/[svn]/ircd-hybrid/trunk/doc/reference.conf
ViewVC logotype

Contents of /ircd-hybrid/trunk/doc/reference.conf

Parent Directory Parent Directory | Revision Log Revision Log


Revision 7198 - (show annotations)
Sat Jan 30 20:20:25 2016 UTC (6 years, 3 months ago) by michael
File size: 39967 byte(s)
- Update reference.conf

1 /*
2 * This is an example configuration file for ircd-hybrid
3 *
4 * Copyright (c) 2000-2016 ircd-hybrid development team
5 *
6 * $Id$
7 */
8
9 /*
10 * ########################################################################
11 * IMPORTANT NOTE:
12 *
13 * auth {} blocks MUST be specified in order of precedence. The first one
14 * that matches a user will be used. So place spoofs first, then specials,
15 * then general access.
16 * ########################################################################
17 *
18 * Shell style (#), C++ style (//) and C style comments are supported.
19 *
20 * Files may be included by either:
21 * .include "filename"
22 * .include <filename>
23 *
24 * Times/durations are written as:
25 * 12 hours 30 minutes 1 second
26 *
27 * Valid units of time:
28 * year, month, week, day, hour, minute, second
29 *
30 * Valid units of size:
31 * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
32 *
33 * Sizes and times may be singular or plural.
34 */
35
36
37 /*
38 * serverinfo {}: contains information about the server
39 */
40 serverinfo {
41 /*
42 * name: the name of this server. This cannot be changed at runtime.
43 */
44 name = "server.example.net";
45
46 /*
47 * sid: a server's unique ID. This is three characters long and must
48 * be in the form [0-9][A-Z0-9][A-Z0-9]. The first character must be
49 * a digit, followed by 2 alpha-numerical letters.
50 *
51 * NOTE: The letters must be capitalized. This cannot be changed at runtime.
52 *
53 * A sid is automatically generated at runtime, if you want to configure
54 * a specific sid, uncomment the following line.
55 */
56 # sid = "0HY";
57
58 /*
59 * description: the description of the server.
60 */
61 description = "ircd-hybrid test server";
62
63 /*
64 * network_name, network_desc: the name and description of the network this
65 * server is on. Shown in the 005 reply and used with serverhiding.
66 */
67 network_name = "MyNet";
68 network_desc = "This is My Network";
69
70 /*
71 * hub: allow this server to act as a hub and have multiple servers
72 * connected to it.
73 */
74 hub = no;
75
76 /*
77 * vhost: the IP address to bind to when we connect outward to IPv4 servers.
78 * This should be an IPv4 address, or "*" for INADDR_ANY.
79 */
80 # vhost = "192.0.2.1";
81
82 /*
83 * vhost6: the IP address to bind to when we connect outward to IPv6 servers.
84 * This should be an IPv6 address, or "*" for in6addr_any.
85 */
86 # vhost6 = "2001:DB8::1";
87
88 /*
89 * default_max_clients: the default maximum number of clients allowed
90 * to connect. This can be changed from within IRC via /QUOTE SET MAX.
91 */
92 default_max_clients = 512;
93
94 /*
95 * max_nick_length: only applies to local clients. Must be in the
96 * range of 9 to 30. Default is 9 if nothing else is specified.
97 */
98 max_nick_length = 9;
99
100 /*
101 * max_topic_length: only applies to topics set by local clients.
102 * Must be in the range of 80 to 300. Default is 80 if nothing
103 * else is specified.
104 */
105 max_topic_length = 160;
106
107 /*
108 * rsa_private_key_file: the path to the file containing the
109 * RSA key. RSA keys with less than 2048 bits are no longer
110 * supported.
111 *
112 * Example commands to store a 2048 bit RSA key in rsa.key:
113 *
114 * OpenSSL/LibreSSL:
115 * openssl genrsa -out rsa.key 2048
116 *
117 * GnuTLS:
118 * certtool --generate-privkey --sec-param=medium --outfile rsa.key
119 *
120 * Once the RSA key is generated, it is highly recommended to lock down
121 * its file permissions:
122 *
123 * chown <ircd-user>.<ircd.group> rsa.key
124 * chmod 0600 rsa.key
125 */
126 # rsa_private_key_file = "etc/rsa.key";
127
128 /*
129 * ssl_certificate_file: the path to the file containing our
130 * SSL certificate for encrypted client connection.
131 *
132 * This assumes your private RSA key is stored in rsa.key. You
133 * MUST have an RSA key in order to generate the certificate.
134 *
135 * Example command:
136 *
137 * OpenSSL/LibreSSL:
138 * openssl req -new -days 365 -x509 -key rsa.key -out cert.pem
139 *
140 * GnuTLS:
141 * certtool --generate-self-signed --load-privkey rsa.key --outfile cert.pem
142 */
143 # ssl_certificate_file = "etc/cert.pem";
144
145 /*
146 * ssl_dh_param_file: path to the PEM encoded Diffie-Hellman
147 * parameter file. DH parameters are required when using
148 * ciphers with EDH (ephemeral Diffie-Hellman) key exchange.
149 *
150 * A DH parameter file can be created by running:
151 *
152 * OpenSSL/LibreSSL:
153 * openssl dhparam -out dhparam.pem 2048
154 *
155 * GnuTLS:
156 * certtool --generate-dh-params --sec-param=medium --outfile dhparam.pem
157 */
158 # ssl_dh_param_file = "etc/dhparam.pem";
159
160 /*
161 * ssl_dh_elliptic_curve: defines the curve to use for the
162 * Elliptic Curve Diffie-Hellman (ECDH) algorithm.
163 * Default is ANSI X9.62 prime256v1/secp256r1 if nothing else is specified.
