Log in | Back to darenet.org

DareNET IRCd Configuration/1.5

m (Connect block)
(Connect block)
 
(36 intermediate revisions not shown)
Line 1: Line 1:
__NOTOC__
__NOTOC__
-
This is a reference guide for ircd-darenet 1.4.1+'s configuration file.
+
This is a reference guide for ircd-darenet 1.5.x's configuration file.
-
The configuration format consists of various blocks, each containing name-value pairs, tags and/or string data. It is designed to be easily readable by both human and ircd.
+
The configuration format consists of various blocks, each containing name-value pairs, tags or string data. It is designed to be easily readable by both human ircd.
-
A block consists of a block name, an opening '{' brace, statements, a closing '}' brace, and a ';' semicolon. A statement consists of a name possibly followed by an '=' equals sign and a value, ending with a semicolon. All strings are surrounded by '"' double quotes.
+
A block consists of a name, an opening '{' brace, statements, a closing '}' brace, and a ';' semicolon. A statement consists of a name possibly followed by an '=' equals sign and a value, ending with a semicolon. All strings must be surrounded by '"' double quotes.
A sample block:
A sample block:
Line 15: Line 15:
};</pre></html>
};</pre></html>
-
All elements of the configuration are separated by whitespace, and can be packed on one line, or broken up over several lines. Whitespace is defined as space, tab or carriage return/linefeed. Three form of comments are allowed:
+
All elements of the configuration are separated by whitespace, and can be packed on one line, or broken up over several lines. Whitespace is defined as space, tab or carriage return/linefeed. Three forms of comments are allowed:  
-
* C style single/multi-line
+
<pre>/* C style single/multi-line */
-
* C++ style single-line
+
-
* Shell style single-line
+
-
'''Important notes:''' When the configuration file is parsed, blocks are used in reverse order than how they are listed. This means you should start multiple block definitions with the "fall through", and end with the most detailed. Class {} blocks MUST be specified before anything that uses them. That means they must be defined before client {}, connect {} and operator {}.
+
// C++ style single-line
-
Times / durations are written as:
+
# Shell style single-line
 +
</pre>
-
* A number in seconds (e.g., 60)
+
{{info|text=Blocks are used in the reverse order than how they're listed, when the configuration file is parsed. This means you should start multiple block definitions with the "fall through", and end with the most detailed.}}
-
* 1 hours 30 minutes 10 seconds
+
-
* An arithmetic expression (e.g., 1*60+20)
+
-
 
+
-
Valid units of time:
+
-
 
+
-
* Decade, year, month, week, day, hour, minute, second
+
-
 
+
-
Valid units of size:
+
-
 
+
-
* terabyte / tbyte
+
-
* gigabyte / gbyte
+
-
* megabyte / mbyte
+
-
* kilobyte / kbyte
+
-
* byte
+
-
 
+
-
Sizes and times may be specified as singular or plural.
+
== General block ==
== General block ==
Line 55: Line 38:
The General block defines information about the server itself. It is required for the server to start.
The General block defines information about the server itself. It is required for the server to start.
-
<html><pre><strong>general</strong> {
+
<html><pre><strong>General</strong> {
     <span class="comment">/* name: the name of our server. */</span>
     <span class="comment">/* name: the name of our server. */</span>
     name = <span class="qstring">"test.area.zone.darenet.org"</span>;
     name = <span class="qstring">"test.area.zone.darenet.org"</span>;
Line 102: Line 85:
The Admin block defines information that can be retrieved with the <code>/ADMIN</code> command.
The Admin block defines information that can be retrieved with the <code>/ADMIN</code> command.
-
<html><pre><strong>admin</strong> {
+
<html><pre><strong>Admin</strong> {
     location = <span class="qstring">"DareNET - http://www.darenet.org"</span>;
     location = <span class="qstring">"DareNET - http://www.darenet.org"</span>;
     location = <span class="qstring">"Infrastructure Team"</span>;
     location = <span class="qstring">"Infrastructure Team"</span>;
Line 124: Line 107:
The Class blocks define connection classes. All connections to the server are associated with a "connection class", whether they be incoming or outgoing (initiated by the server), be they clients or servers.
The Class blocks define connection classes. All connections to the server are associated with a "connection class", whether they be incoming or outgoing (initiated by the server), be they clients or servers.
-
<html><pre><strong>class</strong> {
+
<html><pre><strong>Class</strong> {
     <span class="comment">/* name: a name for the connection class. */</span>
     <span class="comment">/* name: a name for the connection class. */</span>
     name = <span class="qstring">"Users"</span>;
     name = <span class="qstring">"Users"</span>;
Line 141: Line 124:
     maxlinks = <span class="integer">100</span>;
     maxlinks = <span class="integer">100</span>;
-
     <span class="comment">/* usermode: an optional list of user modes that should be set
+
     <span class="comment">/* usermode: an optional list of user modes that should set
     * upon the user while connecting.
     * upon the user while connecting.
     */</span>
     */</span>
     usermode = <span class="qstring">"+iw"</span>;  
     usermode = <span class="qstring">"+iw"</span>;  
 +
 +
    <span class="comment">/* maxchans: the maximum number of channels that clients may join.
 +
    */</span>
 +
    maxchans = <span class="integer">50</span>;
};
};
-
<strong>class</strong> {
+
<strong>Class</strong> {
     name = <span class="qstring">"Opers"</span>;
     name = <span class="qstring">"Opers"</span>;
     pingfreq = 2 minutes;
     pingfreq = 2 minutes;
Line 156: Line 143:
};
};
-
<strong>class</strong> {
+
<strong>Class</strong> {
     name = <span class="qstring">"Server"</span>;
     name = <span class="qstring">"Server"</span>;
     pingfreq = 3 minutes;
     pingfreq = 3 minutes;
Line 175: Line 162:
};
};
-
<strong>class</strong> {
+
<strong>Class</strong> {
     name = <span class="qstring">"Leaf_Server"</span>;
     name = <span class="qstring">"Leaf_Server"</span>;
     pingfreq = 3 minutes;
     pingfreq = 3 minutes;
Line 202: Line 189:
The Client blocks define the hosts client connections are allowed from, and places them into classes. While the server will start without a Client block, it will not be usable.
The Client blocks define the hosts client connections are allowed from, and places them into classes. While the server will start without a Client block, it will not be usable.
-
<html><pre><strong>client</strong> {
+
<html><pre><strong>Client</strong> {
     <span class="comment">/* host: resolved user@host mask allowed to connect. This is optional
     <span class="comment">/* host: resolved user@host mask allowed to connect. This is optional
-
     * if you are using the ip mask to match against.
+
     * if you are using the ip mask to match against.  Additionally, if you specify *@loc for
 +
    * this field it will match all LOC users.
     */</span>
     */</span>
     host = <span class="qstring">"*@*.wirehub.net"</span>;
     host = <span class="qstring">"*@*.wirehub.net"</span>;
Line 230: Line 218:
</pre></html>
</pre></html>
-
The server uses a default deny policy for incoming connections; at least one Client block must be supplied if you wish to use your server.
+
The server uses a default deny policy for incoming connections. You need to define at least one Client block if you wish to use your server.
-
The <code>host</code> and <code>ip</code> tokens specify which connections the block matches. The server always performs DNS and ident lookups for connections. If DNS cannot find a hostname, the IP is used instead. If ident cannot get a valid response, "unknown" is used during this state. The client's resolved hostname, IP address, ident reply, and username (from the USER line) are used according to the results of the matches described below.
+
The <code>host</code> and <code>ip</code> fields specify which connections the block matches. The server always performs a DNS and ident lookup for connections. If DNS cannot find a hostname, the IP address is used instead. If ident cannot get a valid reply, "unknown" is used during this state. The client's resolved hostname, IP address, ident reply, and username (from the USER line) are used according to the results of the matches described below.
-
Note: There is a special case for UNIX domain sockets and localhost connections. In these cases, the <code><ip mask></code> field is compared with the name of the server (thus not with any IP number representation). The name of the server is the one returned in the numeric 002 reply.
+
'''Note:''' There is a specify case for UNIX domain sockets and localhost connections. In these cases, the <code>ip / host</code> field is compared with the name of the server, and thus not with any IP number representation. The name of the server is that returned in the numeric 002 reply, example: <code>002 Your host is 2.darenet.org[jolan.ppro]. running version ...</code> In this example, "jolan.ppro" is the name used for matching; therefore, UNIX domain sockets and connections to localhost would match a block containing: <code>host = "*@jolan.ppro";</code>.
-
For example: <code>002 Your host is 2.darenet.org[jolan.ppro]. running version ...</code>
+
The <code>host</code> field attempts to match first against the resolved hostname, if available, and then against the IP address. To include the connection's ident reply in the match, use a mask in the form "ident@host". If a client matches, it appears on IRC using its resolved hostname.
-
In the above example, "jolan.ppro" is the name used for matching; therefore, UNIX domain sockets and connections to localhost would match a block containing: <code>host = "*@jolan.ppro";</code>
+
The <code>ip</code> field attempts to match against the IP address only. An ident may be specified to match against, as well.
-
The <code>host</code> token attempts to match first against the resolved hostname if available, then against the IP address. To include the connection's ident response in the match, use a mask in the form "ident@host". If a client matches this token, it appears on IRC using its resolved name.
+
'''Note:''' If the ident portion is specified in a mask (i.e., "ident@host" instead of "host"), and no ident reply is received from the client, it will appear on IRC with its username prefixed with a '~' tilde. If the matching mask used only the "host" form, the client's username is not prefixed. If a valid ident reply is received, it is always used and not prefixed.
-
The <code>ip</code> token attempts to match against the IP address only. An ident may be specified to match against, as well.
+
You need only specify a <code>host</code> or <code>ip</code> field, not both. If both are used, <code>host</code> is matched against first.
-
 
