Tip of the day: Check out Special users on how to give trusted users/bots more rights without making them IRCOp.

Except ban block

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

The except ban block allows you to exempt users from things like GLINEs, blacklists, spamfilter restrictions, etc. This is useful when you want an ISP banned, but still want specific users to be able to connect. IRCOps also often exempt their own IP to make sure they are never accidentally banned.

You can also use the /ELINE command on IRC to add/remove exemptions dynamically (which are stored in a permanent database, tkldb). Just run the ELINE command on IRC to see the syntax.

Syntax

except ban {
	mask ...;
	type { .... }; /* this is optional */
};

mask

The mask specifies the mask to be exempt from banning. It is recommended to use IP addresses in the mask if possible (eg: *@192.168.*) rather than hostnames (eg: *@*.someisp.xx).
In the mask you can use a hostname, or even Extended server bans, but then the except ban { } will be ineffective against exempting from ZLINE and GZLINE for technical reasons (when bans and except ban { } blocks are processed no DNS lookup and no ident lookup has been done yet).

In UnrealIRCd 6.0.4 and later you can use all the functionality of a Mask item here, so you can also exempt based on mask { account XYZ; }, certfp, security-group, etc. See also the examples further down.

type

Valid types are:

Type Meaning
kline Exempt from K-Line (KLINE)
gline Exempt from G-Line (GLINE)
zline Exempt from Z-Line (ZLINE)
gzline Exempt from Global Z-Line (GZLINE)
shun Exempt from Shun (SHUN)
spamfilter Can bypass spamfilters
qline Can bypass banned nick restrictions (QLINE)
blacklist Don't do any blacklist checking
connect-flood Exempt from set::anti-flood::connect-flood and set::max-unknown-connections-per-ip
maxperip Can bypass allow::maxperip restrictions
antirandom Bypass antirandom module
antimixedutf8 Bypass antimixedutf8 module
ban-version Bypass ban version { } blocks
handshake-data-flood Do not place ZLINE when client is flooding before registration phase
all All of the above, except qline

If you do not specify any type, then the exception defaults to: kline + gline + zline + gzline + shun.

A note on maxperip: If you give someone a maxperip exception and you use Services then services may have a session limit too. If you see kills/quits with the reason Session limit exceeded then you know it is not UnrealIRCd doing this but anope or other services. We recommend disabling the os_session module in your services since it is unneeded with UnrealIRCd.

Examples: 6.0.4 or later

The following examples are for UnrealIRCd 6.0.4 or later. If you use an older version skip to 6.0.3 or before.

Exempt by IP

To exempt an IP you should use except ban::mask::ip as it is the safest and fastest method:

// Single IP:
except ban {
	mask { ip 192.168.*; }
}

// Multiple IP's:
except ban {
	mask { ip { 192.168.*; 10.*; 127.*; } }
}

Exempt by security-group

Say, you have created a security group called irccloud with a list of IP's, then you can use:

except ban {
	mask { security-group irccloud; }
        type { blacklist; connect-flood; handshake-data-flood; maxperip; }
}

Exempt by certificate fingerprint

This would allow the user with the certficate fingerprint 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef, to bypass KLINE and GLINE server bans and spamfilter restrictions.

except ban {
	mask { certfp 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef; }
	type {
		kline;
		gline;
		spamfilter;
	}
}

Exempt by services account name

This would allow the user with a services account of ExampleAccount1 and ExampleAccount2 to bypass spamfilter restrictions:

except ban {
	mask { account { ExampleAccount1; ExampleAccount2; } }
	type {
		spamfilter;
	}
}

Examples: 6.0.3 or before

The following examples are for UnrealIRCd 6.0.3 or before. If you use a newer version then skip to 6.0.4 or later.

Exempt by IP

except ban {
	mask *@192.168.*;
	mask *@192.0.2.5;
}

except ban {
	mask { *@192.168.*; *@10.*; *@127.*; }
}

Exempt by certificate fingerprint

This would allow the user with the certficate fingerprint 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef, to bypass KLINE and GLINE server bans and spamfilter restrictions.

except ban {
	mask ~certfp:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef;
	type {
		kline;
		gline;
		spamfilter;
	}
}

Exempt by services account name

This would allow the user with a services account of ExampleAccount to bypass spamfilter restrictions:

except ban {
	mask ~account:ExampleAccount;
	type {
		spamfilter;
	}
}