-
-
Notifications
You must be signed in to change notification settings - Fork 151
Rules
Rules are for defining network rules for applications and global rules.
You can set a rule per app, and add different preset rules to the app rule.
If app's action is "Block", then it will be blocked immediately.
If app's action is "Allow", then you can set various restrictions before allowing it.
So because of some restrictions the app's connection will be blocked. If no restriction applied, then the app's connection will be allowed.
- Rule's text can contain Filters, separated with new line (
\n) - Filter can contain Filter Functions, separated with
: - Filter can contain Sub-Filters, wrapped by
{and} - Filter Function can contain optional name and values
- Filter Function's values can be wrapped by
(and), separated with,or new line - Filter Function can be negated by
! - Use
=to check local port/ip is equal to remote one
Example:
104.21.5.235:udp(443)
172.67.154.192:udp(443)
This rule has 2 filters.
Example:
104.21.5.235:{
udp(443)
tcp(80):dir(in)
}
This rule has 1 filter with several functions:
- the IP should be "104.21.5.235"
- AND ( the Port should be UDP 443 OR (TCP 80 AND incoming) )
Example:
1.1.1.1: !{ port(80):dir(out) }
Address 1.1.1.1 AND NOT (port 80 AND outgoing).
It's more effective to use values list in one filter function, than several filters:
(
1.1.1.1
2.2.2.2
3.3.3.3
):(80, 443)
- "ip":
ip(1.1.1.1, 2.2.2.2/16, [::1])First filter's name is "ip" by default. - "port":
port(53, 80, HTTPS, 1024-3000)IP address's next filter's name is "port" by default. - "local_ip"
- "local_port"
- "proto" or "protocol":
proto(TCP, UDP, ICMP, ICMPv6, 97, 100-140) - "icmp_type":
icmp_type(8, 10-18) - "icmp_code":
icmp_code(0-9) - "ip_ver" or "ip_version":
ip_ver(6) - "dir" or "direction":
dir(IN, OUT) - "area": predefined network areas
area(LOCALHOST, LAN, INET) - "profile": network interface's profile
profile(PUBLIC, PRIVATE, DOMAIN) - "act" or "action":
action(ALLOW),action(BLOCK) - "tcp":
tcp(...)is optimized sugar for{ proto(TCP):port(...) } - "udp":
udp(...)is optimized sugar for{ proto(UDP):port(...) }
You can turn on the Rule's "Exclusive" flag to skip the rule's preset rules, when the rule's filters is blocked. The flag is effective, when the Rule is Allowed only.
Example: Allowed Exclusive Rule with text "profile(PUBLIC)" and its presets. When current network profile is not Public (but Private or Domain), then the Rule will not be processed.
You can turn on the Rule's "Terminating Rule" flag to set mandatory action, when no other filters or preset rules triggered.
- rules max count = 1024
- global rules max count = 64
- rule's preset sub-rules max count = 32
- rule's preset sub-rules max depth count = 8 (max level of preset sub-rules)
- rule filters' max depth count = 7 (max level of {{{...}}})
If no Rule's filters or sub-rules are applied for a connection, then the default action will be used.
-
If rule is disabled, then IGNORE
-
If rule has Zones and address is filtered by Zones, then remember Zone-Or-Filter
-
Else if rule has Filters and connection is filtered by Filters, then remember Zone-Or-Filter
-
If rule is Exclusive and rule's action is Allow:
- If Zone-Or-Filter is not applied, then IGNORE
-
Else if Zone-Or-Filter is applied, then APPLY
-
If rule has Preset Rules and any of them is filtered, then APPLY
-
If rule has Terminating Rule, then APPLY
- create allowing App Rule named "Allow App to only some"
- add the following text to filters field:
1.2.3.4:9100
- tick on the "Terminating Rule" and select "Block". So any connections will be blocked, when the filters are not applied.
The logic here:
- if some filter is applied to connection, then allow it
- otherwise block it, as terminating
Caveat:
- if you don't tick on the "Terminating Rule", then all connections will be allowed
- create blocking App Rule named "Block App except some"
- add the following text to filters field:
!{
1.2.3.4:9100
}
The logic here:
- if some filter is applied to connection, then block it
- otherwise allow it, as default app's action