X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/9b24cbdecc72337e825764f39cdf59ca23f41788..34b88b65713bdc5b4c02aee31fcf1035a005735b:/doc/reference.conf

diff --git a/doc/reference.conf b/doc/reference.conf
index 5c9bd0b5..5d37ed5e 100644
--- a/doc/reference.conf
+++ b/doc/reference.conf
@@ -28,15 +28,15 @@
  *
  * Times/durations are written as:
  *        12 hours 30 minutes 1 second
- *        
+ *
  * Valid units of time:
  *        month, week, day, hour, minute, second
  *
  * Valid units of size:
  *        megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
  *
- * Sizes and times may be singular or plural.  
- */ 
+ * Sizes and times may be singular or plural.
+ */
 
 /* Extensions:
  *
@@ -61,6 +61,7 @@
  * Realname (gecos) bans (+b $r:mask)                -- extb_realname
  * Server bans (+b $s:mask)                          -- extb_server
  * SSL bans (+b $z)                                  -- extb_ssl
+ * User mode bans (+b $u:modes)                      -- extb_usermode
  * Helpops system (umode +H)                         -- helpops
  * HURT system                                       -- hurt
  * New host mangling (umode +x)                      -- ip_cloaking_4.0
@@ -95,6 +96,7 @@
 #loadmodule "extensions/extb_realname";
 #loadmodule "extensions/extb_server";
 #loadmodule "extensions/extb_ssl";
+#loadmodule "extensions/extb_usermode";
 #loadmodule "extensions/helpops";
 #loadmodule "extensions/hurt";
 #loadmodule "extensions/ip_cloaking_4.0";
@@ -143,7 +145,7 @@ serverinfo {
 	 * This should be an ipv6 IP only.
 	 */
 	#vhost6 = "2001:db7:2::6";
-	
+
 	/* ssl_private_key: our ssl private key */
 	ssl_private_key = "etc/ssl.key";
 
@@ -245,7 +247,7 @@ class "users" {
 	 */
 	cidr_ipv6_bitlen = 64;
 
-	/* number_per_cidr:  Number of connections to allow from a subnet of the 
+	/* number_per_cidr:  Number of connections to allow from a subnet of the
 	 * size given in cidr_ipv4_bitlen/cidr_ipv6_bitlen.
 	 * 4 seems to be a good default to me.
 	 */
@@ -307,19 +309,19 @@ listen {
 	/* port: the specific port to listen on.  if no host is specified
 	 * before, it will listen on all available IPs.
 	 *
-	 * sslport: the specific port to listen ssl connections on. if no 
+	 * sslport: the specific port to listen ssl connections on. if no
 	 * host is specified before, it will listen on all available IPs.
 	 *
 	 * ports are seperated via a comma, a range may be specified using ".."
 	 */
-	
+
 	/* port: listen on all available IPs, ports 5000 and 6665 to 6669 */
 	port = 5000, 6665 .. 6669;
-	
+
 	/* sslport: listen for ssl connections on all available IPs, port 9999 */
 	sslport = 9999;
 
-	/* host: set a specific IP/host the ports after the line will listen 
+	/* host: set a specific IP/host the ports after the line will listen
 	 * on.  This may be ipv4 or ipv6.
 	 */
 	host = "192.0.2.6";
@@ -353,7 +355,7 @@ auth {
 	 * flags = ...; below if it is.
 	 */
 	password = "letmein";
-	
+
 	/* spoof: fake the users user@host to be be this.  You may either
 	 * specify a host or a user@host to spoof to.  This is free-form,
 	 * just do everyone a favour and dont abuse it. (OLD I: = flag)
@@ -361,12 +363,14 @@ auth {
 	spoof = "I.still.hate.packets";
 
 	/* Possible flags in auth:
-	 * 
+	 *
 	 * encrypted                  | password is encrypted with mkpasswd
 	 * spoof_notice               | give a notice when spoofing hosts
 	 * exceed_limit (old > flag)  | allow user to exceed class user limits
-	 * kline_exempt (old ^ flag)  | exempt this user from k/g/xlines&dnsbls
+	 * kline_exempt (old ^ flag)  | exempt this user from k/g/xlines,
+	 *                            | dnsbls, and proxies
 	 * dnsbl_exempt		      | exempt this user from dnsbls
+	 * proxy_exempt               | exempt this user from proxies
 	 * spambot_exempt	      | exempt this user from spambot checks
 	 * shide_exempt		      | exempt this user from serverhiding
 	 * jupe_exempt                | exempt this user from generating
@@ -381,7 +385,7 @@ auth {
 	 * extend_chans               | allow this user to join more channels than normal
 	 */
 	flags = kline_exempt, exceed_limit;
-	
+
 	/* class: the class the user is placed in */
 	class = "opers";
 };
@@ -393,7 +397,7 @@ auth {
 	 */
 	redirserv = "irc.example.net";
 	redirport = 6667;
-	
+
 	user = "*.example.com";
 
