View Issue Details

ID: 0005506
Project: unrealircd
Category:
View Status: public
Last Update: 2022-05-15 15:17
Reporter: westor
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Product Version: 5.0.0
Summary: 0005506: Add "except-webirc;" in Blacklist + Restrict-commands + Connthrottle modules
Description:
Hello,

I wanna suggest an except option, if it is possible, to be added to the Blacklist, Restrict-commands and Connthrottle modules, especially for webirc NEW USERS, and I am gonna explain why it is very useful and missing right now.

In the blacklist module, when a webirc (new user) is trying to connect but is matched in that module by a specific DNSBL, but that DNSBL is useful, there is no way right now to except this user other than /ELINE, and this is not 100% correct because there may not be someone from the admin team online to add it.

In restrict-commands, when you wanna protect your network by restricting some of the USERCMDS during connecting, right now there is not any option to except webirc new users, with the result that it matches them too. So if you add, for example, JOIN in restrict command on connect for 10s, it also matches webirc clients. This could be solved if "exempt-webirc yes;" existed.

In connthrottle, when it is enabled due to a high proxy attack, it will also reject the webirc (new users) from connecting; in this case, if "webirc-bypass yes;" existed under known-users, it would solve it.

- Thanks!
Tags: No tags attached.
3rd party modules

Activities

syzop

2020-01-02 16:40

administrator   ~0021193

Dropping as target for 5.0.1, sorry.

syzop

2022-05-14 19:24

administrator   ~0022483

Last edited: 2022-05-14 19:25

This issue inspired me not to duplicate the same code but to extend security-group functionality to "mask" and "except".
I have now added/transformed: antirandom, antimixedutf8, connthrottle and restrict-commands to accept the same items as exist in the security-group block, see https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#unrealircd-604-git

For restrict-commands see the updated examples in example.conf: https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/conf/examples/example.conf#L500-L530
And same for connthrottle: https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/conf/examples/example.conf#L546-L564

You can now use the following within an except block there: webirc yes;

The blacklist { } block still needs to be done (for per-blacklist basis), and except ban { } too (for exempting all blacklists).
In the meantime you can use this though:
except ban { mask ~security-group:webirc-users; type blacklist; }

And then later I will make this work (IT DOES NOT WORK YET):
except ban { mask { webirc yes; } type blacklist; }

syzop

2022-05-15 15:17

administrator   ~0022486

commit c0374862632867e3bafa41e27ee1136fe0ded73c (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD)
Author: Bram Matthys <syzop@vulnscan.org>
Date: Sun May 15 15:13:19 2022 +0200

    Add blacklist::except for exempting users from individual blacklists,
    this is a https://www.unrealircd.org/docs/Mask_item so very flexible.
    
    Note that most people would want to use except ban { } instead to
    simply exempt from ALL blacklists. (that one does not yet have the
    flexible mask capability though.. but it will have it soon..)
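
The exemptions described in syzop's notes above, gathered into one configuration fragment. This is an added example, not taken from the thread or from the UnrealIRCd example.conf; the blacklist name, DNSBL host, reply code and time values are constructed placeholders, and it assumes a build that includes the changes described in those notes.

```conf
/* Added example: only the exemption-related parts are shown.
 * Names and values marked "placeholder" are constructed. */

/* restrict-commands: JOIN is held back for the first 10 seconds after
 * connect, except for clients that arrive through a WEBIRC gateway. */
set {
	restrict-commands {
		join {
			except {
				connect-time 10;   /* placeholder value */
				webirc yes;
			}
		}
	}
}

/* connthrottle: users matching the except block are not throttled. */
set {
	connthrottle {
		except {
			reputation-score 24;   /* placeholder value */
			identified yes;
			webirc yes;
		}
	}
}

/* blacklist::except: exempt WEBIRC users from this one blacklist only. */
blacklist example-dnsbl {              /* placeholder name */
	dns {
		name dnsbl.example.org;    /* placeholder host */
		type record;
		reply { 2; }               /* placeholder reply code */
	}
	action gline;
	ban-time 24h;
	reason "Your IP is listed in a DNSBL";
	except {
		webirc yes;
	}
}

/* Exempt WEBIRC users from ALL blacklists, in the form given in the thread. */
except ban {
	mask ~security-group:webirc-users;
	type blacklist;
}
```

The per-blacklist `except` and the global `except ban` are alternatives: the first keeps other blacklists active for WEBIRC users, the second disables every blacklist check for them.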

Issue History

Date Modified Username Field Change
2019-12-23 17:37 westor New Issue
2019-12-28 09:45 syzop Target Version => 5.0.1
2020-01-02 16:40 syzop Target Version 5.0.1 =>
2020-01-02 16:40 syzop Note Added: 0021193
2020-01-10 08:42 syzop Priority high => normal
2022-05-14 19:24 syzop Note Added: 0022483
2022-05-14 19:25 syzop Note Edited: 0022483
2022-05-15 15:17 syzop Note Added: 0022486