** DarkFire IRCd **

Table of Contents
=================

  * DarkFire Verification System - An Overview
  * New Changes! (df-1.3.5 and df-1.3.6)
  * Configuring DVS
      - DVS_URL
      - DVS_STATUS
      - DVS_TIMEOUT
  * IRC Commands
      - DVS
  * Technical Details
      - How a Client Receives the DVSLIMIT Flag
      - Setting up Classes for DVS
      - What Happens to a Client with DVSLIMIT
      - Services Status and DVSLIMIT
      - DVS Restrictions
      - Determining if Services is Online
  * How to Disable DVS
  * About this Document

DarkFire Verification System - An Overview
==========================================

DVS is intended to create a more secure network by requiring all clients
to identify themselves before using the network.

To use this feature on a network other than DarkFire, the following must
be true:

  * Your network has working services that set users +r when they identify
  * You must be willing to prevent users from using your network unless
    they identify (Prior to df-1.3.5)
  * All servers on your network must have DVS enabled

More information at http://ircd.darkfire.net/dvs/
(http://dfircd.sf.net/dvs/)

New Changes! (df-1.3.5 and df-1.3.6)
====================================

DVS now has different levels of operation.

  0 - Off
  1 - Limited (Implicit only)
  2 - Expanded (Only excepted clients are exempt)
  3 - Full (All clients receive DVS status)

Status is based on class (Y:lines) and I:lines. Please see the document
on Ilines for more information.

The method by which DVS status is initially set is no longer done on a
server-by-server basis. Now, the NICK command contains information on
whether the client should or should not have the flag (based on local
settings, namely the configuration of the user's class).

As of df-1.3.6, services status is no longer taken into account when
assigning the dvs flag. When services are offline, the flag has no effect.
Upon services returning, the user then has 10 minutes to identify.
If services is not online when the user's 10 minutes is up, the counter
is reset (and since services is not online, they are able to use the
network).

Configuring DVS
===============

There are important settings toward the top of include/config.h. If you
are trying to disable DVS, see below.

DVS_URL
-------

When a client connects, they are given a URL with information regarding
DVS and how to use it on the network. By default, this is
http://www.darkfire.net/dvs/. However, if you are not linking to the
DarkFire IRC Network, you will want to change this. A good website to use
is located at http://dfircd.sf.net/dvs. You may use this as a basis for
your own (or link to it) if you wish.

  #define DVS_URL "http://some.address/information/about/dvs"

DVS_STATUS
----------

This is the default level of operation. See the technical details below
under "How a Client Receives the DVSLIMIT Flag" for more information.

DVS_TIMEOUT
-----------

This is the amount of time (in seconds) that a client has to identify
(yes, there are exceptions). A warning is sent to the user after 1/2 of
this time. See "Setting up Classes for DVS" under "Technical Details" for
information on creating special classes.

IRC Commands
============

These commands can be sent by a server (such as services) or by an oper
with the super (S) flag.

DVS
---

  Syntax: /DVS [0|1|2|3]
  Syntax: /DVS [LOCK|UNLOCK]
  Syntax: /DVS [0|1|2|3] [LOCK|UNLOCK]

Changes the DVS status and/or the DVS Lock status.

Technical Details
=================

Before diving into the details, there are a few flags that need to be
stated up front. If the user has the DVSLIMIT flag, he is eligible for
"DVS Restrictions" (described below). The dvstime variable is the latest
time the client became eligible for DVS Restrictions (again, see below).
The DVSWARN flag refers to a warning being sent after the user has been
restricted.

How a Client Receives the DVSLIMIT Flag
---------------------------------------

When a client connects to a server, the client is first examined on the
basis of being pre-exempted, i.e., they are already an oper, a registered
nick, or ULined. This is highly unlikely, but in the event of some weird
hack, we don't want them to be flagged DVSLIMIT.

Next, the DVS level is taken into consideration. If the level is...

  * Off (0), the user is not flagged DVSLIMIT.
  * Limited (1), the user is only flagged DVSLIMIT if the user's class has
    FORCE DVS enabled. (See below regarding "Setting up Classes for DVS")
  * Expanded (2), the user is flagged DVSLIMIT unless the user's class has
    EXEMPT DVS enabled. (Again, see below)
  * Full (3), the user is flagged DVSLIMIT.

Setting up Classes for DVS
--------------------------

When a client connects, it receives the class listed in the I:line of
best (sometimes first) fit. Classes are established via Y:lines. A basic
class 1 (the normal client class) Y:line is

  Y:1:90:0:10:100000

The syntax is

  Y:::::

In order to create a class with the "FORCE DVS" option (see the above
section if you don't know what this means), change the
"connect frequency|dvs" field from 0 to 10. To make a class with the
"EXEMPT DVS" option, change it to 20.

Therefore, a good set of client Y:lines is as follows (you will need
others for servers).

  Y:1:90:0:10:100000
  Y:2:90:10:1024:100000
  Y:3:90:20:1024:100000

Give class 1 to almost all clients. Class 2 should be used for problem
hosts, such as those that may be prone to clones, floodbots, spambots,
etc. Class 3 is ideal for local intranets. For example, the addresses on a
particular router, college LAN, or even an at-home LAN if that is the
situation.

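
The two sections above combine into one decision: read the dvs value from
the client's class, then apply the current DVS level. The following C
sketch is an added example, not code from the DarkFire IRCd source; the
struct, the function names and the constant names are hypothetical, and
only the class number and the "connect frequency|dvs" field of a Y:line
are interpreted.

```c
#include <stdio.h>

enum dvs_level { DVS_OFF, DVS_LIMITED, DVS_EXPANDED, DVS_FULL };   /* 0..3 */
enum { CLASS_DVS_FORCE = 10, CLASS_DVS_EXEMPT = 20 };  /* Y:line dvs values */

struct client { int is_oper, is_registered, is_ulined, class_dvs; }; /* hypothetical */

/* Read the class number and the dvs field (third number) of a Y:line; 0 = ok. */
int parse_yline(const char *line, int *class_id, int *dvs)
{
    int end = 0;
    if (sscanf(line, "Y:%d:%*d:%d:%*d:%*d%n", class_id, dvs, &end) != 2)
        return -1;
    return (end > 0 && line[end] == '\0') ? 0 : -1;
}

/* 1 if a connecting client should carry DVSLIMIT, else 0. */
int should_flag_dvslimit(enum dvs_level level, const struct client *c)
{
    if (c->is_oper || c->is_registered || c->is_ulined)
        return 0;                       /* pre-exempted, whatever the level */
    switch (level) {
    case DVS_LIMITED:  return c->class_dvs == CLASS_DVS_FORCE;
    case DVS_EXPANDED: return c->class_dvs != CLASS_DVS_EXEMPT;
    case DVS_FULL:     return 1;
    default:           return 0;        /* DVS_OFF */
    }
}

/* Decision for an ordinary client in the Y:line's class; -1 on a bad Y:line. */
int flag_for_yline(const char *yline, enum dvs_level level)
{
    struct client c = { 0, 0, 0, 0 };
    int class_id;
    if (parse_yline(yline, &class_id, &c.class_dvs) != 0)
        return -1;
    return should_flag_dvslimit(level, &c);
}

int main(void)
{
    const char *ylines[] = { "Y:1:90:0:10:100000", "Y:2:90:10:1024:100000",
                             "Y:3:90:20:1024:100000" };  /* from the text */
    for (int i = 0; i < 3; i++)
        for (int lvl = DVS_OFF; lvl <= DVS_FULL; lvl++)
            printf("%-22s level %d -> DVSLIMIT %d\n", ylines[i], lvl,
                   flag_for_yline(ylines[i], (enum dvs_level)lvl));
    return 0;
}
```

Note that at level 3 (Full) the class 3 "EXEMPT DVS" setting no longer
helps: only the pre-exemption check keeps a client unflagged.
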
What Happens to a Client with DVSLIMIT
--------------------------------------

The DVSLIMIT flag is automatically removed if/when:

  * The user is set +r (for example, after identifying to services)
  * The user is set +o (after becoming a global IRCop)

If the said client is still DVSLIMIT after the DVS_TIMEOUT (default is
10min), they will be killed. A temporary Akill (10min) will be added
unless there is a validated client from the same address. A warning is
sent to the user at 1/2 of this time (default is 5min).

Disclaimer: times are not exact and may vary up to +20 seconds.

Services Status and DVSLIMIT
----------------------------

When a user connects and services are online, its dvstime is the time it
connects. Otherwise, its dvstime is the first time it is seen as being
eligible for DVS Restrictions (they have DVSLIMIT and services are
online).

Users have "DVS_TIMEOUT" seconds from "dvstime" in order to identify or
oper. If, upon completing "DVS_TIMEOUT", services is not online, the
counter is reset. The counter is NOT reset if services go offline and
return prior to the timeout.

While services is offline, DVSLIMIT clients may use the network as normal.

Note: As of df-1.3.7, if services is offline but DVSLOCK is enabled, the
user will be restricted as if services were online.

DVS Restrictions
----------------

While a user has DVSLIMIT and services is online, the client may only use
the following commands:

  * PING/PONG
  * OPER
  * PRIVMSG/NOTICE to a ULined client (i.e. services)
  * NICKSERV, MEMOSERV, CHANSERV, OPERSERV, SERVICES, IDENTIFY (aliases to
    communicate with services)
  * NICK (to change to your registered nickname)
  * JOIN (Channels are buffered. The joins are actually executed when the
    DVSLIMIT flag is removed.)
  * LIST (The first list is saved and sent to the user when DVSLIMIT is
    removed, subsequent lists are ignored while under DVSLIMIT)

The DVSLIMIT flag is shown in /whois of a client when services is online.
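
The countdown rules from "What Happens to a Client with DVSLIMIT" and
"Services Status and DVSLIMIT", together with the condition under which
the restrictions above apply, can be modelled as a small state machine.
This is an added example, not code from the DarkFire IRCd source; the
struct, function and enum names are hypothetical, and it assumes that
dvstime == 0 means "countdown not running", that a reset restarts the
countdown when services is next seen online, and that the warning is only
sent while services is online.

```c
#include <stdio.h>
#include <time.h>

#define DVS_TIMEOUT 600   /* seconds; the 10 minute default from the text */

enum dvs_action { DVS_NONE, DVS_WARN, DVS_KILL, DVS_RESET };

/* Hypothetical per-client state; dvstime == 0 means "countdown not running". */
struct client { int dvslimit, dvswarn; time_t dvstime; };

/* Command restrictions apply while services is online, or with DVSLOCK set. */
int dvs_restricted(const struct client *c, int services_online, int dvslock)
{
    return c->dvslimit && (services_online || dvslock);
}

/* Periodic check for one client. */
enum dvs_action dvs_tick(struct client *c, time_t now, int services_online)
{
    if (!c->dvslimit)
        return DVS_NONE;                /* +r or +o already cleared the flag */
    if (c->dvstime == 0) {              /* first seen eligible: start clock */
        if (services_online)
            c->dvstime = now;
        return DVS_NONE;
    }
    if (now - c->dvstime >= DVS_TIMEOUT) {
        if (services_online)
            return DVS_KILL;            /* caller kills, may add temp akill */
        c->dvstime = 0;                 /* services gone at expiry: reset */
        c->dvswarn = 0;
        return DVS_RESET;
    }
    if (services_online && !c->dvswarn && now - c->dvstime >= DVS_TIMEOUT / 2) {
        c->dvswarn = 1;                 /* warn once, at half the timeout */
        return DVS_WARN;
    }
    return DVS_NONE;                    /* outage before expiry changes nothing */
}

int main(void)
{
    struct client c = { 1, 0, 0 };
    time_t t[] = { 1000, 1300, 1400, 1600 };   /* constructed timeline */
    int up[]   = { 1,    1,    0,    1    };   /* services online? */
    for (int i = 0; i < 4; i++)
        printf("t=%ld action=%d\n", (long)t[i], dvs_tick(&c, t[i], up[i]));
    return 0;
}
```
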
Other (DVS unrestricted) clients may not message any DVSLIMIT client
unless they are either ULined (services) or are an IRCop themselves.

Determining if Services is Online
---------------------------------

This is based solely on the presence of the server "SERVICES_NAME" as
given during the ./config script. To change this, see include/options.h.

How to Disable DVS
==================

To disable the DarkFire Verification System:

  * Edit the file include/config.h
  * Find the line (in the DVS section):
      #define USE_DVS 1
  * Replace the above line with:
      #undef USE_DVS
  * Compile your IRCd as usual (see INSTALL)

About this Document
===================

This manual was last updated on January 21st, 2004 and is current with
df-1.3.7.