0
0
Fork 0
mirror of https://github.com/matrix-construct/construct synced 2025-01-19 11:01:54 +01:00
construct/doc/reference.conf
Simon Arlott d4214e9445
ircd: server connection configuration
Fix the server connection configuration so that it can simultaneously
handle a hostname/IPv4/IPv6 for connecting and a hostname/IPv4/IPv6
for binding. Maintains backwards compatibility for matching a hostname
with a mask.

Multiple host/vhost entries can be specified and the last value for
each address family is stored. Hostnames that resolve automatically
overwrite the IP address.

Server connections can now be made to either IPv4 or IPv6 at random
as well as preferring a specific address family.
2016-04-24 17:06:24 +01:00

1427 lines
47 KiB
Text

/* doc/reference.conf - charybdis Example configuration file
*
* Copyright (C) 2000-2002 Hybrid Development Team
* Copyright (C) 2002-2005 ircd-ratbox development team
* Copyright (C) 2005-2006 charybdis development team
*
* Written by ejb, wcampbel, db, leeh and others
*
*/
/* IMPORTANT NOTES:
*
* class {} blocks MUST be specified before anything that uses them. That
* means they must be defined before auth {} and before connect {}.
*
* auth {} blocks MUST be specified in order of precedence. The first one
* that matches a user will be used. So place spoofs first, then specials,
* then general access, then restricted.
*
* privset {} blocks MUST be specified before anything that uses them. That
* means they must be defined before operator {}.
*
* Both shell style (#) and C style comments are supported.
*
* Files may be included by either:
* .include "filename"
* .include <filename>
*
* Times/durations are written as:
* 12 hours 30 minutes 1 second
*
* Valid units of time:
* month, week, day, hour, minute, second
*
* Valid units of size:
* megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
*
* Sizes and times may be singular or plural.
*/
/* Extensions:
*
* Charybdis contains several extensions that are not enabled by default.
* To use them, uncomment the lines below.
*
* Channel mode +-A (admin only) -- chm_adminonly
* Channel mode +-O (oper only) -- chm_operonly
* Channel mode +-S (ssl only) -- chm_sslonly
* Emulates channel mode +-O (oper only) (+-iI $o) -- chm_operonly_compat
* Emulates channel mode +-R (quiet unreg) (+-q $~a) -- chm_quietunreg_compat
* Emulates channel mode +-S (ssl only) (+-b $~z) -- chm_sslonly_compat
* Channel mode +-M (disallow KICK on IRC ops) -- chm_operpeace
* Restrict channel creation to logged in users -- createauthonly
* Account bans (+b $a[:mask]) -- extb_account
* Banned from another channel (+b $j:mask) -- extb_canjoin
* Other-channel bans (+b $c:mask) -- extb_channel
* Combination extbans -- extb_combi
* Extended ban (+b $x:mask) -- extb_extgecos
* Hostmask bans (for combination extbans) -- extb_hostmask
* Oper bans (+b $o) -- extb_oper
* Realname (gecos) bans (+b $r:mask) -- extb_realname
* Server bans (+b $s:mask) -- extb_server
* SSL bans (+b $z) -- extb_ssl
* User mode bans (+b $u:modes) -- extb_usermode
* Helpops system (umode +H) -- helpops
* HURT system -- hurt
* New host mangling (umode +x) -- ip_cloaking_4.0
* Old host mangling (umode +h) -- ip_cloaking
* Dynamically extend channel limits -- m_extendchans
* Find channel forwards -- m_findforwards
* /identify support -- m_identify
* /locops support -- m_locops
* Opers cannot be invisible (umode +i) -- no_oper_invis
* Far connection notices (snomask +F) -- sno_farconnect
* Remote k/d/x line active notices -- sno_globalkline
* Remote oper up notices -- sno_globaloper
* Global nick-change notices -- sno_globalnickchange
* /whois notifications (snomask +W) -- sno_whois
* Oper-override (modehacking only) -- override
* Stop services kills -- no_kill_services
*/
#loadmodule "extensions/chm_adminonly";
#loadmodule "extensions/chm_operonly";
#loadmodule "extensions/chm_sslonly";
#loadmodule "extensions/chm_operonly_compat";
#loadmodule "extensions/chm_quietunreg_compat";
#loadmodule "extensions/chm_sslonly_compat";
#loadmodule "extensions/chm_operpeace";
#loadmodule "extensions/createauthonly";
#loadmodule "extensions/extb_account";
#loadmodule "extensions/extb_canjoin";
#loadmodule "extensions/extb_channel";
#loadmodule "extensions/extb_combi";
#loadmodule "extensions/extb_extgecos";
#loadmodule "extensions/extb_hostmask";
#loadmodule "extensions/extb_oper";
#loadmodule "extensions/extb_realname";
#loadmodule "extensions/extb_server";
#loadmodule "extensions/extb_ssl";
#loadmodule "extensions/extb_usermode";
#loadmodule "extensions/helpops";
#loadmodule "extensions/hurt";
#loadmodule "extensions/ip_cloaking_4.0";
#loadmodule "extensions/ip_cloaking";
#loadmodule "extensions/m_extendchans";
#loadmodule "extensions/m_findforwards";
#loadmodule "extensions/m_identify";
#loadmodule "extensions/m_locops";
#loadmodule "extensions/no_oper_invis";
#loadmodule "extensions/sno_farconnect";
#loadmodule "extensions/sno_globalkline";
#loadmodule "extensions/sno_globalnickchange";
#loadmodule "extensions/sno_globaloper";
#loadmodule "extensions/sno_whois";
#loadmodule "extensions/override";
#loadmodule "extensions/no_kill_services";
/* serverinfo {}: Contains information about the server. (OLD M:) */
serverinfo {
/* name: the name of our server */
name = "hades.arpa";
/* sid: the unique server id of our server. This must be three
* characters long. The first character must be a digit [0-9], the
* remaining two chars may be letters [A-Z] or digits [0-9].