164 *
165 * A list of supported curves by OpenSSL can be obtained by running:
166 *
167 * openssl ecparam -list_curves
168 *
169 * This directive currently doesn't do anything with GnuTLS support.
170 */
171 # ssl_dh_elliptic_curve = "secp521r1";
172
173 /*
174 * ssl_cipher_list: list of ciphers to support on _this_ server.
175 * Can be used to enforce specific ciphers for incoming SSL/TLS
176 * connections. If a client (which also includes incoming server
177 * connections) is not capable of using any of the ciphers listed
178 * here, the connection will simply be rejected.
179 *
180 * A list of supported ciphers can be obtained by running:
181 *
182 * OpenSSL/LibreSSL:
183 * openssl ciphers -tls1 -v
184 *
185 * GnuTLS:
186 * gnutls-cli --list
187 *
188 * Multiple ciphers are separated by colons. The order of preference is
189 * from left to right.
190 */
191 # ssl_cipher_list = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:AES256-SHA";
192
193 /*
194 * ssl_message_digest_algorithm: defines what cryptographic hash function
195 * to use for generating fingerprint hashes of X.509 certificates.
196 * Default is SHA-256 if nothing else is specified.
197 *
198 * A list of supported message digest algorithms can be obtained by running:
199 *
200 * OpenSSL/LibreSSL:
201 * openssl list-message-digest-algorithms
202 *
203 * GnuTLS:
204 * gnutls-cli --list
205 */
206 # ssl_message_digest_algorithm = "sha256";
207 };
208
209 /*
210 * admin {}: contains administrative information about the server
211 */
212 admin {
213 name = "Smurf target";
214 description = "Main Server Administrator";
215 email = "<admin@server.example.net>";
216 };
217
218 /*
219 * class {}: contains information about classes for users
220 */
221 class {
222 /* name: the name of the class. */
223 name = "users";
224
225 /*
226 * ping_time: how often a client must reply to a PING from the
227 * server before they are dropped.
228 */
229 ping_time = 90 seconds;
230
231 /*
232 * number_per_ip: how many local users are allowed to connect
233 * from a single IP address (optional)
234 */
235 number_per_ip = 2;
236
237 /*
238 * max_local: how many local users are allowed to connect
239 * from a single ident@host (optional)
240 */
241 max_local = 2;
242
243 /*
244 * max_global: network-wide limit of users per ident@host (optional)
245 */
246 max_global = 10;
247
248 /*
249 * max_number: the maximum number of users allowed in this class (optional)
250 */
251 max_number = 100;
252
253 /*
254 * The following lines are optional and allow you to define
255 * how many users can connect from one /NN subnet.
256 */
257 cidr_bitlen_ipv4 = 24;
258 cidr_bitlen_ipv6 = 120;
259 number_per_cidr = 16;
260
261 /*
262 * sendq: the amount of data allowed in a client's send queue before
263 * they are dropped.
264 */
265 sendq = 100 kbytes;
266
267 /*
268 * recvq: the amount of data allowed in a client's receive queue before
269 * they are dropped for flooding. Defaults to 2560 if the chosen value
270 * isn't within the range of 512 to 8000.
271 */
272 recvq = 2560 bytes;
273 };
274
275 class {
276 name = "opers";
277 ping_time = 90 seconds;
278 number_per_ip = 10;
279 max_number = 100;
280 sendq = 100 kbytes;
281
282 /*
283 * max_channels: maximum number of channels users in this class can join.
284 */
285 max_channels = 60;
286
287 /*
288 * min_idle: minimum idle time that is shown in WHOIS.
289 */
290 min_idle = 3 hours;
291
292 /*
293 * max_idle: maximum idle time that is shown in WHOIS.
294 */
295 max_idle = 8 hours;
296
297 /*
298 * flags:
299 *
300 * random_idle - a fake idle time is set randomly between
301 * min_idle and max_idle
302 * hide_idle_from_opers - the fake idle time will also be shown to operators
303 */
304 flags = random_idle, hide_idle_from_opers;
305 };
306
307 class {
308 name = "server";
309 ping_time = 90 seconds;
310
311 /*
312 * connectfreq: only used in server classes. Specifies the delay
313 * between autoconnecting to servers.
314 */
315 connectfreq = 5 minutes;
316
317 /* max number: the number of servers to autoconnect to. */
318 max_number = 1;
319
320 /* sendq: servers need a higher sendq as they send more data. */
321 sendq = 2 megabytes;
322 };
323
324 /*
325 * motd {}: Allows the display of a different MOTD to a client
326 * depending on its origin. Applies to local users only.
327 */
328 motd {
329 /*
330 * mask: multiple mask entries are permitted. Mask can either be
331 * a class name or a hostname. CIDR is supported.
332 */
333 mask = "*.at";
334 mask = "*.de";
335 mask = "*.ch";
336
337 /*
338 * file: path to the actual motd file.
339 */
340 file = "etc/german.motd";
341 };
342
343 /*
344 * listen {}: contains information about the ports ircd listens on
345 */
346 listen {
347 /*
348 * port: the port to listen on. If no host is specified earlier in the
349 * listen {} block, it will listen on all available IP addresses.
350 *
351 * Ports are separated by commas; a range may be specified using ".."
352 */
353
354 /* port: listen on all available IP addresses, ports 6665 to 6669. */
355 port = 6665 .. 6669;
356
357 /*
358 * Listen on 192.0.2.2/6697 with SSL enabled and hidden from STATS P
359 * unless you are an administrator.
360 *
361 * NOTE: The "flags" directive always has to come before "port".
362 *
363 * Currently available flags are:
364 *
365 * ssl - Port may only accept TLS/SSL connections
366 * server - Only server connections are permitted
367 * hidden - Port is hidden from /stats P, unless you're an admin
368 */
369 flags = hidden, ssl;
370 host = "192.0.2.2";
371 port = 6697;
372
373 /*
374 * host: set a specific IP address to listen on using the
375 * subsequent port definitions. This may be IPv4 or IPv6.
