Tip of the day: You can exempt users dynamically from server bans, spamfilter, maxperip and other restrictions with the ELINE command on IRC.
|
Except ban block
The except ban block allows you to exempt users from things like GLINEs, blacklists, spamfilter restrictions, etc. This is useful when you want an ISP banned, but still want specific users to be able to connect. IRCOps also often exempt their own IP to make sure they are never accidentally banned.
You can also use the /ELINE command on IRC to add/remove exemptions dynamically (which are stored in a permanent database, tkldb). Just run the ELINE command on IRC to see the syntax.
Syntax
except ban {
mask ...;
type { .... }; /* this is optional */
};
mask
The mask specifies the mask to be exempt from banning. It is recommended to use IP addresses in the mask if possible (eg: *@192.168.*) rather than hostnames (eg: *@*.someisp.xx).
In the mask you can use a hostname, or even Extended server bans, but then the except ban { } will be ineffective against exempting from ZLINE and GZLINE for technical reasons (when bans and except ban { } blocks are processed no DNS lookup and no ident lookup has been done yet).
In UnrealIRCd 6.0.4 and later you can use all the functionality of a Mask item here, so you can also exempt based on mask { account XYZ; }, certfp, security-group, etc. See also the examples further down.
type
Valid types are:
| Type | Meaning |
|---|---|
| kline | Exempt from K-Line (KLINE) |
| gline | Exempt from G-Line (GLINE) |
| zline | Exempt from Z-Line (ZLINE) |
| gzline | Exempt from Global Z-Line (GZLINE) |
| shun | Exempt from Shun (SHUN) |
| spamfilter | Can bypass spamfilters |
| qline | Can bypass banned nick restrictions (QLINE) |
| blacklist | Don't do any blacklist checking |
| connect-flood | Exempt from set::anti-flood::connect-flood and set::max-unknown-connections-per-ip |
| maxperip | Can bypass allow::maxperip restrictions |
| antirandom | Bypass antirandom module |
| antimixedutf8 | Bypass antimixedutf8 module |
| ban-version | Bypass ban version { } blocks |
| handshake-data-flood | Do not place ZLINE when client is flooding before registration phase |
| all | All of the above, except qline |
If you do not specify any type, then the exception defaults to: kline + gline + zline + gzline + shun.
A note on maxperip: If you give someone a maxperip exception and you use Services then services may have a session limit too. If you see kills/quits with the reason Session limit exceeded then you know it is not UnrealIRCd doing this but anope or other services. We recommend disabling the os_session module in your services since it is unneeded with UnrealIRCd.
Examples: 6.0.4 or later
The following examples are for UnrealIRCd 6.0.4 or later. If you use an older version skip to 6.0.3 or before.
Exempt by IP
To exempt an IP you should use except ban::mask::ip as it is the safest and fastest method:
// Single IP:
except ban {
mask { ip 192.168.*; }
}
// Multiple IP's:
except ban {
mask { ip { 192.168.*; 10.*; 127.*; } }
}
Exempt by security-group
Say, you have created a security group called irccloud with a list of IP's, then you can use:
except ban {
mask { security-group irccloud; }
type { blacklist; connect-flood; handshake-data-flood; maxperip; }
}
Exempt by certificate fingerprint
This would allow the user with the certficate fingerprint 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef,
to bypass KLINE and GLINE server bans and spamfilter restrictions.
except ban {
mask { certfp 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef; }
type {
kline;
gline;
spamfilter;
}
}
Exempt by services account name
This would allow the user with a services account of ExampleAccount1 and ExampleAccount2 to bypass spamfilter restrictions:
except ban {
mask { account { ExampleAccount1; ExampleAccount2; } }
type {
spamfilter;
}
}
Examples: 6.0.3 or before
The following examples are for UnrealIRCd 6.0.3 or before. If you use a newer version then skip to 6.0.4 or later.
Exempt by IP
except ban {
mask *@192.168.*;
mask *@192.0.2.5;
}
except ban {
mask { *@192.168.*; *@10.*; *@127.*; }
}
Exempt by certificate fingerprint
This would allow the user with the certficate fingerprint 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef,
to bypass KLINE and GLINE server bans and spamfilter restrictions.
except ban {
mask ~certfp:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef;
type {
kline;
gline;
spamfilter;
}
}
Exempt by services account name
This would allow the user with a services account of ExampleAccount to bypass spamfilter restrictions:
except ban {
mask ~account:ExampleAccount;
type {
spamfilter;
}
}