*
* This parameter must be specified for the server to start.
*/
sid = "42X";
/* description: the description of our server. '[' and ']' may not
* be used here for compatibility with older servers.
*/
description = "charybdis test server";
/* network info: the name and description of the network this server
* is on. Shown in the 005 reply and used with serverhiding.
*/
network_name = "MyNet";
/* vhost: the IP to bind to when we connect outward to ipv4 servers.
* This should be an ipv4 IP only.
*/
#vhost = "192.0.2.6";
/* vhost6: the IP to bind to when we connect outward to ipv6 servers.
* This should be an ipv6 IP only.
*/
#vhost6 = "2001:db7:2::6";
/* ssl_private_key: our ssl private key */
ssl_private_key = "etc/ssl.key";
/* ssl_cert: certificate for our ssl server */
ssl_cert = "etc/ssl.pem";
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
ssl_dh_params = "etc/dh.pem";
/* ssl_cipher_list: A list of ciphers, dependent on your TLS backend */
#ssl_cipher_list = "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL";
/* ssld_count: number of ssld processes you want to start, if you
* have a really busy server, using N-1 where N is the number of
* cpu/cpu cores you have might be useful. A number greater than one
* can also be useful in case of bugs in ssld and because ssld needs
* two file descriptors per SSL connection.
*/
ssld_count = 1;
/* default max clients: the default maximum number of clients
* allowed to connect. This can be changed once ircd has started by
* issuing:
* /quote set maxclients <limit>
*/
default_max_clients = 1024;
/* nicklen: enforced nickname length (for this server only; must not
* be longer than the maximum length set while building).
*/
nicklen = 30;
};
/* admin {}: contains admin information about the server. (OLD A:) */
admin {
name = "Smurf target";
description = "Main Server Administrator";
email = "<syn@packets.r.us>";
};
/* log {}: contains information about logfiles. */
log {
/* logfiles: the logfiles to use for specific activity. if these
* paths are defined, then ircd will log to them, otherwise it wont.
*
* The confs are, in order:
* - userlog: user exits
* - fuserlog: failed user connections
* - operlog: /oper usage
* - foperlog: failed /oper usage
* - serverlog: server connects/disconnects
* - klinelog: klines, etc
* - killlog: kills
* - operspylog: operspy usage
* - ioerrorlog: IO errors
*/
fname_userlog = "logs/userlog";
#fname_fuserlog = "logs/fuserlog";
fname_operlog = "logs/operlog";
#fname_foperlog = "logs/foperlog";
fname_serverlog = "logs/serverlog";
#fname_klinelog = "logs/klinelog";
fname_killlog = "logs/killlog";
fname_operspylog = "logs/operspylog";
#fname_ioerrorlog = "logs/ioerror";
};
/* class {}: contain information about classes for users (OLD Y:) */
class "users" {
/* class name must go above */
/* ping time: how often a client must reply to a PING from the
* server before they are dropped.
*/
ping_time = 2 minutes;
/* number per ident: the number of users per user@host networkwide
* allowed to connect. Unidented connections are classified as
* the same ident.
*/
number_per_ident = 2;
/* number per ip: the number of local users per host allowed */
number_per_ip = 3;
/* number per ip global: the number of network wide connections
* per host allowed for a user, including connections to the
* local server.
*/
number_per_ip_global = 5;
/* cidr_ipv4_bitlen: Limits numbers of connections from a subnet size
*/
cidr_ipv4_bitlen = 24;
/* cidr_ipv6_bitlen: Limits numbers of connections from a subnet size
* the following example makes the subnet /64 this is useful
* for IPv6 connections in particular
*/
cidr_ipv6_bitlen = 64;
/* number_per_cidr: Number of connections to allow from a subnet of the
* size given in cidr_ipv4_bitlen/cidr_ipv6_bitlen.
* 4 seems to be a good default to me.
*/
number_per_cidr = 4;
/* max number: the maximum number of users allowed in this class */
max_number = 100;
/* sendq: the amount of data allowed in a clients queue before
* they are dropped.
*/
sendq = 100 kbytes;
};
class "restricted" {
ping_time = 1 minute 30 seconds;
number_per_ip = 1;
max_number = 100;
sendq = 60kb;
};
class "opers" {
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 100;
sendq = 100kbytes;
};
class "server" {
ping_time = 5 minutes;
/* connectfreq: only used in server classes. specifies the delay
* between autoconnecting to servers.
*/
connectfreq = 5 minutes;
/* max number: the amount of servers to autoconnect to. if the number
* of servers in the class is or exceeds this, no more servers in the
* class are autoconnected. oper initiated connects are unaffected.
* this should usually be set to either 0 or 1. (autoconnecting from
* hubs to leaves may cause leaves to function as hubs by having
* multiple servers connected to them.)
*/
max_number = 1;
/* sendq: servers need a higher sendq as they are sent more data */
sendq = 2 megabytes;
};
/* listen {}: contain information about the ports ircd listens on (OLD P:) */
listen {
/* defer_accept: wait for clients to send IRC handshake data before
* accepting them. if you intend to use software which depends on the
* server replying first, such as BOPM, you should disable this feature.
* otherwise, you probably want to leave it on.
