├── lists ├── list-tor.txt ├── list-torrentbay.txt ├── list-rezka.txt ├── list-rutor.txt ├── list-nnmclub.txt ├── list-rutracker.txt ├── list-thepiratebay.txt ├── list-tiktok.txt ├── list-telegram.txt ├── list-chess.txt ├── list-microchip.txt ├── list-speedtest.txt ├── list-viber.txt ├── list-twitter.txt ├── list-soundcloud.txt ├── ipset-viber.txt ├── list-spotify.txt ├── list-discord.txt ├── list-cloudflare.txt ├── list-twitch.txt ├── list-youtube.txt ├── list-nvidia.txt ├── list-instagram.txt └── list-steam.txt └── configurations ├── DiscordFix ├── DiscordFix_для_МГТС ├── UltimateFix_ALT_v5 ├── discord ├── fix_v3 ├── general_МГТС2 ├── GeneralFix_ALT3 ├── UltimateFix_ALT_v3 ├── general_МГТС ├── general_old ├── GeneralFix_ALT4 ├── UltimateFix_ALT_v4 ├── GeneralFix ├── UltimateFix_ALT_v2 ├── GeneralFix_ALT ├── UltimateFix_ALT ├── UltimateFix_для_МГТС ├── UltimateFix_ALT_v6 ├── UltimateFix_ALT_v7 ├── UltimateFix_ALT_v9 ├── UltimateFix_Universal ├── UltimateFix_ALT_v8 ├── DiscordFix_ALT ├── UltimateFix ├── YoutubeFix_ALT ├── general_fake_tls_auto ├── UltimateFix_ALT_v10 ├── UltimateFix_Universal_v2 ├── UltimateFix_Universal_v3 ├── RussiaFix ├── UltimateFix_ALT_EXTENDED ├── preset_russia └── general_ALT5 /lists/list-tor.txt: -------------------------------------------------------------------------------- 1 | torproject.org -------------------------------------------------------------------------------- /lists/list-torrentbay.txt: -------------------------------------------------------------------------------- 1 | torrentbay.to 2 | torrentbay.net 3 | torrentbay.org -------------------------------------------------------------------------------- /lists/list-rezka.txt: -------------------------------------------------------------------------------- 1 | rezka.ag 2 | rezka.fl 3 | rezka.plus 4 | hd-rezka.one 5 | hd-rezka.tv 6 | ru1.hdreska.net -------------------------------------------------------------------------------- /lists/list-rutor.txt: 
-------------------------------------------------------------------------------- 1 | rutor.info 2 | rutor.is 3 | rutor.org 4 | rutor.nl 5 | rutor.xyz 6 | rutor.one 7 | rutor.co 8 | rutor.lib -------------------------------------------------------------------------------- /lists/list-nnmclub.txt: -------------------------------------------------------------------------------- 1 | nnm-club.to 2 | nnm-club.me 3 | nnmclub.ro 4 | nnm-club.name 5 | nnmclub.to 6 | nnm-club.cc 7 | nnmclub.se 8 | nnmclub.live -------------------------------------------------------------------------------- /lists/list-rutracker.txt: -------------------------------------------------------------------------------- 1 | rutracker.org 2 | rutracker.net 3 | rutracker.cr 4 | rutracker.nl 5 | rutracker.ru 6 | rutracker.cc 7 | rutracker.cloud 8 | rutracker.in 9 | rutracker.me 10 | rutracker.is -------------------------------------------------------------------------------- /lists/list-thepiratebay.txt: -------------------------------------------------------------------------------- 1 | thepiratebay.org 2 | thepiratebay.se 3 | thepiratebay3.org 4 | thepiratebay10.org 5 | pirateproxy.live 6 | tpb.party 7 | thepiratebay.vip 8 | thepiratebay.rocks 9 | thepirate-bay.org 10 | pirate-bay.net 11 | tpbproxy.org 12 | thepiratebay0.org -------------------------------------------------------------------------------- /lists/list-tiktok.txt: -------------------------------------------------------------------------------- 1 | byteoversea.com 2 | muscdn.com 3 | musical.ly 4 | tik-tokapi.com 5 | tiktok.com 6 | tiktokcdn-us.com 7 | tiktokcdn.com 8 | tiktokd.net 9 | tiktokd.org 10 | tiktokv.com 11 | tiktokv.us 12 | tiktokw.us 13 | ttwstatic.com 14 | p16-tiktokcdn-com.akamaized.net 15 | -------------------------------------------------------------------------------- /lists/list-telegram.txt: -------------------------------------------------------------------------------- 1 | telegram.org 2 | t.me 3 | web.telegram.org 4 
| desktop.telegram.org 5 | macos.telegram.org 6 | telegram.me 7 | telegram.dog 8 | core.telegram.org 9 | tdesktop.com 10 | telegram.tips 11 | telegramusercontent.com 12 | webk.telegram.org 13 | k.telegram.org 14 | telesco.pe -------------------------------------------------------------------------------- /lists/list-chess.txt: -------------------------------------------------------------------------------- 1 | chess.com 2 | play.chess.com 3 | beta.chess.com 4 | chesskid.com 5 | chessclock.com 6 | chessgames.com 7 | chesscdn.com 8 | chessbase.com 9 | chessok.com 10 | support.chess.com 11 | chess.com/club 12 | chess.com/tv 13 | chess.com/news 14 | chess.com/puzzles 15 | chess.com/lessons -------------------------------------------------------------------------------- /lists/list-microchip.txt: -------------------------------------------------------------------------------- 1 | microchip.com 2 | ww1.microchip.com 3 | microchipdirect.com 4 | mplabcloud.com 5 | microchipdeveloper.com 6 | microchiptechnology.com 7 | microchip.secure.force.com 8 | support.microchip.com 9 | store.microchip.com 10 | www.microchip.com 11 | microchip.widen.net 12 | microchiptech.com -------------------------------------------------------------------------------- /lists/list-speedtest.txt: -------------------------------------------------------------------------------- 1 | beta.speedtest.net 2 | cdnst.net 3 | cellmaps.com 4 | ekahau.cloud 5 | ekahau.com 6 | fast.com 7 | ookla.com 8 | ookla.org 9 | ooklaserver.net 10 | pingtest.net 11 | speedtest.co 12 | speedtest.com 13 | speedtest.net 14 | speedtestcustom.com 15 | speedtestlab.net 16 | webtest.net 17 | www.speedtest.net.cdn.cloudflare.net -------------------------------------------------------------------------------- /lists/list-viber.txt: -------------------------------------------------------------------------------- 1 | viber.com 2 | api.viber.com 3 | account.viber.com 4 | share.viber.com 5 | stickers.viber.com 6 | chats.viber.com 7 | 
support.viber.com 8 | www.viber.com 9 | dl-media.viber.com 10 | media.viber.com 11 | ads.viber.com 12 | static.viber.com 13 | ar.viber.com 14 | billing.viber.com 15 | pg.viber.com 16 | chatapi.viber.com 17 | invite.viber.com 18 | -------------------------------------------------------------------------------- /lists/list-twitter.txt: -------------------------------------------------------------------------------- 1 | ads-twitter.com 2 | cms-twdigitalassets.com 3 | periscope.tv 4 | pscp.tv 5 | t.co 6 | tellapart.com 7 | tweetdeck.com 8 | twimg.com 9 | twitpic.com 10 | twitter.biz 11 | twitter.com 12 | twitter.jp 13 | twittercommunity.com 14 | twitterflightschool.com 15 | twitterinc.com 16 | twitteroauth.com 17 | twitterstat.us 18 | twtrdns.net 19 | twttr.com 20 | twttr.net 21 | twvid.com 22 | vine.co 23 | x.com -------------------------------------------------------------------------------- /lists/list-soundcloud.txt: -------------------------------------------------------------------------------- 1 | soundcloud.com 2 | m.soundcloud.com 3 | api.soundcloud.com 4 | developers.soundcloud.com 5 | soundcloud.app 6 | soundcloud.org 7 | soundcloud.net 8 | soundcloud.co 9 | soundcloud.co.uk 10 | soundcloud.fr 11 | soundcloud.de 12 | soundcloud.me 13 | soundclouddesign.com 14 | soundcloudpress.com 15 | stream.soundcloud.com 16 | soundcloudstatus.com 17 | soundcloudforartists.com 18 | w.soundcloud.com 19 | sndcdn.com -------------------------------------------------------------------------------- /lists/ipset-viber.txt: -------------------------------------------------------------------------------- 1 | 52.58.160.0/24 2 | 52.58.161.0/24 3 | 52.58.162.0/24 4 | 52.58.163.0/24 5 | 52.58.164.0/24 6 | 52.58.165.0/24 7 | 52.58.166.0/24 8 | 52.58.167.0/24 9 | 52.58.168.0/24 10 | 52.58.169.0/24 11 | 52.58.170.0/24 12 | 52.58.171.0/24 13 | 52.58.172.0/24 14 | 52.58.173.0/24 15 | 52.58.174.0/24 16 | 52.58.175.0/24 17 | 52.58.176.0/24 18 | 52.58.177.0/24 19 | 52.58.178.0/24 20 | 
52.58.179.0/24 21 | 52.58.180.0/24 22 | 52.58.181.0/24 23 | 52.58.182.0/24 24 | 52.58.183.0/24 25 | 52.58.184.0/24 26 | 52.58.185.0/24 27 | 52.58.186.0/24 28 | 52.58.187.0/24 29 | 52.58.188.0/24 30 | 52.58.189.0/24 31 | 52.58.190.0/24 32 | 52.58.191.0/24 -------------------------------------------------------------------------------- /lists/list-spotify.txt: -------------------------------------------------------------------------------- 1 | audio-ak-spotify-com.akamaized.net 2 | audio4-ak-spotify-com.akamaized.net 3 | byspotify.com 4 | cdn-spotify-experiments.conductrics.com 5 | heads-ak-spotify-com.akamaized.net 6 | heads4-ak-spotify-com.akamaized.net 7 | open.spotify.com 8 | pscdn.co 9 | scdn.co 10 | spoti.fi 11 | spotify-everywhere.com 12 | spotify.co 13 | spotify.co.uk 14 | spotify.com 15 | spotify.com.edgesuite.net 16 | spotify.de 17 | spotify.design 18 | spotify.fr 19 | spotify.in 20 | spotify.jp 21 | spotify.map.fastly.net 22 | spotify.map.fastlylb.net 23 | spotify.net 24 | spotify.org 25 | spotify.ru 26 | spotifycdn.com 27 | spotifycdn.net 28 | spotifycharts.com 29 | spotifycodes.com 30 | spotifyforbrands.com 31 | spotifyjobs.com -------------------------------------------------------------------------------- /lists/list-discord.txt: -------------------------------------------------------------------------------- 1 | *.discord.app:* 2 | *.discord.com 3 | *.discord.com:* 4 | *.discord.gg 5 | *.discord.gg:* 6 | *.discord.media 7 | *.discordapp.com 8 | *.discordapp.com:* 9 | *.discordapp.net 10 | *.discordapp.net:* 11 | airhorn.solutions 12 | airhornbot.com 13 | bigbeans.solutions 14 | cdn.discordapp.com 15 | dis.gd 16 | discord-activities.com 17 | discord-attachments-uploads-prd.storage.googleapis.com 18 | discord.app 19 | discord.co 20 | discord.com 21 | discord.design 22 | discord.dev 23 | discord.gg 24 | discord.gift 25 | discord.gifts 26 | discord.media 27 | discord.new 28 | discord.store 29 | discord.tools 30 | discordactivities.com 31 | discordapp.com 
32 | discordapp.io 33 | discordapp.net 34 | discordcdn.com 35 | discordmerch.com 36 | discordpartygames.com 37 | discordsays.com 38 | discordsez.com 39 | discordstatus.com 40 | gateway.discord.gg 41 | hammerandchisel.ssl.zendesk.com 42 | images-ext-1.discordapp.net 43 | media.discordapp.net 44 | watchanimeattheoffice.com 45 | www.discord.app 46 | www.discord.com -------------------------------------------------------------------------------- /lists/list-cloudflare.txt: -------------------------------------------------------------------------------- 1 | cloudflare-ech.com 2 | argotunnel.com 3 | cf-ipfs.com 4 | cf-ns.com 5 | cf-ns.net 6 | cf-ns.site 7 | cf-ns.tech 8 | cfl.re 9 | cftest5.cn 10 | cftest6.cn 11 | cftest7.com 12 | cftest8.com 13 | cloudflare-cn.com 14 | cloudflare-dns.com 15 | cloudflare-esni.com 16 | cloudflare-gateway.com 17 | cloudflare-quic.com 18 | cloudflare.com 19 | cloudflare.net 20 | cloudflare-ipfs.com 21 | cloudflare-stream.com 22 | cloudflare-tv.com 23 | cloudflare-access.com 24 | cloudflare-apps.com 25 | cloudflare-bolt.com 26 | cloudflare-client.com 27 | cloudflare-insights.com 28 | cloudflare-ok.com 29 | cloudflare-partners.com 30 | cloudflare-portal.com 31 | cloudflare-preview.com 32 | cloudflare-resolve.com 33 | cloudflare-ssl.com 34 | cloudflare-status.com 35 | cloudflare-storage.com 36 | cloudflare-test.com 37 | cloudflare-warp.com 38 | cloudflareanycast.net 39 | cloudflarechina.cn 40 | cloudflareglobal.net 41 | cloudflareinsights-cn.com 42 | cloudflareperf.com 43 | cloudflareprod.com 44 | cloudflarestaging.com 45 | every1dns.net 46 | isbgpsafeyet.com 47 | one.one.one 48 | pacloudflare.com 49 | pages.dev 50 | trycloudflare.com 51 | videodelivery.net 52 | warp.plus 53 | workers.dev -------------------------------------------------------------------------------- /lists/list-twitch.txt: -------------------------------------------------------------------------------- 1 | app.twitch.tv 2 | blog.twitch.tv 3 | clips.twitch.tv 4 | 
d1g1f25tn8m2e6.cloudfront.net 5 | d1m7jfoe9zdc1j.cloudfront.net 6 | d1mhjrowxxagfy.cloudfront.net 7 | d1oca24q5dwo6d.cloudfront.net 8 | d1w2poirtb3as9.cloudfront.net 9 | d1xhnb4ptk05mw.cloudfront.net 10 | d1ymi26ma8va5x.cloudfront.net 11 | d2aba1wr3818hz.cloudfront.net 12 | d2dylwb3shzel1.cloudfront.net 13 | d2e2de1etea730.cloudfront.net 14 | d2nvs31859zcd8.cloudfront.net 15 | d2um2qdswy1tb0.cloudfront.net 16 | d2vjef5jvl6bfs.cloudfront.net 17 | d2xmjdvx03ij56.cloudfront.net 18 | d36nr0u3xmc4mm.cloudfront.net 19 | d3aqoihi2n8ty8.cloudfront.net 20 | d3c27h4odz752x.cloudfront.net 21 | d3vd9lfkzbru3h.cloudfront.net 22 | d6d4ismr40iw.cloudfront.net 23 | d6tizftlrpuof.cloudfront.net 24 | dashboard.twitch.tv 25 | ddacn6pr5v0tl.cloudfront.net 26 | developer.twitch.tv 27 | dgeft87wbj63p.cloudfront.net 28 | dqrpb9wgowsf5.cloudfront.net 29 | ds0h3roq6wcgc.cloudfront.net 30 | dykkng5hnh52u.cloudfront.net 31 | ext-twitch.tv 32 | help.twitch.tv 33 | jtvnw.net 34 | live-video.net 35 | m.twitch.tv 36 | passport.twitch.tv 37 | player.twitch.tv 38 | status.twitch.tv 39 | ttvnw.net 40 | twitch.tv 41 | twitchadvertising.tv 42 | twitchcdn.net 43 | twitchcon.com 44 | twitchsvc.net 45 | vod-secure.twitch.tv -------------------------------------------------------------------------------- /lists/list-youtube.txt: -------------------------------------------------------------------------------- 1 | 1e100.net 2 | ggpht.com 3 | googleusercontent.com 4 | googlevideo.com 5 | gstatic.com 6 | gvt1.com 7 | l.google.com 8 | m.youtube.com 9 | nhacmp3youtube.com 10 | play.google.com 11 | wide-youtube.l.google.com 12 | www.youtube.com 13 | youtu.be 14 | youtube-nocookie.com 15 | youtube-studio.com 16 | youtube-ui.l.google.com 17 | youtube.be 18 | youtube.ca 19 | youtube.co 20 | youtube.co.in 21 | youtube.co.uk 22 | youtube.com 23 | youtube.com.au 24 | youtube.com.br 25 | youtube.com.mx 26 | youtube.com.tr 27 | youtube.com.ua 28 | youtube.de 29 | youtube.es 30 | youtube.fr 31 | youtube.googleapis.com 
32 | youtube.jp 33 | youtube.nl 34 | youtube.pl 35 | youtube.pt 36 | youtube.ru 37 | youtubeapi.com 38 | youtubechildren.com 39 | youtubecommunity.com 40 | youtubecreators.com 41 | youtubeeducation.com 42 | youtubeembeddedplayer.googleapis.com 43 | youtubei.googleapis.com 44 | youtubekids.com 45 | yt-video-upload.l.google.com 46 | yt.be 47 | yt3.ggpht.com 48 | ytimg.com 49 | 10tv.app 50 | 7tv.app 51 | 7tv.gg 52 | 7tv.io 53 | api.7tv.app 54 | cdn.7tv.app 55 | cdn.7tv.gg 56 | emotes.7tv.app 57 | events.7tv.app 58 | static.7tv.app 59 | betterttv.net 60 | frankerfacez.com 61 | cdn.betterttv.net 62 | cdn2.frankerfacez.com 63 | cdn.frankerfacez.com 64 | api.ffzap.com 65 | api.frankerfacez.com -------------------------------------------------------------------------------- /lists/list-nvidia.txt: -------------------------------------------------------------------------------- 1 | blogs.nvidia.com 2 | developer.nvidia.com 3 | forums.developer.nvidia.com 4 | geforce.cn 5 | geforce.co.kr 6 | geforce.co.uk 7 | geforce.com 8 | geforce.com.tw 9 | gputechconf.cn 10 | gputechconf.co.kr 11 | gputechconf.com 12 | gputechconf.com.au 13 | gputechconf.com.tw 14 | gputechconf.eu 15 | gputechconf.in 16 | gputechconf.jp 17 | images.nvidia.com 18 | international.nvidia.com 19 | news.developer.nvidia.com 20 | nvapi.nvidia.com 21 | nvidia.asia 22 | nvidia.at 23 | nvidia.be 24 | nvidia.ch 25 | nvidia.cn 26 | nvidia.co.at 27 | nvidia.co.in 28 | nvidia.co.jp 29 | nvidia.co.kr 30 | nvidia.co.uk 31 | nvidia.com 32 | nvidia.com.au 33 | nvidia.com.br 34 | nvidia.com.mx 35 | nvidia.com.pe 36 | nvidia.com.pl 37 | nvidia.com.tr 38 | nvidia.com.tw 39 | nvidia.com.ua 40 | nvidia.com.ve 41 | nvidia.cz 42 | nvidia.de 43 | nvidia.dk 44 | nvidia.es 45 | nvidia.eu 46 | nvidia.fi 47 | nvidia.fr 48 | nvidia.in 49 | nvidia.it 50 | nvidia.jp 51 | nvidia.lu 52 | nvidia.mx 53 | nvidia.nl 54 | nvidia.no 55 | nvidia.pl 56 | nvidia.ro 57 | nvidia.ru 58 | nvidia.se 59 | nvidia.tt.omtrdc.net 60 | nvidia.tw 61 | 
nvidiaforhp.com 62 | nvidiagrid.net 63 | nvidianews.nvidia.com 64 | partners.nvidia.com 65 | research.nvidia.com 66 | ru.download.nvidia.com 67 | ru.geforce.com 68 | shield.nvidia.com 69 | shotwithgeforce.com 70 | store.nvidia.com 71 | tegrazone.co 72 | tegrazone.co.kr 73 | tegrazone.com 74 | tegrazone.jp 75 | tegrazone.kr 76 | us.download.nvidia.com -------------------------------------------------------------------------------- /lists/list-instagram.txt: -------------------------------------------------------------------------------- 1 | achat-followers-instagram.com 2 | acheter-followers-instagram.com 3 | acheterdesfollowersinstagram.com 4 | acheterfollowersinstagram.com 5 | bookstagram.com 6 | carstagram.com 7 | cdninstagram.com 8 | chickstagram.com 9 | ig.me 10 | igcdn.com 11 | igsonar.com 12 | igtv.com 13 | imstagram.com 14 | imtagram.com 15 | instaadder.com 16 | instachecker.com 17 | instafallow.com 18 | instafollower.com 19 | instagainer.com 20 | instagda.com 21 | instagify.com 22 | instagmania.com 23 | instagor.com 24 | instagram-brand.com 25 | instagram-engineering.com 26 | instagram-help.com 27 | instagram-press.com 28 | instagram-press.net 29 | instagram.com 30 | instagramci.com 31 | instagramcn.com 32 | instagramdi.com 33 | instagramhashtags.net 34 | instagramhilecim.com 35 | instagramhilesi.org 36 | instagramium.com 37 | instagramizlenme.com 38 | instagramkusu.com 39 | instagramlogin.com 40 | instagramm.com 41 | instagramn.com 42 | instagrampartners.com 43 | instagramphoto.com 44 | instagramq.com 45 | instagramsepeti.com 46 | instagramtakipcisatinal.net 47 | instagramtakiphilesi.com 48 | instagramtips.com 49 | instagramtr.com 50 | instagran.com 51 | instagranm.com 52 | instagrem.com 53 | instagrm.com 54 | instagtram.com 55 | instagy.com 56 | instamgram.com 57 | instangram.com 58 | instanttelegram.com 59 | instaplayer.net 60 | instastyle.tv 61 | instgram.com 62 | intagram.com 63 | intagrm.com 64 | intgram.com 65 | kingstagram.com 66 | 
lnstagram-help.com 67 | oninstagram.com 68 | online-instagram.com 69 | onlineinstagram.com 70 | theinstagramhack.com 71 | web-instagram.net 72 | wwwinstagram.com -------------------------------------------------------------------------------- /lists/list-steam.txt: -------------------------------------------------------------------------------- 1 | cdn.akamai.steamstatic.com 2 | cdn.cloudflare.steamstatic.com 3 | cdn.edgecast.steamstatic.com 4 | cdn.highwinds.steamstatic.com 5 | cdn.steampipe.steamcontent.com 6 | cdn.steampowered.com 7 | cdn.steamstatic.com 8 | csgo.wmsj.cn 9 | dl.steam.clngaa.com 10 | dl.steam.ksyna.com 11 | dota2.wmsj.cn 12 | edge.steam-dns.top.comcast.net 13 | help.steampowered.com 14 | media.steampowered.com 15 | partner.steamgames.com 16 | playartifact.com 17 | s.team 18 | st.dl.bscstorage.net 19 | st.dl.eccdnx.com 20 | st.dl.pinyuncloud.com 21 | steam-api.com 22 | steam-chat.com 23 | steam.apac.qtlglb.com 24 | steam.cdn.on.net 25 | steam.cdn.orcon.net.nz 26 | steam.cdn.slingshot.co.nz 27 | steam.cdn.webra.ru 28 | steam.eca.qtlglb.com 29 | steam.naeu.qtlglb.com 30 | steam.ru.qtlglb.com 31 | steam.tv 32 | steamapi.com 33 | steambroadcast-l3-prod-prd.steamos.cloud 34 | steambroadcast.akamaized.net 35 | steambroadcast.steampowered.com 36 | steambroadcastmedia-a.akamaihd.net 37 | steamcdn-a.akamaihd.net 38 | steamchina.com 39 | steamcommunity-a.akamaihd.net 40 | steamcommunity.com 41 | steamcontent.com 42 | steamdeck.com 43 | steamgames.com 44 | steamgift.com 45 | steaminfra.com 46 | steammobile.akamaized.net 47 | steampipe-kr.akamaized.net 48 | steampipe-partner.akamaized.net 49 | steampipe.akamaized.net 50 | steampipe.steamcontent.tnkjmec.com 51 | steampowered.cn 52 | steampowered.com 53 | steampowered.com.8686c.com 54 | steamserver.net 55 | steamstatic.cn 56 | steamstatic.com 57 | steamstatic.com.8686c.com 58 | steamstore-a.akamaihd.net 59 | steamstore.com 60 | steamtracker.com 61 | steamusercontent-a.akamaihd.net 62 | steamusercontent.com 63 | 
steamuserimages-a.akamaihd.net 64 | steamvideo-a.akamaihd.net 65 | store.steampowered.com 66 | underlords.com 67 | valvesoftware.com 68 | wmsjsteam.com 69 | xz.pphimalayanrt.com -------------------------------------------------------------------------------- /configurations/DiscordFix: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. 
"-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 
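NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# AUTOHOSTLIST_RETRANS_THRESHOLD is assigned earlier in this file; the arithmetic below needs it to be set.
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# the value is a single double-quoted string with one profile per line, separated by --new.
# paths are written without inner double quotes (they would end and reopen the outer string),
# and lines are not joined with "^" : that is a cmd.exe continuation, a POSIX shell keeps it
# as a literal word inside the option string.
# NOTE(review): the udp 50000-65535 profile carries no --hostlist, so it is not limited to the listed hosts.
# NOTE(review): no hostlist placeholder is used below, so MODE_FILTER presumably does not change
# which hostlist these profiles use - confirm against the init scripts.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin
"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN.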
default wans are interfaces with default route 104 | #OPENWRT_WAN4="wan vpn" 105 | #OPENWRT_WAN6="wan6 vpn6" 106 | 107 | # for routers based on desktop linux and macos. has no effect in openwrt. 108 | # CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES 109 | # or leave them commented if it's not a router 110 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 111 | # if IFACE_WAN6 is not defined it takes the value of IFACE_WAN 112 | #IFACE_LAN= 113 | #IFACE_WAN= 114 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 115 | 116 | # should start/stop command of init scripts apply firewall rules ? 117 | # not applicable to openwrt with firewall3+iptables 118 | INIT_APPLY_FW=1 119 | # firewall apply hooks 120 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 121 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 122 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 123 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 124 | 125 | # do not work with ipv4 126 | #DISABLE_IPV4=1 127 | # do not work with ipv6 128 | DISABLE_IPV6=1 129 | 130 | # select which init script will be used to get ip or host list 131 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 132 | # comment if not required 133 | #GETLIST= 134 | -------------------------------------------------------------------------------- /configurations/DiscordFix_для_МГТС: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat.
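# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
#POSTNAT=0

# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
# NOTE(review): when enabled the listener is reachable from the LAN per the line above; it is left disabled here.
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
# NOTE(review): no placeholder appears in the value below (same for TPWS_OPT); if one was intended,
# these profiles are not limited by the hostlists - confirm.
TPWS_SOCKS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

TPWS_ENABLE=0
TPWS_PORTS=80,443
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# the value is a single double-quoted string with one profile per line, separated by --new.
# paths are written without inner double quotes (they would end and reopen the outer string),
# and lines are not joined with "^" : that is a cmd.exe continuation, a POSIX shell keeps it
# as a literal word inside the option string.
# NOTE(review): the udp 50000-65535 profile carries no --hostlist, so it is not limited to the listed hosts.
# NOTE(review): no hostlist placeholder is used below, so MODE_FILTER presumably does not change
# which hostlist these profiles use - confirm against the init scripts.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --dpi-desync=fake,tamper --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin
"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.
# CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES
# or leave them commented if it's not a router
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
# if IFACE_WAN6 is not defined it takes the value of IFACE_WAN
#IFACE_LAN=
#IFACE_WAN=
#IFACE_WAN6="ipsec0 wireguard0 he_net"

# should start/stop command of init scripts apply firewall rules ?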
117 | # not applicable to openwrt with firewall3+iptables 118 | INIT_APPLY_FW=1 119 | # firewall apply hooks 120 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 121 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 122 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 123 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 124 | 125 | # do not work with ipv4 126 | #DISABLE_IPV4=1 127 | # do not work with ipv6 128 | DISABLE_IPV6=1 129 | 130 | # select which init script will be used to get ip or host list 131 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 132 | # comment if not required 133 | #GETLIST= 134 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT_v5: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. 
"-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 
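NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# AUTOHOSTLIST_RETRANS_THRESHOLD is assigned earlier in this file and must already be set here,
# otherwise the arithmetic expansion below has no right-hand operand
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# one double-quoted string, one nfqws profile per line, profiles separated by --new.
# paths carry no inner double quotes : a nested quote closes the outer string, which only works while the path has no whitespace
# no cmd.exe-style "^" continuations : sh keeps "^" as literal text, so it would presumably reach nfqws as a stray argument
# NOTE(review): no hostlist marker is visible in this value, so MODE_FILTER below may not influence it - confirm
# NOTE(review): ipset-discord.txt is passed via --hostlist ; confirm the file exists at that path and holds host names, not IP ranges
# NOTE(review): the last profile has no --hostlist, so it is not limited to listed hosts - confirm this is intended
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-l3=ipv4 --filter-tcp=443 --dpi-desync=syndata"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN.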
default wans are interfaces with default route 105 | #OPENWRT_WAN4="wan vpn" 106 | #OPENWRT_WAN6="wan6 vpn6" 107 | 108 | # for routers based on desktop linux and macos. has no effect in openwrt. 109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/discord: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 
# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
#POSTNAT=0

# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
# SET_MAXELEM must be assigned before this line : it is expanded here, at assignment time
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
# NOTE(review): a hook set here is presumably run by the ipset scripts with their privileges ; keep the file root-owned and not writable by others
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
# left at 0 here ; when set to 1 the host names that triggered autohostlist end up in that file
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
# NOTE(review): whatever is set here is executed as a command after a list update ; use a fixed, trusted command line
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
# 0x40000000 is bit 30 and 0x20000000 is bit 29 of the packet mark
# NOTE(review): make sure no other firewall or policy-routing rule on the box uses the same mark bits
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# socks mode of tpws is switched off in this configuration
TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
# NOTE(review): the options below configure no authentication, so if this is enabled any LAN host that reaches the port can presumably use the proxy - confirm before enabling
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_SOCKS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# transparent mode of tpws is switched off in this configuration
TPWS_ENABLE=0
TPWS_PORTS=80,443
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# nfqws is the only one of the three modes enabled in this configuration
NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# with AUTOHOSTLIST_RETRANS_THRESHOLD=3 as set above, both PKT_OUT values evaluate to 9
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
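#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# one double-quoted string, one nfqws profile per line, profiles separated by --new.
# paths carry no inner double quotes : a nested quote closes the outer string, which only works while the path has no whitespace
# no cmd.exe-style "^" continuations : sh keeps "^" as literal text, so it would presumably reach nfqws as a stray argument
# NOTE(review): no hostlist marker is visible in this value, so MODE_FILTER below may not influence it - confirm
# NOTE(review): ipset-discord.txt is passed via --hostlist ; confirm the file exists at that path and holds host names, not IP ranges
# NOTE(review): NFQWS_PORTS_UDP earlier in this file redirects 50000-65535 while the second profile filters only 50000-50100 - confirm which range is meant
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-50100 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.
# CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES
# or leave them commented if its not router
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
#IFACE_LAN=
#IFACE_WAN=
#IFACE_WAN6="ipsec0 wireguard0 he_net"

# should start/stop command of init scripts apply firewall rules ?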
117 | # not applicable to openwrt with firewall3+iptables 118 | INIT_APPLY_FW=1 119 | # firewall apply hooks 120 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 121 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 122 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 123 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 124 | 125 | # do not work with ipv4 126 | #DISABLE_IPV4=1 127 | # do not work with ipv6 128 | DISABLE_IPV6=1 129 | 130 | # select which init script will be used to get ip or host list 131 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 132 | # comment if not required 133 | #GETLIST= 134 | -------------------------------------------------------------------------------- /configurations/fix_v3: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. 
"-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 
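NFQWS_PORTS_TCP=80,443,50000-50099
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# AUTOHOSTLIST_RETRANS_THRESHOLD is assigned earlier in this file and must already be set here,
# otherwise the arithmetic expansion below has no right-hand operand
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# one double-quoted string, one nfqws profile per line, profiles separated by --new.
# paths carry no inner double quotes : a nested quote closes the outer string, which only works while the path has no whitespace
# no cmd.exe-style "^" continuations : sh keeps "^" as literal text, so it would presumably reach nfqws as a stray argument
# NOTE(review): no hostlist marker is visible in this value, so MODE_FILTER below may not influence it - confirm
# NOTE(review): NFQWS_PORTS_TCP redirects 50000-50099 but no profile filters those TCP ports, and the
# second profile filters UDP 80 which NFQWS_PORTS_UDP does not redirect - confirm the port lists
# NOTE(review): the third profile has no --hostlist ; it is limited only by port range and --filter-l7
NFQWS_OPT="
--filter-tcp=80,443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1 --dpi-desync-ttl=4 --dpi-desync-fake-tls=0x00000000 --dpi-desync-fake-tls=! --dpi-desync-fake-tls-mod=rnd,rndsni --new
--filter-udp=80,443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1 --dpi-desync-ttl=4 --dpi-desync-fake-tls=0x00000000 --dpi-desync-fake-tls=! --dpi-desync-fake-tls-mod=rnd,rndsni,dupsid --new
--filter-udp=50000-50099 --filter-l7=discord,stun --dpi-desync=fake"


# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN.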
default is "lan" 104 | #OPENWRT_LAN="lan lan2 lan3" 105 | # openwrt: specify networks to be treated as WAN. default wans are interfaces with default route 106 | #OPENWRT_WAN4="wan vpn" 107 | #OPENWRT_WAN6="wan6 vpn6" 108 | 109 | # for routers based on desktop linux and macos. has no effect in openwrt. 110 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 111 | # or leave them commented if its not router 112 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 113 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 114 | #IFACE_LAN= 115 | #IFACE_WAN= 116 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 117 | 118 | # should start/stop command of init scripts apply firewall rules ? 119 | # not applicable to openwrt with firewall3+iptables 120 | INIT_APPLY_FW=1 121 | # firewall apply hooks 122 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 123 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 124 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 125 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 126 | 127 | # do not work with ipv4 128 | #DISABLE_IPV4=1 129 | # do not work with ipv6 130 | DISABLE_IPV6=1 131 | 132 | # select which init script will be used to get ip or host list 133 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 134 | # comment if not required 135 | #GETLIST= 136 | -------------------------------------------------------------------------------- /configurations/general_МГТС2: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. 
# required on Keenetic
# NOTE(review): left commented, so the daemons run as whatever user the init scripts default to (not shown here) ; prefer an unprivileged account
#WS_USER=nobody

# override firewall type : iptables,nftables,ipfw
FWTYPE=iptables
# nftables only : set this to 0 to use pre-nat mode. default is post-nat.
# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
#POSTNAT=0

# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
# SET_MAXELEM must be assigned before this line : it is expanded here, at assignment time
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
# NOTE(review): a hook set here is presumably run by the ipset scripts with their privileges ; keep the file root-owned and not writable by others
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
# left at 0 here ; when set to 1 the host names that triggered autohostlist end up in that file
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
# NOTE(review): whatever is set here is executed as a command after a list update ; use a fixed, trusted command line
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
# 0x40000000 is bit 30 and 0x20000000 is bit 29 of the packet mark
# NOTE(review): make sure no other firewall or policy-routing rule on the box uses the same mark bits
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# socks mode of tpws is switched off in this configuration
TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
# NOTE(review): the options below configure no authentication, so if this is enabled any LAN host that reaches the port can presumably use the proxy - confirm before enabling
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_SOCKS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# transparent mode of tpws is switched off in this configuration
TPWS_ENABLE=0
TPWS_PORTS=80,443
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# nfqws is the only one of the three modes enabled in this configuration
NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# with AUTOHOSTLIST_RETRANS_THRESHOLD=3 as set above, both PKT_OUT values evaluate to 9
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
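#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# one double-quoted string, one nfqws profile per line, profiles separated by --new.
# paths carry no inner double quotes : a nested quote closes the outer string, which only works while the path has no whitespace
# no cmd.exe-style "^" continuations : sh keeps "^" as literal text, so it would presumably reach nfqws as a stray argument
# NOTE(review): no hostlist marker is visible in this value, so MODE_FILTER below may not influence it - confirm
# NOTE(review): the second profile has no --hostlist and sets --dpi-desync-any-protocol, so it covers
# every UDP flow to ports 50000-65535 that is redirected here - confirm this is intended
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.
# CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES
# or leave them commented if its not router
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
#IFACE_LAN=
#IFACE_WAN=
#IFACE_WAN6="ipsec0 wireguard0 he_net"

# should start/stop command of init scripts apply firewall rules ?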
118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/GeneralFix_ALT3: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. 
"-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 
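NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# AUTOHOSTLIST_RETRANS_THRESHOLD is assigned earlier in this file and must already be set here,
# otherwise the arithmetic expansion below has no right-hand operand
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# one double-quoted string, one nfqws profile per line, profiles separated by --new.
# paths carry no inner double quotes : a nested quote closes the outer string, which only works while the path has no whitespace
# no cmd.exe-style "^" continuations : sh keeps "^" as literal text, so it would presumably reach nfqws as a stray argument
# NOTE(review): no hostlist marker is visible in this value, so MODE_FILTER below may not influence it - confirm
# NOTE(review): ipset-discord.txt is passed via --hostlist ; confirm the file exists at that path and holds host names, not IP ranges
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=split --dpi-desync-split-pos=1 --dpi-desync-autottl --dpi-desync-fooling=badseq --dpi-desync-repeats=8"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN.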
default is "lan" 103 | #OPENWRT_LAN="lan lan2 lan3" 104 | # openwrt: specify networks to be treated as WAN. default wans are interfaces with default route 105 | #OPENWRT_WAN4="wan vpn" 106 | #OPENWRT_WAN6="wan6 vpn6" 107 | 108 | # for routers based on desktop linux and macos. has no effect in openwrt. 109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT_v3: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. 
# required on Keenetic
# NOTE(review): the default daemon user is not shown in this file; verify the daemons do not end up running as root
#WS_USER=nobody

# override firewall type : iptables,nftables,ipfw
FWTYPE=iptables
# nftables only : set this to 0 to use pre-nat mode. default is post-nat.
# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
#POSTNAT=0

# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
# maxelem is taken from SET_MAXELEM so the two limits stay in sync
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
# NOTE(review): presumably run by the ipset scripts with their privileges; if enabled, keep the hook root-owned and not writable by other users
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
# NOTE(review): units are not stated here; FAIL_TIME looks like seconds - confirm against the nfqws documentation
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
# these bits must not collide with fwmark bits used by other firewall or policy-routing rules on the host
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# socks mode is switched off in this preset
TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
# NOTE(review): once enabled the port is reachable from the LAN; check whether it has to be firewalled to trusted clients
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_SOCKS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# transparent tpws mode is switched off in this preset
TPWS_ENABLE=0
TPWS_PORTS=80,443
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# nfqws is the only daemon this preset enables
NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# with AUTOHOSTLIST_RETRANS_THRESHOLD=3 above, both *_PKT_OUT values evaluate to 9
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
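#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws option string, four profiles separated by --new :
#   1. UDP 443         : fake packets built from the bundled QUIC initial, hosts from zapret-hosts-user.txt
#   2. UDP 50000-65535 : fake packets for any protocol, cut off by --dpi-desync-cutoff=d3
#   3. TCP 80          : fake + split2, md5sig fooling
#   4. TCP 443         : fake + split at position 1, badseq fooling
# This file is included from sh init scripts. The cmd.exe "^" line continuations were
# removed: sh does not interpret them, so each one reached nfqws as a stray literal argument.
# The inner double quotes were dropped as well: they only closed and reopened the outer
# string, and none of the paths contains whitespace.
# The hostlist and fake-payload files are read by a daemon that the init scripts start;
# keep them root-owned and not writable by other users.
# NOTE(review): profile 2 hands ipset-discord.txt to --hostlist. the name suggests an IP list;
# confirm the file is installed at this path and that a hostlist filter is what is intended.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split --dpi-desync-split-pos=1 --dpi-desync-autottl --dpi-desync-fooling=badseq --dpi-desync-repeats=8"
# none,ipset,hostlist,autohostlist
# NOTE(review): NFQWS_OPT above hard-codes --hostlist paths instead of the placeholders,
# so this setting presumably adds no auto hostlist to these profiles - confirm against the init scripts
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.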
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/general_МГТС: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
# also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
# maxelem is taken from SET_MAXELEM so the two limits stay in sync
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
# NOTE(review): presumably run by the ipset scripts with their privileges; if enabled, keep the hook root-owned and not writable by other users
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
# NOTE(review): units are not stated here; FAIL_TIME looks like seconds - confirm against the nfqws documentation
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
# these bits must not collide with fwmark bits used by other firewall or policy-routing rules on the host
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# socks mode is switched off in this preset
TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
# NOTE(review): once enabled the port is reachable from the LAN; check whether it has to be firewalled to trusted clients
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_SOCKS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# transparent tpws mode is switched off in this preset
TPWS_ENABLE=0
TPWS_PORTS=80,443
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# nfqws is the only daemon this preset enables
NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# with AUTOHOSTLIST_RETRANS_THRESHOLD=3 above, both *_PKT_OUT values evaluate to 9
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
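#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws option string, four profiles separated by --new :
#   1. UDP 443         : fake packets built from the bundled QUIC initial, hosts from zapret-hosts-user.txt
#   2. UDP 50000-65535 : fake packets for any protocol, cut off by --dpi-desync-cutoff=d3
#   3. TCP 80          : fake + split2, md5sig fooling
#   4. TCP 443         : fake packets built from the bundled TLS ClientHello, badseq fooling
# This file is included from sh init scripts. The cmd.exe "^" line continuations were
# removed: sh does not interpret them, so each one reached nfqws as a stray literal argument.
# The inner double quotes were dropped as well: they only closed and reopened the outer
# string, and none of the paths contains whitespace.
# The hostlist and fake-payload files are read by a daemon that the init scripts start;
# keep them root-owned and not writable by other users.
# NOTE(review): profile 2 has no --hostlist and sets --dpi-desync-any-protocol, so it is not
# limited to one service: every UDP flow on ports 50000-65535 is modified until the cutoff.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
# NOTE(review): NFQWS_OPT above hard-codes --hostlist paths instead of the placeholders,
# so this setting presumably adds no auto hostlist to these profiles - confirm against the init scripts
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.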
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/general_old: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
# also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
# maxelem is taken from SET_MAXELEM so the two limits stay in sync
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
# NOTE(review): presumably run by the ipset scripts with their privileges; if enabled, keep the hook root-owned and not writable by other users
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
# NOTE(review): units are not stated here; FAIL_TIME looks like seconds - confirm against the nfqws documentation
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
# these bits must not collide with fwmark bits used by other firewall or policy-routing rules on the host
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# socks mode is switched off in this preset
TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
# NOTE(review): once enabled the port is reachable from the LAN; check whether it has to be firewalled to trusted clients
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_SOCKS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# transparent tpws mode is switched off in this preset
TPWS_ENABLE=0
TPWS_PORTS=80,443
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# nfqws is the only daemon this preset enables
NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# with AUTOHOSTLIST_RETRANS_THRESHOLD=3 above, both *_PKT_OUT values evaluate to 9
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
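#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws option string, four profiles separated by --new :
#   1. UDP 443         : fake packets built from the bundled QUIC initial, hosts from zapret-hosts-user.txt
#   2. UDP 50000-65535 : fake packets for any protocol, cut off by --dpi-desync-cutoff=d3
#   3. TCP 80          : fake + split2, md5sig fooling
#   4. TCP 443         : fake + split with the bundled TLS ClientHello, badseq fooling
# This file is included from sh init scripts. The cmd.exe "^" line continuations were
# removed: sh does not interpret them, so each one reached nfqws as a stray literal argument.
# The inner double quotes were dropped as well: they only closed and reopened the outer
# string, and none of the paths contains whitespace.
# The hostlist and fake-payload files are read by a daemon that the init scripts start;
# keep them root-owned and not writable by other users.
# NOTE(review): profile 2 has no --hostlist and sets --dpi-desync-any-protocol, so it is not
# limited to one service: every UDP flow on ports 50000-65535 is modified until the cutoff.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
# NOTE(review): NFQWS_OPT above hard-codes --hostlist paths instead of the placeholders,
# so this setting presumably adds no auto hostlist to these profiles - confirm against the init scripts
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.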
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/GeneralFix_ALT4: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
# also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
# maxelem is taken from SET_MAXELEM so the two limits stay in sync
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
# NOTE(review): presumably run by the ipset scripts with their privileges; if enabled, keep the hook root-owned and not writable by other users
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
# NOTE(review): units are not stated here; FAIL_TIME looks like seconds - confirm against the nfqws documentation
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
# these bits must not collide with fwmark bits used by other firewall or policy-routing rules on the host
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# socks mode is switched off in this preset
TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
# NOTE(review): once enabled the port is reachable from the LAN; check whether it has to be firewalled to trusted clients
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_SOCKS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# transparent tpws mode is switched off in this preset
TPWS_ENABLE=0
TPWS_PORTS=80,443
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# nfqws is the only daemon this preset enables
NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# with AUTOHOSTLIST_RETRANS_THRESHOLD=3 above, both *_PKT_OUT values evaluate to 9
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
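#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws option string, four profiles separated by --new :
#   1. UDP 443         : fake packets built from the bundled QUIC initial, hosts from zapret-hosts-user.txt
#   2. UDP 50000-65535 : fake packets for any protocol, 8 repeats, cut off by --dpi-desync-cutoff=d3
#   3. TCP 80          : fake + split2, md5sig fooling
#   4. TCP 443         : fake + split2 with the bundled TLS ClientHello, md5sig fooling
# This file is included from sh init scripts. The cmd.exe "^" line continuations were
# removed: sh does not interpret them, so each one reached nfqws as a stray literal argument.
# The inner double quotes were dropped as well: they only closed and reopened the outer
# string, and none of the paths contains whitespace.
# The hostlist and fake-payload files are read by a daemon that the init scripts start;
# keep them root-owned and not writable by other users.
# NOTE(review): profile 2 hands ipset-discord.txt to --hostlist. the name suggests an IP list;
# confirm the file is installed at this path and that a hostlist filter is what is intended.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=8 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-repeats=6 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
# NOTE(review): NFQWS_OPT above hard-codes --hostlist paths instead of the placeholders,
# so this setting presumably adds no auto hostlist to these profiles - confirm against the init scripts
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.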
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT_v4: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
# also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
# maxelem is taken from SET_MAXELEM so the two limits stay in sync
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
# NOTE(review): presumably run by the ipset scripts with their privileges; if enabled, keep the hook root-owned and not writable by other users
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
# NOTE(review): units are not stated here; FAIL_TIME looks like seconds - confirm against the nfqws documentation
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
# these bits must not collide with fwmark bits used by other firewall or policy-routing rules on the host
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# socks mode is switched off in this preset
TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
# NOTE(review): once enabled the port is reachable from the LAN; check whether it has to be firewalled to trusted clients
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_SOCKS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# transparent tpws mode is switched off in this preset
TPWS_ENABLE=0
TPWS_PORTS=80,443
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# nfqws is the only daemon this preset enables
NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443,50000-65535
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
# with AUTOHOSTLIST_RETRANS_THRESHOLD=3 above, both *_PKT_OUT values evaluate to 9
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
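#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws option string, four profiles separated by --new :
#   1. UDP 443         : fake packets built from the bundled QUIC initial, hosts from zapret-hosts-user.txt
#   2. UDP 50000-65535 : fake packets for any protocol, 6 repeats, cut off by --dpi-desync-cutoff=d3
#   3. TCP 80          : fake + split2, md5sig fooling
#   4. TCP 443         : fake + split2 with the bundled TLS ClientHello, md5sig fooling
# This file is included from sh init scripts. The cmd.exe "^" line continuations were
# removed: sh does not interpret them, so each one reached nfqws as a stray literal argument.
# The inner double quotes were dropped as well: they only closed and reopened the outer
# string, and none of the paths contains whitespace.
# The hostlist and fake-payload files are read by a daemon that the init scripts start;
# keep them root-owned and not writable by other users.
# NOTE(review): profile 2 hands ipset-discord.txt to --hostlist. the name suggests an IP list;
# confirm the file is installed at this path and that a hostlist filter is what is intended.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-repeats=6 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
# NOTE(review): NFQWS_OPT above hard-codes --hostlist paths instead of the placeholders,
# so this setting presumably adds no auto hostlist to these profiles - confirm against the init scripts
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.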
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/GeneralFix: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces. NOTE(review): when enabled, the proxy port is reachable from every host on the LAN interfaces - confirm the LAN is trusted or restrict access 52 | TPPORT_SOCKS=987 53 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): no placeholder appears in the value below; if the repository file has one, this listing has dropped it - compare before use 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): no placeholder appears in the value below; if the repository file has one, this listing has dropped it - compare before use 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical examples are plain HTTP keep-alives 85 | # this mode can be very CPU consuming. enable with care !
86 | #NFQWS_PORTS_TCP_KEEPALIVE=80 87 | #NFQWS_PORTS_UDP_KEEPALIVE= 88 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 89 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 90 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): as shown here NFQWS_OPT names fixed --hostlist files instead of these placeholders, so MODE_FILTER presumably does not affect it - confirm. The ^ ending each profile line looks like cmd.exe line continuation; in sh it is a literal character of the value - verify nfqws does not get it as a stray argument. The inner double quotes close and reopen the outer string and are harmless only because the paths have no spaces. ipset-discord.txt is given to --hostlist although its name suggests an IP list - confirm the file content matches the option 91 | NFQWS_OPT=" 92 | --filter-udp=443 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="/opt/zapret/files/fake/quic_initial_www_google_com.bin" --new ^ 93 | --filter-udp=50000-65535 --hostlist="/opt/zapret/ipset/ipset-discord.txt" --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new ^ 94 | --filter-tcp=80 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new ^ 95 | --filter-tcp=443 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"" 96 | # none,ipset,hostlist,autohostlist 97 | MODE_FILTER=autohostlist 98 | 99 | # openwrt only : donttouch,none,software,hardware 100 | FLOWOFFLOAD=donttouch 101 | 102 | # openwrt: specify networks to be treated as LAN. default is "lan" 103 | #OPENWRT_LAN="lan lan2 lan3" 104 | # openwrt: specify networks to be treated as WAN. default wans are interfaces with default route 105 | #OPENWRT_WAN4="wan vpn" 106 | #OPENWRT_WAN6="wan6 vpn6" 107 | 108 | # for routers based on desktop linux and macos. has no effect in openwrt.
109 | # CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if it's not a router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it takes the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks. NOTE(review): presumably run by the init scripts with their privileges - keep hook files owned by root and not writable by other users 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6. NOTE(review): presumably ipv6 traffic is then left unprocessed - confirm this is intended on dual-stack links 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required. NOTE(review): some of these scripts presumably fetch lists from external sources - review where a list comes from before letting it select traffic 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT_v2: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets.
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces. NOTE(review): when enabled, the proxy port is reachable from every host on the LAN interfaces - confirm the LAN is trusted or restrict access 52 | TPPORT_SOCKS=987 53 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): no placeholder appears in the value below; if the repository file has one, this listing has dropped it - compare before use 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): no placeholder appears in the value below; if the repository file has one, this listing has dropped it - compare before use 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical examples are plain HTTP keep-alives 85 | # this mode can be very CPU consuming. enable with care !
86 | #NFQWS_PORTS_TCP_KEEPALIVE=80 87 | #NFQWS_PORTS_UDP_KEEPALIVE= 88 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 89 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 90 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): as shown here NFQWS_OPT names fixed --hostlist files instead of these placeholders, so MODE_FILTER presumably does not affect it - confirm. The ^ ending each profile line looks like cmd.exe line continuation; in sh it is a literal character of the value - verify nfqws does not get it as a stray argument. The inner double quotes close and reopen the outer string and are harmless only because the paths have no spaces. ipset-discord.txt is given to --hostlist although its name suggests an IP list - confirm the file content matches the option 91 | NFQWS_OPT=" 92 | --filter-udp=443 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="/opt/zapret/files/fake/quic_initial_www_google_com.bin" --new ^ 93 | --filter-udp=50000-65535 --hostlist="/opt/zapret/ipset/ipset-discord.txt" --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new ^ 94 | --filter-tcp=80 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new ^ 95 | --filter-tcp=443 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=split2 --dpi-desync-split-seqovl=652 --dpi-desync-split-pos=2 --dpi-desync-split-seqovl-pattern="/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"" 96 | # none,ipset,hostlist,autohostlist 97 | MODE_FILTER=autohostlist 98 | 99 | # openwrt only : donttouch,none,software,hardware 100 | FLOWOFFLOAD=donttouch 101 | 102 | # openwrt: specify networks to be treated as LAN. default is "lan" 103 | #OPENWRT_LAN="lan lan2 lan3" 104 | # openwrt: specify networks to be treated as WAN. default wans are interfaces with default route 105 | #OPENWRT_WAN4="wan vpn" 106 | #OPENWRT_WAN6="wan6 vpn6" 107 | 108 | # for routers based on desktop linux and macos. has no effect in openwrt.
109 | # CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if it's not a router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it takes the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks. NOTE(review): presumably run by the init scripts with their privileges - keep hook files owned by root and not writable by other users 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6. NOTE(review): presumably ipv6 traffic is then left unprocessed - confirm this is intended on dual-stack links 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required. NOTE(review): some of these scripts presumably fetch lists from external sources - review where a list comes from before letting it select traffic 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/GeneralFix_ALT: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets.
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces. NOTE(review): when enabled, the proxy port is reachable from every host on the LAN interfaces - confirm the LAN is trusted or restrict access 52 | TPPORT_SOCKS=987 53 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): no placeholder appears in the value below; if the repository file has one, this listing has dropped it - compare before use 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): no placeholder appears in the value below; if the repository file has one, this listing has dropped it - compare before use 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical examples are plain HTTP keep-alives 85 | # this mode can be very CPU consuming. enable with care !
86 | #NFQWS_PORTS_TCP_KEEPALIVE=80 87 | #NFQWS_PORTS_UDP_KEEPALIVE= 88 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 89 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 90 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): as shown here NFQWS_OPT names fixed --hostlist files instead of these placeholders, so MODE_FILTER presumably does not affect it - confirm. The ^ ending each profile line looks like cmd.exe line continuation; in sh it is a literal character of the value - verify nfqws does not get it as a stray argument. The inner double quotes close and reopen the outer string and are harmless only because the paths have no spaces. ipset-discord.txt is given to --hostlist although its name suggests an IP list - confirm the file content matches the option 91 | NFQWS_OPT=" 92 | --filter-udp=443 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="/opt/zapret/files/fake/quic_initial_www_google_com.bin" --new ^ 93 | --filter-udp=50000-65535 --hostlist="/opt/zapret/ipset/ipset-discord.txt" --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new ^ 94 | --filter-tcp=80 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new ^ 95 | --filter-tcp=443 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake,split --dpi-desync-autottl=5 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"" 96 | # none,ipset,hostlist,autohostlist 97 | MODE_FILTER=autohostlist 98 | 99 | # openwrt only : donttouch,none,software,hardware 100 | FLOWOFFLOAD=donttouch 101 | 102 | # openwrt: specify networks to be treated as LAN. default is "lan" 103 | #OPENWRT_LAN="lan lan2 lan3" 104 | # openwrt: specify networks to be treated as WAN. default wans are interfaces with default route 105 | #OPENWRT_WAN4="wan vpn" 106 | #OPENWRT_WAN6="wan6 vpn6" 107 | 108 | # for routers based on desktop linux and macos. has no effect in openwrt.
109 | # CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if it's not a router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it takes the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks. NOTE(review): presumably run by the init scripts with their privileges - keep hook files owned by root and not writable by other users 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6. NOTE(review): presumably ipv6 traffic is then left unprocessed - confirm this is intended on dual-stack links 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required. NOTE(review): some of these scripts presumably fetch lists from external sources - review where a list comes from before letting it select traffic 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets.
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces. NOTE(review): when enabled, the proxy port is reachable from every host on the LAN interfaces - confirm the LAN is trusted or restrict access 52 | TPPORT_SOCKS=987 53 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): no placeholder appears in the value below; if the repository file has one, this listing has dropped it - compare before use 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): no placeholder appears in the value below; if the repository file has one, this listing has dropped it - compare before use 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical examples are plain HTTP keep-alives 85 | # this mode can be very CPU consuming. enable with care !
86 | #NFQWS_PORTS_TCP_KEEPALIVE=80 87 | #NFQWS_PORTS_UDP_KEEPALIVE= 88 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 89 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 90 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): as shown here NFQWS_OPT names fixed --hostlist files instead of these placeholders, so MODE_FILTER presumably does not affect it - confirm. The ^ ending each profile line looks like cmd.exe line continuation; in sh it is a literal character of the value - verify nfqws does not get it as a stray argument. The inner double quotes close and reopen the outer string and are harmless only because the paths have no spaces. ipset-discord.txt is given to --hostlist although its name suggests an IP list - confirm the file content matches the option 91 | NFQWS_OPT=" 92 | --filter-udp=443 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="/opt/zapret/files/fake/quic_initial_www_google_com.bin" --new ^ 93 | --filter-udp=50000-65535 --hostlist="/opt/zapret/ipset/ipset-discord.txt" --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new ^ 94 | --filter-tcp=80 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new ^ 95 | --filter-tcp=443 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake,split --dpi-desync-autottl=5 --dpi-desync-repeats=6 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"" 96 | # none,ipset,hostlist,autohostlist 97 | MODE_FILTER=autohostlist 98 | 99 | # openwrt only : donttouch,none,software,hardware 100 | FLOWOFFLOAD=donttouch 101 | 102 | # openwrt: specify networks to be treated as LAN. default is "lan" 103 | #OPENWRT_LAN="lan lan2 lan3" 104 | # openwrt: specify networks to be treated as WAN. default wans are interfaces with default route 105 | #OPENWRT_WAN4="wan vpn" 106 | #OPENWRT_WAN6="wan6 vpn6" 107 | 108 | # for routers based on desktop linux and macos. has no effect in openwrt.
109 | # CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if it's not a router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it takes the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks. NOTE(review): presumably run by the init scripts with their privileges - keep hook files owned by root and not writable by other users 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6. NOTE(review): presumably ipv6 traffic is then left unprocessed - confirm this is intended on dual-stack links 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required. NOTE(review): some of these scripts presumably fetch lists from external sources - review where a list comes from before letting it select traffic 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_для_МГТС: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets.
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces. NOTE(review): when enabled, the proxy port is reachable from every host on the LAN interfaces - confirm the LAN is trusted or restrict access 52 | TPPORT_SOCKS=987 53 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): no placeholder appears in the value below; if the repository file has one, this listing has dropped it - compare before use 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): no placeholder appears in the value below; if the repository file has one, this listing has dropped it - compare before use 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical examples are plain HTTP keep-alives 85 | # this mode can be very CPU consuming. enable with care !
86 | #NFQWS_PORTS_TCP_KEEPALIVE=80 87 | #NFQWS_PORTS_UDP_KEEPALIVE= 88 | # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir 89 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 90 | # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list. NOTE(review): as shown here NFQWS_OPT names fixed --hostlist files instead of these placeholders, so MODE_FILTER presumably does not affect it - confirm. The ^ ending each profile line looks like cmd.exe line continuation; in sh it is a literal character of the value - verify nfqws does not get it as a stray argument. The inner double quotes close and reopen the outer string and are harmless only because the paths have no spaces. ipset-discord.txt is given to --hostlist although its name suggests an IP list - confirm the file content matches the option 91 | NFQWS_OPT=" 92 | --filter-udp=443 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="/opt/zapret/files/fake/quic_initial_www_google_com.bin" --new ^ 93 | --filter-udp=50000-65535 --hostlist="/opt/zapret/ipset/ipset-discord.txt" --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new ^ 94 | --filter-tcp=80 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new ^ 95 | --filter-tcp=443 --hostlist="/opt/zapret/ipset/zapret-hosts-user.txt" --dpi-desync=fake --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"" 96 | # none,ipset,hostlist,autohostlist 97 | MODE_FILTER=autohostlist 98 | 99 | # openwrt only : donttouch,none,software,hardware 100 | FLOWOFFLOAD=donttouch 101 | 102 | # openwrt: specify networks to be treated as LAN. default is "lan" 103 | #OPENWRT_LAN="lan lan2 lan3" 104 | # openwrt: specify networks to be treated as WAN. default wans are interfaces with default route 105 | #OPENWRT_WAN4="wan vpn" 106 | #OPENWRT_WAN6="wan6 vpn6" 107 | 108 | # for routers based on desktop linux and macos. has no effect in openwrt.
109 | # CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if it's not a router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it takes the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks. NOTE(review): presumably run by the init scripts with their privileges - keep hook files owned by root and not writable by other users 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6. NOTE(review): presumably ipv6 traffic is then left unprocessed - confirm this is intended on dual-stack links 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required. NOTE(review): some of these scripts presumably fetch lists from external sources - review where a list comes from before letting it select traffic 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT_v6: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets.
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
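#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws options, one profile per line, profiles separated by --new.
# the profiles below name their hostlist files explicitly and use no placeholder.
# the newline inside the quoted string already separates arguments, so no
# line-continuation character is used : a cmd.exe style ^ is not shell syntax
# and would reach nfqws as a stray argument.
# paths are written without inner quotes : a nested " would end the outer string.
# NOTE(review): ipset-discord.txt is not among the files under lists/ in this
# repository's tree (list-discord.txt is) - confirm the file exists at this path.
# NOTE(review): the hostlist and fake payload files named here are read by the
# nfqws daemon; presumably they should not be writable by unprivileged users - verify on the target.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=8 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=8 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,disorder2 --dpi-desync-autottl=2 --dpi-desync-repeats=8 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin
"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.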
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT_v7: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
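#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws options, one profile per line, profiles separated by --new.
# the profiles below name their hostlist files explicitly and use no placeholder.
# the newline inside the quoted string already separates arguments, so no
# line-continuation character is used : a cmd.exe style ^ is not shell syntax
# and would reach nfqws as a stray argument.
# paths are written without inner quotes : a nested " would end the outer string.
# NOTE(review): ipset-discord.txt is not among the files under lists/ in this
# repository's tree (list-discord.txt is) - confirm the file exists at this path.
# NOTE(review): the hostlist and fake payload files named here are read by the
# nfqws daemon; presumably they should not be writable by unprivileged users - verify on the target.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=10 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d4 --dpi-desync-repeats=10 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=3 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,disorder2 --dpi-desync-autottl=3 --dpi-desync-repeats=10 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin
"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.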
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT_v9: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
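#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws options, one profile per line, profiles separated by --new.
# the profiles below name their hostlist files explicitly and use no placeholder.
# the newline inside the quoted string already separates arguments, so no
# line-continuation character is used : a cmd.exe style ^ is not shell syntax
# and would reach nfqws as a stray argument.
# paths are written without inner quotes : a nested " would end the outer string.
# NOTE(review): ipset-discord.txt is not among the files under lists/ in this
# repository's tree (list-discord.txt is) - confirm the file exists at this path.
# NOTE(review): the hostlist and fake payload files named here are read by the
# nfqws daemon; presumably they should not be writable by unprivileged users - verify on the target.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,tamper --dpi-desync-repeats=8 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake,disorder2 --dpi-desync-any-protocol --dpi-desync-cutoff=n4 --dpi-desync-repeats=8 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split --dpi-desync-autottl=3 --dpi-desync-fooling=badseq --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=split --dpi-desync-split-pos=2 --dpi-desync-autottl=3 --dpi-desync-repeats=8 --dpi-desync-fooling=badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin
"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.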
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_Universal: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
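#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws options, one profile per line, profiles separated by --new.
# every profile below names zapret-hosts-user.txt explicitly and uses no placeholder.
# the newline inside the quoted string already separates arguments, so no
# line-continuation character is used : a cmd.exe style ^ is not shell syntax
# and would reach nfqws as a stray argument.
# paths are written without inner quotes : a nested " would end the outer string.
# NOTE(review): the hostlist and fake payload files named here are read by the
# nfqws daemon; presumably they should not be writable by unprivileged users - verify on the target.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin --dpi-desync-split-pos=1
"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.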
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT_v8: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
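#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws options, one profile per line, profiles separated by --new.
# the profiles below name their hostlist files explicitly and use no placeholder.
# the newline inside the quoted string already separates arguments, so no
# line-continuation character is used : a cmd.exe style ^ is not shell syntax
# and would reach nfqws as a stray argument.
# paths are written without inner quotes : a nested " would end the outer string.
# NOTE(review): ipset-discord.txt is not among the files under lists/ in this
# repository's tree (list-discord.txt is) - confirm the file exists at this path.
# NOTE(review): the hostlist and fake payload files named here are read by the
# nfqws daemon; presumably they should not be writable by unprivileged users - verify on the target.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,disorder2 --dpi-desync-repeats=12 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake,tamper --dpi-desync-any-protocol --dpi-desync-cutoff=d5 --dpi-desync-repeats=12 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,disorder2 --dpi-desync-autottl=4 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=split2 --dpi-desync-split-pos=3 --dpi-desync-autottl=4 --dpi-desync-repeats=12 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin
"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.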
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/DiscordFix_ALT: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
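#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced with an empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# NFQWS_OPT is the nfqws option string: one profile per line, profiles separated by --new.
# The cmd.exe-style "^" that followed each --new is dropped: inside a double-quoted sh string
# it is literal text, so it would reach nfqws as a stray word (assuming the init scripts expand
# this variable unquoted - confirm). The inner double quotes around paths are dropped as well:
# in sh they closed and reopened the outer string and only worked because the paths contain no
# whitespace.
# NOTE(review): the udp 50000-65535 profile has no --hostlist restriction and sets
# --dpi-desync-any-protocol, so it is not limited to one service: every UDP flow to those
# ports that reaches the queue is handled by it.
# NOTE(review): the other profiles hard-code --hostlist paths instead of the markers above, so
# MODE_FILTER presumably does not change which hosts they match - confirm against the init scripts.
# NOTE(review): this file is sourced by the init scripts and names list/payload files under
# /opt/zapret; keep all of them writable by root only.
NFQWS_OPT="
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,disorder2 --dpi-desync-cutoff=d4 --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --dpi-desync=fake,tamper --dpi-desync-any-protocol --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,disorder2 --dpi-desync-autottl=1 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.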
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
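#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced with an empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# NFQWS_OPT is the nfqws option string: one profile per line, profiles separated by --new.
# The cmd.exe-style "^" that followed each --new is dropped: inside a double-quoted sh string
# it is literal text, so it would reach nfqws as a stray word (assuming the init scripts expand
# this variable unquoted - confirm). The inner double quotes around paths are dropped as well:
# in sh they closed and reopened the outer string and only worked because the paths contain no
# whitespace.
# NOTE(review): the second profile passes ipset-discord.txt to --hostlist; the repository's
# lists/ directory shows list-discord.txt but no ipset-discord.txt - confirm the file exists
# at this path and holds host names.
# NOTE(review): profiles hard-code --hostlist paths instead of the markers above, so MODE_FILTER
# presumably does not change which hosts they match - confirm against the init scripts.
# NOTE(review): this file is sourced by the init scripts and names list/payload files under
# /opt/zapret; keep all of them writable by root only.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.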
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/YoutubeFix_ALT: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
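#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced with an empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# NFQWS_OPT is the nfqws option string: one profile per line, profiles separated by --new.
# The cmd.exe-style "^" that followed each --new is dropped: inside a double-quoted sh string
# it is literal text, so it would reach nfqws as a stray word (assuming the init scripts expand
# this variable unquoted - confirm). The inner double quotes around paths are dropped as well:
# in sh they closed and reopened the outer string and only worked because the paths contain no
# whitespace.
# NOTE(review): the udp 50000-65535 profile has no --hostlist restriction and sets
# --dpi-desync-any-protocol, so it is not limited to one service: every UDP flow to those
# ports that reaches the queue is handled by it.
# NOTE(review): the other profiles hard-code --hostlist paths instead of the markers above, so
# MODE_FILTER presumably does not change which hosts they match - confirm against the init scripts.
# NOTE(review): this file is sourced by the init scripts and names list/payload files under
# /opt/zapret; keep all of them writable by root only.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.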
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/general_fake_tls_auto: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443,2053,2083,2087,2096,8443 74 | NFQWS_PORTS_UDP=443,19294-19344,50000-50100 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
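#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced with an empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# NFQWS_OPT is the nfqws option string: one profile per line, profiles separated by --new.
# The cmd.exe-style "^" that followed each --new is dropped: inside a double-quoted sh string
# it is literal text, so it would reach nfqws as a stray word (assuming the init scripts expand
# this variable unquoted - confirm). The inner double quotes around paths are dropped as well:
# in sh they closed and reopened the outer string and only worked because the paths contain no
# whitespace.
# Also dropped: a verbatim second copy of the udp 443 profile, a verbatim second copy of the
# tcp 80 profile, and the dangling --new that followed them and opened an empty profile.
# The copies repeated the filters of earlier profiles, so they added nothing the first ones
# do not already cover.
# NOTE(review): NFQWS_PORTS_TCP in this file lists 443, 2053, 2083, 2087, 2096 and 8443, but
# no profile below has a tcp filter for them; the duplicated lines look like a copy-paste slip
# where a TLS profile was intended - confirm with the author.
# NOTE(review): this file is sourced by the init scripts and names list/payload files under
# /opt/zapret; keep all of them writable by root only.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=11 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=19294-19344,50000-50100 --filter-l7=discord,stun --dpi-desync=fake --dpi-desync-repeats=6 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,fakedsplit --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig
"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.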
112 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 113 | # or leave them commented if its not router 114 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 115 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 116 | #IFACE_LAN= 117 | #IFACE_WAN= 118 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 119 | 120 | # should start/stop command of init scripts apply firewall rules ? 121 | # not applicable to openwrt with firewall3+iptables 122 | INIT_APPLY_FW=1 123 | # firewall apply hooks 124 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 125 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 126 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 127 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 128 | 129 | # do not work with ipv4 130 | #DISABLE_IPV4=1 131 | # do not work with ipv6 132 | DISABLE_IPV6=1 133 | 134 | # select which init script will be used to get ip or host list 135 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 136 | # comment if not required 137 | #GETLIST= 138 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT_v10: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
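#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced with an empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# NFQWS_OPT is the nfqws option string: one profile per line, profiles separated by --new.
# The cmd.exe-style "^" that followed each --new is dropped: inside a double-quoted sh string
# it is literal text, so it would reach nfqws as a stray word (assuming the init scripts expand
# this variable unquoted - confirm). The inner double quotes around paths are dropped as well:
# in sh they closed and reopened the outer string and only worked because the paths contain no
# whitespace.
# NOTE(review): the second profile passes ipset-discord.txt to --hostlist; the repository's
# lists/ directory shows list-discord.txt but no ipset-discord.txt - confirm the file exists
# at this path and holds host names.
# NOTE(review): profiles hard-code --hostlist paths instead of the markers above, so MODE_FILTER
# presumably does not change which hosts they match - confirm against the init scripts.
# NOTE(review): this file is sourced by the init scripts and names list/payload files under
# /opt/zapret; keep all of them writable by root only.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,disorder2 --dpi-desync-repeats=11 --dpi-desync-udplen-increment=10 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake,tamper --dpi-desync-any-protocol --dpi-desync-cutoff=n5 --dpi-desync-repeats=11 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=5 --dpi-desync-fooling=badseq --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=split2 --dpi-desync-split-pos=4 --dpi-desync-autottl=5 --dpi-desync-repeats=11 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.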
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_Universal_v2: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
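#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws options, one filter profile per line; --new separates profiles.
# file paths carry no inner double quotes: inside this double-quoted value they
# only closed and reopened the string. the '^' that ended each line was a
# cmd.exe line continuation; in sh it is a literal character that would be
# passed to nfqws as a stray argument, so it is removed.
# NOTE(review): no <HOSTLIST> marker is used, so per the comment above the
# standard lists selected by MODE_FILTER are not engaged here; only the
# explicit --hostlist files limit where desync is applied. confirm intended.
# NOTE(review): ipset-discord.txt is passed via --hostlist; confirm it holds
# hostnames rather than IP ranges and that it is installed at this path.
# NOTE(review): the tcp/443 profile sets --dpi-desync-fake-tls but has no
# "fake" in --dpi-desync, so the payload looks unused. confirm.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,disorder2 --dpi-desync-repeats=8 --dpi-desync-udplen-increment=12 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake,tamper --dpi-desync-any-protocol --dpi-desync-cutoff=d4 --dpi-desync-repeats=8 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=3 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=disorder2 --dpi-desync-split-pos=2 --dpi-desync-autottl=3 --dpi-desync-repeats=8 --dpi-desync-fooling=badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin
"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.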
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/UltimateFix_Universal_v3: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
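#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws options, one filter profile per line; --new separates profiles.
# file paths carry no inner double quotes: inside this double-quoted value they
# only closed and reopened the string. the '^' that ended each line was a
# cmd.exe line continuation; in sh it is a literal character that would be
# passed to nfqws as a stray argument, so it is removed.
# NOTE(review): no <HOSTLIST> marker is used, so per the comment above the
# standard lists selected by MODE_FILTER are not engaged here; only the
# explicit --hostlist files limit where desync is applied. confirm intended.
# NOTE(review): ipset-discord.txt is passed via --hostlist; confirm it holds
# hostnames rather than IP ranges and that it is installed at this path.
# NOTE(review): the tcp/443 profile sets --dpi-desync-fake-tls but has no
# "fake" in --dpi-desync, so the payload looks unused. confirm.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-repeats=10 --dpi-desync-udplen-increment=15 --dpi-desync-udplen-pattern=0xCAFEBABE --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake,disorder2 --dpi-desync-any-protocol --dpi-desync-cutoff=n5 --dpi-desync-repeats=10 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,disorder2 --dpi-desync-autottl=4 --dpi-desync-fooling=badseq --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=split --dpi-desync-split-pos=3 --dpi-desync-autottl=4 --dpi-desync-repeats=10 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin
"

# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.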
110 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 111 | # or leave them commented if its not router 112 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 113 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 114 | #IFACE_LAN= 115 | #IFACE_WAN= 116 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 117 | 118 | # should start/stop command of init scripts apply firewall rules ? 119 | # not applicable to openwrt with firewall3+iptables 120 | INIT_APPLY_FW=1 121 | # firewall apply hooks 122 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 123 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 124 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 125 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 126 | 127 | # do not work with ipv4 128 | #DISABLE_IPV4=1 129 | # do not work with ipv6 130 | DISABLE_IPV6=1 131 | 132 | # select which init script will be used to get ip or host list 133 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 134 | # comment if not required 135 | #GETLIST= 136 | -------------------------------------------------------------------------------- /configurations/RussiaFix: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
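#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws options, one filter profile per line; --new separates profiles.
# file paths carry no inner double quotes: inside this double-quoted value they
# only closed and reopened the string. the '^' that ended most lines was a
# cmd.exe line continuation; in sh it is a literal character that would be
# passed to nfqws as a stray argument, so it is removed.
# NOTE(review): the "--filter-tcp=80,443" and the last "--filter-udp=443"
# profiles have no --hostlist, so they are not limited to listed hosts and
# would cover every destination on those ports. confirm this is intended.
# NOTE(review): --hostlist-auto points into files/fake/; the daemon user
# presumably needs write access to that file. confirm path and ownership.
# NOTE(review): ipset-discord.txt is passed via --hostlist; confirm it holds
# hostnames rather than IP ranges and that it is installed at this path.
NFQWS_OPT="
--filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --hostlist-auto=/opt/zapret/files/fake/autohostlist.txt --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-repeats=11 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin --new
--filter-tcp=80,443 --dpi-desync=fake,disorder2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-udp=50000-50099 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol --dpi-desync-cutoff=n4 --new
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=11 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=11"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.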
111 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 112 | # or leave them commented if its not router 113 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 114 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 115 | #IFACE_LAN= 116 | #IFACE_WAN= 117 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 118 | 119 | # should start/stop command of init scripts apply firewall rules ? 120 | # not applicable to openwrt with firewall3+iptables 121 | INIT_APPLY_FW=1 122 | # firewall apply hooks 123 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 124 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 125 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 126 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 127 | 128 | # do not work with ipv4 129 | #DISABLE_IPV4=1 130 | # do not work with ipv6 131 | DISABLE_IPV6=1 132 | 133 | # select which init script will be used to get ip or host list 134 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 135 | # comment if not required 136 | #GETLIST= 137 | -------------------------------------------------------------------------------- /configurations/UltimateFix_ALT_EXTENDED: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
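#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws options, one filter profile per line; --new separates profiles.
# file paths carry no inner double quotes: inside this double-quoted value they
# only closed and reopened the string (the original ended in a doubled quote
# for the same reason). the '^' that ended each line was a cmd.exe line
# continuation; in sh it is a literal character that would be passed to nfqws
# as a stray argument, so it is removed.
# NOTE(review): no <HOSTLIST> marker is used, so per the comment above the
# standard lists selected by MODE_FILTER are not engaged here; only the
# explicit --hostlist files limit where desync is applied. confirm intended.
# NOTE(review): ipset-discord.txt is passed via --hostlist; confirm it holds
# hostnames rather than IP ranges and that it is installed at this path.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-udplen-increment=10 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=50000-65535 --hostlist=/opt/zapret/ipset/ipset-discord.txt --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.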
109 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 110 | # or leave them commented if its not router 111 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 112 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 113 | #IFACE_LAN= 114 | #IFACE_WAN= 115 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 116 | 117 | # should start/stop command of init scripts apply firewall rules ? 118 | # not applicable to openwrt with firewall3+iptables 119 | INIT_APPLY_FW=1 120 | # firewall apply hooks 121 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 122 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 123 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 124 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 125 | 126 | # do not work with ipv4 127 | #DISABLE_IPV4=1 128 | # do not work with ipv6 129 | DISABLE_IPV6=1 130 | 131 | # select which init script will be used to get ip or host list 132 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 133 | # comment if not required 134 | #GETLIST= 135 | -------------------------------------------------------------------------------- /configurations/preset_russia: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-tls=sni --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-tls=sni --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-65535 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
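#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# nfqws options, one filter profile per line; --new separates profiles.
# file paths carry no inner double quotes: inside this double-quoted value they
# only closed and reopened the string. the '^' that ended most lines was a
# cmd.exe line continuation; in sh it is a literal character that would be
# passed to nfqws as a stray argument, so it is removed.
# NOTE(review): the "--filter-udp=50000-50099" and the last "--filter-udp=443"
# profiles have no --hostlist, so they are not limited to listed hosts and
# would cover every destination on those ports. confirm this is intended.
# NOTE(review): the "--filter-tcp=80,443" profile reuses the ports and the
# hostlist of the two profiles before it, so it looks unreachable if the
# first matching profile wins. confirm against the nfqws documentation.
NFQWS_OPT="
--filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --new
--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,split2 --dpi-desync-repeats=11 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin --new
--filter-tcp=80,443 --dpi-desync=fake,disorder2 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-udp=50000-50099 --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol --dpi-desync-cutoff=n4 --new
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=11 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=11"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.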
111 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 112 | # or leave them commented if its not router 113 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 114 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 115 | #IFACE_LAN= 116 | #IFACE_WAN= 117 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 118 | 119 | # should start/stop command of init scripts apply firewall rules ? 120 | # not applicable to openwrt with firewall3+iptables 121 | INIT_APPLY_FW=1 122 | # firewall apply hooks 123 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 124 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 125 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 126 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 127 | 128 | # do not work with ipv4 129 | #DISABLE_IPV4=1 130 | # do not work with ipv6 131 | DISABLE_IPV6=1 132 | 133 | # select which init script will be used to get ip or host list 134 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 135 | # comment if not required 136 | #GETLIST= 137 | -------------------------------------------------------------------------------- /configurations/general_ALT5: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. 
# SET_MAXELEM (maximum number of elements in sets) is also used for nft sets
SET_MAXELEM=522288
# hashsize trade-off:
#   too low  - can cause memory allocation errors on low RAM systems , even if RAM is enough
#   too large - wastes lots of RAM
IPSET_OPT="hashsize 262144 maxelem ${SET_MAXELEM}"
# dynamically generate additional ip. $1 = ipset/nfset/table name
# NOTE(review): presumably run with the privileges of the list scripts - keep the hook file
#   owned by root and not writable by other users; confirm
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"

# options for auto hostlist
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1

# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens.
# (PF on BSD) there is no automatic reload, so you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bits used by nfqws to prevent a processing loop
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# ---- tpws, socks mode ----
TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
# NOTE(review): once enabled the proxy is reachable from every LAN host - confirm that is intended
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced with an empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_SOCKS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# ---- tpws, transparent mode ----
TPWS_ENABLE=0
TPWS_PORTS=80,443
# same <HOSTLIST> / <HOSTLIST_NOAUTO> placeholder rules as for TPWS_SOCKS_OPT
TPWS_OPT="
--filter-tcp=80 --methodeol --new
--filter-tcp=443 --split-tls=sni --disorder
"

# ---- nfqws ----
NFQWS_ENABLE=1
# ports whose outgoing traffic is redirected, with the connbytes limiter applied in both directions
NFQWS_PORTS_TCP=80,443,2053,2083,2087,2096,8443
NFQWS_PORTS_UDP=443,19294-19344,50000-50100
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# kernel mode implementation of --dpi-desync-cutoff=nX for linux. it saves a lot of CPU.
# the *_PKT_OUT values are 6 plus AUTOHOSTLIST_RETRANS_THRESHOLD, which is set earlier in this file
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# keepalive ports: redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally needed only for stateless DPI that matches every packet in a single TCP session
# typical example: plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
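#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced with an empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
#
# NFQWS_OPT is one string of nfqws options; each --new starts the next profile.
# Two leftovers were removed from the value:
#  * "^" after --new. It is not shell syntax (it looks like a cmd.exe line continuation);
#    inside a double-quoted sh string it is a literal word handed to nfqws.
#    Newlines inside the quotes already separate the options.
#  * nested double quotes around file paths. They closed and reopened the outer string;
#    the paths contain no whitespace, so the resulting value is the same without them.
# NOTE(review): the syndata profile (--filter-l3=ipv4 --filter-tcp=443,2053,2083,2087,2096,8443)
#   has no --hostlist, so it applies to every IPv4 TCP flow on those ports, not only to hosts
#   in zapret-hosts-user.txt. Confirm that this scope is intended.
# NOTE(review): the fifth and sixth profiles repeat the third and first ones exactly; if nfqws
#   selects the first matching profile they are never reached - verify and drop if so.
# NOTE(review): the list ends with --new, which leaves an empty trailing profile - confirm
#   nfqws accepts that, or remove the final --new.
# NOTE(review): no profile uses the <HOSTLIST> marker, so MODE_FILTER below presumably
#   does not influence which hosts these profiles match - confirm.
NFQWS_OPT="
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
--filter-udp=19294-19344,50000-50100 --filter-l7=discord,stun --dpi-desync=fake --dpi-desync-repeats=6 --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,multisplit --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-l3=ipv4 --filter-tcp=443,2053,2083,2087,2096,8443 --dpi-desync=syndata --new
--filter-tcp=80 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,multisplit --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new
--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new
"
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.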
# CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES
# or leave them commented if it's not a router
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
# if IFACE_WAN6 is not defined it takes the value of IFACE_WAN
#IFACE_LAN=
#IFACE_WAN=
#IFACE_WAN6="ipsec0 wireguard0 he_net"

# should start/stop command of init scripts apply firewall rules ?
# not applicable to openwrt with firewall3+iptables
INIT_APPLY_FW="1"
# firewall apply hooks
# NOTE(review): presumably executed with the init script's privileges - keep hook files
#   owned by root and not writable by other users; confirm
#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"

# address families: uncomment/set to 1 to stop working with that family
# do not work with ipv4
#DISABLE_IPV4=1
# do not work with ipv6
DISABLE_IPV6="1"

# select which init script will be used to get ip or host list
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
# comment if not required
#GETLIST=