitly granted (or denied) upon opering. Any privileges defined * will override any privilege settings that may be present in the class * block specified above, and the default setting for those privileges. */ local = no; routing = yes; routeinfo = yes; };
The name
and password
tokens match the parameters of the OPER
command. To authenticate as an oper, a client must match one of the host
tokens specified in "user@host/IP mask" form. The host part is matched against both resolved hostnames and IP address.
To use an unencrypted password, prefix the password with '$PLAIN', e.g., "$PLAIN$aPpLe".
If you want to use a more secure password authentication system, generate a 1024bit RSA key, and specify the path to the key as the password (as shown in the example above), and add 'R' to the flags field. This will use the /CHALLENGE
system instead of /OPER
. See doc/challenge.txt for more details.
An oper may also use their SSL client certificate fingerprint to authenticate as an oper. To use this method, specify the oper's certificate fingerprint as the password, and add 'S' to the flags field.
Only one password authentication method may be used at a time. That is, you cannot use CHALLENGE and SSL client certificate fingerprint at the same time.
There are currently 9 different oper flags:
- o - Local operator
- O - Global operator
- A - Server administrator
- r - This operator block may be used from remote servers
- W - Allowed to set user mode +W
- I - Allowed to set user mode +I
- n - Allowed to set user mode +n
- F - Allowed to set user mode +F
- S - Use SSL client certificate fingerprint to
/OPER
- R - Use
/CHALLENGE
password authentication system. - j - Allowed to use juped nicknames.
The class token specifies the connection class the oper will be placed in, regardless of their previous connection class. If not specified, the default class is used; see the Class block description for details.
There may be multiple Operator blocks.
UWorld block
Requirement: | OPTIONAL |
Old conf format equivalents: | U:server:jupednicks:*
|
The Uworld block defines "U-lined" servers, which are allowed to do special network things. Used for network services.
UWorld { /* name: the server name or wildcard mask the "U-line" applies to. */ name = "services.darenet.org"; name = "stats.darenet.org"; };
UWorld servers are permitted to do things typical network services would want to do, such as apply network bans, manage channel modes, etc; the details are too numerous and complex to provide here.
There may be multiple UWorld blocks; all blocks are combined into one list.
NickJupe block
Requirement: | OPTIONAL |
Old conf format equivalents: | U:server:jupednicks:*
|
The NickJupe blocks disallow certain nicknames from being used.
NickJupe { "ChanServ" = "Reserved for Services"; "NickS?rv" = "Reserved for Services"; };
Entries are specified in a key-value format, with the key being the nick to disallow (the '*' and '?' wildcards are supported), and the value being the reason (a single-line reason for the restriction, which is sent to clients along with the rejection notice).
There may be multiple NickJupe blocks; all blocks are combined into one list.
Quarantine block
Requirement: | OPTIONAL |
Old conf format equivalents: | Q:channel:reason
|
The Quarantine blocks disallow certain channel names from being used by non-opers.
Quarantine { "#help" = "For assistance, please join #Support instead."; };
Entries are specified in a key-value format, with the key being the channel to disallow, and the value being the reason (a single-line reason for the restriction, which is sent to clients along with the rejection notice). Note, these are only checked at /JOIN
, so if you add a channel and rehash, users will not be kicked if they're already in the channel.
There may be multiple Quarantine blocks; all blocks are combined into one list.
Ban Block
Requirement: | OPTIONAL |
Old conf format equivalents: | K:line |
Ban {} blocks disallow connections from clients based on specific ident, host and/or gecos masks. They are a flexible general client ban mechanism.
Ban { host = "user@host"; reason = "The reason the user will see"; klineprompt; name = "mark"; };
Required tokens (at least one of): host, realname, username
Optional tokens: klineprompt, reason, name, file
If klineprompt;
is present, users may bypass the ban by using Login-on-Connect (LOC). You can also mark clients by using name = "mark here";
Ban { realname = "realname here"; reason = "The reason the user will see"; };
It is also possible to ban based on username.
Ban { username = "username here"; reason = "The reason the user will see"; };
It is also possible to use a file as comment for the ban, using.