376 */
377 host = "192.0.2.3";
378 port = 7000, 7001;
379
380 host = "2001:DB8::2";
381 port = 7002;
382 };
383
384 /*
385 * auth {}: allow users to connect to the ircd
386 */
387 auth {
388 /*
389 * user: the user@host allowed to connect. Multiple user
390 * lines are permitted within each auth {} block.
391 */
392 user = "*@192.0.2.0/24";
393 user = "*test@2001:DB8:*";
394
395 /* password: an optional password that is required to use this block. */
396 password = "letmein";
397
398 /*
399 * encrypted: controls whether the auth password above has been
400 * encrypted. Default is 'no' if nothing else is specified.
401 */
402 encrypted = yes;
403
404 /*
405 * spoof: fake the user's host to this. This is free-form, just do
406 * everyone a favor and don't abuse it. ('=' prefix on /stats I)
407 */
408 spoof = "I.still.hate.packets";
409
410 /* class: the class the user is placed in. */
411 class = "opers";
412
413 /*
414 * need_password - don't allow users who haven't supplied the correct | ('&' prefix on /stats I if disabled)
415 * password to connect using another auth {} block
416 * need_ident - require the user to have identd to connect | ('+' prefix on /stats I)
417 * spoof_notice - enable spoofing notification to admins
418 * exceed_limit - allow a user to exceed class limits | ('>' prefix on /stats I)
419 * kline_exempt - exempt this user from k-lines | ('^' prefix on /stats I)
420 * xline_exempt - exempt this user from x-lines | ('!' prefix on /stats I)
421 * resv_exempt - exempt this user from resvs | ('$' prefix on /stats I)
422 * no_tilde - remove ~ from a user with no ident | ('-' prefix on /stats I)
423 * can_flood - allow this user to exceed flood limits | ('|' prefix on /stats I)
424 * webirc - enables WEBIRC authentication for web-based | ('<' prefix on /stats I)
425 * clients such as Mibbit
426 */
427 flags = need_password, spoof_notice, exceed_limit, kline_exempt,
428 xline_exempt, resv_exempt, no_tilde, can_flood;
429 };
430
431 auth {
432 /*
433 * redirserv, redirport: the server and port to redirect a user to.
434 * A user does not have to obey the redirection; the ircd just
435 * suggests an alternative server for them.
436 */
437 redirserv = "server2.example.net";
438 redirport = 6667;
439
440 user = "*@*.ch";
441
442 /* class: a class is required even though it is not used. */
443 class = "users";
444 };
445
446 auth {
447 user = "*@*";
448 class = "users";
449 flags = need_ident;
450 };
451
452 /*
453 * operator {}: defines ircd operators
454 */
455 operator {
456 /* name: the name of the operator */
457 name = "sheep";
458
459 /*
460 * user: the user@host required for this operator. Multiple user
461 * lines are permitted within each operator {} block.
462 */
463 user = "*sheep@192.0.2.0/26";
464 user = "*@192.0.2.240/28";
465
466 /*
467 * password: the password required to oper. By default this will need
468 * to be encrypted by using the provided mkpasswd tool.
469 * The availability of various password hashing algorithms may vary
470 * depending on the system's crypt(3) implementation.
471 */
472 password = "$5$x5zof8qe.Yc7/bPp$5zIg1Le2Lsgd4CvOjaD20pr5PmcfD7ha/9b2.TaUyG4";
473
474 /*
475 * encrypted: controls whether the oper password above has been
476 * encrypted. Default is 'yes' if nothing else is specified.
477 */
478 encrypted = yes;
479
480 /*
481 * ssl_certificate_fingerprint: enhances security by additionally checking
482 * the oper's client certificate fingerprint against the specified
483 * fingerprint below.
484 *
485 * Hint: your users can use the following commands to obtain a SHA-256 hash
486 * of their ssl certificate:
487 *
488 * OpenSSL/LibreSSL:
489 * openssl x509 -sha256 -noout -fingerprint -in cert.pem | sed -e 's/^.*=//;s/://g'
490 *
491 * GnuTLS:
492 * certtool -i < cert.pem | egrep -A 1 'SHA256 fingerprint'
493 */
494 # ssl_certificate_fingerprint = "4C62287BA6776A89CD4F8FF10A62FFB35E79319F51AF6C62C674984974FCCB1D";
495
496 /*
497 * ssl_connection_required: client must be connected over SSL/TLS
498 * in order to be able to use this operator {} block.
499 * Default is 'no' if nothing else is specified.
500 */
501 ssl_connection_required = no;
502
503 /* class: the class the oper joins when they successfully OPER. */
504 class = "opers";
505
506 /*
507 * whois: allows to override the default RPL_WHOISOPERATOR numeric
508 * string shown in /whois.
509 * This string is propagated to all servers on the network.
510 */
511 # whois = "is a Smurf Target (IRC Operator)";
512
513 /*
514 * umodes: the default user modes opers get when they successfully OPER.
515 * If defined, it will override oper_umodes settings in general {}.