 	/* class: a class is required even though it is not used */
@@ -468,13 +472,13 @@ operator "god" {
 	user = "*@127.0.0.1";
 
 	/* password: the password required to oper.  Unless ~encrypted is
-	 * contained in flags = ...; this will need to be encrypted using 
+	 * contained in flags = ...; this will need to be encrypted using
 	 * mkpasswd, MD5 is supported
 	 */
 	password = "etcnjl8juSU1E";
 
 	/* rsa key: the public key for this oper when using Challenge.
-	 * A password should not be defined when this is used, see 
+	 * A password should not be defined when this is used, see
 	 * doc/challenge.txt for more information.
 	 */
 	#rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";
@@ -763,7 +767,7 @@ channel {
 	default_split_user_count = 0;
 
 	/* split servers: when the amount of servers that have acknowledged
-	 * theyve finished bursting is lower than this, consider ourselves 
+	 * theyve finished bursting is lower than this, consider ourselves
 	 * split.  this must be set for automatic splitmode
 	 */
 	default_split_server_count = 0;
@@ -852,8 +856,7 @@ serverhide {
  * You can have multiple combinations of host and rejection reasons.
  * They are used in pairs of one host/rejection reason.
  *
- * These settings should be adequate for most networks, and are (presently)
- * required for use on StaticBox.
+ * These settings should be adequate for most networks.
  *
  * Word to the wise: Do not use blacklists like SPEWS for blocking IRC
  * connections.
@@ -878,7 +881,7 @@ serverhide {
  * to match the final octet (e.g. 127.0.0.1) or "127.x.y.z" to explicitly match
  * an A record. The blacklist is only applied if it matches anything in the
  * list. You may freely mix full IP's and final octets.
- * 
+ *
  * Consult your blacklist provider for the meaning of these parameters; they
  * are usually used to denote different ban types.
  */
@@ -894,6 +897,67 @@ blacklist {
 #	reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect";
 };
 
+/* These are the OPM settings.
+ * This is similar to the functionality provided by BOPM. It will scan incoming
+ * connections for open proxies by connecting to clients and attempting several
+ * different open proxy handshakes. If they connect back to us (via a dedicated
+ * listening port), and send back the data we send them, they are considered
+ * an open proxy. For politeness reasons (users may be confused by the incoming
+ * connection attempts if they are logging incoming connections), the user is
+ * notified upon connect if they are being scanned.
+ *
+ * WARNING:
+ * These settings are considered experimental, and as of this writing, the
+ * Charybdis scanner is not as comprehensive as the one available in HOPM. Only
+ * basic SOCKS4 and SOCKS5 scanning is performed on a few well-known ports. You
+ * may disable the open proxy scanning feature by deleting this block if you are
+ * uncomfortable with this.
+ */
+opm {
+	/* IPv4 address to listen on. This must be a publicly facing IP address
+	 * to be effective.
+	 * If omitted, it defaults to serverinfo::vhost.
+	 */
+	#listen_ipv4 = "127.0.0.1";
+
+	/* IPv4 port to listen on.
+	 * This should not be the same as any existing listeners.
+	 */
+	#port_ipv4 = 32000;
+
+	/* IPv6 address to listen on. This must be a publicly facing IP address
+	 * to be effective.
+	 * If omitted, it defaults to serverinfo::vhost6.
+	 */
+	#listen_ipv6 = "0::1";
+
+	/* IPv6 port to listen on.
+	 * This should not be the same as any existing listeners.
+	 */
+	#port_ipv6 = 32000;
+
+	/* You can also set a port directive which will set both the IPv4 and
+	 * IPv6 ports at once.
+	 */
+	port = 32000;
+
+	/* These are the ports to scan for SOCKS4 proxies on. They may overlap
+	 * with other scan types. Sensible defaults are given below.
+	 */
+	socks4_ports = 80, 443, 1080, 8000, 8080, 10800;
+
+	/* These are the ports to scan for SOCKS5 proxies on. They may overlap
+	 * with other scan types. Sensible defaults are given below.
+	 */
+	socks5_ports = 80, 443, 1080, 8000, 8080, 10800;
+
+	/* These are the ports to scan for HTTP connect proxies on (plaintext).
+	 * They may overlap with other scan types. Sensible defaults are given
+	 * below.
+	 */
+	httpconnect_ports = 80, 8080, 8000;
+};
+
 /*
  * Alias blocks allow you to define custom commands. (Old m_sshortcut.c)
  * They send PRIVMSG to the given target. A real command takes
@@ -1010,7 +1074,7 @@ general {
 	 */
 	default_floodcount = 10;
 
