config:filter_files [2019/02/01 16:59] – Not that leading white-space is now significant. Other minor edits. digital man | config:filter_files [2023/12/18 19:51] (current) – [Filter Files] Note about file must end in LF digital man |
---|
Filter configuration (''[[dir:ctrl]]/*.cfg'') and trash can (''[[dir:text]]/*.can'') files allow the sysop to specify words (or any sequence of characters) that will be used to disallow clients, users, or their content. | Filter configuration (''[[dir:ctrl]]/*.cfg'') and trash can (''[[dir:text]]/*.can'') files allow the sysop to specify words (or any sequence of characters) that will be used to disallow clients, users, or their content. |
| |
Each line in a filter file may contain a comparison sequence. Blank lines and lines beginning with a semicolon are ignored. | Each line in a filter file may contain a comparison pattern. Blank lines and lines beginning with a semicolon character ('';'') are ignored. Lines may contain up to 1000 characters. |
| |
**Note**: | A tab (ASCII 9) character or a new-line (CR or CRLF) sequence will terminate (signify the end of) each comparison pattern. All characters between the first tab character and the new-line sequence may be considered metadata for the comparison pattern. |
Prior to v3.17c, leading white-space in filter file lines was ignored. As of v3.17c, leading white-space *is* significant and can be used for filters such " *" to filter (reject) any matches that begin with a leading space character. | |
| |
===== Comparison Sequences ===== | To support the correct auto-addition of filters, it's important that **all comparison patterns end in a new-line sequence** (i.e. a non-empty file must end with an LF character). |
* Sequences of alphabetic letters are treated case-insensitively | ===== Comparison Patterns ===== |
* Sequences //beginning// with an exclamation mark (''!'') negate the match logic for that sequence | * Leading white-space characters are ignored |
* Sequences //beginning// with an asterisk (''*'') match only if the characters following the ''*'' are found at the end of the comparison string | * Alphabetic character are compared case-insensitively |
* Sequences //ending// with an asterisk (''*'') or caret (''^'') match only if the characters preceding are found at the beginning of the comparison string | * C-style string-literal backslash (''\'') [[wp>C_syntax#Strings|escape sequences]] are supported in patterns (as of v3.17c) |
* Sequences //ending// with a tilde (''~'') match when the preceding string of characters are found //anywhere// within the comparison string | * Patterns //beginning// with an exclamation mark (''!'') negate the match logic for that pattern |
* All other sequences are "exact match" string comparisons | * Patterns //ending// with a caret (''^'') match only if the preceding (left most) characters are found at the beginning of the comparison string ((The caret is a legacy pattern matching character made obsolete/redundant by the asterisk)) |
| * Patterns //ending// with a tilde (''~'') match when the preceding string of characters are found //anywhere// within the comparison string |
| * Patterns //including// an asterisk (''*'') will match when both the left and right string fragments (on either/both sides of the ''*'') match the comparison string (as of v3.19a) ((Additional (more than one) asterisks in a comparison pattern are not treated specially)) |
| * All other patterns are "exact match" string comparisons |
| |
| **Note:**\\ |
| There's no effective difference between the patterns "word^" and "word*". |
| |
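Review bot: The new bullet "Leading white-space characters are ignored" in the Comparison Patterns list reverses the removed note that leading white-space is significant as of v3.17c, but unlike the escape-sequence (v3.17c) and asterisk (v3.19a) bullets it carries no version marker. Please state the version in which leading white-space went back to being ignored, and point sysops who still have a pattern such as " *" from the earlier behaviour to the backslash-escaped form shown in the ''\ *'' example, since the unescaped line no longer expresses a leading space. In the same region, the terminator is described as "new-line (CR or CRLF)" while the following paragraph requires a non-empty file to end with an LF character; the two statements should name the same sequences.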
Examples: | ==== Examples ==== |
| * ''sysop'' in the ''name.can'' file would mean new users could not use the name "sysop". |
| * ''sysop*'' would mean new users could not use names //beginning// with the word "sysop", like "sysop the" or "sysops". |
| * ''sysop~'' would mean new users could not use names that have the word "sysop" //anywhere// in them, like "imthesysop" or "Joe Sysop". |
| |
* ''sysop'' in the ''name.can'' file would mean users could not use the name "sysop". | === Match strings with the character sequence "viagra" anywhere within === |
* ''sysop*'' would mean users could not use names beginning with the word "sysop", like "sysopa" or "sysops" etc. | viagra~ |
* ''sysop~'' would mean users could not use names that have the word "sysop" anywhere in them, like "imthesysop" or "Joe Sysop". | |
| === Match strings beginning with the character sequence "[adv]" === |
| [adv]* |
| |
| === Match strings beginning with a space === |
| \ * |
| |
| === Match the string "administrator", exactly (but case-insensitively) === |
| administrator |
| |
| === Match strings that do not begin with the character sequence: "the " === |
| !the * |
| |
===== IPv4 CIDR Notation ===== | ==== IPv4 CIDR Notation ==== |
| |
An additional comparison format was introduced in v3.17 (Feb-9-2017) specifically for partial (ranges of) IPv4 address matching following standard [[wp>Classless_Inter-Domain_Routing]] (CIDR) notation. For example, rather than using the comparison string "192.168.1.*" to match all IP addresses that begin with the first 3 octets of 192, 168, and 1, you could specify the same thing using CIDR notation: | An additional comparison format was introduced in v3.17 (Feb-9-2017) specifically for partial (ranges of) IPv4 address matching following standard [[wp>Classless_Inter-Domain_Routing]] (CIDR) notation. For example, rather than using the comparison string "192.168.1.*" to match all IP addresses that begin with the first 3 octets of 192, 168, and 1, you could specify the same thing using CIDR notation: |
| |
IPv6 CIDR notation is not supported at this time. | IPv6 CIDR notation is not supported at this time. |
| |
===== Trash Can Files ===== | ===== Trash Can Files ===== |
| |
| |
^Filename / Page ^Default Contents^Rejection Message((Rejection message files are only used/displayed by the terminal server))^Description^ | ^Filename / Page ^Default Contents^Rejection Message((Rejection message files are only used/displayed by the terminal server))^Description^ |
|''[[email.can]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/text/email.can|email.can]]|''[[bademail.msg]]''|Disallowed (source or destination) e-mail addresses (see also ''[[twitlist.cfg]]'')| | |''[[email.can]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/text/email.can|email.can]]|''[[bademail.msg]]''|Disallowed (source or destination) e-mail addresses (see also ''[[twitlist.cfg]]'')| |
|''[[file.can]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/text/file.can|file.can]]|''[[badfile.msg]]''|Disallowed filenames for upload| | |''[[file.can]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/text/file.can|file.can]]|''[[badfile.msg]]''|Disallowed filenames for upload| |
|''[[host.can]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/text/host.can|host.can]]|''[[badhost.msg]]''|Disallowed hostnames for inbound connections (when hostname lookups are enabled)| | |''[[host.can]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/text/host.can|host.can]]|''[[badhost.msg]]''|Disallowed hostnames for inbound connections (when hostname lookups are enabled) and content| |
|''[[ip.can]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/text/ip.can|ip.can]]|''[[badip.msg]]''|Disallowed IP addresses for inbound connections| | |''[[ip.can]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/text/ip.can|ip.can]]|''[[badip.msg]]''|Disallowed IP addresses for inbound connections and content (e.g. messages)| |
|''[[ip-silent.can]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/text/ip-silent.can|ip-silent.can]]| |Silently-ignored IP addresses for inbound connections| | |''[[ip-silent.can]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/text/ip-silent.can|ip-silent.can]]| |Silently-ignored IP addresses for inbound connections| |
|''[[name.can]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/text/name.can|name.can]]|''[[badname.msg]]''|Disallowed user login name/alias (see also [[howto:block-hackers]])| | |''[[name.can]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/text/name.can|name.can]]|''[[badname.msg]]''|Disallowed user login name/alias (see also [[howto:block-hackers]])| |
|''[[password.can]]'' | [[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/text/password.can|password.can]]|''[[badpassword.msg]]''|Disallowed user passwords| | |''[[password.can]]'' | [[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/text/password.can|password.can]]|''[[badpassword.msg]]''|Disallowed user passwords| |
|''[[phone.can]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/text/phone.can|phone.can]]|''[[badphone.msg]]''|Disallowed phone numbers for new users| | |''[[phone.can]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/text/phone.can|phone.can]]|''[[badphone.msg]]''|Disallowed phone numbers for new users| |
|''[[subject.can]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/text/subject.can|subject.can]]|''[[badsubject.msg]]''|Disallowed subjects in posted messages| | |''[[subject.can]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/text/subject.can|subject.can]]|''[[badsubject.msg]]''|Disallowed subjects in posted messages| |
| |
| **New in Synchronet v3.20:**\\ |
| Comparison patterns in ''.can'' files may contain metadata as tab-delimited ''key=value'' pairs. The keys supported are: |
| ^ Key ^ Description ^ |
| |''t'' | Date/time stamp of filter addition (in ISO-8601 format) | |
| |''e'' | Expiration date/time (in ISO-8601 format) | |
| |''p'' | Protocol used (informational only) | |
| |''r'' | Reason for filtering (informational only) | |
| |''u'' | User name/identification at time of filtering (informational only) | |
| |''h'' | Host name of client (informational only) | |
| |
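Review bot: In the v3.20 metadata table, ''t'' and ''e'' are the only keys not marked "informational only", yet the text does not say what happens to a pattern once its ''e'' expiration date/time has passed (skipped when matching, or removed from the file), nor which ISO-8601 form and time zone are expected. Please add a sentence on expiry handling and one sample line showing a pattern followed by its tab-delimited ''key=value'' pairs. It would also help to say whether metadata is honoured only in ''.can'' files, as written here, or in the ''.cfg'' filter files too, because the introduction describes the tab terminator and trailing metadata for filter file lines in general.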
===== Other Filter Files ===== | ===== Other Filter Files ===== |
| |
^Filename / Page ^Default Contents^Description^ | ^Filename / Page ^Default Contents^Description^ |
|''[[spamblock.cfg]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/ctrl/spamblock.cfg|spamblock.cfg]]|Hostnames and IP addresses blocked from sending e-mail to the [[server:mail|Mail Server]] (see also ''spamblock_exempt.cfg'')| | |''[[spamblock.cfg]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/ctrl/spamblock.cfg|spamblock.cfg]]|Hostnames and IP addresses blocked from sending e-mail to the [[server:mail|Mail Server]] (see also ''spamblock_exempt.cfg'')| |
|''[[twitlist.cfg]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/ctrl/twitlist.cfg|twitlist.cfg]]|Disallowed (source or destination) e-mail addresses (enclosed in <angle brackets>) or names (see also ''[[email.can]]'')| | |''[[twitlist.cfg]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/ctrl/twitlist.cfg|twitlist.cfg]]|Disallowed (source or destination) e-mail/netmail addresses or names (see also ''[[email.can]]'')| |
| |
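Review bot: The ''twitlist.cfg'' row drops "(enclosed in <angle brackets>)" for e-mail addresses and adds netmail, while the ''dnsbl_exempt.cfg'' row further down keeps the angle-bracket wording unchanged. Please say in the description whether bracketed addresses in an existing ''twitlist.cfg'' are still matched, so that a sysop does not assume old entries keep working (or strip brackets that are still required) on the strength of this wording change alone.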
===== Filter Exemption Files ===== | ===== Filter Exemption Files ===== |
| |
^Filename / Page ^Default Contents^Description^ | ^Filename / Page ^Default Contents^Description^ |
|''[[ipfilter_exempt.cfg]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/ctrl/ipfilter_exempt.cfg|ipfilter_exempt.cfg]]| Hostnames and IP addresses that are considered exempt from temporary bans and permanent filtering (added Oct-17-2016)| | |''[[ipfilter_exempt.cfg]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/ctrl/ipfilter_exempt.cfg|ipfilter_exempt.cfg]]| Hostnames and IP addresses that are considered exempt from temporary bans and permanent filtering (added Oct-17-2016)| |
|''[[dnsbl_exempt.cfg]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/ctrl/dnsbl_exempt.cfg|dnsbl_exempt.cfg]]|Hostnames and IP addresses and e-mail address (enclosed in <angle brackets>) which are to be exempt from positive DNS-based Blacklist results in the [[server:mail|Mail Server]] (see also ''dns_blacklist.cfg'')| | |''[[dnsbl_exempt.cfg]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/ctrl/dnsbl_exempt.cfg|dnsbl_exempt.cfg]]|Hostnames and IP addresses and e-mail address (enclosed in <angle brackets>) which are to be exempt from positive DNS-based Blacklist results in the [[server:mail|Mail Server]] (see also ''dns_blacklist.cfg'')| |
|''[[spamblock_exempt.cfg]]'' |[[http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/ctrl/spamblock_exempt.cfg|spamblock_exempt.cfg]]|Hostnames and IP addresses which are not to be blocked from sending e-mail to the [[server:mail|Mail Server]] (see also ''spamblock.cfg'')| | |''[[spamblock_exempt.cfg]]'' |[[https://gitlab.synchro.net/sbbs/sbbs/-/raw/master/ctrl/spamblock_exempt.cfg|spamblock_exempt.cfg]]|Hostnames and IP addresses which are not to be blocked from sending e-mail to the [[server:mail|Mail Server]] (see also ''spamblock.cfg'')| |
| |
| |
* [[:config:|Configuration]] | * [[:config:|Configuration]] |
| |
{{tag>filter abuse spam}} | |
| {{tag>configuration security abuse spam cfg can}} |
| |