Ban { host = "user@host"; file = "path/to/file/with/reason/to/show"; };
The file can contain for example, a reason, a link to the server rules and a contact address. Also, note the combination of username and host in the host field. IP-based Ban {} blocks apply to all hosts, even if an IP address has a properly resolving host name. CIDR format is the most efficient, and should be used when possible. The server will attempt to convert wildcard IP masks to CIDR form internally.
Additionally, you may specify a hostmask prefixed with $V to indicate a match should be performed against the CTCP version of the user rather han the host/IP.
Ban { version = "string"; reason = "reason here"; };
There may be multiple Ban {} blocks.
Example blocks:
Ban { host = "*@*.aol.com"; reason = "Due to abuse, AOL users must login with their DareNET account to connect."; klineprompt; };
Ban { host = "192.168.*"; reason = "Monkeys."; };
Ban { host = "192.168.0.0/16"; reason = "Monkeys."; };
Ban { username = "sub7"; realname = "s*7*"; reason = "You are infected with a Trojan"; };
Ban { username = "sub7"; realname = "s*7*"; reason = "You are infected with a Trojan"; };
Except Block
Requirement: | OPTIONAL |
Old conf format equivalents: | E:line |
Except {} blocks can be used to exempt a user from Kill {} blocks, GLINEs, ZLINEs, SHUNs, spam filters, IDENT_CHALLENGE and LIST restrictions.
Except { mask = "<mask>"; flags = "<flags>"; };
<mask> is an ident@ip/host/cidr mask that is to match the user to be exempted. <flags> is one or more of the following flags to specify what the exempt is to match.
- k - Except affects KLINEs.
- g - Except affects GLINEs.
- i - Except affects ident challenges (see IDENT_CHALLENGE feature).
- n - Except for notilde.
- s - Except affects SHUNs.
- z - Except affects ZLINEs.
- F - Forces umode +F on user to bypass message flood checks.
- I - Exempts user from rapid (re)connection throttling & clone checks.
- L - Except affects LIST restrictions.
- N - Exempts user from "no connections" restrictions, allowing them to connect anyway.
- S - Except affects spam filters.
NOTE: For throttling/clone exemptions (I), only IP addresses are supported, since these checks are performed before any DNS resolutions or identd replies are received.
Example block:
Except { host = "*@*.darenet.org"; flags = "kgzsL"; };
Except { host = "*@127.0.0.1"; flags = "T"; };
Command Block
Requirement: | OPTIONAL |
Old conf format equivalents: | B:line |
Command {} blocks aim to improve the generic IRC users ability to use network services. Each block sets up a /<service> alias so that users may type that instead of a full /msg command. Some might argue this is a bit more secure as well :)
Command { cmd = "<alias name>"; service = "<target>"; prefix = "<anything to prepend to the message>"; };
If prefix = "";
is given, then ircd-darenet will prefix the specified string to whatever the user inputs before sending it to the service.
Example blocks:
Command { cmd = "AUTH"; service = "NickServ@services.darenet.org"; prefix = "AUTH"; };
Command { cmd = "NICKSERV"; service = "NickServ@services.darenet.org"; };
Forward Block
Requirement: | OPTIONAL |
Old conf format equivalents: | b:line |
Forward {} blocks enable the server to forward any messages which are prefixed and specific with a Forward {} block. This allows users to use Services' fantasy commands without a service client being in the channel (provided the channel is registered). This also removes the need for ChanServ to monitor channel traffic (e.g. allowing the use of umode +d).
Forward { "<prefix>" = "<server>"; };
Example block:
Forward { "." = "services.darenet.org"; "?" = "services.darenet.org"; };
Redirect Block
Requirement: | OPTIONAL |
Old conf format equivalents: | R:line |
When a client connects and his/her host matches a Redirect {} block, then a 010 reply is sent back to the client with the redirection server and port.
Currently only EPIC supports auto redirection when it gets a 010 reply (e.g. it will automatically connect to the server specified in the 010 reply). Other clients will get a message specifying what server and port to connect to. as well as an unauthorized disconnect.