516 * Available user modes:
517 *
518 * +b - bots - See bot and drone flooding notices
519 * +c - cconn - Client connection/quit notices
520 * +D - deaf - Don't receive channel messages
521 * +d - debug - See debugging notices
522 * +e - external - See remote server connection and split notices
523 * +F - farconnect - Remote client connection/quit notices
524 * +f - full - See auth {} block full notices
525 * +G - softcallerid - Server Side Ignore for users not on your channels
526 * +g - callerid - Server Side Ignore (for privmsgs etc)
527 * +H - hidden - Hides IRC operator status to other users
528 * +i - invisible - Not shown in NAMES or WHO unless you share a channel
529 * +j - rej - See rejected client notices
530 * +k - skill - See server generated KILL messages
531 * +l - locops - See LOCOPS messages
532 * +n - nchange - See client nick changes
533 * +p - hidechans - Hides channel list in WHOIS
534 * +q - hideidle - Hides idle and signon time in WHOIS
535 * +R - nononreg - Only receive private messages from registered clients
536 * +s - servnotice - See general server notices
537 * +u - unauth - See unauthorized client notices
538 * +w - wallop - See server generated WALLOPS
539 * +y - spy - See LINKS, STATS, TRACE notices etc.
540 */
541 umodes = locops, servnotice, wallop;
542
543 /*
544 * flags: controls the activities and commands an oper is
545 * allowed to do on the server. All flags default to 'no'.
546 * Available flags:
547 *
548 * admin - gives administrator privileges | ('A' flag)
549 * close - allows CLOSE | ('B' flag)
550 * connect - allows local CONNECT | ('C' flag)
551 * connect:remote - allows remote CONNECT | ('D' flag)
552 * die - allows DIE | ('E' flag)
553 * dline - allows DLINE | ('F' flag)
554 * globops - allows GLOBOPS | ('G' flag)
555 * join:resv - allows to JOIN resv {} channels | ('H' flag)
556 * kill - allows to KILL local clients | ('I' flag)
557 * kill:remote - allows remote users to be /KILL'd | ('J' flag)
558 * kline - allows KLINE | ('K' flag)
559 * locops - allows LOCOPS | ('L' flag)
560 * module - allows MODULE | ('M' flag)
561 * nick:resv - allows to use NICK on resv {} nicks | ('N' flag)
562 * opme - allows OPME | ('O' flag)
563 * rehash - allows oper to REHASH config | ('P' flag)
564 * rehash:remote - allows oper to remotely REHASH config | ('Q' flag)
565 * remoteban - allows remote KLINE/UNKLINE | ('R' flag)
566 * restart - allows RESTART | ('S' flag)
567 * resv - allows RESV | ('T' flag)
568 * set - allows SET | ('U' flag)
569 * squit - allows local SQUIT | ('V' flag)
570 * squit:remote - allows remote SQUIT | ('W' flag)
571 * undline - allows UNDLINE | ('X' flag)
572 * unkline - allows UNKLINE | ('Y' flag)
573 * unresv - allows UNRESV | ('Z' flag)
574 * unxline - allows UNXLINE | ('a' flag)
575 * wallops - allows WALLOPS | ('b' flag)
576 * xline - allows XLINE | ('c' flag)
577 */
578 flags = admin, connect, connect:remote, die, globops, kill, kill:remote,
579 kline, module, rehash, restart, set, unkline, unxline, xline;
580 };
581
582 /*
583 * connect {}: define a server to connect to
584 */
585 connect {
586 /* name: the name of the server. */
587 name = "uplink.example.net";
588
589 /*
590 * host: the host or IP address to connect to. If a hostname is used it
591 * must match the reverse DNS of the server.
592 */
593 host = "192.0.2.4";
594
595 /*
596 * vhost: the IP address to bind to when making outgoing connections to
597 * servers.
598 * serverinfo::vhost and serverinfo::vhost6 will be overridden
599 * by this directive.
600 */
601 vhost = "192.0.2.5";
602
603 /*
604 * send_password, accept_password: the passwords to send and accept.
605 * The remote server will have these passwords swapped.
606 */
607 send_password = "password";
608 accept_password = "anotherpassword";
609
610 /*
611 * encrypted: controls whether the accept_password above has been
612 * encrypted.
613 */
614 encrypted = no;
615
616 /* port: the port to connect to this server on. */
617 port = 6666;
618
619 /*
620 * hub_mask: the mask of servers that this server may hub. Multiple
621 * entries are permitted.
622 */
623 hub_mask = "*";
624
625 /*
626 * leaf_mask: the mask of servers this server may not hub. Multiple
627 * entries are permitted. Useful for forbidding EU -> US -> EU routes.
628 */
629 # leaf_mask = "*.uk";
630
631 /* class: the class this server is in. */
632 class = "server";
633
634 /*
635 * ssl_cipher_list: list of ciphers that the server we are connecting to
636 * must support. If the server is not capable of using any of the ciphers
637 * listed below, the connection will simply be rejected.
638 * Can be used to enforce stronger ciphers, even though this option
639 * is not necessarily required to establish a SSL/TLS connection.
640 *
641 * Multiple ciphers are separated by colons. The order of preference
642 * is from left to right.
643 */
644 # ssl_cipher_list = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:AES256-SHA";
645
646 /*
647 * ssl_certificate_fingerprint: enhances security by additionally checking
648 * the server's client certificate fingerprint against the specified
649 * fingerprint below.
650 */
651 # ssl_certificate_fingerprint = "4C62287BA6776A89CD4F8FF10A62FFB35E79319F51AF6C62C674984974FCCB1D";
652
653 /*
654 * autoconn - controls whether we autoconnect to this server or not,
655 * dependent on class limits. By default, this is disabled.
656 * ssl - Initiates a TLS/SSL connection.
657 */
658 # flags = autoconn, ssl;
659 };
660
661 connect {
662 name = "ipv6.example.net";
663 host = "2001:DB8::3";
664 send_password = "password";
665 accept_password = "password";
666 port = 6666;
667
668 /*
669 * aftype: controls whether the connection uses "ipv4" or "ipv6".
670 * Default is ipv4.
