[IRCServices] exceptions entries by IP & channel bans with bahamut

Kelmar K. Firesun kfiresun at ix.netcom.com
Fri Jan 19 16:19:21 PST 2001


----- Original Message -----
From: Andy Smith <andy at strugglers.net>
To: <ircservices at ircservices.za.net>
Sent: Friday, January 19, 2001 2:15 PM
Subject: [IRCServices] exceptions entries by IP & channel bans with bahamut


> Entries on the exception list do not seem to work if you give the IP address
> but the clients come online from a resolved host.  It'd be really nice to be
> able to specify an exception entry such as 192.168.0.*  (it'd be even nicer
> to be able to use proper CIDR notation too e.g. 192.168.0.0/24), any chance
> of that happening?
>
> Secondly, Bahamut allows bans applied by IP address to affect the hostnames
> that match, but chanserv unban <nick> doesn't take this into account.  This
> leads to a bit of confusion when people try to unban a nick from outside the
> channel and it doesn't appear to be happening.  What are people's thoughts
> on this behaviour?
>

. o O ( It does!? )

I didn't see any evidence of that when I was going through the sources....
Does it allow 192.168.0.0/24 bans on a channel?  I know you could ban
on IPs for a long time but the ircds would only check if the user's
host did not resolve.

ANYHOW!  To answer your question, yes and no.  You CAN do it but you have
to change your ircds to transmit the IP addresses as well as the hostnames
of your users, which is something I know Bahamut doesn't do.  (I'm guessing
that each server checks the IP related bans locally, therefore it works)


The last thing you'd want is to have services sit there and hang up for
a while as it performs 100s of DNS lookups (which might not resolve) on
each user on your network... Even then what one server thinks the IP of
one user might NOT be the IP that another server will resolve.

Here are two examples using a simple setup like so:
Server 1 is on the east side of the US which is connected to Server 2
on the west side of the US.  Server 2 is hosting a copy of Services
for this hypothetical IRC network.  Our User A is on the East side of
the US as well using a local ISP.  He'll be connecting to Server 1 because
it's geographically closer to him.

Example 1:
User A connects to Server 1.  Now let's just imagine that User A's ISP has
just changed its block of IPs or its DNS entries, but these entries
haven't propagated to Server 2's DNS records like they did to Server 1's.
One of two things will happen.  Services will have the wrong IP, or it
will not resolve at all, either way its ban will not be effective if it
triggers at all.

Example 2:
User A connects to Server 1 who has a working DNS so Server 1 sends the
hostname to Server 2 for the user.  However, Server 2's DNS is down so
Services appears to "hang" while it finds out it can't resolve the hostname.
Now you can write an asynchronous DNS library (I've done it myself) but
either way you duplicate the problem above.

This is why you'd have to transmit the IP when the user connects.  Services
doesn't know to set the ban if it cannot match the bans.

Bryce Simonds (Kelmar K. Firesun)
IRC operator: dream.esper.net
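
An added example, not part of the original message and not IRC Services or Bahamut code: a sketch of matching a wildcard or CIDR mask against a user record, showing that an IP-based mask can only match when the ircd transmitted the IP along with the hostname. The `struct user` layout and all function names are hypothetical, and only IPv4 is handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user record; ip is NULL when the ircd sent only a hostname. */
struct user { const char *host; const char *ip; };
/* Parse dotted-quad IPv4 into a host-order integer; returns 0 on bad input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}
/* "a.b.c.d/len" vs ip: 1 = inside the block, 0 = outside, -1 = malformed. */
static int cidr_match(const char *mask, const char *ip)
{
    char net[32], *end; const char *slash = strchr(mask, '/');
    uint32_t n, addr, bits; long len; size_t plen;
    if (!slash || (plen = (size_t)(slash - mask)) >= sizeof net) return -1;
    memcpy(net, mask, plen); net[plen] = '\0';
    len = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end || len < 0 || len > 32) return -1;
    if (!parse_ipv4(net, &n) || !parse_ipv4(ip, &addr)) return -1;
    bits = len ? 0xFFFFFFFFu << (32 - len) : 0;
    return (n & bits) == (addr & bits);
}
/* Minimal glob: '*' matches any run, '?' exactly one character. */
static int wild_match(const char *p, const char *s)
{
    if (*p == '\0') return *s == '\0';
    if (*p == '*') return wild_match(p + 1, s) || (*s && wild_match(p, s + 1));
    return *s && (*p == '?' || *p == *s) && wild_match(p + 1, s + 1);
}
/* A mask can only hit on an address if the IP was transmitted with the user. */
int mask_matches(const char *mask, const struct user *u)
{
    if (strchr(mask, '/')) return u->ip ? cidr_match(mask, u->ip) == 1 : 0;
    return wild_match(mask, u->host) || (u->ip && wild_match(mask, u->ip));
}

int main(void)
{
    /* Constructed users: same client without, then with, a transmitted IP. */
    struct user a = { "dsl42.example.net", NULL };
    struct user b = { "dsl42.example.net", "192.168.0.17" };
    printf("%d %d\n", mask_matches("192.168.0.0/24", &a), mask_matches("192.168.0.0/24", &b));
    return 0;
}
```

No DNS lookup is performed anywhere: the match uses only what the user record carries, which is why the hostname-only record never matches an IP mask.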