Tip of the day: You can use a SSL/TLS certificate fingerprint instead of passwords.

Restrict commands

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

The set::restrict-commands block allows you to restrict a certain command to users. You can use selection criteria such as: how users are connected, if they are identified to Services or if they are using WebIRC block, and their reputation score. IRCOps can always bypass any restrictions.

If you are using UnrealIRCd 6.0.3 or older then see the old syntax which works slightly different.

Syntax

set {
        restrict-commands {
                name-of-command {
                        except {
                                connect-time 60; /* optional */
                                /* there are many more options */
                        }
                }
        }

Within the set::restrict-commands you create a block with the name of the command, such as links. There are also 4 special command types: private-message, private-notice, channel-message and channel-notice that will under the hood restrict PRIVMSG and NOTICE.

Under each command block you can have an except block which tells which users may still use the command (have an exception):

  • connect-time will impose the restriction for the specified time (eg: 60 meaning 60 seconds). This can be useful against spammers since they usually spam quickly after connecting (before they are catched by opers or channel operators).
  • identified yes will exempt the restrictions to users who are identified to Services, in other words: are authenticated users. These users normally went through a registration procedure that provides sufficient (but minimal) trust that they can use the command straight away, without any connect delay restrictions.
  • webirc yes will exempt the restrictions to users who are connecting via a WebIRC block. If you set this option, then you trust such users enough, that they can use the command straight away, without any connect delay restrictions.
  • websocket yes will exempt the restrictions to users who are connecting via a websocket. If you set this option, then you trust such users enough, that they can use the command straight away, without any connect delay restrictions. Since floodbots can theoretically use websockets, this may not be a great idea. This option is only available in UnrealIRCd 6.0.7 and higher
  • tls yes will exempt the restrictions to users who are connecting via a SSL/TLS. If you set this option, then you trust such users enough, that they can use the command straight away, without any connect delay restrictions. Since floodbots can use TLS, this is not really recommended as an exemption.
  • reputation-score means that if the reputation score is equal or above this number then the user bypasses this restriction.
  • There are many more options, such as mask, ip, country, account, security-group, etc. You can use all options that are listed under Mask item.

If you don't have an except block, then the command is disabled for everyone (except IRCOps).

Examples

Completely disable a command

set {
        restrict-commands {
                /* Completely disable the command 'somecommand': */
                somecommand {
                }
        }
}

Or even just: 

set {
        restrict-commands {
                /* Completely disable the command 'somecommand': */
                somecommand;
        }
}

Only allow identified users

set {
        restrict-commands {
                /* Only allow identified users to use LINKS: */
                links {
                        except {
                                identified yes;
                        }
                }
        }
}

Impose a connect-delay

set {
        restrict-commands {
                /* Impose a connect-delay restriction for LIST, but with exceptions */
                list {
                        except {
                                connect-time 60; /* after 60 seconds you can use LIST */
                                webirc yes; /* or immediately, if you are using a WEBIRC gateway */
                                identified yes; /* or immediately, if you are identified to services */
                                reputation-score 24; /* or immediately, if you have a reputation score of 24 or more */
                        }
                }

                /* Impose a similar restriction for INVITE, with exceptions */
                invite {
                        except {
                                connect-time 120;
                                identified yes;
                                reputation-score 24;
                        }
                }
        }
}

Restrict messaging

set {
        restrict-commands {
                /* In addition to the ability to restrict any command,
                 * such as shown above. There are also 4 special types
                 * that you can restrict. These are "private-message",
                 * "private-notice", "channel-message" and "channel-notice".
                 */
                private-message {
                      except { connect-time 10; }
                }
                private-notice {
                      except { connect-time 10; }
                }
        }
}

Old syntax

If you are using an older UnrealIRCd version, 6.0.3 or older, then here is some example configuration: 

set {
        restrict-commands {
                /* completely disable this command: */
                somecommand {
                }

                /* only allow this for identified users: */
                links {
                        exempt-identified yes;
                }

                /* only allow this for webirc users: */
                join {
                        exempt-webirc yes;
                }

                /* impose a connect-delay restriction, but with exemptions */
                list {
                        connect-delay 60;
                        exempt-webirc yes;
                        exempt-identified yes;
                        exempt-reputation-score 24;
                }

                /* impose a connect-delay restriction with no exemptions (except ircops) */
                invite {
                        connect-delay 120;
                }
                private-message {
                        connect-delay 10;
                }
        }
}

Explanation of the options in UnrealIRCd versions older than 6.0.4:

The option connect-delay will impose the restriction for the specified time (eg: 60 meaning 60 seconds). This can be useful against spammers since they usually spam quickly after connecting (before they are catched by opers or channel operators). If you don't set a connect-delay then the command will be disabled for all users, unless you specified any exemptions (see next). The value must be between 1 and 3600 seconds.

The option exempt-identified will exempt the restrictions to users who are identified to Services, in other words: are authenticated users. These users normally went through a registration procedure that provides sufficient (but minimal) trust that they can use the command straight away, without any connect delay restrictions.

The option exempt-webirc will exempt the restrictions to users who are connecting via a WebIRC block. If you set this option, then you trust such users enough, that they can use the command straight away, without any connect delay restrictions.

The option exempt-tls will exempt the restrictions to users who are connecting via a SSL/TLS. If you set this option, then you trust such users enough, that they can use the command straight away, without any connect delay restrictions.

The option exempt-reputation-score means that if the reputation score is equal or above this number then the user bypasses this restriction.

Retrieved from "https://www.unrealircd.org/docwiki/index.php?title=Restrict_commands&oldid=13099"