*/
defer_accept = yes;
/* port: the specific port to listen on. if no host is specified
* before, it will listen on all available IPs.
*
* sslport: the specific port to listen ssl connections on. if no
* host is specified before, it will listen on all available IPs.
*
* ports are seperated via a comma, a range may be specified using ".."
*/
/* port: listen on all available IPs, ports 5000 and 6665 to 6669 */
port = 5000, 6665 .. 6669;
/* sslport: listen for ssl connections on all available IPs, port 9999 */
sslport = 9999;
/* host: set a specific IP/host the ports after the line will listen
* on. This may be ipv4 or ipv6.
*/
host = "192.0.2.6";
port = 7000, 7001;
sslport = 9000, 9001;
host = "2001:db8:2::6";
port = 7002;
sslport = 9002;
};
/* auth {}: allow users to connect to the ircd (OLD I:) */
auth {
/* user: the user@host allowed to connect. Multiple IPv4/IPv6 user
* lines are permitted per auth block. This is matched against the
* hostname and IP address (using :: shortening for IPv6 and
* prepending a 0 if it starts with a colon) and can also use CIDR
* masks.
*/
user = "*@198.51.100.0/24";
user = "*test@2001:db8:1:*";
/* auth_user: This allows specifying a username:password instead of
* just a password in PASS, so that a fixed user@host is not
* necessary for a specific auth{} block.
*/
#auth_user = "SomeUser";
/* password: an optional password that is required to use this block.
* By default this is not encrypted, specify the flag "encrypted" in
* flags = ...; below if it is.
*/
password = "letmein";
/* spoof: fake the users user@host to be be this. You may either
* specify a host or a user@host to spoof to. This is free-form,
* just do everyone a favour and dont abuse it. (OLD I: = flag)
*/
spoof = "I.still.hate.packets";
/* Possible flags in auth:
*
* encrypted | password is encrypted with mkpasswd
* spoof_notice | give a notice when spoofing hosts
* exceed_limit (old > flag) | allow user to exceed class user limits
* kline_exempt (old ^ flag) | exempt this user from k/g/xlines,
* | dnsbls, and proxies
* dnsbl_exempt | exempt this user from dnsbls
* proxy_exempt | exempt this user from proxies
* spambot_exempt | exempt this user from spambot checks
* shide_exempt | exempt this user from serverhiding
* jupe_exempt | exempt this user from generating
* warnings joining juped channels
* resv_exempt | exempt this user from resvs
* flood_exempt | exempt this user from flood limits
* USE WITH CAUTION.
* no_tilde (old - flag) | don't prefix ~ to username if no ident
* need_ident (old + flag) | require ident for user in this class
* need_ssl | require SSL/TLS for user in this class
* need_sasl | require SASL id for user in this class
* extend_chans | allow this user to join more channels than normal
*/
flags = kline_exempt, exceed_limit;
/* class: the class the user is placed in */
class = "opers";
};
auth {
/* redirect: the server and port to redirect a user to. A user does
* not have to obey the redirection, the ircd just suggests to them
* an alternative server.
*/
redirserv = "irc.example.net";
redirport = 6667;
user = "*.example.com";
/* class: a class is required even though it is not used */
class = "users";
};
auth {
user = "*@*";
class = "users";
};
/* privset{}: defines operator privilege sets. */
privset "local_op" {
/* privs: controls the activities and commands an oper is
* allowed to do on the server
*
* Available options:
*
* oper:local_kill: allows local users to be /KILL'd
* oper:global_kill: allows local and remote users to be /KILL'd
* oper:routing: allows remote SQUIT and CONNECT
* oper:kline: allows KLINE and DLINE
* oper:unkline: allows UNKLINE and UNDLINE
* snomask:nick_changes: allows oper to see nickchanges via snomask +n
* oper:rehash: allows oper to REHASH config
* oper:die: allows DIE and RESTART
* oper:admin: gives admin privileges. admins
* may (un)load modules and see various
* additional information.
* oper:hidden_admin: gives admin privileges except
* will not have the admin lines in
* whois.
* oper:xline: allows use of /quote xline/unxline
* oper:resv: allows /quote resv/unresv and cmode +LP
* oper:operwall: allows the oper to send/receive operwalls
* oper:spy: allows 'operspy' features to see through +s
* channels etc. see /quote help operspy
* oper:hidden: hides the oper from /stats p
* oper:remoteban: allows remote kline etc
* oper:mass_notice: allows sending wallops and mass notices
* oper:grant: allows using the GRANT command
*/
privs = oper:local_kill, oper:operwall;
};
privset "server_bot" {
/* extends: a privset to inherit in this privset */
extends = "local_op";
privs = oper:kline, oper:remoteban, snomask:nick_changes;
};
privset "global_op" {
extends = "local_op";
privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
oper:resv, oper:mass_notice, oper:remoteban;
};
privset "admin" {
extends = "global_op";
privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:grant;
};
/* operator {}: defines ircd operators. (OLD O:) */
operator "god" {
/* name: the name of the oper must go above */
/* user: the user@host required for this operator. CIDR *is*
* supported now. auth{} spoofs work here, other spoofs do not.
* multiple user="" lines are supported.
*/
user = "*god@*";
user = "*@127.0.0.1";
/* password: the password required to oper. Unless ~encrypted is
* contained in flags = ...; this will need to be encrypted using
* mkpasswd, MD5 is supported
*/
password = "etcnjl8juSU1E";
/* rsa key: the public key for this oper when using Challenge.
* A password should not be defined when this is used, see
* doc/challenge.txt for more information.