671 */
672 aftype = ipv6;
673 class = "server";
674 };
675
676 /*
677 * cluster {}: servers that share klines/unkline/xline/unxline/resv/unresv/locops
678 * automatically
679 */
680 cluster {
681 /*
682 * name: the server to share with; this can take wildcards
683 *
684 * NOTE: only local actions will be clustered, meaning that if
685 * the server receives a shared kline/unkline/etc, it
686 * will not be propagated to clustered servers.
687 *
688 * Remote servers are not necessarily required to accept
689 * clustered lines, they need a shared {} block for *THIS*
690 * server in order to accept them.
691 */
692 name = "*.example.net";
693
694 /*
695 * type: list of what to share; options are as follows:
696 * dline - share dlines
697 * undline - share undlines
698 * kline - share klines
699 * unkline - share unklines
700 * xline - share xlines
701 * unxline - share unxlines
702 * resv - share resvs
703 * unresv - share unresvs
704 * locops - share locops
705 * all - share all of the above (default)
706 */
707 type = kline, unkline, locops, xline, resv;
708 };
709
710 /*
711 * shared {}: users that are allowed to remote kline
712 *
713 * NOTE: This can effectively be used for remote klines.
714 * Please note that there is no password authentication
715 * for users setting remote klines. You must also be
716 * /oper'd in order to issue a remote kline.
717 */
718 shared {
719 /*
720 * name: the server the user must be connected to in order to set klines.
721 * If this is not specified, the user will be allowed to kline from all
722 * servers.
723 */
724 name = "irc2.example.net";
725
726 /*
727 * user: the user@host mask that is allowed to set klines. If this is
728 * not specified, all users on the server above will be allowed to set
729 * a remote kline.
730 */
731 user = "oper@my.host.is.spoofed";
732
733 /*
734 * type: list of what to share, options are as follows:
735 * dline - allow oper/server to dline
736 * undline - allow oper/server to undline
737 * kline - allow oper/server to kline
738 * unkline - allow oper/server to unkline
739 * xline - allow oper/server to xline
740 * unxline - allow oper/server to unxline
741 * rehash - allow oper/server to rehash
742 * resv - allow oper/server to resv
743 * unresv - allow oper/server to unresv
744 * locops - allow oper/server to locops - only used for servers that cluster
745 * all - allow oper/server to do all of the above (default)
746 */
747 type = kline, unkline, resv;
748 };
749
750 /*
751 * kill {}: users that are not allowed to connect
752 * Oper issued klines will be added to the specified kline database
753 */
754 kill {
755 user = "bad@*.example.net";
756 reason = "Obviously hacked account";
757 };
758
759 /*
760 * deny {}: IP addresses that are not allowed to connect
761 * (before DNS/ident lookup)
762 * Oper issued dlines will be added to the specified dline database
763 */
764 deny {
765 ip = "192.0.2.0/28";
766 reason = "Reconnecting vhosted bots";
767 };
768
769 /*
770 * exempt {}: IP addresses that are exempt from deny {} and Dlines
771 */
772 exempt {
773 ip = "192.0.2.240/28";
774
775 /* The 'ip' directives can be stacked */
776 ip = "10.0.0.0/8";
777 ip = "fc00::/7";
778 };
779
780 /*
781 * resv {}: nicks and channels users may not use/join
782 */
783 resv { mask = "clone*"; reason = "Clone bots"; };
784 resv { mask = "Global"; reason = "Reserved for services"; };
785 resv { mask = "ChanServ"; reason = "Reserved for services"; };
786 resv { mask = "NickServ"; reason = "Reserved for services"; };
787 resv { mask = "OperServ"; reason = "Reserved for services"; };
788 resv { mask = "MemoServ"; reason = "Reserved for services"; };
789 resv { mask = "BotServ"; reason = "Reserved for services"; };
790 resv { mask = "HelpServ"; reason = "Reserved for services"; };
791 resv { mask = "HostServ"; reason = "Reserved for services"; };
792 resv { mask = "StatServ"; reason = "Reserved for services"; };
793 resv { mask = "#*services*"; reason = "Reserved for services"; };
794
795 resv {
796 /*
797 * mask: masks starting with a '#' are automatically considered
798 * as channel name masks.
799 */
800 mask = "#helsinki";
801 reason = "Channel is reserved for Finnish inhabitants";
802
803 /*
804 * exempt: can be either a ISO 3166 alpha-2 two letter country
805 * code, or a nick!user@host mask. CIDR is supported. Exempt
806 * entries can be stacked.
807 */
808 exempt = "FI";
809 };
810
811 /*
812 * gecos {}: used for banning users based on their "realname".
813 */
814 gecos {
815 name = "*sex*";
816 reason = "Possible spambot";
817 };
818
819 gecos {
820 name = "sub7server";
821 reason = "Trojan drone";
822 };
823
824 /*
825 * service {}: specifies a server which may act as a network service
826 *
827 * NOTE: it is very important that every server on the network
828 * has the same service {} block.