+
-
If the matching mask used ident ("ident@host" instead of "host"), and no ident response was received from the client, it appears on IRC with its username prefixed with '~'. If the matching mask used only the "host" form, the client's username is not prefixed. If a valid ident response was received, it is always used (without prefixed), regardless of the mask form.
+
-
 
+
-
Only one of the <code>host</code> and <code>ip</code> tokens is needed; if both are used, host is matched first. For typical configurations, using only the <code>host</code> token with a "*@host" or "ident@host" mask is recommended.
+
There may be multiple Client blocks; at least one is recommended.
There may be multiple Client blocks; at least one is recommended.
Line 262: Line 246:
The Motd blocks allow a different Message of the Day to be shown to connecting clients based on their origin.
The Motd blocks allow a different Message of the Day to be shown to connecting clients based on their origin.
-
<html><pre><strong>motd</strong> {
+
<html><pre><strong>Motd</strong> {
     <span class="comment">/* host: a hostmask, class number or class name to match against. */</span>
     <span class="comment">/* host: a hostmask, class number or class name to match against. */</span>
     host = <span class="qstring">"*.jp"</span>;
     host = <span class="qstring">"*.jp"</span>;
Line 271: Line 255:
</pre></html>
</pre></html>
-
More then one 'host' entry may be present in an Motd block.
+
More then one <code>host</code> field may be present in an Motd block.
There may be multiple Motd blocks.
There may be multiple Motd blocks.
Line 287: Line 271:
The Connect blocks define links to other servers.
The Connect blocks define links to other servers.
-
<html><pre><strong>connect</strong> {
+
<html><pre><strong>Connect</strong> {
     <span class="comment">/* name: the name of the server. */</span>
     <span class="comment">/* name: the name of the server. */</span>
     name = <span class="qstring">"uplink.darenet.org"</span>;
     name = <span class="qstring">"uplink.darenet.org"</span>;
Line 295: Line 279:
     */</span>
     */</span>
     host = <span class="qstring">"192.168.0.1"</span>;
     host = <span class="qstring">"192.168.0.1"</span>;
-
 
-
    <span class="comment">/* vhost: (optional) the host or IP to bind to for this connection.
 
-
    * If this is not specified, the default vhost (in general {}) is used.
 
