* Remote k/d/x line active notices -- sno_globalkline.so
* Remote oper up notices -- sno_globaloper.so
* /whois notifications (snomask +W) -- sno_whois.so
+ * Oper-override (modehacking only) -- override.so
+ * Stop services kills -- no_kill_services.so
*/
#loadmodule "extensions/chm_adminonly.so";
#loadmodule "extensions/chm_operonly.so";
#loadmodule "extensions/sno_globalkline.so";
#loadmodule "extensions/sno_globaloper.so";
#loadmodule "extensions/sno_whois.so";
-
+#loadmodule "extensions/override.so";
+#loadmodule "extensions/no_kill_services.so";
+
/* serverinfo {}: Contains information about the server. (OLD M:) */
serverinfo {
/* name: the name of our server */
#vhost6 = "3ffe:80e8:546::2";
/* ssl_private_key: our ssl private key */
- ssl_private_key = "etc/test.key";
+ ssl_private_key = "etc/ssl.key";
/* ssl_cert: certificate for our ssl server */
- ssl_cert = "etc/test.cert";
+ ssl_cert = "etc/ssl.cert";
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
ssl_dh_params = "etc/dh.pem";
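Review bot: The comment on `ssl_dh_params` still tells operators to generate 1024-bit DH parameters, and this hunk renames the key and certificate paths without updating it. A 1024-bit group is too weak for current TLS use, so the comment should read `/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 2048 */`. Since the example now points at `etc/ssl.key` rather than an obvious test key, the `ssl_private_key` comment could also say the file must be readable only by the account running the ircd. The serverinfo block is only partly visible in this hunk.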
* /quote set maxclients <limit>
*/
default_max_clients = 1024;
+
+ /* nicklen: enforced nickname length (for this server only; must not
+ * be longer than the maximum length set while building).
+ */
+ nicklen = 30;
};
/* admin {}: contains admin information about the server. (OLD A:) */
*/
ping_time = 2 minutes;
- /* number per ident: the number of users per user@host networkwide
- * allowed to connect. Unidented connections are classified as
- * the same ident.
- */
- number_per_ident = 2;
+ /* number per ident: the number of users per user@host networkwide
+ * allowed to connect. Unidented connections are classified as
+ * the same ident.
+ */
+ number_per_ident = 2;
/* number per ip: the number of local users per host allowed */
number_per_ip = 3;
- /* number per ip global: the number of network wide connections
- * per host allowed for a user, including connections to the
- * local server.
- */
- number_per_ip_global = 5;
+ /* number per ip global: the number of network wide connections
+ * per host allowed for a user, including connections to the
+ * local server.
+ */
+ number_per_ip_global = 5;
/* cidr_ipv4_bitlen: Limits numbers of connections from a subnet size
*/
*/
connectfreq = 5 minutes;
- /* max number: the amount of servers to autoconnect to */
+ /* max number: the amount of servers to autoconnect to. if the number
+ * of servers in the class is or exceeds this, no more servers in the
+ * class are autoconnected. oper initiated connects are unaffected.
+ * this should usually be set to either 0 or 1. (autoconnecting from
+ * hubs to leaves may cause leaves to function as hubs by having
+ * multiple servers connected to them.)
+ */
max_number = 1;
/* sendq: servers need a higher sendq as they are sent more data */
/* listen {}: contain information about the ports ircd listens on (OLD P:) */
listen {
+ /* defer_accept: wait for clients to send IRC handshake data before
+ * accepting them. if you intend to use software which depends on the
+ * server replying first, such as BOPM, you should disable this feature.
+ * otherwise, you probably want to leave it on.
+ */
+ defer_accept = yes;
+
/* port: the specific port to listen on. if no host is specified
* before, it will listen on all available IPs.
*
sslport = 9000, 9001;
host = "3ffe:1234:a:b:c::d";
- port = 7002;
- sslport = 9002;
+ port = 7002;
+ sslport = 9002;
};
/* auth {}: allow users to connect to the ircd (OLD I:) */
user = "*@172.16.0.0/12";
user = "*test@123D:B567:*";
+ /* auth_user: This allows specifying a username:password instead of
+ * just a password in PASS, so that a fixed user@host is not
+ * necessary for a specific auth{} block.
+ */
+ #auth_user = "SomeUser";
+
/* password: an optional password that is required to use this block.
* By default this is not encrypted, specify the flag "encrypted" in
* flags = ...; below if it is.
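Review bot: The new `auth_user` comment does not say that the username:password pair is carried in PASS, which is sent in cleartext on a non-TLS listener. Because `need_ssl` is already listed among the auth flags, the comment could end with `* The pair is sent in PASS; combine with flags = need_ssl; so it is not exposed on the wire.` It should also say explicitly whether `user = ` lines may be omitted when `auth_user` is set, as "not necessary" leaves that open. The auth{} block starts and ends outside this hunk.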
* specify a host or a user@host to spoof to. This is free-form,
* just do everyone a favour and dont abuse it. (OLD I: = flag)
*/
- spoof = "I.still.hate.packets";
+ spoof = "I.still.hate.packets";
/* Possible flags in auth:
*
* jupe_exempt | exempt this user from generating
* warnings joining juped channels
* resv_exempt | exempt this user from resvs
- * flood_exempt | exempt this user from flood limits
- * USE WITH CAUTION.
+ * flood_exempt | exempt this user from flood limits
+ * USE WITH CAUTION.
* no_tilde (old - flag) | don't prefix ~ to username if no ident
* need_ident (old + flag) | require ident for user in this class
* need_ssl | require SSL/TLS for user in this class
auth {
user = "*@*";
class = "users";
-
- flags = need_ident;
};
/* privset{}: defines operator privilege sets. */
/* user: the user@host required for this operator. CIDR *is*
* supported now. auth{} spoofs work here, other spoofs do not.
- * multiple user="" lines are supported.
+ * multiple user="" lines are supported.
*/
user = "*god@*";
user = "*@127.0.0.1";
*
* encrypted: the password above is encrypted [DEFAULT]
* need_ssl: must be using SSL/TLS to oper up
- */
+ */
flags = encrypted;
/* privset: privileges set to grant */
send_password = "password";
accept_password = "anotherpassword";
+ /* fingerprint: if specified, the server's client certificate
+ * fingerprint will be checked against the specified fingerprint
+ * below.
+ */
+ #fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
+
/* port: the port to connect to this server on */
port = 6666;
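Review bot: The added `fingerprint` comment does not name the digest, does not make clear whose certificate is checked, and does not say how the check relates to `accept_password`. The 40-hex-digit example looks like a SHA-1 value, but that is an inference from its length and should be confirmed and written down. A wording such as `* fingerprint: hex digest (state algorithm) of the certificate presented by the remote server; checked in addition to accept_password.` would remove the ambiguity, provided that matches the implementation. It is also worth stating whether the check applies only to SSL-enabled links, since the surrounding example still uses the placeholder passwords "password" and "anotherpassword". The connect{} block starts and ends outside this hunk.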
* if applicable. Addresses starting with a colon get an extra
* zero prepended, for example: 0::1
*/
- host = "3ffd:dead:beef::1";
- send_password = "password";
- accept_password = "password";
- port = 6666;
+ host = "3ffd:dead:beef::1";
+ send_password = "password";
+ accept_password = "password";
+ port = 6666;
/* aftype: controls whether the connection uses "ipv4" or "ipv6".
* Default is ipv4.
*/
aftype = ipv6;
- class = "server";
+ class = "server";
};
connect "ssl.uplink.com" {
* unresv - allow removing xlines
* all - allow oper/server to do all of above.
* locops - allow locops - only used for servers who cluster
- * rehash - allow rehashing
+ * rehash - allow rehashing
* dline - allow setting perm/temp dlines
* tdline - allow setting temp dlines
* undline - allow removing dlines
use_except = yes;
/* forward: Enable/disable channel mode +f, a channel to forward
- * users to if they can't join because of +i etc.
+ * users to if they can't join because of +i etc. Also enables ban
+ * forwarding, <mask>$<channel>.
*/
use_forward = yes;
/* max chans: The maximum number of channels a user can join/be on. */
max_chans_per_user = 15;
- /* max bans: maximum number of +b/e/I/q modes in a channel */
- max_bans = 25;
+ /* max bans: maximum number of +b/e/I/q modes in a channel */
+ max_bans = 100;
- /* max bans: maximum number of +b/e/I/q modes in a +L channel */
- max_bans_large = 500;
+ /* max bans: maximum number of +b/e/I/q modes in a +L channel */
+ max_bans_large = 500;
- /* splitcode: split users, split servers and either no join on split
+ /* splitcode: split users, split servers and either no join on split
* or no create on split must be enabled for split checking.
* splitmode will be entered on either split users or split servers
* dropping below the limit.
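Review bot: `max_bans` changes from 25 to 100 in this hunk, and it is the only value change among lines that are otherwise re-indented, so it is easy to miss in review. Whitespace clean-up and default changes would be better kept in separate commits. The comment could also record the reason for the new default, for example `/* max bans: maximum number of +b/e/I/q modes in a channel (raised from 25) */`. The enclosing channel{} block starts outside this hunk.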
* mode with a different key, kick all local users.
*
* note: this does not take +r, +b, +e and +I into account.
- *
- * warning: if there are any TS5 servers on the network, this
- * will cause ban desyncs if they send such an SJOIN and the
- * splitriders added any bans (our side will lose them, the TS5
- * side will accept them). we will send a notice to the channel
- * if this happens. most services do not send such SJOINs but
- * ratbox-services does.
*/
kick_on_split_riding = no;
* or non-ASCII).
*/
only_ascii_channels = no;
-
+
/* resv_forcepart: force any local users to part a channel
* when a RESV is issued.
*/
resv_forcepart = yes;
+
+ /* channel target change: restrict how many channels users can
+ * message per unit of time. IRC operators, channel operators and
+ * voiced users are exempt.
+ */
+ channel_target_change = yes;
+
+ /* disable local channels: if yes, then local channels will not be
+ * supported.
+ */
+ disable_local_channels = no;
};
/* hidden: hide this server from a /links output on servers with
* flatten_links enabled. this allows hub servers to be hidden etc.
*/
- hidden = no;
+ hidden = no;
/* disable hidden: prevent servers hiding themselves from a
* /links ouput.
* They are used in pairs of one host/rejection reason.
*
* These settings should be adequate for most networks, and are (presently)
- * required for use on AthemeNet.
+ * required for use on StaticBox.
*
* Word to the wise: Do not use blacklists like SPEWS for blocking IRC
* connections.
* ${nick} - the user's nickname
* ${network-name} - the name of the network
*
+ * As of charybdis 3.4, a type parameter is supported, which specifies the
+ * address families the blacklist supports. IPv4 and IPv6 are supported.
+ * IPv4 is currently the default as few blacklists support IPv6 operation
+ * as of this writing.
+ *
+ * As of charybdis 3.5, a matches parameter is allowed; if omitted, any result
+ * is considered a match. If included, a comma-separated list of *quoted*
+ * strings is allowed to match queries. They may be of the format "0" to "255"
+ * to match the final octet (e.g. 127.0.0.1) or "127.x.y.z" to explicitly match
+ * an A record. The blacklist is only applied if it matches anything in the
+ * list. You may freely mix full IP's and final octets.
+ *
+ * Consult your blacklist provider for the meaning of these parameters; they
+ * are usually used to denote different ban types.
+ *
* Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be
* contacted, via email, at admins@2mbit.com before using these BLs.
* See <http://www.ahbl.org/services.php> for more information.
*/
blacklist {
- host = "dnsbl.dronebl.org";
- reject_reason = "${nick}, your IP (${ip}) is listed in DroneBL. For assistance, see http://dronebl.org/lookup_branded.do?ip=${ip}&network=${network-name}";
+ host = "rbl.efnetrbl.org";
+ type = ipv4;
+ reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";
# host = "ircbl.ahbl.org";
+# type = ipv4;
# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for having an open proxy. In order to protect ${network-name} from abuse, we are not allowing connections with open proxies to connect.";
#
# host = "tor.ahbl.org";
+# type = ipv4;
# reject_reason = "${nick}, your IP (${ip}) is listed as a TOR exit node. In order to protect ${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network.";
+#
+ /* Example of a blacklist that supports both IPv4 and IPv6 and using matches */
+# host = "foobl.blacklist.invalid";
+# matches = "4", "6", "127.0.0.10";
+# type = ipv4, ipv6;
+# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect";
};
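Review bot: The active `rbl.efnetrbl.org` entry sets no `matches`, and the comment added above states that in that case any result is considered a match. If a blacklist zone ever answers every query, for example after being retired or misconfigured, every IPv4 client would be rejected. The comment should state this consequence, for example `* Without matches, any answer from the zone rejects the client; list the provider's documented return codes where possible.` The active example would ideally show a `matches` line with the provider's real codes, which are not given on this page. Separately, the `/* Example of a blacklist ... */` line sits inside a run of `#`-commented entries in a different comment style and would read better as `#` like its neighbours.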
/*
*/
disable_fake_channels = no;
- /* tkline_expire_notices: give a notice to opers when a tkline
- * expires
- */
- tkline_expire_notices = no;
+ /* tkline_expire_notices: give a notice to opers when a tkline
+ * expires
+ */
+ tkline_expire_notices = no;
/* floodcount: the default value of floodcount that is configurable
* via /quote set floodcount. This is the amount of lines a user
* may send to any other user/channel in one second.
*/
- default_floodcount = 10;
+ default_floodcount = 10;
/* failed oper notice: send a notice to all opers on the server when
* someone tries to OPER and uses the wrong password, host or ident.
*/
dots_in_ident=2;
- /* min nonwildcard: the minimum non wildcard characters in k/d/g lines
+ /* min nonwildcard: the minimum non wildcard characters in k/d/g lines
* placed via the server. klines hand placed are exempt from limits.
* wildcard chars: '.' '*' '?' '@'
*/
*/
min_nonwildcard_simple = 3;
- /* max accept: maximum allowed /accept's for +g usermode */
- max_accept = 20;
+ /* max accept: maximum allowed /accept's for +g usermode */
+ max_accept = 20;
/* max monitor: the maximum amount of nicknames a client may have in
* their monitor (server-side notify) list.
max_nick_time = 20 seconds;
max_nick_changes = 5;
- /* anti spam time: the minimum time a user must be connected before
+ /* anti spam time: the minimum time a user must be connected before
* custom quit messages are allowed.
*/
- anti_spam_exit_message_time = 5 minutes;
+ anti_spam_exit_message_time = 5 minutes;
/* ts delta: the time delta allowed between server clocks before
* a warning is given, or before the link is dropped. all servers
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
- /* client exit: prepend a users quit message with "Client exit: " */
+ /* client exit: prepend a user's quit message with "Quit: " */
client_exit = yes;
/* collision fnc: change user's nick to their UID instead of
*/
collision_fnc = yes;
+ /* resv fnc: change a user's nick to a nick they have recently used
+ * (or their UID, if no such nick can be found) when a resv matching
+ * them is set by services. Only enable this if all servers on the
+ * network allow remote nicks to start with a digit.
+ */
+ resv_fnc = yes;
+
/* global snotices: send out certain snotices (most +b, +f, +y,
* some +s) to other servers via ENCAP SNOTE. Received SNOTEs are
* displayed unconditionally.
*/
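Review bot: `resv_fnc = yes;` is enabled in the example, yet its own comment says to enable it only if all servers on the network allow remote nicks to start with a digit. An operator copying this file onto a mixed network gets the unsafe setting by default, so consider shipping `resv_fnc = no;`. Alternatively, extend the comment with what goes wrong when the precondition does not hold, which this page does not state. The general{} block starts and ends outside this hunk.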
warn_no_nline = yes;
- /* use propagated bans: KLINE sets fully propagated bans. That means
- * the klines are part of the netburst and restarted/split servers
- * will get them, but they will not apply to 3.2 and older servers
- * at all.
+ /* use propagated bans: KLINE, XLINE and RESV set fully propagated bans.
+ * That means the bans are part of the netburst and restarted/split
+ * servers will get them, but they will not apply to 3.2 and older
+ * servers at all.
*/
use_propagated_bans = yes;
*/
stats_k_oper_only=masked;
- /* map oper only: make /map oper only */
- map_oper_only = no;
+ /* map oper only: make /map oper only */
+ map_oper_only = no;
/* operspy admin only: make operspy notices to +Z admin only */
operspy_admin_only = no;
*/
connect_timeout = 30 seconds;
+ /* ident timeout: Amount of time (in seconds) that the IRCd will
+ * wait for a user to respond to an ident request.
+ */
+ default_ident_timeout = 5;
+
/* disable auth: disables identd checking */
disable_auth = no;
*/
max_targets = 4;
- /* client flood: maximum number of lines in a clients queue before
- * they are dropped for flooding.
+ /* use_whois_actually: send clients requesting a whois a numeric
+ * giving the real IP of non-spoofed clients to prevent DNS abuse.
*/
- client_flood = 20;
-
- /* use_whois_actually: send clients requesting a whois a numeric
- * giving the real IP of non-spoofed clients to prevent DNS abuse.
- */
- use_whois_actually = yes;
+ use_whois_actually = yes;
/* usermodes configurable: a list of usermodes for the options below
*
*/
#compression_level = 6;
- /* burst_away: This enables bursting away messages to servers.
- * With this disabled, we will only propogate AWAY messages
- * as users send them, but never burst them. Be warned though
- * enabling this could increase the size of a burst significantly
- * for a large network, like EFnet.
- */
- burst_away = yes;
+ /* burst_away: This enables bursting away messages to servers.
+ * With this disabled, we will only propogate AWAY messages
+ * as users send them, but never burst them. Be warned though
+ * enabling this could increase the size of a burst significantly
+ * for a large network, like EFnet.
+ */
+ burst_away = yes;
/* nick delay: This locks nicks of split clients for the given time
* or until a remote client uses the nick. This significantly
/* throttle_count: Number of connections within throttle_duration that it takes
* for throttling to take effect */
throttle_count = 4;
+
+ /* client flood_max_lines: maximum number of lines in a clients queue before
+ * they are dropped for flooding.
+ */
+ client_flood_max_lines = 20;
+
+ /* Flood control settings. DO NOT CHANGE THESE without extensive discussion
+ * and testing by someone who knows exactly what they do.
+ *
+ * These settings replicate charybdis-3.3 behaviour.
+ */
+ client_flood_burst_rate = 40;
+ client_flood_burst_max = 5;
+ client_flood_message_time = 1;
+ client_flood_message_num = 2;
+
+ /* max_ratelimit_tokens: the maximum number of ratelimit tokens that one
+ * user can accumulate. This attempts to limit the amount of outbound
+ * bandwidth one user can consume. Do not change unless you know what
+ * you're doing.
+ */
+ max_ratelimit_tokens = 30;
+
+ /* away_interval: the minimum interval between AWAY commands. One
+ * additional AWAY command is allowed, and only marking as away
+ * counts.
+ */
+ away_interval = 30;
};
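Review bot: `client_flood` is removed earlier in this diff and comes back here as `client_flood_max_lines`, but nothing tells an operator with an existing config that the key was renamed. This page does not show whether the parser rejects or silently ignores the old name; if it ignores it, the flood limit would fall back to a built-in default unnoticed. Adding `* (replaces client_flood from earlier versions)` to the comment would cover that. The new `client_flood_burst_rate`, `client_flood_message_time` and `away_interval` values also carry no units, while neighbouring settings are written like `30 seconds`; `away_interval = 30` is presumably seconds, and the comment should say so.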
modules {