829 */
830 service {
831 name = "service.example.net";
832 name = "stats.example.net";
833 };
834
835 /*
836 * pseudo {}: adds pseudo/custom commands also known as service aliases
837 */
838 pseudo {
839 /* command: the actual command/alias. */
840 command = "IDENTIFY";
841
842 /* prepend: optional text that can be prepended before the user's message. */
843 prepend = "IDENTIFY ";
844
845 /* name: the service name, used for error messages. */
846 name = "NickServ";
847
848 /* target: the actual target where this message should be sent to. */
849 target = "NickServ@service.example.net";
850 };
851
852 pseudo {
853 command = "CHANSERV";
854 name = "ChanServ";
855 target = "ChanServ@service.example.net";
856 };
857
858 pseudo {
859 command = "CS";
860 name = "ChanServ";
861 target = "ChanServ@service.example.net";
862 };
863
864 pseudo {
865 command = "NICKSERV";
866 name = "NickServ";
867 target = "NickServ@service.example.net";
868 };
869
870 pseudo {
871 command = "NS";
872 name = "NickServ";
873 target = "NickServ@service.example.net";
874 };
875
876 pseudo {
877 command = "MEMOSERV";
878 name = "MemoServ";
879 target = "MemoServ@service.example.net";
880 };
881
882 pseudo {
883 command = "MS";
884 name = "MemoServ";
885 target = "MemoServ@service.example.net";
886 };
887
888 pseudo {
889 command = "OPERSERV";
890 name = "OperServ";
891 target = "OperServ@service.example.net";
892 };
893
894 pseudo {
895 command = "OS";
896 name = "OperServ";
897 target = "OperServ@service.example.net";
898 };
899
900 pseudo {
901 command = "HOSTSERV";
902 name = "HostServ";
903 target = "HostServ@service.example.net";
904 };
905
906 pseudo {
907 command = "HS";
908 name = "HostServ";
909 target = "HostServ@service.example.net";
910 };
911
912 pseudo {
913 command = "BOTSERV";
914 name = "BotServ";
915 target = "BotServ@service.example.net";
916 };
917
918 pseudo {
919 command = "BS";
920 name = "BotServ";
921 target = "BotServ@service.example.net";
922 };
923
924 /*
925 * channel {}: the channel block contains options pertaining to channels
926 */
927 channel {
928 /*
929 * disable_fake_channels: this option, if set to 'yes', will
930 * disallow clients from creating or joining channels that have one
931 * of the following ASCII characters in their name:
932 *
933 * 2 | bold
934 * 3 | mirc color
935 * 15 | plain text
936 * 22 | reverse
937 * 29 | italic
938 * 31 | underline
939 * 160 | non-breaking space
940 */
941 disable_fake_channels = yes;
942
943 /*
944 * invite_client_count, invite_client_time: how many INVITE commands
945 * are permitted per client per invite_client_time.
946 */
947 invite_client_count = 10;
948 invite_client_time = 5 minutes;
949
950 /*
951 * invite_delay_channel: how often an INVITE to any specific channel
952 * is permitted, regardless of the user sending the INVITE.
953 */
954 invite_delay_channel = 5 seconds;
955
956 /*
957 * knock_client_count, knock_client_time: how many KNOCK commands
958 * are permitted per client per knock_client_time.
959 */
960 knock_client_count = 1;
961 knock_client_time = 5 minutes;
962
963 /*
964 * knock_delay_channel: how often a KNOCK to any specific channel
965 * is permitted, regardless of the user sending the KNOCK.
966 */
967 knock_delay_channel = 1 minute;
968
969 /*
970 * max_channels: the maximum number of channels a user can join/be on.
971 * This is a default value which can be overriden with class {} blocks.
972 */
973 max_channels = 25;
974
975 /* max_bans: maximum number of +b/e/I modes in a channel. */
976 max_bans = 100;
977
978 /*
979 * default_join_flood_count, default_join_flood_time:
980 * how many joins in how many seconds constitute a flood. Use 0 to disable.
981 * +b opers will be notified. These are only default values which can be
982 * changed via "/QUOTE SET JFLOODCOUNT" and "/QUOTE SET JFLOODTIME".
983 */
984 default_join_flood_count = 18;
985 default_join_flood_time = 6 seconds;
986 };
987
988 /*
989 * serverhide {}: the serverhide block contains the options regarding
990 * to server hiding. For more information regarding server hiding,
991 * please see doc/serverhide.txt
992 */
993 serverhide {
994 /*
995 * disable_remote_commands: disable users issuing commands
996 * on remote servers.
997 */
998 disable_remote_commands = no;
999
1000 /*
1001 * flatten_links: this option will show all servers in /links appear
1002 * as though they are linked to this current server.
1003 */
1004 flatten_links = no;
1005
1006 /*
1007 * flatten_links_delay: how often to update the links file when it is
1008 * flattened.
1009 */
1010 flatten_links_delay = 5 minutes;
1011
1012 /*
1013 * flatten_links_file: path to the flatten links cache file.
1014 */
1015 flatten_links_file = "var/lib/links.txt";
1016
1017 /*
1018 * hidden: hide this server from a /links output on servers that
1019 * support it. This allows hub servers to be hidden etc.
1020 */
1021 hidden = no;
1022
1023 /*
1024 * hide_servers: hide remote servernames everywhere and instead use
1025 * hidden_name and network_desc.
1026 */
1027 hide_servers = no;
1028
1029 /*
1030 * hide_services: define this if you want to hide the location of
1031 * services servers that are specified in the service {} block.
1032 */
1033 hide_services = no;
1034
1035 /*
1036 * hidden_name: use this as the servername users see if hide_servers = yes.
1037 */
1038 hidden_name = "*.example.net";
1039
1040 /*
1041 * hide_server_ips: if this is disabled, opers will be unable to see
1042 * servers' IP addresses and will be shown a masked IP address; admins
1043 * will be shown the real IP address.
1044 *
1045 * If this is enabled, nobody can see a server's IP address.
1046 * *This is a kludge*: it has the side effect of hiding the IP addresses
1047 * everywhere, including logfiles.
1048 *
1049 * We recommend you leave this disabled, and just take care with who you
1050 * give administrator privileges to.
1051 */
1052 hide_server_ips = no;
1053 };
1054
1055 /*
1056 * general {}: the general block contains many of the options that were once
1057 * compiled in options in config.h
1058 */
1059 general {
1060 /*
1061 * cycle_on_host_change: sends a fake QUIT/JOIN combination
1062 * when services change the hostname of a specific client.
1063 */
1064 cycle_on_host_change = yes;
1065
1066 /* max_watch: maximum WATCH entries a client can have. */
1067 max_watch = 50;
1068
1069 /* max_accept: maximum allowed /accept's for +g user mode. */
1070 max_accept = 50;
1071
1072 /*
1073 * dline_min_cidr: the minimum required length of a CIDR bitmask
1074 * for IPv4 based D-lines.