*/
#rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";
/* fingerprint: if specified, the oper's client certificate
* fingerprint will be checked against the specified fingerprint
* below.
*/
#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
/* umodes: the specific umodes this oper gets when they oper.
* If this is specified an oper will not be given oper_umodes
* These are described above oper_only_umodes in general {};
*/
#umodes = locops, servnotice, operwall, wallop;
/* snomask: specific server notice mask on oper up.
* If this is specified an oper will not be given oper_snomask.
*/
snomask = "+Zbfkrsuy";
/* flags: misc options for the operator. You may prefix an option
* with ~ to disable it, e.g. ~encrypted.
*
* Default flags are encrypted.
*
* Available options:
*
* encrypted: the password above is encrypted [DEFAULT]
* need_ssl: must be using SSL/TLS to oper up
*/
flags = encrypted;
/* privset: privileges set to grant */
privset = "admin";
};
/* connect {}: controls servers we connect to (OLD C:, N:, H:, L:) */
connect "irc.uplink.com" {
/* the name must go above */
/* host: the host or IP to connect to. If a hostname is used it
* must match the reverse dns of the server.
*/
host = "203.0.113.3";
/* vhost: the host or IP to bind to for this connection. If this
* is not specified, the default vhost (in serverinfo {}) is used.
*/
#vhost = "192.0.2.131";
/* passwords: the passwords we send (OLD C:) and accept (OLD N:).
* The remote server will have these passwords reversed.
*/
send_password = "password";
accept_password = "anotherpassword";
/* fingerprint: if specified, the server's client certificate
* fingerprint will be checked against the specified fingerprint
* below.
*/
#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
/* port: the port to connect to this server on */
port = 6666;
/* hub mask: the mask of servers that this server may hub. Multiple
* entries are permitted
*/
hub_mask = "*";
/* leaf mask: the mask of servers this server may not hub. Multiple
* entries are permitted. Useful for forbidding EU -> US -> EU routes.
*/
#leaf_mask = "*.uk";
/* class: the class this server is in */
class = "server";
/* flags: controls special options for this server
* encrypted - marks the accept_password as being crypt()'d
* autoconn - automatically connect to this server
* compressed - compress traffic via ziplinks
* topicburst - burst topics between servers
* ssl - ssl/tls encrypted server connections
*/
flags = compressed, topicburst;
};
connect "ipv6.lame.server" {
host = "192.0.2.1";
host = "2001:db8:3::8";
send_password = "password";
accept_password = "password";
port = 6666;
/* aftype: controls whether the outgoing connection uses "ipv4" or "ipv6".
* Default is to try either at random.
*/
aftype = ipv6;
class = "server";
};
connect "ssl.uplink.com" {
/* Example of ssl server-to-server connection, ssl flag doesn't need
* compressed flag, 'cause it uses own compression
*/
host = "203.0.113.129";
send_password = "password";
accept_password = "anotherpassword";
port = 9999;
hub_mask = "*";
class = "server";
flags = ssl, topicburst;
};
/* cluster {}; servers that we propagate things to automatically.
* NOTE: This does NOT grant them privileges to apply anything locally,
* you must add a seperate shared block for that. Clustering will
* only be done for actions by LOCAL opers, that arent directed
* remotely.
*/
cluster {
/* name: the server to share with, this can be a wildcard and may be
* stacked.
*/
/* flags: list of what to share, all the name lines above this (up
* until another flags entry) will receive these flags.
*
* kline - share perm klines
* tkline - share temp klines
* unkline - share unklines
* locops - share locops
* xline - share perm xlines
* txline - share temp xlines
* unxline - share unxlines
* resv - share perm resvs
* tresv - share temp resvs
* unresv - share unresvs
* all - share all of the above
*/
/* share klines/unklines/xlines with *.lan */
name = "*.lan";
flags = kline, unkline, xline;
/* share locops with irc.ircd-ratbox.org and ircd.ircd-ratbox.org */
name = "irc.ircd-ratbox.org";
name = "ircd.ircd-ratbox.org";
flags = locops;
};
/* service{}: privileged servers (services). These servers have extra
* privileges such as setting login names on users and introducing clients
* with umode +S (unkickable, hide channels, etc). This does not allow them
* to set bans, you need a separate shared{} for that.
* Do not place normal servers here.
* There may be only one service{} block.
*/
service {
/* name: the server name. These may be stacked. */
name = "services.int";
};
/* shared {}: users that are allowed to place remote bans on our server.
* NOTE: These are ordered top down. The first one the user@host and server
* matches will be used. Their access will then be decided on that
* block and will not fall back to another block that matches.
*/
shared {
/* oper: the user@host and server the user must be on to set klines.
* The first field must be a user@host, the second field is an
* optional server. These may be stacked.
*/
/* flags: list of what to allow them to place, all the oper lines
* above this (up until another flags entry) will receive these
* flags. This *must* be present.
*
* kline - allow setting perm/temp klines
* tkline - allow setting temp klines
* unkline - allow removing klines
* xline - allow setting perm/temp xlines
* txline - allow setting temp xlines
* unxline - allow removing xlines
* resv - allow setting perm/temp resvs
* tresv - allow setting temp resvs
* unresv - allow removing xlines
* all - allow oper/server to do all of above.
