Link block

From UnrealIRCd documentation wiki

If you are linking servers, we recommend that you follow our Tutorial: Linking servers instead. The link block is, however, shown below for reference.

Syntax

link <server-name> {
    /* Below, often you will have both an incoming { } and outgoing { } sub-block.
     * However you may also choose to have only 1 of them if you always link in the same direction.
     */
    incoming {
        mask 1.2.3.*;
    };
    outgoing {
        bind-ip <ip-to-bind-to>; /* optional now */
        hostname irc1.some.net; /* may also be an IP */
        port 6697;
        options { ssl; autoconnect; }; /* optional, but recommended */
        ssl-options { protocols "TLSv1.2"; }; /* optional, only set this if you know what you are doing. */
    };
    password "some-password"; /* either a plaintext password that's the same for both sides or an SSL fingerprint (or certificate) */
    verify-certificate [yes|no]; /* optional, default is 'no' but is less secure */
    hub <hub-mask>; /* optional */
    leaf <leaf-mask>; /* optional */
    leaf-depth <depth>; /* optional */
    class <class-name>;
    ciphers <ssl-ciphers>; /* optional */
    options {
        quarantine; /* is a generic option. optional. */
    };
};

Required items

Note that you need link::incoming and/or link::outgoing. So at least one of them is required.

server-name

The server-name in your link <server-name> { block specifies the name of the server, that is the name you have specified in me::name on the other side of the link.

incoming

incoming::mask

Only servers matching this (IP) mask may use this link block.

outgoing

outgoing::hostname

Hostname of the server to connect to. This could be the same as the server-name, but it may also be an IP or a different DNS name.

outgoing::port

Port of the other server to connect to.

outgoing::options (optional)

The following options are available:

  • insecure: by default UnrealIRCd will attempt to 'upgrade' a connection to use SSL/TLS in order to get encrypted server links. An alternative is to use the ssl option below which will also ensure SSL/TLS. If both of these methods fail then we reject the link. You can use this option, insecure, to still allow linking with non-SSL/TLS servers, but we do not recommend it.
  • ssl: connect to an SSL/TLS-only-port. If you use this, then be sure that the outgoing::port you specify is in fact a SSL-only port. Meaning: the server on the other side of the link must have listen::options::ssl turned on for that port.
  • autoconnect: automatically connect to the server (or try to every XX seconds, anyway)

outgoing::ssl-options (optional)

This is new as of UnrealIRCd 4.0.10. Valid options are all the SSL settings that also exist in set::ssl. For example you can set the permitted SSL protocols and ciphers:

link xyz {
        ...
        outgoing {
                ssl-options {
                        protocols "TLSv1.2";
                        ciphers "AES256";
                };
        };
};

outgoing::bind-ip (optional)

Bind to this IP before connecting to the other server. The IP to bind to must be available on the machine (must not be an IP of another machine).

password

Password or other method to use to verify the authenticity of the link. This must be either: 1) a plaintext password that must be the same on both sides of the link, OR 2) an SSL fingerprint, which is our recommended and safest way to link, see our Tutorial.

verify-certificate

This option is new in UnrealIRCd 4.0.14.

When set to 'yes' this will enable SSL certificate checking to make sure that:

  • The SSL certificate of the server you are linking with is valid and issued by a trusted Certificate Authority (eg: Let's Encrypt or some bought certificate)
  • The name in the link block matches the name(s) in the certificate (eg: if you're linking with irc1.test.net and it presents a certificate for irc2.someotherdomain.org it will fail)

Enable this if you (can) meet these criteria. It will protect you from active traffic interception attacks.
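
An added example, not part of the UnrealIRCd documentation or code: a small Python audit that parses link blocks and reports the weaker choices described above (the insecure option, a password that is not a fingerprint, verify-certificate left at 'no', and an incoming::mask of *). The parser is a simplified stand-in for UnrealIRCd's own configuration parser, the sample configuration is constructed, and treating a 64-hex-digit password as a fingerprint is an assumption.

```python
import re
# Constructed sample, not from the page; the 64-hex password stands in for a fingerprint.
SAMPLE = '''
link hub.example.net {
    incoming { mask *; }; password "hunter2"; class servers; /* plaintext secret */
    outgoing { hostname hub.example.net; port 6667; options { insecure; autoconnect; }; };
};
link leaf.example.net {
    incoming { mask 192.0.2.10; }; verify-certificate yes; class servers;
    outgoing { hostname leaf.example.net; port 6697; options { ssl; autoconnect; }; };
    password "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";
};
'''
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted string, punctuation, bare word

def parse(tokens):
    """Parse tokens into [(words, sub_block or None), ...] up to the closing '}'."""
    items, words = [], []
    while tokens and (tok := tokens.pop(0)) != '}':
        if tok in ('{', ';'):  # '{' opens a sub-block, ';' ends a directive
            sub = parse(tokens) if tok == '{' else None
            if words:
                items.append((words, sub))
            words = []
        else:
            words.append(tok.strip('"'))
    return items

def index(block):
    """Map directive name -> (arguments, sub_block) for one parsed block."""
    return {w[0]: (w[1:], sub) for w, sub in block or []}

def audit(conf_text):
    """Return {server-name: [findings]} for every link block in conf_text."""
    text = re.sub(r'/\*.*?\*/', '', conf_text, flags=re.S)  # only /* */ comments are stripped
    links = [item for item in parse(TOKEN.findall(text)) if item[0][0] == 'link']
    report, none = {}, ([], None)
    for words, block in links:
        link, found = index(block), report.setdefault(' '.join(words[1:]), [])
        if 'insecure' in index(index(link.get('outgoing', none)[1]).get('options', none)[1]):
            found.append('outgoing::options insecure allows a non-SSL/TLS link')
        if link.get('verify-certificate', none)[0] != ['yes']:
            found.append('verify-certificate is not yes')
        password = ''.join(link.get('password', none)[0][:1]).replace(':', '')
        if not re.fullmatch(r'[0-9A-Fa-f]{64}', password):  # assumed fingerprint shape
            found.append('password is not a fingerprint (assumed: 64 hex digits)')
        if '*' in index(link.get('incoming', none)[1]).get('mask', none)[0]:
            found.append('incoming::mask * matches any IP')
    return report
```

Calling audit(SAMPLE) reports four findings for hub.example.net and none for leaf.example.net.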

hub

The value is a mask of what servers this hub may connect (ex: *.my.net).

leaf

The value is a mask of what servers this hub may not connect.

leaf-depth

The value specifies the depth (number of hops) this server may have beneath it. For example, 1 means the server can't have any links under it (a leaf), 2 means it can link servers but those servers can't link anything under them (that is, this hub can only link leaves). A value of 0 means no limit, and is the default.

class

The class this server is put into (see Class block), often a separate server class is used for this.

options

There's only one generic option:

  • quarantine: This link may have no IRC Operators on it. If someone attempts to become OPER on the link they are de-oper'ed. Note that this does not provide true security: a person controlling a server can still modify the source and load any modules they want, thus still 'be able to do anything' if they have bad intentions.

For other link options see the link::outgoing block.

Example

See Tutorial: Linking servers