From 1a24b62ed75c8d46839865b1653df483a9cbe205 Mon Sep 17 00:00:00 2001
From: vchikalkin
Date: Tue, 17 Mar 2026 15:31:46 +0300
Subject: [PATCH] nfqws: add files

---
 opt/etc/nfqws/ipset.list | 65 ++++++++++++++++++++++++++++++++++++++++
 opt/etc/nfqws/nfqws.conf | 54 +++++++++++++++++++++++++++++++++
 2 files changed, 119 insertions(+)
 create mode 100644 opt/etc/nfqws/ipset.list
 create mode 100644 opt/etc/nfqws/nfqws.conf

diff --git a/opt/etc/nfqws/ipset.list b/opt/etc/nfqws/ipset.list
new file mode 100644
index 0000000..704f481
--- /dev/null
+++ b/opt/etc/nfqws/ipset.list
@@ -0,0 +1,65 @@
+# # Roblox
+# 23.173.192.0/24
+# 103.140.28.0/23
+# 103.142.220.0/24
+# 103.142.221.0/24
+# 128.116.0.0/17
+# 141.193.3.0/24
+# 204.9.184.0/24
+# 204.13.168.0/24
+# 204.13.169.0/24
+# 204.13.170.0/24
+# 204.13.171.0/24
+# 204.13.172.0/24
+# 204.13.173.0/24
+# 205.201.62.0/24
+# 209.206.40.0/21
+# 2602:801:1000::/48
+# 2602:801:1001::/48
+# 2602:801:1002::/48
+# 2602:801:1003::/48
+# 2602:801:1004::/48
+# 2602:801:1005::/48
+# 2602:801:1006::/48
+# 2602:801:1007::/48
+# 2602:801:1008::/48
+# 2602:801:1009::/48
+# 2620:2b:e000::/48
+# 2620:2b:e001::/48
+# 2620:2b:e002::/48
+# 2620:135:6000::/40
+# 2620:135:6001::/48
+# 2620:135:6002::/48
+# 2620:135:6003::/48
+# 2620:135:6004::/48
+# 2620:135:6005::/48
+# 2620:135:6006::/48
+# 2620:135:6007::/48
+# 2620:135:6008::/48
+# 2620:135:6009::/48
+# 2620:135:600a::/48
+# 2620:135:600b::/48
+# 46.62.154.0/24
+
+# # Telegram
+# 91.108.56.0/22
+# 91.108.4.0/22
+# 91.108.8.0/22
+# 91.108.16.0/22
+# 91.108.12.0/22
+# 149.154.160.0/20
+# 91.105.192.0/23
+# 91.108.20.0/22
+# 185.76.151.0/24
+# 2001:b28:f23d::/48
+# 2001:b28:f23f::/48
+# 2001:67c:4e8::/48
+# 2001:b28:f23c::/48
+# 2a0a:f280::/32
+
+# Discord
+34.0.192.0/18
+35.192.0.0/11
+66.22.192.0/18
+104.16.0.0/13
+162.158.0.0/15
diff --git a/opt/etc/nfqws/nfqws.conf b/opt/etc/nfqws/nfqws.conf
new file mode 100644
index 0000000..805cf06
--- /dev/null
+++ b/opt/etc/nfqws/nfqws.conf
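Review bot: The active Discord block in ipset.list lists `35.192.0.0/11`, `104.16.0.0/13` and `162.158.0.0/15`, which look like shared Google Cloud and Cloudflare address space rather than Discord-only networks, so any rule keyed on this ipset will also touch traffic to unrelated services hosted in those ranges. Narrow them to the prefixes actually needed, or at least say so in the section header, e.g. `# Discord (the /11, /13 and /15 below are shared cloud/CDN ranges, not Discord-only)`. A line recording where the prefixes came from and when they were last checked would help whoever has to refresh this list; the same applies to the commented-out Roblox and Telegram blocks if they are meant to be re-enabled.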
@@ -0,0 +1,54 @@
+# Provider network interface, e.g. eth3
+# You can specify multiple interfaces separated by space, e.g. ISP_INTERFACE="eth3 nwg1"
+ISP_INTERFACE="eth3"
+
+# All arguments here: https://github.com/bol-van/zapret (search for `nfqws` on the page)
+# HTTP(S) strategy
+#NFQWS_ARGS="--dpi-desync=fakedsplit --dpi-desync-split-pos=1 --dpi-desync-ttl=0 --dpi-desync-repeats=16 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls-mod=padencap --dpi-desync-fake-tls=/opt/etc/nfqws/tls_clienthello.bin"
+#NFQWS_ARGS="--dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,midsld --dpi-desync-repeats=11 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls-mod=rnd,dupsid,sni=www.google.com"
+#NFQWS_ARGS="--dpi-desync=fake,multidisorder --dpi-desync-fake-tls=0x00000000 --dpi-desync-fake-tls=! --dpi-desync-split-pos=1,midsld --dpi-desync-repeats=2 --dpi-desync-fooling=badseq --dpi-desync-fake-tls-mod=rnd,dupsid,sni=www.google.com"
+#NFQWS_ARGS="--dpi-desync=fake,multisplit --dpi-desync-fake-tls=0x00000000 --dpi-desync-fake-tls=! --dpi-desync-split-pos=1,midsld --dpi-desync-repeats=2 --dpi-desync-fooling=badseq --dpi-desync-fake-tls-mod=rnd,dupsid,sni=www.google.com"
+NFQWS_ARGS="--ip-id=zero --dpi-desync=fake,multisplit --dpi-desync-split-seqovl=681 --dpi-desync-split-pos=1 --dpi-desync-fooling=ts --dpi-desync-repeats=8 --dpi-desync-fake-tls-mod=rnd,dupsid,sni=www.google.com"
+
+# QUIC strategy
+NFQWS_ARGS_QUIC="--filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=11 --dpi-desync-fake-quic=/opt/etc/nfqws/quic_initial.bin"
+
+# UDP strategy (doesn't use lists from NFQWS_EXTRA_ARGS)
+NFQWS_ARGS_UDP="--filter-udp=590-600,1400,3478-3481,5349,19294-19344,50000-65535 --filter-l7=discord,stun --dpi-desync=fake --dpi-desync-repeats=6"
+
+# Working modes, don't change
+MODE_LIST="--hostlist=/opt/etc/nfqws/user.list"
+MODE_ALL="--hostlist-exclude=/opt/etc/nfqws/exclude.list"
+MODE_AUTO="$MODE_LIST --hostlist-auto=/opt/etc/nfqws/auto.list --hostlist-auto-debug=/opt/var/log/nfqws.log $MODE_ALL"
+
+# $MODE_AUTO - automatically detects blocked resources and adds them to the auto.list
+# $MODE_LIST - applies rules only to domains in the user.list
+# $MODE_ALL - applies rules to all traffic except domains from exclude.list
+NFQWS_EXTRA_ARGS="$MODE_LIST"
+
+# IP-lists
+NFQWS_ARGS_IPSET="--ipset=/opt/etc/nfqws/ipset.list --ipset-exclude=/opt/etc/nfqws/ipset_exclude.list"
+
+# Custom arguments, e.g. NFQWS_ARGS_CUSTOM="--filter-tcp=80 --dpi-desync=fakedsplit --new --filter-tcp=443 --dpi-desync=fake"
+NFQWS_ARGS_CUSTOM=""
+
+# IPv6 support
+IPV6_ENABLED=0
+
+# TCP ports for iptables rules
+TCP_PORTS=443,2053,2083,2087,2096,8443
+
+# UDP ports for iptables rules
+UDP_PORTS=443,590:600,1400,3478:3481,5349,19294:19344,50000:65535
+
+# Keenetic policy name
+POLICY_NAME="nfqws"
+# Policy mode (0 - include, 1 - exclude)
+POLICY_EXCLUDE=0
+
+# Syslog logging level (0 - silent, 1 - debug)
+LOG_LEVEL=0
+
+NFQUEUE_NUM=200
+USER=nobody
+CONFIG_VERSION=8
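Review bot: The active settings in nfqws.conf reference `/opt/etc/nfqws/quic_initial.bin`, `user.list` and `ipset_exclude.list` (plus `exclude.list`, `auto.list` and `/opt/var/log/nfqws.log` under `$MODE_ALL`/`$MODE_AUTO`), but the diffstat shows this commit adding only ipset.list and nfqws.conf. If those files are expected to come from the installed package, a comment at the top would make the dependency explicit, for example `# Requires user.list, exclude.list, ipset_exclude.list and quic_initial.bin to already exist in /opt/etc/nfqws/`. Because the daemon is configured with `USER=nobody`, it is also worth noting that these files must be readable by that account, and that auto.list and the log must be writable by it if `$MODE_AUTO` is ever selected; when privileges are actually dropped should be confirmed against the init script, which is not part of this patch.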