* locops - allow locops - only used for servers who cluster
* rehash - allow rehashing
* dline - allow setting perm/temp dlines
* tdline - allow setting temp dlines
* undline - allow removing dlines
* grant - allow granting operator status
* die - allow remote DIE/RESTART
* module - allow remote module commands
* none - disallow everything
*/
/* allow flame@*.leeh.co.uk on server irc.ircd-ratbox.org and
* allow leeh@*.leeh.co.uk on server ircd.ircd-ratbox.org to kline
*/
oper = "flame@*.leeh.co.uk", "irc.ircd-ratbox.org";
oper = "leeh@*.leeh.co.uk", "ircd.ircd-ratbox.org";
flags = kline;
/* you may forbid certain opers/servers from doing anything */
oper = "irc@vanity.oper", "*";
oper = "*@*", "irc.vanity.server";
oper = "irc@another.vanity.oper", "bigger.vanity.server";
flags = none;
/* or allow everyone to place temp klines */
oper = "*@*";
flags = tkline;
};
/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
exempt {
ip = "192.0.2.0/24";
/* these may be stacked */
ip = "127.0.0.1";
};
/* The channel block contains options pertaining to channels */
channel {
/* invex: Enable/disable channel mode +I, a n!u@h list of masks
* that can join a +i channel without an invite.
*/
use_invex = yes;
/* except: Enable/disable channel mode +e, a n!u@h list of masks
* that can join a channel through a ban (+b).
*/
use_except = yes;
/* forward: Enable/disable channel mode +f, a channel to forward
* users to if they can't join because of +i etc. Also enables ban
* forwarding, <mask>$<channel>.
*/
use_forward = yes;
/* knock: Allows users to request an invite to a channel that
* is locked somehow (+ikl). If the channel is +p or you are banned
* the knock will not be sent.
*/
use_knock = yes;
/* knock delay: The amount of time a user must wait between issuing
* the knock command.
*/
knock_delay = 5 minutes;
/* knock channel delay: How often a knock to any specific channel
* is permitted, regardless of the user sending the knock.
*/
knock_delay_channel = 1 minute;
/* max chans: The maximum number of channels a user can join/be on. */
max_chans_per_user = 15;
/* max chans (large): The extended maximum number of channels a user can join. */
max_chans_per_user_large = 60;
/* max bans: maximum number of +b/e/I/q modes in a channel */
max_bans = 100;
/* max bans: maximum number of +b/e/I/q modes in a +L channel */
max_bans_large = 500;
/* splitcode: split users, split servers and either no join on split
* or no create on split must be enabled for split checking.
* splitmode will be entered on either split users or split servers
* dropping below the limit.
*
* you may force splitmode to be permanent by /quote set splitmode on
*/
/* split users: when the usercount is lower than this level, consider
* ourselves split. this must be set for automatic splitmode
*/
default_split_user_count = 0;
/* split servers: when the amount of servers that have acknowledged
* theyve finished bursting is lower than this, consider ourselves
* split. this must be set for automatic splitmode
*/
default_split_server_count = 0;
/* split: no create: disallow users creating channels on split */
no_create_on_split = no;
/* split: no join: disallow users joining channels at all on a split */
no_join_on_split = no;
/* burst topicwho: when bursting topics, also burst the topic setter */
burst_topicwho = yes;
/* kick on split riding: kick users riding splits to join +i or +k
* channels. more precisely, if a bursting server sends an SJOIN
* for a channel with a lower TS with either a +i mode or a +k
* mode with a different key, kick all local users.
*
* note: this does not take +r, +b, +e and +I into account.
*/
kick_on_split_riding = no;
/* only ascii channels: disable local users joining channels
* containing characters outside the range 33-126 (non-printable
* or non-ASCII).
*/
only_ascii_channels = no;
/* resv_forcepart: force any local users to part a channel
* when a RESV is issued.
*/
resv_forcepart = yes;
/* channel target change: restrict how many channels users can
* message per unit of time. IRC operators, channel operators and
* voiced users are exempt.
*/
channel_target_change = yes;
/* disable local channels: if yes, then local channels will not be
* supported.
*/
disable_local_channels = no;
/* autochanmodes: the channel modes that should be automatically set
* when a channel is created.
*/
autochanmodes = "+nt";
/* displayed_usercount: the minimum amount of users on a channel before it
* is displayed in LIST. this parameter can be overridden using ELIST parameters,
* such as LIST >0.
*/
displayed_usercount = 3;
/* strip_topic_colors: whether or not color codes in TOPIC should be stripped. */
strip_topic_colors = no;
};
/* The serverhide block contains the options regarding serverhiding */
serverhide {
/* flatten links: this option will hide various routing information
* and make all servers in /links appear that they are linked to
* this server.
*/
flatten_links = no;
/* links delay: how long to wait before showing splits or new
* servers in a flattened /links output.
*/
links_delay = 5 minutes;
/* hidden: hide this server from a /links output on servers with
* flatten_links enabled. this allows hub servers to be hidden etc.
*/
hidden = no;
/* disable hidden: prevent servers hiding themselves from a
* /links ouput.
*/
disable_hidden = no;
};
/* These are the blacklist settings.
* You can have multiple combinations of host and rejection reasons.
* They are used in pairs of one host/rejection reason.
*
* These settings should be adequate for most networks.
*
* Word to the wise: Do not use blacklists like SPEWS for blocking IRC
* connections.
*
* As of charybdis 2.2, you can do some keyword substitution on the rejection
* reason. The available keyword substitutions are:
*
* ${ip} - the user's IP
* ${host} - the user's canonical hostname
* ${dnsbl-host} - the dnsbl hostname the lookup was done against
* ${nick} - the user's nickname
* ${network-name} - the name of the network
*
* As of charybdis 3.4, a type parameter is supported, which specifies the
* address families the blacklist supports. IPv4 and IPv6 are supported.
* IPv4 is currently the default as few blacklists support IPv6 operation
* as of this writing.
