View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0005274||unreal||documentation||public||2019-05-14 07:25||2019-08-26 18:20|
|Target Version||Fixed in Version|
|Summary||0005274: update default configuration file|
|Description||Moved from GitHub Issues, the following is from pegasus / the_myth:|
Added set::modes-on-join "+nt" to the current configuration to help users keep their channel with sane defaults when joining a non-registered channel
Added set::restrict-usermodes "x" as being able to disable the default cloaking is a security risk
Changed set::allow-userhost-change to force-rejoin since the default, always, may lead to client desync
Added set::cloak-method ip since that way we can still have the XXX.YYY.ZZZ.IP cloak without the need to disable DNS resolving
Added set::options::identd-check since it barely interferes with user connection and is helpful for public services that are properly configured, such as ZNC
That's all for now xD
|Tags||No tags attached.|
|3rd party modules|
I noticed a comment from Koragg the other day that "many of the settings are missing in the example conf" and the conclusion, I forgot the exact words, but that we developers overlooked this and/or are lazy. So let me comment on the intent of this example conf.
The idea of the example conf is NOT to have an example configuration file with ALL settings. Not even close. The idea is to show the settings that are often modified by our users. And some settings that simply MUST be modified, but those are only a few (eg: cloak-keys).
So, with regards to PeGaSuS / The_Myth. I agree with some, and not with others:
* modes-on-join: indeed, odd that this one is missing. Maybe it would be good to have some general +f in there too, though, I'll think of something.
* set::restrict-usermodes: I don't agree with that, as discussed on IRC I think(? I forgot). In any case: yes you can trick users into doing -x, but you could just as well trick them into visiting a URL to get their IP, which is far easier. I think the user should be free - by default anyway - to do that.
* set::allow-userhost-change to force-rejoin, yeah... I think that time has come :). Modern clients won't even see the rejoin due to the chghost capability.
* set::cloak-method ip: I don't think so, that would be an unusual default setting. I agree why it can be useful, though, which is why the option exists in the first place :D
* set::options::identd-check: mixed feelings with me and the general public, this one we should definitely discuss. Either a commented out option to make it more visible, or enabled.
ZNC does not have IRCv3 chghost yet (good that clients don't see host cycles when they do support it) but a bug is open about it
07:52:14 I find that using cloak-method ip by default is useful because it hides your entire host in case it resolves (which most home connections do)
07:52:58 This makes it tougher on decloaking bots as otherwise they just gotta crack *.2.3.4 instead of *.*.*.*
07:54:01 I agree that locking umode x shouldn't be the default (people should show their host if they wanna) and 99% of those who are not behind a shared service don't run identd
In UnrealIRCd 5 I have set modes-on-join to +nt in example.conf AND made it so by default (so this also affects existing setups). Leaving it empty by default contrasts with our "secure by default" principle.
Did not decide on the rest / unchanged atm...
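
To see which of the five settings discussed in this issue a given configuration file sets explicitly, a small checker can walk the config block syntax. This is an added example, not code from the UnrealIRCd project; the sample configuration is constructed, and `parse_settings` and `discussed_settings` are hypothetical helper names.

```python
import re

# The five directives proposed in this issue, written as block paths.
DISCUSSED = ["set::modes-on-join", "set::restrict-usermodes",
             "set::allow-userhost-change", "set::cloak-method",
             "set::options::identd-check"]

# Quoted string | /* */ comment | # or // comment | punctuation | bare word.
# Strings are tried first, so "#lobby" is a value and not a comment.
TOKEN = re.compile(
    r'"((?:[^"\\]|\\.)*)"|/\*.*?\*/|(?:#|//)[^\n]*|([{};])|([^\s{};"]+)', re.S)

def parse_settings(text):
    """Map every directive to its value, keyed by path (block::...::name)."""
    settings, stack, words = {}, [], []
    for m in TOKEN.finditer(text):
        string, punct, word = m.groups()
        if punct == "{":            # the first word before '{' names the block
            stack.append(words[0] if words else "")
            words = []
        elif punct == "}":
            if stack:
                stack.pop()
            words = []
        elif punct == ";":          # end of a directive: name [value ...];
            if words:
                path = "::".join(stack + words[:1])
                # A directive without a value is a bare flag, stored as True.
                settings[path] = " ".join(words[1:]) if len(words) > 1 else True
            words = []
        elif string is not None or word is not None:
            words.append(string if string is not None else word)
    return settings

def discussed_settings(conf_text):
    """Value of each discussed directive; None means the file leaves it unset."""
    found = parse_settings(conf_text)
    return {path: found.get(path) for path in DISCUSSED}

# Constructed sample, not the project's example.conf.
SAMPLE_CONF = '''
/* constructed sample */
set {
    modes-on-join "+nt";                  # proposed in the issue
    allow-userhost-change force-rejoin;
    auto-join "#lobby";
    // cloak-method ip;
    options { identd-check; };
};
'''

if __name__ == "__main__":
    for path, value in discussed_settings(SAMPLE_CONF).items():
        print(f"{path:32} {value if value is not None else '(not set)'}")
```

A `None` result only means the file does not set the directive, so the server's built-in default applies.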