-
    */</span>
 
-
    <span class="comment">#vhost = "192.168.0.50";</span>
 
     <span class="comment">/* password: the password we send and accept. */</span>
     <span class="comment">/* password: the password we send and accept. */</span>
Line 334: Line 313:
== CRule block ==
== CRule block ==
-
{| class="simpletable"
+
{| class="simpletable" width="100%"
|width="250px"|Requirement:
|width="250px"|Requirement:
|OPTIONAL
|OPTIONAL
Line 344: Line 323:
The CRule (connection rule) blocks control ircd-darenet's advanced, real-time rule-based routing decision making system.
The CRule (connection rule) blocks control ircd-darenet's advanced, real-time rule-based routing decision making system.
-
<html><pre><strong>crule</strong> {
+
<html><pre><strong>CRule</strong> {
     <span class="comment">/* server: rules will be applied towards servers matching this mask. */</span>
     <span class="comment">/* server: rules will be applied towards servers matching this mask. */</span>
     server = <span class="qstring">"*.eu.darenet.org"</span>;
     server = <span class="qstring">"*.eu.darenet.org"</span>;
Line 366: Line 345:
== Port Block ==
== Port Block ==
-
{| class="simpletable"
+
{| class="simpletable" width="100%"
|width="250px"|Requirement:
|width="250px"|Requirement:
|REQUIRED
|REQUIRED
Line 376: Line 355:
The Port blocks define where the server will accept connections. At least one port block is required to start.
The Port blocks define where the server will accept connections. At least one port block is required to start.
-
<html><pre><strong>port</strong> {
+
<html><pre><strong>Port</strong> {
     <span class="comment">/* port: the specific port to listen on. */</span>
     <span class="comment">/* port: the specific port to listen on. */</span>
     port = <span class="integer">7325</span>;
     port = <span class="integer">7325</span>;
Line 410: Line 389:
</pre></html>
</pre></html>
-
The mask setting should only contain IP addresses or '*' if used. This does not use DNS in any way, so you cannot use it to allow *.nl or *.uk, for example. Attempting to specify anything other than IP addresses will result in the port allowing connections from anyone (as if you used '*').
+
The <code>mask</code> field should only contain IP addresses (CIDR notation is supported) or '*', if used. This does not use DNS in any way, so you cannot use it to allow *.dk or *.uk, for example. Attempting to specify anything other than IP addresses will result in the port allowing connections from anyone (as if you used '*').
-
If a bind address (vhost) is not specified, the server will listen on all available interfaces for that port.
+
If the <code>vhost</code> field (i.e., bind address) is not specified, the server will listen on all available interfaces for that port.
There may be multiple Port blocks.
There may be multiple Port blocks.
-
== Operator Block ==
+
== Operator block ==
-
{| class="wikitable" width="40%" style="font-size: 97%; text-align: left;"
+
{| class="simpletable" width="100%"
-
| Requirement:
+
|width="250px"|Requirement:
-
| SUGGESTED
+
|SUGGESTED
|-
|-
-
| Old conf format equivalents:
+
|Old conf format equivalents:
-
| O:line
+
|<code>O:host:password:name:flags:class</code><br /><code>o:host:password:name:flags:class</code>
|}
|}
-
The Operator {} block defines a server operator. Oper status grants some special privileges to a user, like the power to make the server break or (try to) establish a connection with another server. and to "kill" users off the network.
+
The Operator blocks define server operators. One or more of these blocks is recommended if you intend to maintain your server.
-
More than one host = "mask"; entry may be present in one block; this has the same effect as one Operator block for each host entry, but makes it easier to update operator nicks, passwords, classes, and privileges.
+
<html><pre><strong>Operator</strong> {
 +
    <span class="comment">/* name: the oper's username. */</span>
 +
    name = <span class="qstring">"johndoe"</span>;
-
There may be multiple Operator {} blocks.
+
    <span class="comment">/* host: the user@host/IP mask required for this operator. CIDR
 +
    * notation is supported. Multiple host="" lines are supported.
 +
    */</span>
 +
    host = <span class="qstring">"god@*"</span>;
 +
    host = <span class="qstring">"*@127.0.0.1"</span>;
-
<pre>Operator
+
    <span class="comment">/* password: the password required to oper. By default, the password is
-
{
+
    * hashed using the system's native crypt() function. Other password
-
  name = "opername";
+
    * mechanisms are available; the umkpasswd utility located in the ircd
-
  host = "host/IP mask";
+
    * directory can hash passwords using those mechanisms. If you use a
-
  password = "encryptedpass";
+
    * password format that is not generated by umkpasswd, ircd-darenet will
-
  flags = "oper flags";
+
    * not recognize the oper's password.
-
  class = "classname";
+
    */</span>
-
  local = no;
+
    password = <span class="qstring">"/home/irc/keys/johndoe.key"</span>;
-
  snomask = "snomask";
+
-
  display_mode = yes;  routing = yes;  routeinfo = yes;
+
-
};</pre>
+
-
'''Required tokens:''' <code>name, host, password, flags</code>
+
    <span class="comment">/* flags: misc options for the oper. */</span>
 +
    flags = <span class="qstring">"OAWInFR"</span>;
-
'''Optional tokens:''' <code>class, snomask</code>
+
    <span class="comment">/* snomask: (optional) specific server notice mask on oper up. If this
 +
    * is specified, an oper will not be given sno_default.
 +
    */</span>
 +
    snomask = <span class="qstring">"+cegGiKorRs"</span>;
-
By default, the password is hashed using the system's native crypt() function. Other password mechanisms are available; the umkpasswd utility located in the ircd directory can hash passwords using those mechanisms. If you use a password format that is NOT generated by umkpasswd, ircd-darenet will not recognize the oper's password. If you want to use a non-encrypted password, prefix the password with $PLAIN$ (e.g., "$PLAIN$aPplE123"). NOTE: Plain passwords are not allowed on DareNET.
+
    <span class="comment">/* privileges: (optional) you can specify privileges an oper will be
 +
    * explicitly granted (or denied) upon opering. Any privileges defined
 +
    * will override any privilege settings that may be present in the class
 +
    * block specified above, and the default setting for those privileges.
 +
    */</span>
 +
    local = no;    routing = yes;    routeinfo = yes;
 +
};
 +
</pre></html>
-
A SSL client certificate fingerprint can be used in place of a password. To use this method, specify the fingerprint as the password, and add the S flag to the blocks oper flag string. This will allow the oper to simply use "/OPER opername" to oper, provided they are connected using SSL and have a matching certificate fingerprint.
+
The <code>name</code> and <code>password</code> fields match the parameters of the <code>OPER</code> command. To authenticate as an IRC operator, a client must match one of the <code>host</code> fields, which may be a resolved hostname or IP address.
-
If you want to use a even more secure password authentication system then generate a 1024bit RSA key, specify the path to the key as the password and add R as the oper flag. This will use the /CHALLENGE system instead of /OPER. See doc/challenge.txt for more information.
+
To use an unencrypted password, prefix the password with '$PLAIN', e.g., "$PLAIN$aPpLe".
-
Note that the <connection class> is optional, but omitting it puts the oper in class "default". which usually only accepts one connection at a time. If you want users to be able to /OPER more than once per block, then use a connection class that allows more than one connection.
+
If you want to use a more secure password authentication system, generate a 1024bit RSA key, and specify the path to the key as the password (as shown in the example above), and add 'R' to the <code>flags</code> field. This will use the <code>/CHALLENGE</code> system instead of <code>/OPER</code>. See doc/challenge.txt for more details.
-
Once you /OPER, your connection class changes no matter where you are or what your previous connection class was. If the defined connections class is Opers for the Operator {} block, then your new connection class is Opers.
+
A client may also use their SSL client certificate fingerprint to authenticate as an IRC operator. To use this method, specify the client's certificate fingerprint as the password, and add 'S' to the <code>flags</code> field.
-
'''Privileges:'''
+
Only one password authentication method may be used at a time. That is, you cannot use <code>CHALLENGE</code> and SSL client certificate fingerprint at the same time.
-
Operator privileges may be specified within the Operator {} block itself. A privilege defined for a single operator will override any privilege settings that may be present in the specified Class {} block, and the default setting.
+
There are currently 9 different oper flags:
 +
* o - Local operator
 +
* O - Global operator
 +
* A - Server administrator
 +
* r - This operator block may be used from remote servers
 +
* W - Allowed to set user mode +W
 +
* I - Allowed to set user mode +I
 +
* n - Allowed to set user mode +n
 +
* F - Allowed to set user mode +F
 +
* S - Use SSL client certificate fingerprint to <code>/OPER</code>
 +
* R - Use <code>/CHALLENGE</code> password authentication system.
 +
* j - Allowed to use juped nicknames.
-
NOTE: On DareNET, adding privileges you have not been authorized to your operator block may result in it being removed during periodic audits and/or the server being juped.
+
The <code>class</code> field specifies the connection class the client will be placed in, regardless of their previous connection class. If not specified, the default class is used; see the Class block description for details.
-
For a list of all supported privileges, go [[Operator Privileges|here]].
+
There may be multiple Operator blocks.
-
'''Oper flags:'''
+
== UWorld block ==
-
There are currently 9 different oper flags:
+
{| class="simpletable" width="100%"
 +
|width="250px"|Requirement:
 +
|OPTIONAL
 +
|-
 +
|Old conf format equivalents:
 +
|<code>U:server:jupednicks:*</code>
 +
|}
-
* o - Local Operator
+
The Uworld block defines "U-lined" servers, which are allowed to do special network things. Used for network services.
-
* O - Global Operator
+
-
* A - Server Administrator
+
-
* r - Operator {} block an be used from remote servers
+
-
* W - Allowed to set user mode +W (whois notice)
+
-
* I - Allowed to set user mode +I (hide idle)
+
-
* n - Allowed to set user mode +n (hide channels)
+
-
* S - Use SSL client certificate fingerprint to /OPER
+
-
* R - Use /CHALLENGE instead of /OPER
+
-
* j - Allowed to use juped nicknames
+
-
* F - Allowed to set user mode +F (flood exempt)
+
-
Note that you need at least an o or O flag for your block. Additionally, you cannot specify <code>*@*</code> in the host field.  
+
<html><pre><strong>UWorld</strong> {
 +
    <span class="comment">/* name: the server name or wildcard mask the "U-line" applies to. */</span>
 +
    name = <span class="qstring">"services.darenet.org"</span>;
 +
    name = <span class="qstring">"stats.darenet.org"</span>;
 +
};
 +
</pre></html>
-
Example block:
+
UWorld servers are permitted to do things typical network services would want to do, such as apply network bans, manage channel modes, etc; the details are too numerous and complex to provide here.
-
<c>Operator
+
-
{
+
-
  name = "JoeOper";
+
-
  host = "*joe@*.uu.net";
+
-
  password = "/home/irc/keys/joeoper.key";
+
-
  flags = "OrWInR";
+
-
  class = "Opers";
+
-
  local = no;
+
-
  kill = yes;
+
-
};</c>
+
-
== UWorld Block ==
+
There may be multiple UWorld blocks; all blocks are combined into one list.
-
{| class="wikitable" width="40%" style="font-size: 97%; text-align: left;"
+
== NickJupe block ==
-
| Requirement:
+
 