Redirect { mask = "<mask>"; server = "<redirection server>"; port = "<redirection port>"; };
Redirect { mask = "*.aol.com"; server = "irc.aol.com"; port = "6667"; };
Spoofhost Block
Requirement: | OPTIONAL |
Old conf format equivalents: | S:line |
Spoofhost {} blocks allows clients/opers to spoof their host.
Spoofhost "<spoof host>" { pass = "<password>"; host = "<*.host.cc|a.b.c.*|CIDR>"; username = "<ident>"; };
- <spoof host> - The spoofed hostname.
- <pass> - A password for this spoof host. Used if SETHOST_USER is set to TRUE.
- <host> - A hostmask to match against users that are to be auto-spoofed. Used if SETHOST_AUTO is set to TRUE. Can be in the form of: host.domain.cc, 127.0.0.1 or 127.0.0.0/24, supports wildcards for non-CIDR.
- <username> - A mask for matching against the user's ident reply.
Example block:
Spoofhost "sline.darenet.org" { pass = "anygoodpass"; host = "127.0.0.1"; username = "*"; };
DNSBL Block
Requirement: | OPTIONAL |
Old conf format equivalents: | X:line |
DNSBL {} blocks allow you to prevent clients connecting who are listed on DNS blacklists. Their connection will be rejected during the connection process along with the name and reason you give for the DNSBL they have been matched on.
DNSBL { server = "<dnsbl.site.org>"; name = "<name>"; flags = "<flags>"; replies = "<replies/mask>"; reply = "<rejection message>"; rank = "<rank>"; };
Available flags:
- b (Bitmask DNSBL) - See your DNSBL provider as to whether you should use this or not.
- r (Reply DNSBL) - See your DNSBL provider as to whether you should use this or not.
- a (Allow Connect) - Allow the client to connect anyway. This could used with a DNSBL whitelist. This could also be used to allow users to still connect, but mark their hosts so that channel ops can easily ban them from their channels.
- d (Deny Connect) - If the user is found on this DNSBL, then they can't connect, even if they are allowed on through another DNSBL {} block.
- m (Mark Hostname) - Mark the hostname of a skipped client
The name option is used for the Mark Hostname flag, and may only contain hostname valid characters only (e.g. NO spaces). With Reply DNSBL's you need to list the replies in a comma separated list. See below for an example. With Bitmask DNSBL's, again, specify the replies you need to match for. The server will sum them up and match them against the DNSBL reply. The rejected user's nick, username, ip, and host can be placed into the rejection message by using these codes:
- %n - Nickname
- %u - Username
- %h - Hostname
- %i - IP Address
The rank number must be unique over all DNSBL {} blocks. The higher the number, the greater precedence it has. The highest ranking DNSBL {} block which is a matched against a user will get its name marked in the hostname.
Notes: MAKE SURE you read the DNSBL website before you go ahead and use it as they may have rules for large sites/servers who use them. If you do not wish to use DNSBL checking then simply do not create any DNSBL {} blocks.
Example blocks:
Reply DNSBL:
DNSBL { server = "dnsbl.sorbs.net"; name = "sorbs.net"; flags = "r"; replies = "1,2,3,4"; reply = "%n!%u@%h Found On Sorbs DNSBL http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?IP=%i"; rank = "1"; };
Bitmask DNSBL:
DNSBL { server = "dnsbl.dnsbl.net"; name = "dnsbl.net"; flags = "b"; replies = "1,3,5"; reply = "%n!%u@%h Found On DNSBL"; rank = "2"; };
WebIRC Block
Requirement: | OPTIONAL |
Old conf format equivalents: | W:line |
WebIRC {} blocks allow you display the real hostname of users connecting via CGI:IRC clients and sites such as Mibbit.com. These clients will send a WEBIRC command along with the user's hostname, ip and WebIRC {} block password to the server. The password needs to be encrypted like Operator {} block passwords. When the ircd receives the command, instead of using the hostname of the site the users is connecting from, the hostname sent in WEBIRC will be set. All this is done before the client enters the network completely. Please remember to enclose the description using quotes otherwise things will break.
