
Untitled

a guest
Nov 13th, 2024
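  # zapret configuration. this file is included (sourced as shell code) from the init scripts
  # change values here
  # every line is executed by the shell that sources it, so keep this file and the hook
  # scripts named below writable only by the administrator

  # can help in case /tmp has not enough space
  #TMPDIR=/opt/zapret/tmp

  # redefine user for zapret daemons. required on Keenetic
  # NOTE(review): the daemons see all redirected traffic; use a dedicated unprivileged account where one exists
  #WS_USER=nobody

  # override firewall type : iptables,nftables,ipfw
  FWTYPE=nftables
  # nftables only : set this to 0 to use pre-nat mode. default is post-nat.
  # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
  #POSTNAT=0

  # options for ipsets
  # maximum number of elements in sets. also used for nft sets
  SET_MAXELEM=522288
  # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
  # too large hashsize will waste lots of RAM
  IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
  # dynamically generate additional ip. $1 = ipset/nfset/table name
  # the hook is an executable path run by the ipset scripts : it must not be writable by unprivileged users
  #IPSET_HOOK="/etc/zapret.ipset.hook"

  # options for ip2net. "-4" or "-6" auto added by ipset create script
  IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
  IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
  # options for auto hostlist
  AUTOHOSTLIST_RETRANS_THRESHOLD=3
  AUTOHOSTLIST_FAIL_THRESHOLD=3
  AUTOHOSTLIST_FAIL_TIME=60
  # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
  # the debug log records the host names that were added, so treat it as browsing history if it is enabled
  AUTOHOSTLIST_DEBUGLOG=0

  # number of parallel threads for domain list resolves
  MDIG_THREADS=30

  # ipset/*.sh can compress large lists
  GZIP_LISTS=1
  # command to reload ip/host lists after update
  # comment or leave empty for auto backend selection : ipset or ipfw if present
  # on BSD systems with PF no auto reloading happens. you must provide your own command
  # set to "-" to disable reload
  # the value is run as a command, so it deserves the same care as the hook paths
  #LISTS_RELOAD="pfctl -f /etc/pf.conf"

  # mark bit used by nfqws to prevent loop
  # NOTE(review): make sure no other firewall or policy-routing rule on this host uses these fwmark bits
  DESYNC_MARK=0x40000000
  DESYNC_MARK_POSTNAT=0x20000000

  # tpws in socks mode is disabled in this configuration
  TPWS_SOCKS_ENABLE=0
  # tpws socks listens on this port on localhost and LAN interfaces
  # NOTE(review): no authentication option appears in this file. before enabling, confirm that only
  # trusted LAN clients can reach this port
  TPPORT_SOCKS=987
  # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
  # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
  # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
  TPWS_SOCKS_OPT="
  --filter-tcp=80 --methodeol <HOSTLIST> --new
  --filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>
  "

  # tpws in transparent mode is disabled in this configuration
  TPWS_ENABLE=0
  TPWS_PORTS=80,443
  # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
  # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
  # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
  TPWS_OPT="
  --filter-tcp=80 --methodeol <HOSTLIST> --new
  --filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>
  "

  # nfqws is the only daemon enabled in this configuration
  NFQWS_ENABLE=1
  # redirect outgoing traffic with connbytes limiter applied in both directions.
  # these lists select what the firewall hands to nfqws : every port matched by a --filter-tcp / --filter-udp
  # profile in NFQWS_OPT must also be listed here, otherwise that profile never receives a packet.
  # 50000-50099 is listed for the last NFQWS_OPT profile
  NFQWS_PORTS_TCP=80,443
  NFQWS_PORTS_UDP=443,50000-50099
  # PKT_OUT means connbytes dir original
  # PKT_IN means connbytes dir reply
  # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
  # the OUT limits are computed : 6 + AUTOHOSTLIST_RETRANS_THRESHOLD
  NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
  NFQWS_TCP_PKT_IN=3
  NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
  NFQWS_UDP_PKT_IN=0
  # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
  # normally it's needed only for stateless DPI that matches every packet in a single TCP session
  # typical example are plain HTTP keep alives
  # this mode can be very CPU consuming. enable with care !
  #NFQWS_PORTS_TCP_KEEPALIVE=80
  #NFQWS_PORTS_UDP_KEEPALIVE=
  # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
  # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
  # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
  # the last profile has no hostlist marker : it applies to every flow on udp 50000-50099
  # NOTE(review): that profile combines --dpi-desync-any-protocol with --dpi-desync-fake-quic.
  # confirm the QUIC fake payload is the one used for non-QUIC UDP, else set the unknown-udp fake instead
  NFQWS_OPT="
  --filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
  --filter-tcp=443 --dpi-desync=fake,disorder2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
  --filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=6 <HOSTLIST_NOAUTO> --new
  --filter-udp=50000-50099 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-quic=0xC3
  "

  # none,ipset,hostlist,autohostlist
  # with "none" the <HOSTLIST> markers above are replaced with empty strings, so every profile
  # applies to all destinations on its ports, not to a selected list
  MODE_FILTER=none

  # openwrt only : donttouch,none,software,hardware
  FLOWOFFLOAD=none

  # openwrt: specify networks to be treated as LAN. default is "lan"
  #OPENWRT_LAN="lan lan2 lan3"
  # openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
  #OPENWRT_WAN4="wan vpn"
  #OPENWRT_WAN6="wan6 vpn6"

  # for routers based on desktop linux and macos. has no effect in openwrt.
  # CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES
  # or leave them commented if it's not a router
  # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
  # if IFACE_WAN6 is not defined it takes the value of IFACE_WAN
  #IFACE_LAN=
  #IFACE_WAN=
  #IFACE_WAN6="ipsec0 wireguard0 he_net"

  # should start/stop command of init scripts apply firewall rules ?
  # not applicable to openwrt with firewall3+iptables
  INIT_APPLY_FW=1
  # firewall apply hooks
  # each hook is an executable path run around firewall changes : keep the files
  # owned by the administrator and not writable by anyone else
  #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
  #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
  #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
  #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"

  # do not work with ipv4
  #DISABLE_IPV4=1
  # do not work with ipv6
  # with this set, IPv6 traffic is left untouched by zapret. hosts that have working IPv6
  # connectivity will not get the NFQWS_OPT treatment on those connections
  DISABLE_IPV6=1

  # select which init script will be used to get ip or host list
  # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
  # comment if not required
  #GETLIST=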