1075 */
1076 dline_min_cidr = 16;
1077
1078 /*
1079 * dline_min_cidr6: the minimum required length of a CIDR bitmask
1080 * for IPv6 based D-lines.
1081 */
1082 dline_min_cidr6 = 48;
1083
1084 /*
1085 * kline_min_cidr: the minimum required length of a CIDR bitmask
1086 * for IPv4 based K-lines.
1087 */
1088 kline_min_cidr = 16;
1089
1090 /*
1091 * kline_min_cidr6: the minimum required length of a CIDR bitmask
1092 * for IPv6 based K-lines.
1093 */
1094 kline_min_cidr6 = 48;
1095
1096 /*
1097 * invisible_on_connect: whether to automatically set user mode +i
1098 * on connecting users.
1099 */
1100 invisible_on_connect = yes;
1101
1102 /*
1103 * kill_chase_time_limit: KILL chasing is a feature whereby a KILL
1104 * issued for a user who has recently changed nickname will be applied
1105 * automatically to the new nick. kill_chase_time_limit is the maximum
1106 * time following a nickname change that this chasing will apply.
1107 */
1108 kill_chase_time_limit = 30 seconds;
1109
1110 /*
1111 * ignore_bogus_ts: ignore bogus timestamps from other servers.
1112 * Yes, this will desync the network, but it will allow chanops
1113 * to resync with a valid non TS 0.
1114 *
1115 * This should be enabled network wide, or not at all.
1116 */
1117 ignore_bogus_ts = no;
1118
1119 /*
1120 * disable_auth: completely disable ident lookups; if you enable this,
1121 * be careful of what you set need_ident to in your auth {} blocks.
1122 */
1123 disable_auth = no;
1124
1125 /*
1126 * tkline_expire_notices: enables or disables temporary kline/xline
1127 * expire notices.
1128 */
1129 tkline_expire_notices = no;
1130
1131 /*
1132 * default_floodcount: the default value of floodcount that is configurable
1133 * via /quote set floodcount. This is the number of lines a user may send
1134 * to any other user/channel in one second. Set to 0 to disable.
1135 */
1136 default_floodcount = 10;
1137
1138 /*
1139 * failed_oper_notice: send a notice to all opers on the server when
1140 * someone tries to OPER and uses the wrong password, host or ident.
1141 */
1142 failed_oper_notice = yes;
1143
1144 /*
1145 * dots_in_ident: the number of '.' characters permitted in an ident
1146 * reply before the user is rejected.
1147 */
1148 dots_in_ident = 2;
1149
1150 /*
1151 * min_nonwildcard: the minimum number of non-wildcard characters in
1152 * k/d lines placed via the server. K-lines hand-placed are exempt from
1153 * this limit.
1154 * Wildcard characters: '.', ':', '*', '?'
1155 */
1156 min_nonwildcard = 4;
1157
1158 /*
1159 * min_nonwildcard_simple: the minimum number of non-wildcard characters
1160 * in gecos bans. Wildcard characters: '*', '?'
1161 */
1162 min_nonwildcard_simple = 3;
1163
1164 /* anti_nick_flood: enable the nickflood control code. */
1165 anti_nick_flood = yes;
1166
1167 /*
1168 * max_nick_changes, max_nick_time: the number of nick changes allowed in
1169 * the specified period.
1170 */
1171 max_nick_changes = 5;
1172 max_nick_time = 20 seconds;
1173
1174 /*
1175 * away_count, away_time: how many AWAY commands are permitted per
1176 * client per away_time.
1177 */
1178 away_count = 2;
1179 away_time = 10 seconds;
1180
1181 /*
1182 * anti_spam_exit_message_time: the minimum time a user must be connected
1183 * before custom quit messages are allowed.
1184 */
1185 anti_spam_exit_message_time = 5 minutes;
1186
1187 /*
1188 * ts_warn_delta, ts_max_delta: the time delta allowed between server
1189 * clocks before a warning is given, or before the link is dropped.
1190 * All servers should run ntpdate/rdate to keep clocks in sync.
1191 */
1192 ts_warn_delta = 3 seconds;
1193 ts_max_delta = 15 seconds;
1194
1195 /*
1196 * warn_no_connect_block: warn opers about servers that try to connect
1197 * but for which we don't have a connect {} block. Twits with
1198 * misconfigured servers can become really annoying with this enabled.
1199 */
1200 warn_no_connect_block = yes;
1201
1202 /*
1203 * stats_e_disabled: set this to 'yes' to disable "STATS e" for both
1204 * operators and administrators. Doing so is a good idea in case
1205 * there are any exempted (exempt {}) server IP addresses you don't
1206 * want to see leaked.
1207 */
1208 stats_e_disabled = no;
1209
1210 /* stats_m_oper_only: make /stats m/M (messages) oper only. */
1211 stats_m_oper_only = yes;
1212
1213 /* stats_o_oper_only: make stats o (opers) oper only. */
1214 stats_o_oper_only = yes;
1215
1216 /* stats_P_oper_only: make stats P (ports) oper only. */
1217 stats_P_oper_only = yes;
1218
1219 /* stats_u_oper_only: make stats u (uptime) oper only. */
1220 stats_u_oper_only = no;
1221
1222 /*
1223 * stats_i_oper_only: make stats i (auth {}) oper only. Set to:
1224 * yes - show users no auth {} blocks, made oper only
1225 * masked - show users the first matching auth {} block
1226 * no - show users all auth {} blocks
1227 */
1228 stats_i_oper_only = yes;
1229
1230 /*
1231 * stats_k_oper_only: make stats k/K (klines) oper only. Set to:
1232 * yes - show users no klines, made oper only
1233 * masked - show users the first matching kline
1234 * no - show users all klines
1235 */
1236 stats_k_oper_only = yes;
1237
1238 /*
1239 * caller_id_wait: time between notifying a +g user that somebody
1240 * is messaging them.