-	/* failed oper notice: send a notice to all opers on the server when 
+	/* failed oper notice: send a notice to all opers on the server when
 	 * someone tries to OPER and uses the wrong password, host or ident.
 	 */
 	failed_oper_notice = yes;
@@ -1082,19 +1146,19 @@ general {
 	 * displayed unconditionally.
 	 */
 	global_snotices = yes;
-	
-	/* dline reason: show the user the dline reason when they connect 
+
+	/* dline reason: show the user the dline reason when they connect
 	 * and are dlined.
 	 */
 	dline_with_reason = yes;
-	
+
 	/* kline delay: delay the checking of klines until a specified time.
 	 * Useful if large kline lists are applied often to prevent the
 	 * server eating CPU.
 	 */
 	kline_delay = 0 seconds;
 
-	/* kline reason: show the user the reason why they are k/dlined 
+	/* kline reason: show the user the reason why they are k/dlined
 	 * on exit.  may give away who set k/dline when set via tcm.
 	 */
 	kline_with_reason = yes;
@@ -1116,7 +1180,7 @@ general {
 	non_redundant_klines = yes;
 
 	/* warn no nline: warn opers about servers that try to connect but
-	 * we dont have a connect {} block for.  Twits with misconfigured 
+	 * we dont have a connect {} block for.  Twits with misconfigured
 	 * servers can get really annoying with this enabled.
 	 */
 	warn_no_nline = yes;
@@ -1146,7 +1210,7 @@ general {
 	stats_o_oper_only=yes;
 
 	/* stats P oper only: make stats P (ports) oper only
-	 * NOTE: users doing stats P will never be given the ips that the 
+	 * NOTE: users doing stats P will never be given the ips that the
 	 * server listens on, simply the ports.
 	 */
 	stats_P_oper_only=no;
@@ -1220,8 +1284,8 @@ general {
 
 	/* REMOVE ME.  The following line checks you've been reading. */
 	havent_read_conf = yes;
-	
-	/* max targets: the maximum amount of targets in a single 
+
+	/* max targets: the maximum amount of targets in a single
 	 * PRIVMSG/NOTICE.  set to 999 NOT 0 for unlimited.
 	 */
 	max_targets = 4;
@@ -1235,7 +1299,7 @@ general {
 	 *
 	 * +g - callerid   - Server Side Ignore
 	 * +D - deaf       - Don't see channel messages
-	 * +i - invisible  - Not shown in NAMES or WHO unless you share a 
+	 * +i - invisible  - Not shown in NAMES or WHO unless you share a
 	 *                   a channel
 	 * +l - locops     - See LOCOPS messages
 	 * +Q - noforward  - Unaffected by channel forwarding
@@ -1244,7 +1308,7 @@ general {
 	 * +w - wallop     - See oper and server generated WALLOPS
 	 * +z - operwall   - See operwalls
 	 */
-	 
+
 	/* oper only umodes: usermodes only opers may set */
 	oper_only_umodes = operwall, locops, servnotice;
 
@@ -1256,7 +1320,7 @@ general {
 	oper_snomask = "+s";
 
 	/* compression level: level of compression for compressed links between
-	 * servers.  
+	 * servers.
 	 *
 	 * values are between: 1 (least compression, fastest)
 	 *                and: 9 (most compression, slowest).
@@ -1337,7 +1401,7 @@ general {
 };
 
 modules {
-	/* module path: paths to search for modules specified below and 
+	/* module path: paths to search for modules specified below and
 	 * in /modload.
 	 */
 	path = "/usr/local/ircd/modules";