*
* As of charybdis 3.5, a matches parameter is allowed; if omitted, any result
* is considered a match. If included, a comma-separated list of *quoted*
* strings is allowed to match queries. They may be of the format "0" to "255"
* to match the final octet (e.g. 127.0.0.1) or "127.x.y.z" to explicitly match
* an A record. The blacklist is only applied if it matches anything in the
* list. You may freely mix full IP's and final octets.
*
* Consult your blacklist provider for the meaning of these parameters; they
* are usually used to denote different ban types.
*/
blacklist {
host = "rbl.efnetrbl.org";
type = ipv4;
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";
/* Example of a blacklist that supports both IPv4 and IPv6 and using matches */
# host = "foobl.blacklist.invalid";
# matches = "4", "6", "127.0.0.10";
# type = ipv4, ipv6;
# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect";
};
/* These are the OPM settings.
* This is similar to the functionality provided by BOPM. It will scan incoming
* connections for open proxies by connecting to clients and attempting several
* different open proxy handshakes. If they connect back to us (via a dedicated
* listening port), and send back the data we send them, they are considered
* an open proxy. For politeness reasons (users may be confused by the incoming
* connection attempts if they are logging incoming connections), the user is
* notified upon connect if they are being scanned.
*
* WARNING:
* These settings are considered experimental. Only the most common proxy types
* are checked for (Charybdis is immune from POST and GET proxies). If you are
* not comfortable with experimental code, remove or comment out the *entire*
* block below to disable the proxy scanner.
*/
opm {
/* IPv4 address to listen on. This must be a publicly facing IP address
* to be effective.
* If omitted, it defaults to serverinfo::vhost.
*/
#listen_ipv4 = "127.0.0.1";
/* IPv4 port to listen on.
* This should not be the same as any existing listeners.
*/
#port_ipv4 = 32000;
/* IPv6 address to listen on. This must be a publicly facing IP address
* to be effective.
* If omitted, it defaults to serverinfo::vhost6.
*/
#listen_ipv6 = "::1";
/* IPv6 port to listen on.
* This should not be the same as any existing listeners.
*/
#port_ipv6 = 32000;
/* You can also set the listen_port directive which will set both the
* IPv4 and IPv6 ports at once.
*/
listen_port = 32000;
/* This sets the timeout in seconds before ending open proxy scans.
* Values less than 1 or greater than 60 are ignored.
* It is advisable to keep it as short as feasible, so clients do not
* get held up by excessively long scan times.
*/
timeout = 5;
/* These are the ports to scan for SOCKS4 proxies on. They may overlap
* with other scan types. Sensible defaults are given below.
*/
socks4_ports = 80, 443, 1080, 8000, 8080, 10800;
/* These are the ports to scan for SOCKS5 proxies on. They may overlap
* with other scan types. Sensible defaults are given below.
*/
socks5_ports = 80, 443, 1080, 8000, 8080, 10800;
/* These are the ports to scan for HTTP CONNECT proxies on (plaintext).
* They may overlap with other scan types. Sensible defaults are given
* below.
*/
httpconnect_ports = 80, 8080, 8000;
/* These are the ports to scan for HTTPS CONNECT proxies on (SSL).
* They may overlap with other scan types. Sensible defaults are given
* below.
*/
httpsconnect_ports = 443, 4443;
};
/*
* Alias blocks allow you to define custom commands. (Old m_sshortcut.c)
* They send PRIVMSG to the given target. A real command takes
* precedence above an alias.
*/
alias "NickServ" {
/* the name must go above */
/* target: the target nick (must be a network service) or
* user@server (cannot be this server, only opers can use
* user starting with "opers" reliably, interpreted on the target
* server only so you may need to use nick@server instead)
*/
target = "NickServ";
};
alias "ChanServ" {
target = "ChanServ";
};
alias "OperServ" {
target = "OperServ";
};
alias "MemoServ" {
target = "MemoServ";
};
alias "NS" {
target = "NickServ";
};
alias "CS" {
target = "ChanServ";
};
alias "OS" {
target = "OperServ";
};
alias "MS" {
target = "MemoServ";
};
/* The general block contains many of the options that were once compiled
* in options in config.h. The general block is read at start time.
*/
general {
/* hide error messages: defines whether error messages from
* servers that are not deemed fully safe are hidden or not.
* These can sometimes contain IPs and can have an adverse
* effect on server ip hiding. Set to:
* yes: hide from opers and admin
* opers: hide from opers only
* no: do not hide error messages
* Admins on other servers count as opers.
*/
hide_error_messages = opers;
/* hide spoof ips: hide the real ips of auth{} spoofed users
* If disabled, local opers can see them.
* Dynamic spoofs (e.g. set by services) are unaffected by this;
* any oper (local and remote) can see the real ip.
*/
hide_spoof_ips = yes;
/* default umodes: umodes to set upon connection
* If you have enabled the ip_cloaking extension, and you wish for
* incoming clients to be set +h or +x upon connection, add +h or +x to the umode
* string below.
*/
default_umodes = "+i";
/* default operstring: defines the default oper response
* in /whois queries, eg "is an IRC Operator".
* After startup use /quote set operstring to change.
*/
default_operstring = "is an IRC Operator";
/* default adminstring: defines the default admin response
* in /whois queries, eg "is a Server Administrator".
* After startup use /quote set adminstring to change.
*/
default_adminstring = "is a Server Administrator";
/* servicestring: defines the response for opered services (+S)
* in /whois queries, eg "is a Network Service".
* This is updated on rehash.