-
| OPTIONAL
+
{| class="simpletable" width="100%"
 +
|width="250px"|Requirement:
 +
|OPTIONAL
|-
|-
-
| Old conf format equivalents:
+
|Old conf format equivalents:
-
| U:line
+
|<code>U:server:jupednicks:*</code>
|}
|}
-
UWorld {} blocks allow a server to broadcast any mode change (without regard to TimeStamps), among other things. Used for network services.
+
The NickJupe blocks disallow certain nicknames from being used.
-
<pre>UWorld
+
<html><pre><strong>NickJupe</strong> {
-
{
+
    <span class="qstring">"ChanServ"</span> = <span class="qstring">"Reserved for Services"</span>;
-
  name = "realservername";
+
    <span class="qstring">"NickS?rv"</span> = <span class="qstring">"Reserved for Services"</span>;
-
};</pre>
+
};
 +
</pre></html>
-
Note, these lines must be the same on every single server; otherwise, results may be disastrous.
+
Entries are specified in a key-value format, with the key being the nick to disallow (the '*' and '?' wildcards are supported), and the value being the reason (a single-line reason for the restriction, which is sent to clients along with the rejection notice).
-
You may have have more than one name listed in a block. There may be multiple UWorld {} blocks.
+
There may be multiple NickJupe blocks; all blocks are combined into one list.
-
Example block:
+
== Quarantine block ==
-
 
+
-
<c>UWorld
+
-
{
+
-
  name = "services.darenet.org";
+
-
  name = "statistics.darenet.org";
+
-
};</c>
+
-
== NickJupe Block ==
+
{| class="simpletable" width="100%"
-
 
+
|width="250px"|Requirement:
-
{| class="wikitable" width="40%" style="font-size: 97%; text-align: left;"
+
|OPTIONAL
-
| Requirement:
+
-
| OPTIONAL
+
|-
|-
-
| Old conf format equivalents:
+
|Old conf format equivalents:
-
| New ''(split from old U:line)''
+
|<code>Q:channel:reason</code>
|}
|}
-
It is possible to "jupe" nicknames, so that users may not use them. This also prevents opers from using them, unless their Operator {} block contains the 'j' oper flag. You may also specify wildcards of * and ?. The <reason> is shown to the user when trying to use a juped nickname.
+
The Quarantine blocks disallow certain channel names from being used by non-opers.
-
You may have more than one nick/reason pair listed in a block. There may be multiple NickJupe {} blocks.
+
<html><pre><strong>Quarantine</strong> {
 +
    <span class="qstring">"#help"</span> = <span class="qstring">"For assistance, please join #Support instead."</span>;
 +
};
 +
</pre></html>
-
<pre>NickJupe
+
Entries are specified in a key-value format, with the key being the channel to disallow, and the value being the reason (a single-line reason for the restriction, which is sent to clients along with the rejection notice). Note, these are only checked at <code>/JOIN</code>, so if you add a channel and rehash, users will not be kicked if they're already in the channel.
-
{
+
-
  "nick" = "reason";
+
-
};</pre>
+
-
'''Example block:'''
+
There may be multiple Quarantine blocks; all blocks are combined into one list.
-
 
+
-
<c>NickJupe
+
-
{
+
-
  "*ChanS?rv*" = "Reserved for Services.";
+
-
  "*NickS?rv*" = "Reserved for Services.";
+
-
  "DareNET" = "Reserved for network staff.";
+
-
};</c>
+
== Ban Block ==
== Ban Block ==
Line 668: Line 651:
<mask> is an ident@ip/host/cidr mask that is to match the user to be exempted. <flags> is one or more of the following flags to specify what the exempt is to match.
<mask> is an ident@ip/host/cidr mask that is to match the user to be exempted. <flags> is one or more of the following flags to specify what the exempt is to match.
 +
* k - Except affects KLINEs.
* g - Except affects GLINEs.
* g - Except affects GLINEs.
* i - Except affects ident challenges (see IDENT_CHALLENGE feature).
* i - Except affects ident challenges (see IDENT_CHALLENGE feature).
-
* j - Except affects NickJupes.
+
* n - Except for notilde.
* s - Except affects SHUNs.
* s - Except affects SHUNs.
* z - Except affects ZLINEs.
* z - Except affects ZLINEs.
Line 680: Line 664:
NOTE: For throttling/clone exemptions (I), only IP addresses are supported, since these checks are performed before any DNS resolutions or identd replies are received.
NOTE: For throttling/clone exemptions (I), only IP addresses are supported, since these checks are performed before any DNS resolutions or identd replies are received.
 +
NOTE: For notilde (n), IP/Host is required.
Example block:
Example block:
Line 685: Line 670:
<c>Except
<c>Except
{
{
-
   host = "*@*.darenet.org";
+
   mask = "*@*.darenet.org";
   flags = "kgzsL";
   flags = "kgzsL";
};</c>
};</c>
Line 691: Line 676:
<c>Except
<c>Except
{
{
-
   host = "*@127.0.0.1";
+
   mask = "*@127.0.0.1";
-
   flags = "T";
+
   flags = "I";
};</c>
};</c>
Line 814: Line 799:
   host = "127.0.0.1";
   host = "127.0.0.1";
   username = "*";
   username = "*";
-
};</c>
 
-
 
-
== Quarantine Block ==
 
-
 
-
{| class="wikitable" width="40%" style="font-size: 97%; text-align: left;"
 
-
| Requirement:
 
-
| OPTIONAL
 
-
|-
 
-
| Old conf format equivalents:
 
-
| Q:line
 
-
|}
 
-
 
-
Quarantine {} blocks, in ircd-darenet, allow you to specify channels that non-opers cannot join. The reason specified will be shown to users when they try to join the channel. Note, these are only checked at /JOIN. So, if you add a channel and rehash, users will not be kicked if they're already in the channel.
 
