Rules - tnodir/fort GitHub Wiki

Introduction

Overview of the Rules

Rules define network filtering for applications (Application Rules) and globally (Global Rules).

Application Rules

You can set one rule per app and add different preset rules to that app rule.

If the app's action is "Block", then its connections are blocked immediately.

If the app's action is "Allow", then you can set various restrictions that are checked before a connection is allowed.

A connection that hits one of these restrictions is blocked; if no restriction applies, the connection is allowed.

Global Rules are applied before or after Application Rules.

Syntax of Rules

Basic syntax

  • A rule's text can contain Filters, separated by new lines (\n)
  • A Filter can contain Filter Functions, separated by :
  • A Filter can contain Sub-Filters, wrapped in { and }
  • A Filter Function has an optional name and values
  • A Filter Function's values can be wrapped in ( and ), separated by , or a new line
  • A Filter Function can be negated with !
  • Use = to check that the local port/IP is equal to the remote one
  • Use # to start a comment that runs to the end of the line

Example:

104.21.5.235:udp(443)
172.67.154.192:udp(443)

This rule has 2 filters.

Example:

104.21.5.235:{
    udp(443) # HTTPS
    tcp(80):dir(in) # Inbound HTTP
}

This rule has 1 filter with several functions:

  • the IP should be "104.21.5.235"
  • AND ( the Port should be UDP 443 OR (TCP 80 AND incoming) )

Example:

1.1.1.1: !{ port(80):dir(out) }

Address 1.1.1.1 AND NOT (port 80 AND outgoing).

It's more effective to use a list of values in one filter function than several separate filters:

(
1.1.1.1
2.2.2.2
3.3.3.3
):(80, 443)

Possible Filter Function names

  • "ip": ip(1.1.1.1, 2.2.2.2/16, [::1]). The first filter function's name is "ip" by default.
  • "port": port(53, 80, HTTPS, 1024-3000). The filter function following an IP address is named "port" by default.
  • "local_ip"
  • "local_port"
  • "proto" or "protocol": proto(TCP, UDP, ICMP, ICMPv6, 97, 100-140)
  • "icmp_type": icmp_type(8, 10-18)
  • "icmp_code": icmp_code(0-9)
  • "ip_ver" or "ip_version": ip_ver(6)
  • "dir" or "direction": dir(IN, OUT)
  • "area": predefined network areas, area(LOCALHOST, LAN, INET, INTERNET)
  • "profile": the network interface's profile, profile(PUBLIC, PRIVATE, DOMAIN)
  • "act" or "action": action(ALLOW), action(BLOCK)
  • "tcp": tcp(...) is optimized sugar for { proto(TCP):port(...) }
  • "udp": udp(...) is optimized sugar for { proto(UDP):port(...) }
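As an added example (not Fort's own parser, and not code from the project), here is a small Python evaluator for the syntax above: filters separated by new lines are ORed, functions separated by : are ANDed, ! negates, { } nests, and unnamed functions default to "ip" and then "port". The tokenizer, the SERVICES port-name table and the layout of the connection dict are assumptions.

```python
import ipaddress
import re
# Added example, not Fort's parser: token rules, default names and SERVICES are assumed.
TOKEN = re.compile(r"[ \t]*(#[^\n]*|\n|\[[^\]]*\]|[!:{}(),]|[^\s!:{}(),#]+)")
SERVICES = {"HTTP": 80, "HTTPS": 443, "DNS": 53}  # assumed port-name table

def value_matches(name, val, conn):
    actual = conn.get(name)  # conn carries ip, port, proto, dir, local_ip, ... as needed
    if actual is None: return False
    if name in ("ip", "local_ip"):  # exact address or CIDR; IPv6 may be written [bracketed]
        return ipaddress.ip_address(actual) in ipaddress.ip_network(val.strip("[]"), strict=False)
    v = str(SERVICES.get(val.upper(), val.upper()))
    if isinstance(actual, int) and v.replace("-", "").isdigit():
        lo, _, hi = v.partition("-")  # "1024-3000" is a range, "53" a single value
        return int(lo) <= actual <= int(hi or lo)
    return str(actual).upper() == v  # proto/dir/area/profile compared by name

def matches(text, conn):
    """True when any filter of the rule text matches the connection dict."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith("#")]  # comments dropped
    def peek(k=0): return toks[k] if k < len(toks) else None
    def rule():  # filters separated by newline are ORed; also the body of { }
        hits = []
        while peek() not in (None, "}"):
            if peek() == "\n": toks.pop(0)
            else: hits.append(chain())
        return any(hits)
    def chain():  # functions separated by ':' are ANDed; parse all, no short-circuit
        hit, name = func(None)
        while peek() == ":" and toks.pop(0):
            h, name = func(name)
            hit = h and hit
        return hit
    def func(prev):
        neg = peek() == "!" and toks.pop(0)
        name = toks.pop(0).lower() if peek(1) in ("(", "{") and peek()[0].isalpha() else None
        if peek() == "{":  # sub-filters wrapped by { and }; the second pop eats '}'
            toks.pop(0); hit = rule(); toks.pop(0)
        else:
            if peek() == "(":  # value list up to ')', separated by ',' or newline
                vals = [t for t in iter(lambda: toks.pop(0), ")") if t not in ("(", ",", "\n")]
            else:
                vals = [toks.pop(0)]
            name = name or ("port" if prev == "ip" else "ip")  # default function names
            field = "port" if name in ("tcp", "udp") else name  # tcp(...) = proto(TCP):port(...)
            proto_ok = field == name or str(conn.get("proto")).upper() == name.upper()
            hit = proto_ok and any(value_matches(field, v, conn) for v in vals)
        return (not hit if neg else hit), name
    return rule()
```

Feeding the page's own rule texts to matches() with a few constructed connection dicts shows which filter each connection hits.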

Rule's settings

"Exclusive" Rule

You can turn on the Rule's "Exclusive" flag to skip the rule's preset rules when the rule's filters do not match. The flag only takes effect when the Rule's action is Allow.

Example: an Allowed Exclusive Rule with the text "profile(PUBLIC)" and its presets. When the current network profile is not Public (but Private or Domain), the Rule will not be processed.

"Terminating Rule"

You can turn on the Rule's "Terminating Rule" flag to set a mandatory action for the case when no other filters or preset rules have triggered.

Limits

  • rules max count = 1024
  • global rules max count = 64
  • rule's preset sub-rules max count = 32
  • rule's preset sub-rules max depth count = 8 (max level of preset sub-rules)
  • rule filters' max depth count = 7 (max level of {{{...}}})

Rule's filtering logic

If none of a Rule's filters or sub-rules apply to a connection, then the default action is used.

  1. If the rule is disabled, then IGNORE

  2. If the rule has Zones and the address is filtered by the Zones, then remember Zone-Or-Filter

  3. Else if the rule has Filters and the connection is filtered by the Filters, then remember Zone-Or-Filter

  4. If the rule is Exclusive and the rule's action is Allow:
     • If Zone-Or-Filter is not applied, then IGNORE

  5. Else if Zone-Or-Filter is applied, then APPLY

  6. If the rule has Preset Rules and any of them is filtered, then APPLY

  7. If the rule has a Terminating Rule, then APPLY

Global Rule's processing order

The global rules are processed in the same order as shown in the Rules window, i.e. sorted by the name field.

You can name the global rules like "01 Allow Some", "02 Block Some", ...

Examples

How to allow an Application, but only specific IP and port

Allow the app to connect only to the address 1.2.3.4 and port 9100

  • create an allowing App Rule named "Allow App to only some"
  • add the following text to the filters field:
1.2.3.4:9100
  • tick "Terminating Rule" and select "Block", so that any connection not matched by the filters is blocked.

The logic here:

  • if some filter matches the connection, then allow it
  • otherwise block it, by the terminating action

Caveat:

  • if you don't tick "Terminating Rule", then all connections will be allowed

Block all connections of the app except to the address 1.2.3.4 and port 9100

  • create a blocking App Rule named "Block App except some"
  • add the following text to the filters field:
!{
1.2.3.4:9100
}

The logic here:

  • if some filter matches the connection, then block it
  • otherwise allow it, as the app's default action
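The following Python model, added here and not Fort's code, walks through steps 1 to 7 of the filtering logic for one rule and then applies the app's default action, using the two App Rules from the examples just above. Zones and Filters are plain predicates over a constructed connection dict, and the reading that an Exclusive rule's matching filters only gate its presets follows the wording of steps 4 and 5.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Added example, not Fort's code: a model of filtering-logic steps 1 to 7 above.
# Zones and Filters are plain predicates over a connection dict (constructed here).
@dataclass
class Rule:
    action: str                                   # "ALLOW" or "BLOCK"
    enabled: bool = True
    zones: Optional[Callable] = None              # step 2
    filters: Optional[Callable] = None            # step 3
    exclusive: bool = False                       # step 4, "Exclusive" flag
    presets: list = field(default_factory=list)   # step 6, preset rules
    terminating: Optional[str] = None             # step 7, "Terminating Rule" action

def decide(rule: Rule, conn: dict):
    """Return ("APPLY", action) or ("IGNORE", None) for one rule."""
    if not rule.enabled:                                        # 1
        return "IGNORE", None
    zone_or_filter = bool(rule.zones and rule.zones(conn)) or bool(
        rule.filters and rule.filters(conn))                    # 2, 3
    if rule.exclusive and rule.action == "ALLOW":               # 4: filters only gate presets
        if not zone_or_filter:
            return "IGNORE", None
    elif zone_or_filter:                                        # 5
        return "APPLY", rule.action
    for preset in rule.presets:                                 # 6, nested presets recurse
        verdict, action = decide(preset, conn)
        if verdict == "APPLY":
            return "APPLY", action
    if rule.terminating:                                        # 7
        return "APPLY", rule.terminating
    return "IGNORE", None

def app_verdict(app_action: str, rules: list, conn: dict) -> str:
    """A "BLOCK" app is blocked at once; for "ALLOW" the first applied rule wins, else the default."""
    if app_action == "BLOCK":
        return "BLOCK"
    for rule in rules:
        verdict, action = decide(rule, conn)
        if verdict == "APPLY":
            return action
    return app_action

# The two App Rules from the examples above, as predicates (constructed sample).
def is_1234_9100(c):
    return (c["ip"], c["port"]) == ("1.2.3.4", 9100)

allow_only_some = Rule("ALLOW", filters=is_1234_9100, terminating="BLOCK")
block_except_some = Rule("BLOCK", filters=lambda c: not is_1234_9100(c))  # !{ 1.2.3.4:9100 }
```

Dropping the terminating action from allow_only_some reproduces the caveat: every unmatched connection falls through to the app's default Allow.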

How to set up a Kill-Switch for NekoBox

A "Kill-Switch" means that programs must connect to the Internet via NekoBox while it is running, and are blocked when NekoBox is not running.

About NekoBox in TUN mode

  • "172.19.*" addresses are added to the routing table:
> route print
===========================================================================
Interface List
  8...........................sing-tun Tunnel
...
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
...
       172.19.0.0  255.255.255.240         On-link        172.19.0.1    256
       172.19.0.1  255.255.255.255         On-link        172.19.0.1    256
      172.19.0.15  255.255.255.255         On-link        172.19.0.1    256
...
  • Programs connect to the Internet via "172.19.*" addresses:

(screenshot: fort-conn)

How to configure Kill-Switch in Fort Firewall for NekoBox (TUN or Proxy mode)

  • For Proxy mode, enable the option Options: IP Addresses: Local Area Network: "Filter Local Addresses (127.0.0.0/8)"

  • Create a Global Rule, applied after App Rules, to Block connections when the local address is 192.168.*:

(screenshot: fort-block)

  • Create an App Rule to Allow connections when the local address is 192.168.*:

(screenshot: fort-allow)

  • Assign the App Rule to nekobox_core.exe

How to configure Kill-Switch in Fort Firewall for NekoBox (TUN mode)

  • Create a Global Rule, applied before App Rules, to Allow connections when the local address is 172.19.*:

(screenshot: fort-global-allow)

  • Create a Global Rule, applied after App Rules, to Block connections when the local address is not 172.19.*:

(screenshot: fort-global-block)

  • Create an App Rule to Allow connections when the local address is not 172.19.*:

(screenshot: fort-allow)

  • Assign the App Rule to nekobox_core.exe:

(screenshot: fort-nekobox)