Link block
If you are linking servers we recommend that you follow our Tutorial: Linking servers instead. The link block is, however, shown below for reference.
Syntax
link <server-name> {
    /* Below, often you will have both an incoming { } and outgoing { } sub-block.
     * However you may also choose to have only 1 of them if you always link in the same direction. */
    incoming {
        mask 1.2.3.*;
    };
    outgoing {
        bind-ip <ip-to-bind-to>; /* optional now */
        hostname irc1.some.net; /* may also be an IP */
        file /tmp/some.socket; /* if connecting to a UNIX domain socket (rarely used) */
        port 6697;
        options { tls; autoconnect; }; /* optional, but recommended */
        tls-options { protocols "TLSv1.2"; }; /* optional, only set this if you know what you are doing. */
    };
    password "some-password"; /* either a plaintext password that's the same for both sides or an SSL fingerprint (or certificate) */
    verify-certificate [yes|no]; /* optional, default is 'no' but is less secure */
    hub <hub-mask>; /* optional */
    leaf <leaf-mask>; /* optional */
    leaf-depth <depth>; /* optional */
    class <class-name>;
    ciphers <ssl-ciphers>; /* optional */
    options {
        quarantine; /* is a generic option. optional. */
    };
};
Note that you need link::incoming and/or link::outgoing: at least one of them is required.
server-name
The server-name in your link <server-name> { block specifies the name of the server, that is the name you have specified in me::name on the other side of the link.
Incoming
incoming::mask
Only servers matching this (IP) mask may use this link block.
Outgoing
outgoing::hostname
Hostname of the server to connect to. This could be the same as the server-name, but it may also be an IP or a different DNS name.
outgoing::port
Port of the other server to connect to.
outgoing::file
Unix domain socket of the server to connect to. This is rarely used, so if you don't know what this is then don't use it.
outgoing::options (optional)
The following options are available:
- tls: connect to an SSL/TLS-only port. If you use this, then be sure that the outgoing::port you specify is in fact an SSL/TLS-only port. Meaning: the server on the other side of the link must have listen::options::tls turned on for that port.
- autoconnect: automatically connect to the server (or try to every XX seconds, anyway). If you have multiple link blocks and wonder about autoconnect priority and ordering, see the set::server-linking::autoconnect-strategy setting.
- insecure: by default UnrealIRCd will attempt to 'upgrade' a connection to use SSL/TLS in order to get encrypted server links. This option disables that functionality. Not recommended!
outgoing::tls-options (optional)
Valid options are all the SSL settings that also exist in set::tls. Normally you don't change such settings on a per link block basis, but it is possible.
For example you can set the permitted SSL protocols and ciphers:
link xyz {
    ...
    outgoing {
        tls-options {
            protocols "TLSv1.2";
            ciphers "AES256";
        };
    };
};
outgoing::bind-ip (optional)
Bind to this IP before connecting to the other server. The IP to bind to must be available on the machine (must not be an IP of another machine).
General link block settings
password
Password or other method used to verify the authenticity of the link. This must be either:
1) a plaintext password that must be the same on both sides of the link, OR
2) an SSL/TLS fingerprint, which is our recommended and safest way to link; see our Tutorial.
verify-certificate
When set to 'yes' this will enable SSL/TLS certificate checking to make sure that:
- The SSL/TLS certificate of the server you are linking with is valid and issued by a trusted Certificate Authority (eg: Let's Encrypt or some bought certificate)
- The name in the link block matches the name(s) in the certificate (eg: if you're linking with irc1.test.net and it presents a certificate for irc2.someotherdomain.org it will fail)
Enable this if you (can) meet these criteria. It will protect you from active traffic interception attacks.
hub
The value is a mask of what servers this hub may connect (ex: *.my.net).
leaf
The value is a mask of what servers this hub may not connect.
leaf-depth
The value specifies the depth (number of hops) this server may have beneath it. For example, 1 means the server can't have any links under it (a leaf), 2 means it can link servers but those servers can't link anything under them (that is, this hub can only link leaves). A value of 0 means no limit, and is the default.
class
The class this server is put into (see Class block), often a separate server class is used for this.
options
There's only one generic option:
- quarantine: This link may have no IRC Operators on it. If someone attempts to become OPER on the link they are de-oper'ed. Note that this does not provide true security: a person controlling a server can still modify the source and load any modules they want, thus still 'be able to do anything' if they have bad intentions.
For other link options see the link::outgoing block.
Example
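A complete worked example of the two link blocks that make up one hub-to-leaf link, added here as an illustration; it is not the page's own example. The server names, the 203.0.113.* mask and the fingerprint values are constructed placeholders. The me, listen and class blocks are assumed to be configured as described in their own documentation pages, and the `{ spkifp; }` password type for fingerprint authentication is the one used in Tutorial: Linking servers. Each side belongs in that server's own unrealircd.conf.

```conf
/* ---- Side A: the hub, irc-hub.example.net (constructed example) ----
 * The leaf connects to us, so this side only needs an incoming { } sub-block. */
me {
    name irc-hub.example.net;   /* this is the <server-name> the leaf uses in its link block */
    info "Example hub";
    sid "001";
};

/* The port the leaf connects to must be a TLS-only port (listen::options::tls),
 * otherwise outgoing::options::tls on the leaf side cannot work. */
listen {
    ip *;
    port 6697;
    options { tls; serversonly; };
};

link irc1.example.net {              /* must equal me::name on the leaf */
    incoming {
        mask 203.0.113.*;            /* only this address range may use this link block */
    };
    /* Fingerprint of the leaf's certificate (placeholder value). A plaintext
     * password would also work but is the weaker of the two methods. */
    password "<SHA256-SPKI-fingerprint-of-irc1>" { spkifp; };
    verify-certificate yes;          /* CA chain must be valid and the cert name must match irc1.example.net */
    leaf-depth 1;                    /* irc1 is a leaf: it may not have any servers beneath it */
    class servers;                   /* a Class block named 'servers' is assumed to exist */
};

/* ---- Side B: the leaf, irc1.example.net (constructed example) ----
 * It initiates the connection, so it needs an outgoing { } sub-block. */
me {
    name irc1.example.net;
    info "Example leaf";
    sid "002";
};

link irc-hub.example.net {          /* must equal me::name on the hub */
    outgoing {
        hostname irc-hub.example.net;   /* DNS name or IP of the hub */
        port 6697;                      /* the hub's TLS-only port above */
        options { tls; autoconnect; };  /* encrypted link, and keep (re)connecting automatically */
    };
    password "<SHA256-SPKI-fingerprint-of-hub>" { spkifp; };
    verify-certificate yes;             /* fails if the hub presents a certificate for another name */
    hub *.example.net;                  /* the hub may introduce any *.example.net server to us */
    class servers;
};
```

Both sides use options::tls on the outgoing side and a TLS-only listen port on the incoming side, so the link is never negotiated in plaintext, and verify-certificate yes on both ends means a host that merely knows the right IP range or hostname cannot impersonate either server without also holding a certificate issued for that name.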
See also
- set::server-linking::autoconnect-strategy: If you have multiple link blocks with autoconnect, what autoconnect strategy should be used.
- ULines block: Define special servers (for Services only, not for UnrealIRCd servers)
- Distributing user load and doing server maintenance