-
 
-
<pre>Quarantine
 
-
{
 
-
  "<channel>" = "reason";
 
-
};</pre>
 
-
 
-
Example block:
 
-
 
-
<c>Quarantine
 
-
{
 
-
  "#help" = "For assistance, please join #Support instead.";
 
};</c>
};</c>

Current revision as of 18:00, 17 June 2013

This is a reference guide for ircd-darenet 1.5.x's configuration file.

The configuration format consists of various blocks, each containing name-value pairs, tags or string data. It is designed to be easily readable by both human ircd.

A block consists of a name, an opening '{' brace, statements, a closing '}' brace, and a ';' semicolon. A statement consists of a name possibly followed by an '=' equals sign and a value, ending with a semicolon. All strings must be surrounded by '"' double quotes.

A sample block:

blockname {
    name = value;
    name = "string";
    name = 123;
    tag;
};

All elements of the configuration are separated by whitespace, and can be packed on one line, or broken up over several lines. Whitespace is defined as space, tab or carriage return/linefeed. Three forms of comments are allowed:

/* C style single/multi-line */

// C++ style single-line

# Shell style single-line

Blocks are used in the reverse order than how they're listed, when the configuration file is parsed. This means you should start multiple block definitions with the "fall through", and end with the most detailed.

General block

Requirement: REQUIRED
Old conf format equivalents: M:name:vhost:description::numeric

The General block defines information about the server itself. It is required for the server to start.

General {
    /* name: the name of our server. */
    name = "test.area.zone.darenet.org";

    /* description: the description of our server. */
    description = "ircd-darenet test server";

    /* numeric: the unique server numeric for our server. It must be a
     * digit between 0 and 4095, and is not updated on a rehash.
     */
    numeric = 999;

    /* vhost: the IP to bind to when we connect outward to other servers.
     * It must contain either a * or a valid ipv4 address in dotted quad notation. 
     */
    vhost = "192.169.0.1";

    /* ssl_private_key: our ssl private key. */
    ssl_private_key = "etc/ircd.key";

    /* ssl_pem: file containing our ssl certificate and private key */
    ssl_pem = "etc/ircd.pem";

    /* dpass: (optional) password for DIE command. */
    dpass = "encrypted pass";

    /* rpass: (optional) password for RESTART command. */
    rpass = "$PLAIN$password";  
};

The server name may only be changed by a server restart. The description can be changed on rehash, but will not propagate to other linked servers.

There must be exactly one General block.

Admin block

Requirement: SUGGESTED
Old conf format equivalents: A:line1:line2:line3

The Admin block defines information that can be retrieved with the /ADMIN command.

Admin {
    location = "DareNET - http://www.darenet.org";
    location = "Infrastructure Team";
    contact = "<infrastructure@darenet.org>";
};

Not all lines are required. There may only be one Admin block.

Class block

Requirement: RECOMMENDED
Old conf format equivalents: Y:class:pingfreq::maxlinks:sendq (clients)
Y:class:pingfreq:connectfreq:maxlinks:sendq (servers)

The Class blocks define connection classes. All connections to the server are associated with a "connection class", whether they be incoming or outgoing (initiated by the server), be they clients or servers.

Class {
    /* name: a name for the connection class. */
    name = "Users";

    /* pingfreq: how often to PING idle connections. */
    pingfreq = 1 minute 30 seconds;

    /* sendq: send buffer limit (i.e., the amount of data allowed in
     * a client's queue before they are dropped.
     */
    sendq = 100 kilobytes;

    /* maxlinks: the maximum number of connections that may use this
     * class. May be between 0 and 4,000,000,000.
     */
    maxlinks = 100;

    /* usermode: an optional list of user modes that should set
     * upon the user while connecting.
     */
    usermode = "+iw"; 

    /* maxchans: the maximum number of channels that clients may join.
    */
    maxchans = 50;
};

Class {
    name = "Opers";
    pingfreq = 2 minutes;
    sendq = 100 kilobytes;
    maxlinks = 10;
    usermode = "+iw";
    whox;
};

Class {
    name = "Server";
    pingfreq = 3 minutes;

    /* connectfreq: this token applies only to servers, and specifies
     * the frequency that the server tries to auto connect. Setting this to 0 will cause a
     * server to attempt to connect repeatedly, with no delay until the maxlinks condition
     * is satisfied (which is not a good thing).
     */
    connectfreq = 5 minutes;

    /* maxlinks: for server classes, specifies the maximum number of
     * servers to autoconnect to. This should be 0 for hubs, and 1 for leafs.
     */
    maxlinks = 0;

    sendq = 10 megabytes;
};

Class {
    name = "Leaf_Server";
    pingfreq = 3 minutes;
    connectfreq = 5 minutes;
    maxlinks = 1;
    sendq = 10 megabytes;
};

For connection classes intended for operator use, you can specify privileges the operator should be granted when the Operator block names the class. The local privilege MUST be defined by either the Class or Operator block. It is highly recommended that most privileges be explicitly specified in the operator's Operator block on DareNET.

A "default" class is created internally. This class is used when no other class is specified, but its settings are not useful for most situations. Custom classes are strongly recommended.

There may be multiple Class blocks; at least one is recommended.

Client block

Requirement: RECOMMENDED
Old conf format equivalents: I:ipmask:passwd:hostmask:port:class

The Client blocks define the hosts client connections are allowed from, and places them into classes. While the server will start without a Client block, it will not be usable.

Client {
    /* host: resolved user@host mask allowed to connect. This is optional
     * if you are using the ip mask to match against.  Additionally, if you specify *@loc for 
     * this field it will match all LOC users.
     */
    host = "*@*.wirehub.net";

    /* ip: unresolved user@ip mask allowed to connect. */
    ip = "*@195.86.128.*";

    /* password: (optional) password that is required to use this block.
     * This password string is not encrypted.
     */
    password = "letMEHin";

    /* class: the class the user should be placed in. */
    class = "Users";

    /* maxlinks: if specified, the server will only accept clients when 
     * the total number of connections to the network from the same IP number doesn't exceed
     * this number.
     */
    maxlinks = 6;

    /* port: (optional) a port to limit this block to. */
    port = 6660;
};

The server uses a default deny policy for incoming connections. You need to define at least one Client block if you wish to use your server.

The host and ip fields specify which connections the block matches. The server always performs a DNS and ident lookup for connections. If DNS cannot find a hostname, the IP address is used instead. If ident cannot get a valid reply, "unknown" is used during this state. The client's resolved hostname, IP address, ident reply, and username (from the USER line) are used according to the results of the matches described below.

Note: There is a specify case for UNIX domain sockets and localhost connections. In these cases, the ip / host field is compared with the name of the server, and thus not with any IP number representation. The name of the server is that returned in the numeric 002 reply, example: 002 Your host is 2.darenet.org[jolan.ppro]. running version ... In this example, "jolan.ppro" is the name used for matching; therefore, UNIX domain sockets and connections to localhost would match a block containing: host = "*@jolan.ppro";.

The host field attempts to match first against the resolved hostname, if available, and then against the IP address. To include the connection's ident reply in the match, use a mask in the form "ident@host". If a client matches, it appears on IRC using its resolved hostname.

The ip field attempts to match against the IP address only. An ident may be specified to match against, as well.

