Allow block

From UnrealIRCd documentation wiki

Allow blocks specify who may connect to this server. You can have multiple allow blocks.

Syntax

allow {
        /* NOTE THAT YOU MUST SPECIFY EITHER 'ip' OR 'hostname', BUT NOT BOTH */
        ip <user@ip-connection-mask>;
        hostname <user@host-connection-mask>;

        /* Other mandatory options: */
        class <connection-class>;
        maxperip <max-connections-per-ip>;

        /* All the rest is optional: */
        password <connection-password> { <auth-type>; }; /* OPTIONAL */
        ipv6-clone-mask <number-of-bits>; /* OPTIONAL */
        redirect-server <server-to-forward-to>; /* OPTIONAL */
        redirect-port <port-to-forward-to>; /* OPTIONAL */
        options {
            <option>;
            <option>;
            ...
        };
};

Do you have multiple allow blocks? Then note that they are read bottom to top (the last allow block in the configuration is tried first), so your specific host/ip allow blocks must come AFTER your general *@* allow blocks.

If a client does not match any allow block then the client is rejected with the message from set::reject-message.

required items

ip & hostname

You need to specify either ip or hostname, which will be matched against the IP or the hostname (DNS) of the user who is connecting. For example, ip *; will match everyone, and hostname *.uk; will match only people with a host ending in ".uk".

IMPORTANT: If you simply want to match any user, then use ip *;. You should not use hostname *; as this will match only users with a hostname, and not everyone may have a hostname (unresolvable IP).

class

Specifies the class name that connections using this allow block will be placed into.

maxperip

With maxperip you specify how many connections may come from each IP. For example maxperip 4; means that only 4 clients may connect per-IP to this server.

optional items

password

The server password or another authentication method that the user authenticates with.

In UnrealIRCd 5 we have two behaviors for password control:

optional password to get extra rights

The default behavior in 5.x is to continue matching next allow block if the password is incorrect:

allow { ip *@*; class clients; maxperip 2; }
allow { ip *@*; password "iwantmore"; class clients; maxperip 10; }

If a user connects with the password iwantmore then they will get a maxperip of 10. If the user does not connect with that password (either wrong or no password) then the user will get a maxperip of 2.

mandatory password

On the other hand, you may want to use passwords to keep other users out. In this case you need to use allow::options::reject-on-auth-failure as described below:

allow { ip *@*; class clients; maxperip 2; }
allow { ip *@*.nl; password "tehdutch"; class clients; maxperip 2; options { reject-on-auth-failure; } }

In this case anyone with a hostname matching *.nl must provide the password tehdutch. If they don't, they are denied access and cannot connect to the server.

NOTE: This option is only available in UnrealIRCd 5.0.8 and later.

ipv6-clone-mask

This option controls clone detection and is basically the IPv6 variant of maxperip. If you don't have IPv6 enabled then this option has no effect. If two clients connect from different IPv6 addresses that differ only in the last few bits, it is almost certain that both clients are really one person. This option only affects the enforcement of allow::maxperip: the first <number-of-bits> bits of the address are used to decide whether two addresses count as the same IP. For example, if you set this option to 128, then each IPv6 address will be considered unique. Because of current IP allocation policies, it is recommended that your most general allow block use a value of 64. Since 64 is already the default in set::default-ipv6-clone-mask you probably don't need to change this.
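As an added illustration (not UnrealIRCd's own code), the following models how ipv6-clone-mask groups connections for maxperip: an IPv6 address is truncated to the first N bits, so every address in one /64 counts as the same IP, while IPv4 is always counted per address. The sample connection list is constructed.

```python
import ipaddress

# Added model of ipv6-clone-mask (not UnrealIRCd's own implementation):
# IPv6 addresses are counted under their first <v6_bits> bits, so with the
# default of 64 a whole /64 counts as one IP for allow::maxperip.

def clone_key(ip: str, v6_bits: int = 64) -> str:
    """Return the key under which this address is counted for maxperip."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:                 # IPv4: every address is unique
        return str(addr)
    # strict=False clears the host bits, giving e.g. 2001:db8:1:2::/64
    return str(ipaddress.ip_network(f"{addr}/{v6_bits}", strict=False))

def maxperip_allows(existing_ips, new_ip, maxperip, v6_bits=64) -> bool:
    """True if one more connection from new_ip stays within maxperip."""
    key = clone_key(new_ip, v6_bits)
    same = sum(1 for ip in existing_ips if clone_key(ip, v6_bits) == key)
    return same + 1 <= maxperip

# Constructed sample: two addresses from one /64 plus one IPv4 client.
CONNECTED = ["2001:db8:1:2::10", "2001:db8:1:2::11", "198.51.100.7"]
```

With the default mask of 64 a third client from 2001:db8:1:2::/64 is refused under maxperip 2; with a mask of 128 it is accepted because each address is unique.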

redirect-server & redirect-port

When the class is full (class::maxclients), new users are redirected to this server. This requires support on the IRC client side: popular clients such as mIRC support it, but the feature is broken for SSL/TLS connections, so it is of little use in the modern world.

redirect-server specifies the server name and redirect-port the port (6667 by default).

options

One option gives you additional flexibility for matching:

  • ssl: Only match if this client is connected via SSL.

Meaning, if this doesn't match, UnrealIRCd jumps to the next allow block.

There are also two other options that don't have anything to do with matching but will affect the user/host:

  • useip: Always display IP instead of hostname.
  • noident: Don't do an ident lookup; use the username specified by the client instead.

And, finally, there's one special option that is rarely used:

  • reject-on-auth-failure: Reject the user if the password is not provided or does not match. See also #password above for a longer explanation.
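The matching rules described on this page (blocks tried bottom to top, a wrong password falling through to the next block unless reject-on-auth-failure is set, the ssl option, and hostname blocks never matching a client without a resolved host) can be modelled in a few lines. This is an added example, not UnrealIRCd's own code; the configuration list at the end is constructed and combines the two password examples from above.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

# Model (added here, not UnrealIRCd's own code) of how allow blocks are tried:
# the last block in the config is tested first, a password mismatch normally
# falls through to the next block, and reject-on-auth-failure stops that.
@dataclass
class Allow:
    mask: str                    # value of the ip or hostname item
    use_ip: bool                 # True for 'ip', False for 'hostname'
    class_name: str
    maxperip: int
    password: Optional[str] = None
    options: set = field(default_factory=set)

def mask_matches(mask: str, userhost: str) -> bool:
    # A mask without '@' constrains only the host part, like 'ip *;'.
    if "@" not in mask:
        mask = "*@" + mask
    return fnmatch.fnmatchcase(userhost, mask)

def select_allow(blocks, user, ip, host=None, password=None, tls=False):
    """Return (block, reason); block is None when the client is rejected."""
    for blk in reversed(blocks):                  # bottom-to-top order
        if "ssl" in blk.options and not tls:
            continue
        if blk.use_ip:
            target = f"{user}@{ip}"
        elif host is None:                        # unresolvable IP: no hostname
            continue
        else:
            target = f"{user}@{host}"
        if not mask_matches(blk.mask, target):
            continue
        if blk.password is not None and password != blk.password:
            if "reject-on-auth-failure" in blk.options:
                return None, "rejected: password required"
            continue                              # 5.x default: try next block
        return blk, "ok"
    return None, "rejected: no allow block matched"

# Constructed config combining the two password examples from this page.
CONFIG = [
    Allow("*@*", True, "clients", 2),
    Allow("*@*", True, "clients", 10, password="iwantmore"),
    Allow("*@*.nl", False, "clients", 2, password="tehdutch",
          options={"reject-on-auth-failure"}),
]
```

Because the *.nl block is last, it is tested first: a *.nl client sending "iwantmore" is rejected outright rather than falling through to the maxperip 10 block, which is exactly the ordering caveat from the top of the page.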

Example

Example 1: generic block and specific block

allow {
	ip *;
	class clients;
	maxperip 3;
};

allow {
	ip 1.2.3.*;
	class clients;
	maxperip 25;
};