WebIRC { mask = "<mask>"; pass = "<password>"; flags = "<flags>"; ident = "<ident>"; desc = "<description>"; };
Available flags:
- m - Marks each client connected via the WebIRC {} block using the provided description.
- s - Sets the ident specified in the ident field for each WEBIRC client.
- u - Uses the ident from USER that the WEBIRC client sends.
Note: Do not use both s and u, only choose one of them.
Example:
WebIRC { mask = "*@webchat.darenet.org"; pass = "VRKLKuGKn0jLs"; flags = "ms"; ident = "webirc"; desc = "DareNET WebChat"; };
SpamFilter Block
Requirement: | OPTIONAL |
Old conf format equivalents: | - |
This is probably the most controversial addition to ircd-darenet 1.3.x; however, sadly, it may become useful.
SpamFiler {} blocks allow you to filter PRIVMSG's, NOTICE's, TOPIC's and AWAY's for spam. The filtering is done using regular expressions, so please be careful.
SpamFilter { regex = "<regex>"; rtype = "<watch flags>"; action = "<action flags>"; reason = "<reason>"; channel = "<optional alert channel>"; length = <length in seconds>; };
- <regex> - PCRE format regular expression to match against.
- <watch flags> - See below for a list.
- <action flags> - See below for a list.
- <reason> - Used in error messages displayed to the user and/or kills/shuns/glines/zlines.
- <optional alert channel> - Requires the C action flag.
- <length in seconds> - Only applies to glines, zlines and shuns.
Available watch flags:
- n - Notices.
- N - Channel notices.
- p - Privmsgs.
- C - Channel privmsgs.
- q - Quits.
- P - Parts.
- d - DCCs.
- a - Away messages.
- t - Topics.
- u - Connects (nick!user@host:gecos).
- i - Nickname changes.
Available action flags:
- a - Auth. If used, logged in clients will be exempt from the filter.
- C - Channel alert. If used, filter matches will be sent to what is set in the SpamFilter {} block channel setting.
- S - Server (snotice) alert.
- k - Kill anyone who matches the filter.
- g - Gline anyone who matches the filter. The length can be given in seconds.
- z - Zline anyone who matches the filter. The length can be given in seconds. This zlines *@ip, so you do not need the i action flag.
- s - Shun anyone who matches the filter. The length can be given in seconds.
- i - Uses the client's IP vice host in a Gline/Shun.
- b - Block; will prevent the PRIVMSG/NOTICE/TOPIC/AWAY from going through.
- n - Notify; will notify the person matching the filter, stating they've matched a filter, and deny their message.
- m - Mark; will mark the client as being a spam source.
- K - Kick; will kick the user triggering the Spam Filter. The kick reason given will be the reason set in the Spam Filter. This Flag will only work with the N and C watch flags.
- o - Ops/HalfOps; exempts ops and halfops from any checks which have a channel target.
- v - Voice; exempts voiced users from any checks which have a channel target.
Notes:
- Shuns and Glines will be set using *@hostname. If you would them to be set using *@ip use the 'i' action flag.
- If you do not specify a length, then FILTER_DEFAULT_LENGTH will be used.
- The 'b' action flag cannot be used with the 'u' watch flag. You will need to use a kill flag to block them.
Features Block
Requirement: | SUGGESTED |
Old conf format equivalents: | F:line |
ircd-darenet has a large number of options and features, most of which can be configured using a Features {} block. If linking to DareNET, your Features {} block will be rather bare, since most DareNET-specific settings have been already defined in the source.
Features { "featurename" = "value"; "featurename2" = "value2"; };
You only need one Features {} block, in which you use "featurename" = "value1";, "featurename2" = "value2";, and so on. Please note all values, whether integers or strings, must be enclosed in double quotes.
See the servers features page for a list of available features.
Example block:
Features { "LOG" = "SYSTEM" "FILE" "ircd.log"; "LOG" = "SYSTEM" "LEVEL" "CRIT"; "HUB" = "FALSE"; };