Note: If the ident portion is specified in a mask (i.e., "ident@host" instead of "host"), and no ident reply is received from the client, it will appear on IRC with its username prefixed with a '~' tilde. If the matching mask used only the "host" form, the client's username is not prefixed. If a valid ident reply is received, it is always used and not prefixed.

You need only specify a host or ip field, not both. If both are used, host is matched against first.

There may be multiple Client blocks; at least one is recommended.

Motd block

Requirement: OPTIONAL
Old conf format equivalents: T:hostmask|classnumber:path

The Motd blocks allow a different Message of the Day to be shown to connecting clients based on their origin.

Motd {
    /* host: a hostmask, class number or class name to match against. */
    host = "*.jp";

    /* file: the path to the MOTD file to be shown (relative to DPATH). */
    file = "jp.motd";
};

More then one host field may be present in an Motd block.

There may be multiple Motd blocks.

Connect block

Requirement: OPTIONAL
Old conf format equivalents: C:host:cpassword:name:port:class
N:host:apassword:name:flags:class
H:host::name:maxhops
L:host::mask:depth

The Connect blocks define links to other servers.

Connect {
    /* name: the name of the server. */
    name = "uplink.darenet.org";

    /* host: the host or IP to connect to. If a hostname is used it
     * must match the reverse dns of the server.
     */
    host = "192.168.0.1";

    /* password: the password we send and accept. */
    password = "somepass";

    /* port: the port to connect to this server on. This is also the
     * port used when the server attempts to auto-connect (if enabled). 
     */
    port = 7325;

    /* class: the class this server should be placed in. */
    class = "Server";

    /* maxhops: the max number of hops a hub may introduce. If a hub
     * tries to introduce servers farther away than what is specified here, an SQUIT is
     * issued. The 'leaf' token is an alias for "maxhops = 0;". 
     */
    maxhops = 2;

    /* hub: (optional) the mask of servers that this server may hub
     * for. The tag 'hub' is an alias for 'hub = "*";'.
     */
    hub = "*.us.darenet.org";

    /* autoconnect: (optional) determines if we should try to
    * automatically connect to this server. The default is to autoconnect.
    */
    autoconnect = no;  
};

There may be multiple Connect blocks.

CRule block

Requirement: OPTIONAL
Old conf format equivalents: D:servermask::rule
d:servermask::rule

The CRule (connection rule) blocks control ircd-darenet's advanced, real-time rule-based routing decision making system.

CRule {
    /* server: rules will be applied towards servers matching this mask. */
    server = "*.eu.darenet.org";

    /* rule: the connection rule. */
    rule = "connected(amsterdam.eu.*)";

    /* all: (optional) setting this to 'yes' will make the rule always
     * apply; otherwise, it only applies to autoconnects.
     */
    all = yes;
};

If more than one server mask is present in a single crule, the rule will apply to all servers.

See doc/readme.crules for more information on the crule system, including examples of allowed rules.

There may be multiple CRule blocks.

Port Block

Requirement: REQUIRED
Old conf format equivalents: P:hostmask:interface:<[CES][H]>:port

The Port blocks define where the server will accept connections. At least one port block is required to start.

Port {
    /* port: the specific port to listen on. */
    port = 7325;

    /* mask: (optional) the IP address (or a range of IP addresses) that
     * the server will allow connections from.
     */
    mask = "127.0.*.*";

    /* vhost: (optional) set a specific IP/host the port (listed after
     * the 'port' token) will listen for.
     */
    vhost = "127.0.0.1";

    /* server: setting this to yes makes this a server only port. */
    server = yes;

    /* hidden: (optional) setting this to 'yes' makes the port
     * "hidden" from stats replies.
     */
    hidden = yes;

    /* crypt: (optional) setting this to 'yes' makes the port accept
     * SSL connections.
     */
    crypt = yes;

    /* exempt: (optional) setting this to 'yes' makes the port exempt
     * from connection restrictions during a timed /RESTART or /DIE.
     */
    exempt = no;
};

The mask field should only contain IP addresses (CIDR notation is supported) or '*', if used. This does not use DNS in any way, so you cannot use it to allow *.dk or *.uk, for example. Attempting to specify anything other than IP addresses will result in the port allowing connections from anyone (as if you used '*').

If the vhost field (i.e., bind address) is not specified, the server will listen on all available interfaces for that port.

There may be multiple Port blocks.

Operator block

Requirement: SUGGESTED
Old conf format equivalents: O:host:password:name:flags:class
o:host:password:name:flags:class

The Operator blocks define server operators. One or more of these blocks is recommended if you intend to maintain your server.

Operator {
    /* name: the oper's username. */
    name = "johndoe";

    /* host: the user@host/IP mask required for this operator. CIDR
     * notation is supported. Multiple host="" lines are supported.
     */
    host = "god@*";
    host = "*@127.0.0.1";

    /* password: the password required to oper. By default, the password is
     * hashed using the system's native crypt() function. Other password
     * mechanisms are available; the umkpasswd utility located in the ircd
     * directory can hash passwords using those mechanisms. If you use a
     * password format that is not generated by umkpasswd, ircd-darenet will
     * not recognize the oper's password.
     */
    password = "/home/irc/keys/johndoe.key";

    /* flags: misc options for the oper. */
    flags = "OAWInFR";

    /* snomask: (optional) specific server notice mask on oper up. If this
     * is specified, an oper will not be given sno_default.
     */
    snomask = "+cegGiKorRs";

    /* privileges: (optional) you can specify privileges an oper will be
     * explicitly granted (or denied) upon opering. Any privileges defined
     * will override any privilege settings that may be present in the class
     * block specified above, and the default setting for those privileges.
     */
    local = no;    routing = yes;    routeinfo = yes;
};

The name and password fields match the parameters of the OPER command. To authenticate as an IRC operator, a client must match one of the host fields, which may be a resolved hostname or IP address.

To use an unencrypted password, prefix the password with '$PLAIN', e.g., "$PLAIN$aPpLe".

If you want to use a more secure password authentication system, generate a 1024bit RSA key, and specify the path to the key as the password (as shown in the example above), and add 'R' to the flags field. This will use the /CHALLENGE system instead of /OPER. See doc/challenge.txt for more details.

A client may also use their SSL client certificate fingerprint to authenticate as an IRC operator. To use this method, specify the client's certificate fingerprint as the password, and add 'S' to the flags field.

Only one password authentication method may be used at a time. That is, you cannot use CHALLENGE and SSL client certificate fingerprint at the same time.

There are currently 9 different oper flags:

  • o - Local operator
  • O - Global operator
  • A - Server administrator
  • r - This operator block may be used from remote servers
  • W - Allowed to set user mode +W
  • I - Allowed to set user mode +I
  • n - Allowed to set user mode +n
  • F - Allowed to set user mode +F
  • S - Use SSL client certificate fingerprint to /OPER
  • R - Use /CHALLENGE password authentication system.
  • j - Allowed to use juped nicknames.

The class field specifies the connection class the client will be placed in, regardless of their previous connection class. If not specified, the default class is used; see the Class block description for details.

There may be multiple Operator blocks.

UWorld block

Requirement: OPTIONAL
Old conf format equivalents: U:server:jupednicks:*

The Uworld block defines "U-lined" servers, which are allowed to do special network things. Used for network services.