1241 */
1242 caller_id_wait = 1 minute;
1243
1244 /*
1245 * opers_bypass_callerid: allows operators to bypass +g and message
1246 * anyone who has it set.
1247 */
1248 opers_bypass_callerid = no;
1249
1250 /*
1251 * pace_wait_simple: minimum time required between use of less
1252 * intensive commands
1253 * (ADMIN, HELP, LUSERS, VERSION, remote WHOIS)
1254 */
1255 pace_wait_simple = 1 second;
1256
1257 /*
1258 * pace_wait: minimum time required between use of more intensive commands
1259 * (INFO, LINKS, MAP, MOTD, STATS, WHO, WHOWAS)
1260 */
1261 pace_wait = 10 seconds;
1262
1263 /*
1264 * short_motd: send clients a notice telling them to read the MOTD
1265 * instead of forcing an MOTD to clients who may simply ignore it.
1266 */
1267 short_motd = no;
1268
1269 /*
1270 * ping_cookie: require clients to respond exactly to a PING command,
1271 * can help block certain types of drones and FTP PASV mode spoofing.
1272 */
1273 ping_cookie = no;
1274
1275 /* no_oper_flood: increase flood limits for opers. */
1276 no_oper_flood = yes;
1277
1278 /*
1279 * max_targets: the maximum number of targets in a single
1280 * PRIVMSG/NOTICE. Set to 999 NOT 0 for unlimited.
1281 */
1282 max_targets = 4;
1283
1284 /*
1285 * user modes configurable: a list of user modes for the options below
1286 *
1287 * +b - bots - See bot and drone flooding notices
1288 * +c - cconn - Client connection/quit notices
1289 * +D - deaf - Don't receive channel messages
1290 * +d - debug - See debugging notices
1291 * +e - external - See remote server connection and split notices
1292 * +F - farconnect - Remote client connection/quit notices
1293 * +f - full - See auth {} block full notices
1294 * +G - softcallerid - Server Side Ignore for users not on your channels
1295 * +g - callerid - Server Side Ignore (for privmsgs etc)
1296 * +H - hidden - Hides IRC operator status to other users
1297 * +i - invisible - Not shown in NAMES or WHO unless you share a channel
1298 * +j - rej - See rejected client notices
1299 * +k - skill - See server generated KILL messages
1300 * +l - locops - See LOCOPS messages
1301 * +n - nchange - See client nick changes
1302 * +p - hidechans - Hides channel list in WHOIS
1303 * +q - hideidle - Hides idle and signon time in WHOIS
1304 * +R - nononreg - Only receive private messages from registered clients
1305 * +s - servnotice - See general server notices
1306 * +u - unauth - See unauthorized client notices
1307 * +w - wallop - See server generated WALLOPS
1308 * +y - spy - See LINKS, STATS, TRACE notices etc.
1309 */
1310
1311 /* oper_only_umodes: user modes only operators may set. */
1312 oper_only_umodes = bots, cconn, debug, external, farconnect, full, hidden,
1313 locops, nchange, rej, skill, spy, unauth;
1314
1315 /* oper_umodes: default user modes operators get when they successfully OPER. */
1316 oper_umodes = bots, locops, servnotice, wallop;
1317
1318 /*
1319 * throttle_count: the maximum number of connections from the same
1320 * IP address allowed in throttle_time duration.
1321 */
1322 throttle_count = 1;
1323
1324 /*
1325 * throttle_time: the minimum amount of time required between
1326 * connections from the same IP address. exempt {} blocks are
1327 * excluded from this throttling.
1328 * Offers protection against flooders who reconnect quickly.
1329 * Set to 0 to disable.
1330 */
1331 throttle_time = 2 seconds;
1332 };
1333
1334 modules {
1335 /*
1336 * path: other paths to search for modules specified below
1337 * and in "/module load".
1338 */
1339 path = "lib/ircd-hybrid/modules";
1340 # path = "lib/ircd-hybrid/modules/extra";
1341 path = "lib/ircd-hybrid/modules/autoload";
1342
1343 /* module: the name of a module to load on startup/rehash. */
1344 # module = "some_module.la";
1345 };
1346
1347 /*
1348 * log {}: contains information about logfiles.
1349 */
1350 log {
1351 /* Do you want to enable logging to ircd.log? */
1352 use_logging = yes;
1353
1354 file {
1355 type = oper;
1356 name = "var/log/oper.log";
1357 size = unlimited;
1358 };
1359
1360 file {
1361 type = user;
1362 name = "var/log/user.log";
1363 size = 50 megabytes;
1364 };
1365
1366 file {
1367 type = kill;
1368 name = "var/log/kill.log";
1369 size = 50 megabytes;
1370 };
1371
1372 file {
1373 type = kline;
1374 name = "var/log/kline.log";
1375 size = 50 megabytes;
1376 };
1377
1378 file {
1379 type = dline;
1380 name = "var/log/dline.log";
1381 size = 50 megabytes;
1382 };
1383
1384 file {
1385 type = xline;
1386 name = "var/log/xline.log";
1387 size = 50 megabytes;
1388 };
1389
1390 file {
1391 type = resv;
1392 name = "var/log/resv.log";
1393 size = 50 megabytes;
1394 };
1395
1396 file {
1397 type = debug;
1398 name = "var/log/debug.log";
1399 size = 50 megabytes;
1400 };
1401 };

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision

svnadmin@ircd-hybrid.org
ViewVC Help
Powered by ViewVC 1.1.28