View Issue Details

IDProjectCategoryView StatusLast Update
0005005unrealircdpublic2024-07-12 11:41
ReporterHeXiLeD Assigned Tosyzop  
PrioritynormalSeverityfeatureReproducibilityN/A
Status resolvedResolutionfixed 
PlatformAnyOSAnyOS VersionAny
Product Version4.0.13 
Fixed in Version6.1.7 
Summary0005005: Block or allow access list to the ircd with geoip
DescriptionI would like to suggest a feature that is quite handy in certain situations.
This feature goes beyond the traditional blacklist_block (https://www.unrealircd.org/docs/Blacklist_block)

The purpose is to be able to prevent or allow access based on country tld.

Should be flexible in order to allow/deny or deny/allow as necessary.

A good example can be given with reference to the nginx httpd.

-------------------------------------------------

example: default allow all but deny listed

        geoip_country /usr/share/GeoIP/GeoIP.dat;
        map $geoip_country_code $allowed_country {
        default yes;
        AE no;
        AF no;
        AL no;
        CN no;
       }

example: default deny all but deny listed

        geoip_country /usr/share/GeoIP/GeoIP.dat;
        map $geoip_country_code $allowed_country {
        default no;
        CH yes;
        DK yes;
        UK yes;
        NL yes;
       }

-------------------------------------------------

Example: configurable options for the conf:

 #Access policy
               Default "deny" # Options are "allow|deny";
 
 #Exempted country list from default policy
               Exemptions {
                            CH yes; # tld yes|no
                            DK yes;
                            UK yes;
                            NL yes;
                          };
 
-------------------------------------------------

Given the chosen default policy, the yes|no exemption could also be simplified without the need of yes|no.
               Exemptions { CH, DK, UK, NL };

Side note: flexibility is important.
Steps To ReproduceN/A
Tagsaccess lists, geoip, ircd, privacy, security
3rd party modules

Relationships

related to 0004429 resolvedsyzop Ideas - Country Name Support 

Activities

syzop

2017-11-01 10:22

administrator   ~0019940

I like this request, but I'm not working on it at the moment.

syzop

2021-11-01 16:45

administrator   ~0022149

GeoIP support is in UnrealIRCd 6. You can for example ban ~country:UK. There's no "ban all except <these countries>" though.

syzop

2024-07-12 11:41

administrator   ~0023259

Most of this was already done in 6.0.0. But now that the ban user::mask is a mask item in (to be released) 6.0.7 you can do all variations that were mentioned here...

In the past you had to use extended server bans, now you can use the direct mask item / security group style:

ban user {
    mask {
        country { NL; FR; }
    }
    reason "I hate the Dutch and the French";
}

require authentication {
    mask {
        country { NL; FR; }
    }
    reason "I hate the Dutch and the French. But you may still connect if you have an account";
}


And ban all except can be done like:
ban user {
    mask {
        mask *;
        exclude-country { NL; DE; FR; }
    }
    reason "Users are not allowed from this country";
}

(.. and similar in require authentication)

Issue History

Date Modified Username Field Change
2017-09-11 21:51 HeXiLeD New Issue
2017-09-11 21:51 HeXiLeD Tag Attached: ircd
2017-09-11 21:51 HeXiLeD Tag Attached: security
2017-09-11 21:51 HeXiLeD Tag Attached: access lists
2017-09-11 21:51 HeXiLeD Tag Attached: geoip
2017-09-11 21:51 HeXiLeD Tag Attached: privacy
2017-11-01 10:22 syzop Status new => confirmed
2017-11-01 10:22 syzop Note Added: 0019940
2018-12-09 10:01 syzop Relationship added related to 0004429
2021-11-01 16:45 syzop Note Added: 0022149
2024-07-12 11:41 syzop Assigned To => syzop
2024-07-12 11:41 syzop Status confirmed => resolved
2024-07-12 11:41 syzop Resolution open => fixed
2024-07-12 11:41 syzop Fixed in Version => 6.1.7
2024-07-12 11:41 syzop Note Added: 0023259