Allow block

Allow blocks specify who may connect to this server. You can have multiple allow blocks.

Syntax
allow { /* NOTE THAT YOU MUST SPECIFY EITHER 'ip' OR 'hostname', BUT NOT BOTH */ ip ; hostname ;

/* Other mandatory options: */ class ; maxperip ;

/* All the rest is optional: */ password  { ; }; /* OPTIONAL */ ipv6-clone-mask ; /* OPTIONAL */ redirect-server ; /* OPTIONAL */ redirect-port ; /* OPTIONAL */ options { ;           ;            ...        }; };

Do you have multiple allow blocks? Then note that they will be read upside down, so you need specific host/ip allow blocks AFTER your general *@* allow blocks.

ip & hostname
You need to specify either ip or hostname which will be matched against the IP or hostname (DNS) of the user who is connecting. For example ip *; will match everyone and hostname *.uk; will match only people with a host ending in ".uk".

IMPORTANT : If you simply want to match any user, then use ip *;. You should not use hostname *; as this will match only users with a hostname, and not everyone may have a hostname (unresolvable IP).

class
Specifies the class name that connections using this allow block will be placed into.

maxperip
With maxperip you specify how many connections may come from each IP. For example maxperip 4; means that only 4 clients may connect per-IP to this server.

password
If you set a password then everyone who connects to your server will need to use this password to connect (the ones matching allow::ip / allow::hostname anyway). This can be used if you have some sort of private server.

ipv6-clone-mask
This option controls clone detection and is basically IPv6's variant of maxperip. If you don't have IPv6 enabled then this option has no effect. If two clients connect from different IPv6 addresses but only the last few bits are different, there is almost a guarantee that both clients are really one person. This option only affects the enforcement of allow::maxperip. For example, if you set this option to 128, then each IPv6 address will be considered unique. Because of current IP allocation policies, it is recommended that your most general allow block use a value of 64. Since 64 is already the default in set::default-ipv6-clone-mask you probably don't need to change this.

redirect-server & redirect-port
When the class is full (class::maxclients) we will redirect new users to this server. This requires support from the IRC client side, popular clients like mIRC support this.

redirect-server specifies the server name and redirect-port the port (6667 by default).

options
This gives you flexibility in allow block matching. Valid options are:
 * useip: always display IP instead of hostname
 * noident: don't use ident but use username specified by client
 * ssl / require-ssl: only match if this client is connected via SSL
 * sasl / require-sasl: only match if this client is connected via SSL
 * nopasscont: continue matching if no password was given, this so you can put clients in special classes if they supply a password.

Example 1: generic block and specific block
allow { ip *; class clients; maxperip 3; };

allow { ip *@1.2.3.*; class clients; password "f00Ness"; maxperip 25; };

Example 2: only allow users with SASL
This example will show how to only allow users in who passed SASL authentication.

NOTE: This requires UnrealIRCd 4.0.18 or newer allow { ip *; class clients; maxperip 3; options { require-sasl; }; };