Rules
Rules define network rules for applications, and global rules.
You can set a rule per app, and add different preset rules to the app rule.
If the app's action is "Block", then it is blocked immediately.
If the app's action is "Allow", then you can set various restrictions before allowing it: a restriction that matches blocks the app's connection, and if no restriction applies, the app's connection is allowed.
You can also create Global Rules, applied before or after Application Rules.
- Rule's text can contain Filters, separated with new line `\n`
- Filter can contain Filter Functions, separated with `:`
- Filter can contain Sub-Filters, wrapped by `{` and `}`
- Filter Function can contain optional name and values
- Filter Function's values can be wrapped by `(` and `)`, separated with `,` or new line
- Filter Function can be negated by `!`
- Use `=` to check that the local port/ip is equal to the remote one
- Use `#` to comment a line
Example:

```
104.21.5.235:udp(443)
172.67.154.192:udp(443)
```

This rule has 2 filters.
Example:

```
104.21.5.235:{
udp(443) # HTTPS
tcp(80):dir(in) # Inbound HTTP
}
```

This rule has 1 filter with several functions:
- the IP should be "104.21.5.235"
- AND ( the Port should be UDP 443 OR (TCP 80 AND incoming) )
Example:

```
1.1.1.1: !{ port(80):dir(out) }
```

Address 1.1.1.1 AND NOT (port 80 AND outgoing).
It's more effective to use a values list in one filter function than several filters:

```
(
1.1.1.1
2.2.2.2
3.3.3.3
):(80, 443)
```
- "ip": `ip(1.1.1.1, 2.2.2.2/16, [::1])`. First filter's name is "ip" by default.
- "port": `port(53, 80, HTTPS, 1024-3000)`. IP address's next filter's name is "port" by default.
- "local_ip"
- "local_port"
- "proto" or "protocol": `proto(TCP, UDP, ICMP, ICMPv6, 97, 100-140)`
- "icmp_type": `icmp_type(8, 10-18)`
- "icmp_code": `icmp_code(0-9)`
- "ip_ver" or "ip_version": `ip_ver(6)`
- "dir" or "direction": `dir(IN, OUT)`
- "zones": `zones()`, `zones(ACCEPTED)`, `zones(REJECTED)`. Available when "Inline Zones" is ticked on.
- "area": predefined network areas: `area(LOCALHOST, LAN, INET, INTERNET)`
- "profile": network interface's profile: `profile(PUBLIC, PRIVATE, DOMAIN)`
- "act" or "action": `action(ALLOW)`, `action(BLOCK)`
- "opt" or "option": `option(LOG, NOLOG, ALERT)`
- "tcp": `tcp(...)` is optimized sugar for `{ proto(TCP):port(...) }`
- "udp": `udp(...)` is optimized sugar for `{ proto(UDP):port(...) }`
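The syntax rules, the examples and the filter-function list above, as an added example that is not Fort Firewall's own code: a small Python parser that turns rule text into filters (OR) of filter functions (AND), including `!`, `{ }` sub-filters, default `ip`/`port` naming and the `tcp`/`udp` sugar, and evaluates it against a connection given as a dict whose keys mirror the function names (an assumption of this example; named ports such as HTTPS, zones, areas and profiles are not resolved).

```python
import re, ipaddress
# Added example, not Fort Firewall's own code: parser and evaluator for the filter syntax above.
# Connection dict keys mirror the function names (an assumption); named ports like HTTPS are not resolved.
TOK = re.compile(r"\[[^\]]*\]|[{}():,!\n]|[^\s{}():,!#]+")   # [v6], delimiters, newlines, words
def parse_filters(toks, i=0):      # newline-separated filters (OR) until the closing '}'
    filters = []
    while toks[i] != "}":
        funcs, i = parse_filter(toks, i) if toks[i] != "\n" else ([], i + 1)
        filters += [funcs] if funcs else []
    return filters, i
def parse_filter(toks, i):         # ':'-separated functions (AND); unnamed -> ip, then port
    funcs, prev = [], None
    while True:
        neg = toks[i] == "!"       # '!' negates the function
        i += neg
        if toks[i] == "{":         # sub-filter block; parse_filters stops at its '}'
            vals, i = parse_filters(toks, i + 1)
            name, i = "sub", i + 1
        else:
            name = None if toks[i] == "(" else toks[i]
            i += (name is not None)
            if toks[i] == "(":     # value list, separated by ',' or newline
                j = toks.index(")", i)
                vals, i = [t for t in toks[i + 1:j] if t not in (",", "\n")], j + 1
            else:                  # no list: the word was a single bare value
                vals, name = [name], None
            prev = name = (name or ("port" if prev == "ip" else "ip")).lower()
            if name in ("tcp", "udp"):   # sugar for { proto(X):port(...) }
                name, vals = "sub", [[(False, "proto", [name]), (False, "port", vals)]]
        funcs.append((neg, name, vals))
        if toks[i] != ":":
            return funcs, i
        i += 1
def match_value(name, val, conn):  # one value against the connection field of that name
    cur = conn.get(name)
    if name in ("ip", "local_ip"): # address or CIDR; "[::1]" form allowed
        return ipaddress.ip_address(cur) in ipaddress.ip_network(val.strip("[]"), strict=False)
    lo, _, hi = val.partition("-") # number or a-b range, else a name (TCP, IN, PUBLIC)
    if lo.isdigit() and str(cur).isdigit():
        return int(lo) <= int(cur) <= int(hi or lo)
    return str(cur).upper() == val.upper()
def eval_filter(funcs, conn):      # AND over functions; a sub-filter is OR over its filters
    return all(neg != (any(eval_filter(f, conn) for f in vals) if name == "sub"
                       else any(match_value(name, v, conn) for v in vals))
               for neg, name, vals in funcs)
def rule_matches(text, conn):      # a rule matches when any of its filters matches
    lines = [line.split("#", 1)[0] for line in text.splitlines()]   # strip comments
    filters, _ = parse_filters(TOK.findall("\n".join(lines)) + ["}"])  # '}' = end sentinel
    return any(eval_filter(f, conn) for f in filters)
```

Feeding the page's second example and a constructed inbound TCP/80 connection, `rule_matches("104.21.5.235:{\nudp(443)\ntcp(80):dir(in)\n}", {"ip": "104.21.5.235", "port": 80, "proto": "TCP", "dir": "IN"})` returns True, while the same connection with `"dir": "OUT"` does not match.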
You can turn on the Rule's "Exclusive" flag to skip the rule's preset rules when the rule's filters do not match the connection. The flag is effective only when the Rule is Allowed.
Example: an Allowed Exclusive Rule with text "profile(PUBLIC)" and its presets. When the current network profile is not Public (but Private or Domain), then the Rule will not be processed.
You can turn on the Rule's "Terminating Rule" flag to set a mandatory action when no other filters or preset rules are triggered.
- rules max count = 1024
- global rules max count = 64
- rule's preset sub-rules max count = 32
- rule's preset sub-rules max depth count = 8 (max level of preset sub-rules)
- rule filters' max depth count = 7 (max level of {{{...}}})
If no Rule's filters or sub-rules are applied for a connection, then the default action will be used.
- If rule is disabled, then IGNORE
- If rule has Zones and address is filtered by Zones, then remember Zone-Or-Filter
- Else if rule has Filters and connection is filtered by Filters, then remember Zone-Or-Filter
- If rule is Exclusive and rule's action is Allow:
  - If Zone-Or-Filter is not applied, then IGNORE
  - Else if Zone-Or-Filter is applied, then APPLY
- If rule has Preset Rules and any of them is filtered, then APPLY
- If rule has Terminating Rule, then APPLY
The global rules are processed in the same order as shown in the Rules window, i.e. by the name field.
You can name the global rules like "01 Allow Some", "02 Block Some", ...
- create an allowing App Rule named "Allow App to only some"
- add the following text to the filters field: `1.2.3.4:9100`
- tick on the "Terminating Rule" and select "Block". So any connection will be blocked when the filters are not applied.

The logic here:
- if some filter is applied to the connection, then allow it
- otherwise block it, as terminating

Caveat:
- if you don't tick on the "Terminating Rule", then all connections will be allowed
- create a blocking App Rule named "Block App except some"
- add the following text to the filters field:

  ```
  !{
  1.2.3.4:9100
  }
  ```

The logic here:
- if some filter is applied to the connection, then block it
- otherwise allow it, as the default app's action
The "Kill-Switch" means that programs should connect to the Internet via NekoBox while it is working; when NekoBox is not working, programs should be blocked.

- "172.19.*" addresses are added to the routing table:

  ```
  > route print
  ===========================================================================
  Interface List
  8...........................sing-tun Tunnel
  ...
  1...........................Software Loopback Interface 1
  ===========================================================================
  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
  ...
  172.19.0.0  255.255.255.240         On-link      172.19.0.1     256
  172.19.0.1  255.255.255.255         On-link      172.19.0.1     256
  172.19.0.15  255.255.255.255         On-link      172.19.0.1     256
  ...
  ```
- Programs connect to the Internet via "172.19.*" addresses.
- For Proxy mode tick on the Options: IP Addresses: Local Area Network: "Filter Local Addresses (127.0.0.0/8)" and the "Filter Local Network" flags.
- Create a Global Rule, applied after App Rules, to Block connections when the local address is `192.168.*`:
  - Create an App Rule to Allow connections when the local address is `192.168.*`:
    - Set the App Rule to `nekobox_core.exe`
- Create a Global Rule, applied before App Rules, to Allow connections when the local address is `172.19.*`.
- Create a Global Rule, applied after App Rules, to Block connections when the local address is not `172.19.*`:
  - Create an App Rule to Allow connections when the local address is not `172.19.*`:
    - Set the App Rule to `nekobox_core.exe`