Everything you ever wanted to know about access.cnf and more

The file "access.cnf" in the game/ subdirectory controls access to the
MUSH. It's used to restrict which sites can connect to players or guests,
create players, or register players by email. It can also flag a site
as suspect; all players who connect from suspect sites have their
SUSPECT flag set.

This file replaces the older lockout.cnf and sites.cnf files;
typing 'make access' will create a new access.cnf file from your
lockout.cnf and sites.cnf files.

FILE SYNTAX

The syntax of the file is simple. Each line gives information about
a host or host-pattern:

    [user@]host [dbref] [options] [# comment]

host    - the only required field, this is a hostname or a wildcard pattern
          to match. Examples:
            berkeley.edu   - matches hostname berkeley.edu
            *.berkeley.edu - matches hostname <anystring>.berkeley.edu
            *berkeley.edu  - matches either of the above
            *              - matches all hosts
user@   - if the host supports ident, and you trust the ident response,
          and you're sure that the link is fast enough that you'll always
          get an ident response in time, you can match for specific
          users. Example: johnq@netcom.com
dbref   - The dbref of a character to restrict the rule to.
          (Only makes sense for connect rules). Leave it out
          or use '-2' to match all characters. Leave out the '#'
          in the dbref.
options - A space-separated list of options which apply to connections
          from the host. Described in detail below.
comment - an optional comment

Everything in the file is separated by a single space - don't use tabs.

The file is read line-by-line, and the first match is used. This
means that the order in which hosts are listed is very important.

Also, since both hostnames and IPs are checked, some rules must take
both into account.

There is one special line in the file, which looks like this:

    @sitelock

This line indicates where @sitelock'd sites will be inserted in
the file. Hosts listed after this line can have their access
options superseded by using @sitelock on-line. Hosts listed before
this line cannot have their access options overridden by @sitelock.
If the line doesn't appear in the file, it will be added to the end
of the file at startup.


READING AND WRITING THE FILE

The access.cnf file is read and cached at startup, and whenever the MUSH
receives a HUP signal.

The access.cnf file is written back to disk whenever @sitelock is used.


OPTIONS

The following options are available for each host in the file:

create      - People connecting from this host may 'create' players.
!create     - People connecting from this host may NOT 'create' players.
connect     - People may connect to their existing non-guest players.
!connect    - People may NOT connect to their existing non-guest players.
guest       - People may connect to guest players from this host.
!guest      - People may NOT connect to guest players from this host.
none        - shorthand for: !create !connect !guest
default     - shorthand for: create connect guest
!god        - God cannot connect from this host.
!wizard     - Wizards cannot connect from this host.
!admin      - Wizards and Royalty cannot connect from this host.
register    - People may use the 'register' command from this host.
suspect     - All players connected to from this host will be set SUSPECT
deny_silent - Don't log failed create/connect/guest/register attempts
regexp      - Use regexp match rather than glob matching for the pattern

If no options are given, the host is treated as if option "none"
were used. If at least one option is listed, it's assumed that
hosts can do anything (create, connect, guest) that they are
not prohibited from.


EXAMPLE SCENARIOS

Here are some typical ways you might want to set up your file:

1. Totally ban specific sites, allow all others

    *badsite.com -2 none
    *.twink.edu -2 none

This will totally lock out those sites (like lockout.cnf)


2. Allow specific sites and no others. Note that you must list both
hostname-matching patterns and ip address-matching patterns, because
if either fails to match a rule that allows connection, the connection
will be refused. This is true in general when writing positive rules.

    *.berkeley.edu -2 default
    128.32.* -2 default
    * -2 none

People may connect from .berkeley.edu (128.32.) sites only.


3. Allow connection but not creation from some sites

    *.twink.edu -2 !create

This is equivalent to the former function of sites.cnf


4. Allow connection but not creation or guest-connection from some sites

    *.twink.edu -2 !guest !create


5. Require that a given site use the 'register' command to register
players by email.

    *.twink.edu -2 !create register

Using !create prevents people from using the usual create command.
Adding register allows them to use the register command.


6. Disable creation from twink.edu sites, and don't let Wizards
override this rule with @sitelock

    *.twink.edu -2 !create
    @sitelock

Because the rule appears above "@sitelock", and @sitelock rules appear
below "@sitelock", the rule will always be checked before any
@sitelock rules.


7. Disable creation from twink.edu sites, but allow Wizards to
later override this rule with @sitelock

    @sitelock
    *.twink.edu -2 !create

Because the rule appears below "@sitelock", new @sitelock rules
(which will be added immediately following "@sitelock") will precede
it, and will be checked first.

8. God can only be connected to from one specific account on the
server, and nowhere else. Wizards cannot override it. This requires
you to connect to 'localhost <port>' from a given account on the
same server the mush runs on. If the server doesn't support ident,
remove 'username@' so that anyone on the server can connect.

    username@localhost 1 connect
    username@127.0.0.1 1 connect
    * -2 !god
    @sitelock

9. A complex example:

   a) Allow anybody from localhost.berkeley.edu complete access
   b) Force people from *.twink.edu to use registration, and set their
      players SUSPECT
   c) Completely ban *badsite.com, and don't log attempts to connect
   d) Don't allow jerk@netcom.com to connect to Guests
   e) Allow people from somesite.org to connect to Guests only.
   f) Allow @sitelock to override c-e above

    localhost.berkeley.edu -2 default
    127.0.0.1 -2 default
    *.twink.edu -2 !create register suspect
    @sitelock
    *badsite.com -2 none deny_silent
    jerk@netcom.com -2 !guest
    somesite.org -2 !connect !create guest
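
The first-match rule and the hostname/IP requirement from scenario 2 can be checked offline before a rule set goes live. The Python sketch below is an added example, not PennMUSH code: it models only create/connect/guest, ignores ident (user@), dbref and regexp, uses Python's fnmatch as a stand-in for the server's glob matcher, and assumes (from scenario 1) that a site matching no rule is unrestricted. The host name and address in the sample are constructed.

```python
# Added illustration: a simplified model of the rule semantics described in
# this document. Not PennMUSH code; ident (user@), dbref restrictions,
# regexp, and options other than create/connect/guest are not modelled.
from fnmatch import fnmatchcase

ACTIONS = {"create", "connect", "guest"}

def parse(text):
    """Return a list of (pattern, allowed_actions) in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] == "@sitelock":
            continue  # blank line, comment-only line, or the @sitelock marker
        pattern, opts = fields[0].lower(), fields[1:]
        if opts and opts[0].lstrip("-").isdigit():
            opts = opts[1:]  # drop the dbref column (ignored in this model)
        if not opts or "none" in opts:
            allowed = set()  # no options at all is the same as "none"
        else:
            # At least one option: everything not prohibited is allowed.
            allowed = ACTIONS - {o[1:] for o in opts if o.startswith("!")}
        rules.append((pattern, allowed))
    return rules

def first_match(rules, name):
    """First rule whose pattern matches wins; later rules are never seen."""
    for pattern, allowed in rules:
        if fnmatchcase(name.lower(), pattern):
            return pattern, allowed
    return None, set(ACTIONS)  # assumption: no matching rule, no restriction

def may(rules, action, hostname, ip):
    """Both the hostname and the IP must land on a rule allowing the action."""
    return all(action in first_match(rules, n)[1] for n in (hostname, ip))

# Constructed sample: scenario 2 with and without the IP pattern.
HOST_ONLY = "*.berkeley.edu -2 default\n* -2 none\n"
HOST_AND_IP = "*.berkeley.edu -2 default\n128.32.* -2 default\n* -2 none\n"

if __name__ == "__main__":
    for label, text in (("host only", HOST_ONLY), ("host + ip", HOST_AND_IP)):
        rules = parse(text)
        print(label, may(rules, "connect", "cs.berkeley.edu", "128.32.0.10"))
```

With only the hostname pattern listed, the address falls through to "* -2 none" and the connection is refused; adding the 128.32.* line lets both checks pass.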