UWorld {
    /* name: the server name or wildcard mask the "U-line" applies to. */
    name = "services.darenet.org";
    name = "stats.darenet.org";
};

UWorld servers are permitted to do things typical network services would want to do, such as apply network bans, manage channel modes, etc; the details are too numerous and complex to provide here.

There may be multiple UWorld blocks; all blocks are combined into one list.

NickJupe block

Requirement: OPTIONAL
Old conf format equivalents: U:server:jupednicks:*

The NickJupe blocks disallow certain nicknames from being used.

NickJupe {
    "ChanServ" = "Reserved for Services";
    "NickS?rv" = "Reserved for Services";
};

Entries are specified in a key-value format, with the key being the nick to disallow (the '*' and '?' wildcards are supported), and the value being the reason (a single-line reason for the restriction, which is sent to clients along with the rejection notice).

There may be multiple NickJupe blocks; all blocks are combined into one list.

Quarantine block

Requirement: OPTIONAL
Old conf format equivalents: Q:channel:reason

The Quarantine blocks disallow certain channel names from being used by non-opers.

Quarantine {
    "#help" = "For assistance, please join #Support instead.";
};

Entries are specified in a key-value format, with the key being the channel to disallow, and the value being the reason (a single-line reason for the restriction, which is sent to clients along with the rejection notice). Note, these are only checked at /JOIN, so if you add a channel and rehash, users will not be kicked if they're already in the channel.

There may be multiple Quarantine blocks; all blocks are combined into one list.

Ban Block

Requirement: OPTIONAL
Old conf format equivalents: K:line

Ban {} blocks disallow connections from clients based on specific ident, host and/or gecos masks. They are a flexible general client ban mechanism.

Ban
{
  host = "user@host";
  reason = "The reason the user will see";
  klineprompt;
  name = "mark";
};

Required tokens (at least one of): host, realname, username

Optional tokens: klineprompt, reason, name, file

If klineprompt; is present, users may bypass the ban by using Login-on-Connect (LOC). You can also mark clients by using name = "mark here";

Ban
{
  realname = "realname here";
  reason = "The reason the user will see";
};

It is also possible to ban based on username.

Ban
{
  username = "username here";
  reason = "The reason the user will see";
};

It is also possible to use a file as comment for the ban, using.

Ban
{
  host = "user@host";
  file = "path/to/file/with/reason/to/show";
};

The file can contain for example, a reason, a link to the server rules and a contact address. Also, note the combination of username and host in the host field. IP-based Ban {} blocks apply to all hosts, even if an IP address has a properly resolving host name. CIDR format is the most efficient, and should be used when possible. The server will attempt to convert wildcard IP masks to CIDR form internally.

Additionally, you may specify a hostmask prefixed with $V to indicate a match should be performed against the CTCP version of the user rather han the host/IP.

Ban
{
  version = "string";
  reason = "reason here";
};

There may be multiple Ban {} blocks.

Example blocks:

Ban
{
  host = "*@*.aol.com";
  reason = "Due to abuse, AOL users must login with their DareNET account to connect.";
  klineprompt;
};
Ban
{
  host = "192.168.*";
  reason = "Monkeys.";
};
Ban
{
  host = "192.168.0.0/16";
  reason = "Monkeys.";
};
Ban
{
  username = "sub7";
  realname = "s*7*";
  reason = "You are infected with a Trojan";
};
Ban
{
  username = "sub7";
  realname = "s*7*";
  reason = "You are infected with a Trojan";
};

Except Block

Requirement: OPTIONAL
Old conf format equivalents: E:line

Except {} blocks can be used to exempt a user from Kill {} blocks, GLINEs, ZLINEs, SHUNs, spam filters, IDENT_CHALLENGE and LIST restrictions.

Except
{
  mask = "<mask>";
  flags = "<flags>";
};

<mask> is an ident@ip/host/cidr mask that is to match the user to be exempted. <flags> is one or more of the following flags to specify what the exempt is to match.

  • k - Except affects KLINEs.
  • g - Except affects GLINEs.
  • i - Except affects ident challenges (see IDENT_CHALLENGE feature).
  • n - Except for notilde.
  • s - Except affects SHUNs.
  • z - Except affects ZLINEs.
  • F - Forces umode +F on user to bypass message flood checks.
  • I - Exempts user from rapid (re)connection throttling & clone checks.
  • L - Except affects LIST restrictions.
  • N - Exempts user from "no connections" restrictions, allowing them to connect anyway.
  • S - Except affects spam filters.

NOTE: For throttling/clone exemptions (I), only IP addresses are supported, since these checks are performed before any DNS resolutions or identd replies are received. NOTE: For notilde (n), IP/Host is required.

Example block:

Except
{
  mask = "*@*.darenet.org";
  flags = "kgzsL";
};
Except
{
  mask = "*@127.0.0.1";
  flags = "I";
};

Command Block

Requirement: OPTIONAL
Old conf format equivalents: B:line

Command {} blocks aim to improve the generic IRC users ability to use network services. Each block sets up a /<service> alias so that users may type that instead of a full /msg command. Some might argue this is a bit more secure as well :)

Command
{
  cmd = "<alias name>";
  service = "<target>";
  prefix = "<anything to prepend to the message>";
};

If prefix = ""; is given, then ircd-darenet will prefix the specified string to whatever the user inputs before sending it to the service.

Example blocks:

Command
{
  cmd = "AUTH";
  service = "NickServ@services.darenet.org";
  prefix = "AUTH";
};
Command
{
  cmd = "NICKSERV";
  service = "NickServ@services.darenet.org";
};

Forward Block

Requirement: OPTIONAL
Old conf format equivalents: b:line

Forward {} blocks enable the server to forward any messages which are prefixed and specific with a Forward {} block. This allows users to use Services' fantasy commands without a service client being in the channel (provided the channel is registered). This also removes the need for ChanServ to monitor channel traffic (e.g. allowing the use of umode +d).

Forward
{
  "<prefix>" = "<server>";
};

Example block:

Forward
{
  "." = "services.darenet.org";
  "?" = "services.darenet.org";
};

Redirect Block

Requirement: OPTIONAL
Old conf format equivalents: R:line

When a client connects and his/her host matches a Redirect {} block, then a 010 reply is sent back to the client with the redirection server and port.

Currently only EPIC supports auto redirection when it gets a 010 reply (e.g. it will automatically connect to the server specified in the 010 reply). Other clients will get a message specifying what server and port to connect to. as well as an unauthorized disconnect.

Redirect
{
  mask = "<mask>";
  server = "<redirection server>";
  port = "<redirection port>";
};
Redirect
{
  mask = "*.aol.com";
  server = "irc.aol.com";
  port = "6667";
};

Spoofhost Block

Requirement: OPTIONAL
Old conf format equivalents: S:line

Spoofhost {} blocks allows clients/opers to spoof their host.

Spoofhost "<spoof host>"
{
  pass = "<password>";
  host = "<*.host.cc|a.b.c.*|CIDR>";
  username = "<ident>";
};
  • <spoof host> - The spoofed hostname.
  • <pass> - A password for this spoof host. Used if SETHOST_USER is set to TRUE.
  • <host> - A hostmask to match against users that are to be auto-spoofed. Used if SETHOST_AUTO is set to TRUE. Can be in the form of: host.domain.cc, 127.0.0.1 or 127.0.0.0/24, supports wildcards for non-CIDR.
  • <username> - A mask for matching against the user's ident reply.