*/
servicestring = "is a Network Service";
/*
* Nick of the network's SASL agent. Used to check whether services are here,
* SASL credentials are only sent to its server. Needs to be a service.
*
* Defaults to SaslServ if unspecified.
*/
sasl_service = "SaslServ";
/* disable fake channels: disable local users joining fake versions
* of channels, eg #foo^B^B. Disables bold, mirc colour, reverse,
* underline and hard space. (ASCII 2, 3, 22, 31, 160 respectively).
*/
disable_fake_channels = no;
/* tkline_expire_notices: give a notice to opers when a tkline
* expires
*/
tkline_expire_notices = no;
/* floodcount: the default value of floodcount that is configurable
* via /quote set floodcount. This is the amount of lines a user
* may send to any other user/channel in one second.
*/
default_floodcount = 10;
/* failed oper notice: send a notice to all opers on the server when
* someone tries to OPER and uses the wrong password, host or ident.
*/
failed_oper_notice = yes;
/* dots in ident: the amount of '.' characters permitted in an ident
* reply before the user is rejected.
*/
dots_in_ident = 2;
/* min nonwildcard: the minimum non wildcard characters in k/d/g lines
* placed via the server. klines hand placed are exempt from limits.
* wildcard chars: '.' '*' '?' '@'
*/
min_nonwildcard = 4;
/* min nonwildcard simple: the minimum non wildcard characters in
* xlines/resvs placed via the server.
* wildcard chars: '*' '?'
*/
min_nonwildcard_simple = 3;
/* max accept: maximum allowed /accept's for +g usermode */
max_accept = 20;
/* max monitor: the maximum amount of nicknames a client may have in
* their monitor (server-side notify) list.
*/
max_monitor = 100;
/* nick flood: enable the nickflood control code */
anti_nick_flood = yes;
/* nick flood: the nick changes allowed in the specified period */
max_nick_time = 20 seconds;
max_nick_changes = 5;
/* anti spam time: the minimum time a user must be connected before
* custom quit messages are allowed.
*/
anti_spam_exit_message_time = 5 minutes;
/* ts delta: the time delta allowed between server clocks before
* a warning is given, or before the link is dropped. all servers
* should run ntpdate/rdate to keep clocks in sync
*/
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
/* client exit: prepend a user's quit message with "Quit: " */
client_exit = yes;
/* collision fnc: change user's nick to their UID instead of
* killing them, if possible. This setting only applies to nick
* collisions detected on this server. Only enable this if
* all servers on the network allow remote nicks to start with
* a digit.
*/
collision_fnc = yes;
/* resv fnc: change a user's nick to a nick they have recently used
* (or their UID, if no such nick can be found) when a resv matching
* them is set by services. Only enable this if all servers on the
* network allow remote nicks to start with a digit.
*/
resv_fnc = yes;
/* global snotices: send out certain snotices (most +b, +f, +y,
* some +s) to other servers via ENCAP SNOTE. Received SNOTEs are
* displayed unconditionally.
*/
global_snotices = yes;
/* dline reason: show the user the dline reason when they connect
* and are dlined.
*/
dline_with_reason = yes;
/* kline delay: delay the checking of klines until a specified time.
* Useful if large kline lists are applied often to prevent the
* server eating CPU.
*/
kline_delay = 0 seconds;
/* kline reason: show the user the reason why they are k/dlined
* on exit. may give away who set k/dline when set via tcm.
*/
kline_with_reason = yes;
/* kline reason: make the users quit message on channels this
* reason instead of the oper's reason.
*/
kline_reason = "Connection closed";
/* identify to services via server password
* if auth{} block had no password but the user specified a
* server password anyway, send a PRIVMSG to <identify_service>
* with as text <identify_command> <password>.
*/
identify_service = "NickServ@services.int";
identify_command = "IDENTIFY";
/* non redundant klines: flag and ignore redundant klines */
non_redundant_klines = yes;
/* warn no nline: warn opers about servers that try to connect but
* we dont have a connect {} block for. Twits with misconfigured
* servers can get really annoying with this enabled.
*/
warn_no_nline = yes;
/* use propagated bans: KLINE, XLINE and RESV set fully propagated bans.
* That means the bans are part of the netburst and restarted/split
* servers will get them, but they will not apply to 3.2 and older
* servers at all.
*/
use_propagated_bans = yes;
/* stats e disabled: disable stats e. useful if server ips are
* exempted and you dont want them listing on irc.
*/
stats_e_disabled = no;
/* stats c oper only: make stats c (connect {}) oper only */
stats_c_oper_only = no;
/* stats h oper only: make stats h (hub_mask/leaf_mask) oper only */
stats_h_oper_only = no;
/* stats y oper only: make stats y (class {}) oper only */
stats_y_oper_only = no;
/* stats o oper only: make stats o (opers) oper only */
stats_o_oper_only = yes;
/* stats P oper only: make stats P (ports) oper only
* NOTE: users doing stats P will never be given the ips that the
* server listens on, simply the ports.
*/
stats_P_oper_only = no;
/* stats i oper only: make stats i (auth {}) oper only. set to:
* yes: show users no auth blocks, made oper only.
* masked: show users first matching auth block
* no: show users all auth blocks.
*/
stats_i_oper_only = masked;
/* stats k/K oper only: make stats k/K (klines) oper only. set to:
* yes: show users no auth blocks, made oper only
* masked: show users first matching auth block
* no: show users all auth blocks.
