# can help in case /tmp has not enough space #TMPDIR=/data/zapret/tmp # redefine user for zapret daemons. required on Keenetic #WS_USER=nobody # override firewall type : iptables,nftables,ipfw FWTYPE=iptables # nftables only : set this to 0 to use pre-nat mode. default is post-nat. # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log #POSTNAT=0 # options for ipsets # maximum number of elements in sets. also used for nft sets SET_MAXELEM=522288 # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough # too large hashsize will waste lots of RAM IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" # dynamically generate additional ip. $1 = ipset/nfset/table name #IPSET_HOOK="/etc/zapret.ipset.hook" # options for ip2net. "-4" or "-6" auto added by ipset create script IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" # options for auto hostlist AUTOHOSTLIST_RETRANS_THRESHOLD=3 AUTOHOSTLIST_FAIL_THRESHOLD=3 AUTOHOSTLIST_FAIL_TIME=60 # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log AUTOHOSTLIST_DEBUGLOG=0 # number of parallel threads for domain list resolves MDIG_THREADS=30 # ipset/*.sh can compress large lists GZIP_LISTS=1 # command to reload ip/host lists after update # comment or leave empty for auto backend selection : ipset or ipfw if present # on BSD systems with PF no auto reloading happens. you must provide your own command # set to "-" to disable reload #LISTS_RELOAD="pfctl -f /etc/pf.conf" # mark bit used by nfqws to prevent loop DESYNC_MARK=0x40000000 DESYNC_MARK_POSTNAT=0x20000000 TPWS_SOCKS_ENABLE=0 # tpws socks listens on this port on localhost and LAN interfaces TPPORT_SOCKS=987 # use and placeholders to engage standard hostlists and autohostlist in ipset dir # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy # appends ipset/zapret-hosts-auto.txt as normal list TPWS_SOCKS_OPT=" --filter-tcp=80 --methodeol --new --filter-tcp=443 --split-pos=1,midsld --disorder " TPWS_ENABLE=0 TPWS_PORTS=80,443 # use and placeholders to engage standard hostlists and autohostlist in ipset dir # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy # appends ipset/zapret-hosts-auto.txt as normal list TPWS_OPT=" --filter-tcp=80 --methodeol --new --filter-tcp=443 --split-pos=1,midsld --disorder " NFQWS_ENABLE=1 # redirect outgoing traffic with connbytes limiter applied in both directions. NFQWS_PORTS_TCP=80,443,4244,5222-5228,5242,50318,59234 NFQWS_PORTS_UDP=443,590-1400,3478-3481,5349,19294-19344 # PKT_OUT means connbytes dir original # PKT_IN means connbytes dir reply # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) NFQWS_TCP_PKT_IN=3 NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) NFQWS_UDP_PKT_IN=0 # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter # normally it's needed only for stateless DPI that matches every packet in a single TCP session # typical example are plain HTTP keep alives # this mode can be very CPU consuming. enable with care ! #NFQWS_PORTS_TCP_KEEPALIVE=80 #NFQWS_PORTS_UDP_KEEPALIVE= # use and placeholders to engage standard hostlists and autohostlist in ipset dir # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy # appends ipset/zapret-hosts-auto.txt as normal list # just notes: --debug=@debug.log /data/zapret/lists/ /data/zapret/files/fake/ #GoogleVideo first UDP strats!!! UDP for Quick. You maybe need change only TCP or UDP or both strats. For enable starats just delete --skip #Стратегия DISCORD вместо просто fake. Если закомментировать - будет использоваться просто fake #NFQWS_OPT_DESYNC_DISCORD_MEDIA="--dpi-desync=fake --dpi-desync-autottl --dup=2 --dup-autottl --dup-cutoff=n3" #Стратегия ТГ, ВА и т.п. вместо просто fake. Если закомментировать - будет использоваться просто fake #NFQWS_OPT_DESYNC_STUN="--dpi-desync=fake --dpi-desync-autottl --dup=2 --dup-autottl --dup-cutoff=n3" NFQWS_OPT=" --filter-tcp=80 --hostlist=/data/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,fakedsplit --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fooling=datanoack --new --filter-tcp=443 --hostlist=/data/zapret/ipset/zapret-hosts-google.txt --dpi-desync=fake,multisplit --dpi-desync-fake-tls=0x00000000 --dpi-desync-fake-tls=! --dpi-desync-split-pos=1,midsld --dpi-desync-repeats=2 --dpi-desync-fooling=badseq --dpi-desync-fake-tls-mod=rnd,dupsid,sni=www.google.com --new --filter-tcp=443 --hostlist=/data/zapret/ipset/zapret-hosts-user.txt --dpi-desync=hostfakesplit --dpi-desync-hostfakesplit-mod=host=max.ru --dpi-desync-hostfakesplit-midhost=host-2 --dpi-desync-split-seqovl=726 --dpi-desync-fooling=badsum,badseq --dpi-desync-badseq-increment=0 --new --filter-udp=443 --hostlist=/data/zapret/ipset/zapret-hosts-user.txt --dpi-desync=fake,udplen --dpi-desync-fake-quic=/data/zapret/files/fake/quic_initial_www_google_com.bin --dpi-desync-repeats=20 --dpi-desync-udplen-increment=24 --new --filter-udp=443,590-1400,3478-3481,5349,19294-19344 --filter-l7=stun --dpi-desync=fake --new --filter-udp=443,590-1400,3478-3481,5349,19294-19344 --hostlist=/data/zapret/ipset/cust1.txt --dpi-desync=fake,udplen --dpi-desync-fake-quic=/data/zapret/files/fake/quic_initial_www_google_com.bin --dpi-desync-repeats=20 --dpi-desync-udplen-increment=24 --new --filter-tcp=443,4244,5222-5228,5242,50318,59234 --hostlist=/data/zapret/ipset/cust1.txt --dpi-desync=fake,multisplit --dpi-desync-fake-tls=0x00000000 --dpi-desync-fake-tls=! --dpi-desync-split-pos=1,midsld --dpi-desync-repeats=2 --dpi-desync-fooling=badseq --dpi-desync-fake-tls-mod=rnd,dupsid,sni=www.google.com " # none,ipset,hostlist,autohostlist MODE_FILTER=hostlist # openwrt only : donttouch,none,software,hardware FLOWOFFLOAD=donttouch # openwrt: specify networks to be treated as LAN. default is "lan" #OPENWRT_LAN="lan lan2 lan3" # openwrt: specify networks to be treated as WAN. default wans are interfaces with default route #OPENWRT_WAN4="wan vpn" #OPENWRT_WAN6="wan6 vpn6" # for routers based on desktop linux and macos. has no effect in openwrt. # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES # or leave them commented if its not router # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" # if IFACE_WAN6 is not defined it take the value of IFACE_WAN #IFACE_LAN=eth0 #IFACE_WAN=eth0 #IFACE_WAN6="ipsec0 wireguard0 he_net" # should start/stop command of init scripts apply firewall rules ? # not applicable to openwrt with firewall3+iptables INIT_APPLY_FW=1 # firewall apply hooks #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" # do not work with ipv4 #DISABLE_IPV4=1 # do not work with ipv6 DISABLE_IPV6=1 # drop icmp time exceeded messages for nfqws tampered connections # in POSTNAT mode this can interfere with default mtr/traceroute in tcp or udp mode. use source port not redirected to nfqws # set to 0 if you are not expecting connection breakage due to icmp in response to TCP SYN or UDP FILTER_TTL_EXPIRED_ICMP=1 # select which init script will be used to get ip or host list # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh # comment if not required #GETLIST=