Example block:

Spoofhost "sline.darenet.org"
{
  pass = "anygoodpass";
  host = "127.0.0.1";
  username = "*";
};

DNSBL Block

Requirement: OPTIONAL
Old conf format equivalents: X:line

DNSBL {} blocks allow you to prevent clients connecting who are listed on DNS blacklists. Their connection will be rejected during the connection process along with the name and reason you give for the DNSBL they have been matched on.

DNSBL
{
  server = "<dnsbl.site.org>";
  name = "<name>";
  flags = "<flags>";
  replies = "<replies/mask>";
  reply = "<rejection message>";
  rank = "<rank>";
};

Available flags:

  • b (Bitmask DNSBL) - See your DNSBL provider as to whether you should use this or not.
  • r (Reply DNSBL) - See your DNSBL provider as to whether you should use this or not.
  • a (Allow Connect) - Allow the client to connect anyway. This could used with a DNSBL whitelist. This could also be used to allow users to still connect, but mark their hosts so that channel ops can easily ban them from their channels.
  • d (Deny Connect) - If the user is found on this DNSBL, then they can't connect, even if they are allowed on through another DNSBL {} block.
  • m (Mark Hostname) - Mark the hostname of a skipped client

The name option is used for the Mark Hostname flag, and may only contain hostname valid characters only (e.g. NO spaces). With Reply DNSBL's you need to list the replies in a comma separated list. See below for an example. With Bitmask DNSBL's, again, specify the replies you need to match for. The server will sum them up and match them against the DNSBL reply. The rejected user's nick, username, ip, and host can be placed into the rejection message by using these codes:

  •  %n - Nickname
  •  %u - Username
  •  %h - Hostname
  •  %i - IP Address

The rank number must be unique over all DNSBL {} blocks. The higher the number, the greater precedence it has. The highest ranking DNSBL {} block which is a matched against a user will get its name marked in the hostname.

Notes: MAKE SURE you read the DNSBL website before you go ahead and use it as they may have rules for large sites/servers who use them. If you do not wish to use DNSBL checking then simply do not create any DNSBL {} blocks.

Example blocks:

Reply DNSBL:

DNSBL
{
  server = "dnsbl.sorbs.net";
  name = "sorbs.net";
  flags = "r";
  replies = "1,2,3,4";
  reply = "%n!%u@%h Found On Sorbs DNSBL http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?IP=%i";
  rank = "1";
};

Bitmask DNSBL:

DNSBL
{
  server = "dnsbl.dnsbl.net";
  name = "dnsbl.net";
  flags = "b";
  replies = "1,3,5";
  reply = "%n!%u@%h Found On DNSBL";
  rank = "2";
};

WebIRC Block

Requirement: OPTIONAL
Old conf format equivalents: W:line

WebIRC {} blocks allow you display the real hostname of users connecting via CGI:IRC clients and sites such as Mibbit.com. These clients will send a WEBIRC command along with the user's hostname, ip and WebIRC {} block password to the server. The password needs to be encrypted like Operator {} block passwords. When the ircd receives the command, instead of using the hostname of the site the users is connecting from, the hostname sent in WEBIRC will be set. All this is done before the client enters the network completely. Please remember to enclose the description using quotes otherwise things will break.

WebIRC
{
  mask = "<mask>";
  pass = "<password>";
  flags = "<flags>";
  ident = "<ident>";
  desc = "<description>";
};

Available flags:

  • m - Marks each client connected via the WebIRC {} block using the provided description.
  • s - Sets the ident specified in the ident field for each WEBIRC client.
  • u - Uses the ident from USER that the WEBIRC client sends.

Note: Do not use both s and u, only choose one of them.

Example:

WebIRC
{
  mask = "*@webchat.darenet.org";
  pass = "VRKLKuGKn0jLs";
  flags = "ms";
  ident = "webirc";
  desc = "DareNET WebChat";
};

SpamFilter Block

Requirement: OPTIONAL
Old conf format equivalents: -

This is probably the most controversial addition to ircd-darenet 1.3.x; however, sadly, it may become useful.

SpamFiler {} blocks allow you to filter PRIVMSG's, NOTICE's, TOPIC's and AWAY's for spam. The filtering is done using regular expressions, so please be careful.

SpamFilter {
   regex = "<regex>";                   
   rtype = "<watch flags>";                
   action = "<action flags>";              
   reason = "<reason>";
   channel = "<optional alert channel>";   
   length = <length in seconds>;                        
};
  • <regex> - PCRE format regular expression to match against.
  • <watch flags> - See below for a list.
  • <action flags> - See below for a list.
  • <reason> - Used in error messages displayed to the user and/or kills/shuns/glines/zlines.
  • <optional alert channel> - Requires the C action flag.
  • <length in seconds> - Only applies to glines, zlines and shuns.

Available watch flags:

  • n - Notices.
  • N - Channel notices.
  • p - Privmsgs.
  • C - Channel privmsgs.
  • q - Quits.
  • P - Parts.
  • d - DCCs.
  • a - Away messages.
  • t - Topics.
  • u - Connects (nick!user@host:gecos).
  • i - Nickname changes.

Available action flags:

  • a - Auth. If used, logged in clients will be exempt from the filter.
  • C - Channel alert. If used, filter matches will be sent to what is set in the SpamFilter {} block channel setting.
  • S - Server (snotice) alert.
  • k - Kill anyone who matches the filter.
  • g - Gline anyone who matches the filter. The length can be given in seconds.
  • z - Zline anyone who matches the filter. The length can be given in seconds. This zlines *@ip, so you do not need the i action flag.
  • s - Shun anyone who matches the filter. The length can be given in seconds.
  • i - Uses the client's IP vice host in a Gline/Shun.
  • b - Block; will prevent the PRIVMSG/NOTICE/TOPIC/AWAY from going through.
  • n - Notify; will notify the person matching the filter, stating they've matched a filter, and deny their message.
  • m - Mark; will mark the client as being a spam source.
  • K - Kick; will kick the user triggering the Spam Filter. The kick reason given will be the reason set in the Spam Filter. This Flag will only work with the N and C watch flags.
  • o - Ops/HalfOps; exempts ops and halfops from any checks which have a channel target.
  • v - Voice; exempts voiced users from any checks which have a channel target.

Notes:

  • Shuns and Glines will be set using *@hostname. If you would them to be set using *@ip use the 'i' action flag.
  • If you do not specify a length, then FILTER_DEFAULT_LENGTH will be used.
  • The 'b' action flag cannot be used with the 'u' watch flag. You will need to use a kill flag to block them.

Features Block

Requirement: SUGGESTED
Old conf format equivalents: F:line

ircd-darenet has a large number of options and features, most of which can be configured using a Features {} block. If linking to DareNET, your Features {} block will be rather bare, since most DareNET-specific settings have been already defined in the source.

Features
{
  "featurename" = "value";
  "featurename2" = "value2";
};

You only need one Features {} block, in which you use "featurename" = "value1";, "featurename2" = "value2";, and so on. Please note all values, whether integers or strings, must be enclosed in double quotes.

See the servers features page for a list of available features.

Example block:

Features
{
  "LOG" = "SYSTEM" "FILE" "ircd.log";
  "LOG" = "SYSTEM" "LEVEL" "CRIT";
  "HUB" = "FALSE";
};