*/
stats_k_oper_only = masked;
/* map oper only: make /map oper only */
map_oper_only = no;
/* operspy admin only: make operspy notices to +Z admin only */
operspy_admin_only = no;
/* operspy dont care user info: treat /who mask as if there was
* an '!' always; do not log or server notice about operspy
* /who mask, /masktrace and /scan. channel information is still
* protected. */
operspy_dont_care_user_info = no;
/* caller id wait: time between notifying a +g user that somebody
* is messaging them.
*/
caller_id_wait = 1 minute;
/* pace wait simple: time between use of less intensive commands
* (HELP, remote WHOIS, WHOWAS)
*/
pace_wait_simple = 1 second;
/* pace wait: time between more intensive commands
* (ADMIN, INFO, LIST, LUSERS, MOTD, STATS, VERSION)
*/
pace_wait = 10 seconds;
/* short motd: send clients a notice telling them to read the motd
* instead of forcing a motd to clients who may simply ignore it.
*/
short_motd = no;
/* ping cookies: require clients to respond exactly to a ping command,
* can help block certain types of drones and FTP PASV mode spoofing.
*/
ping_cookie = no;
/* connect timeout: sets how long we should wait for a connection
* request to succeed
*/
connect_timeout = 30 seconds;
/* ident timeout: Amount of time (in seconds) that the IRCd will
* wait for a user to respond to an ident request.
*/
default_ident_timeout = 5;
/* disable auth: disables identd checking */
disable_auth = no;
/* no oper flood: increase flood limits for opers. */
no_oper_flood = yes;
/* REMOVE ME. The following line checks you've been reading. */
havent_read_conf = yes;
/* max targets: the maximum amount of targets in a single
* PRIVMSG/NOTICE. set to 999 NOT 0 for unlimited.
*/
max_targets = 4;
/* use_whois_actually: send clients requesting a whois a numeric
* giving the real IP of non-spoofed clients to prevent DNS abuse.
*/
use_whois_actually = yes;
/* usermodes configurable: a list of usermodes for the options below
*
* +g - callerid - Server Side Ignore
* +D - deaf - Don't see channel messages
* +i - invisible - Not shown in NAMES or WHO unless you share a
* a channel
* +l - locops - See LOCOPS messages
* +Q - noforward - Unaffected by channel forwarding
* +R - regonlymsg - No messages from unindentified
* +s - servnotice - See server notices
* +w - wallop - See oper and server generated WALLOPS
* +z - operwall - See operwalls
*/
/* oper only umodes: usermodes only opers may set */
oper_only_umodes = operwall, locops, servnotice;
/* oper umodes: default usermodes opers get when they /oper */
oper_umodes = locops, servnotice, operwall, wallop;
/* oper snomask: default snomask opers get when they /oper,
* provided they have umode +s set */
oper_snomask = "+s";
/* compression level: level of compression for compressed links between
* servers.
*
* values are between: 1 (least compression, fastest)
* and: 9 (most compression, slowest).
*/
#compression_level = 6;
/* burst_away: This enables bursting away messages to servers.
* With this disabled, we will only propogate AWAY messages
* as users send them, but never burst them. Be warned though
* enabling this could increase the size of a burst significantly
* for a large network, like EFnet.
*/
burst_away = yes;
/* nick delay: This locks nicks of split clients for the given time
* or until a remote client uses the nick. This significantly
* reduces nick collisions on short splits but it can be annoying.
* To make things as fair as possible, this should be the same on
* all servers. If you enable this, the suggested value is 15 minutes.
*/
nick_delay = 0 seconds;
/* reject time: the amount of rejections through klines/dlines etc
* allowed in the given time before the rejection is cached and
* a pseudo temp dline is placed
*/
reject_ban_time = 1 minute;
reject_after_count = 3;
/* reject duration: the amount of time to cache the rejection */
reject_duration = 5 minutes;
/* throttle_duration: Amount of time that throttling will be applied to an IP
* address.
*/
throttle_duration = 60;
/* throttle_count: Number of connections within throttle_duration that it takes
* for throttling to take effect */
throttle_count = 4;
/* client flood_max_lines: maximum number of lines in a clients queue before
* they are dropped for flooding.
*/
client_flood_max_lines = 20;
/* Flood control settings. DO NOT CHANGE THESE without extensive discussion
* and testing by someone who knows exactly what they do.
*
* These settings replicate charybdis-3.3 behaviour.
*/
client_flood_burst_rate = 40;
client_flood_burst_max = 5;
client_flood_message_time = 1;
client_flood_message_num = 2;
/* max_ratelimit_tokens: the maximum number of ratelimit tokens that one
* user can accumulate. This attempts to limit the amount of outbound
* bandwidth one user can consume. Do not change unless you know what
* you're doing.
*/
max_ratelimit_tokens = 30;
/* away_interval: the minimum interval between AWAY commands. One
* additional AWAY command is allowed, and only marking as away
* counts.
*/
away_interval = 30;
/* certfp_method: the method that should be used for computing certificate fingerprints.
* Acceptable options are sha1, sha256, spki_sha256, sha512 and spki_sha512. Networks
* running versions of charybdis prior to charybdis 3.5 MUST use sha1 for certfp_method.
*
* The spki_* variants operate on the SubjectPublicKeyInfo of the certificate, which does
* not change unless the private key is changed. This allows the fingerprint to stay
* constant even if the certificate is reissued.
*/
certfp_method = sha1;
/* hide_opers_in_whois: if set to YES, then oper status will be hidden in /WHOIS output. */
hide_opers_in_whois = no;
};
modules {
/* module path: paths to search for modules specified below and
* in /modload.
*/
path = "/usr/local/ircd/modules";
path = "/usr/local/ircd/modules/autoload";
/* module: the name of a module to load on startup/rehash */
#module = "some_module";
};