apernet / opengfw
OpenGFW is a flexible, easy-to-use, open source implementation of GFW (Great Firewall of China) on Linux
Home Page: https://gfw.dev/
License: Mozilla Public License 2.0
I suggest the author add support for the Darwin kernel,
and distinguish between Darwin (Intel) and Darwin (Apple Silicon) builds.
Following up on this issue: #94
After a static build, running it with the config and rules files set up according to the readme, it reports engine exited {"error": "exit status 1"}
root@router:/tmp# ./OpenGFW -c config.yaml rules.yaml
2024-03-12T12:39:04Z INFO engine started
2024-03-12T12:39:04Z DEBUG worker started {"id": 0}
2024-03-12T12:39:04Z DEBUG worker started {"id": 2}
2024-03-12T12:39:04Z DEBUG worker started {"id": 1}
2024-03-12T12:39:04Z DEBUG worker started {"id": 3}
2024-03-12T12:39:05Z DEBUG worker stopped {"id": 0}
2024-03-12T12:39:05Z DEBUG worker stopped {"id": 3}
2024-03-12T12:39:05Z INFO engine exited {"error": "exit status 1"}
2024-03-12T12:39:05Z DEBUG worker stopped {"id": 1}
2024-03-12T12:39:05Z DEBUG worker stopped {"id": 2}
Is there any other parameter that prints more messages?
Take effect automatically based on date/time, for example:
Block requests by comparing JARM fingerprints
# config.yaml
io:
  queueSize: 1024
  local: true
workers:
  count: 4
  queueSize: 16
  tcpMaxBufferedPagesTotal: 4096
  tcpMaxBufferedPagesPerConn: 64
  udpMaxStreams: 4096
# ruleset.yaml
- name: block alidns
  action: block
  expr: string(ip.dst) == "223.5.5.5"
Connection to an IP that should be blocked is established successfully.
Concretely, commands like ping 223.5.5.5 and nslookup baidu.com 223.5.5.5 get a response, but they should not behave like this.
By the way, blocking by other keywords, such as tls?.req?.sni or http?.req?.header?.host, all works properly, but ip.dst does not. Maybe ip.src does not either, but I have not checked it yet.
1. Socks5
2. Socks4
3. Socks4A
4. QUIC
5. Stratum
6. GBT
7. BetterHash
8. NiceHash
9. MEP
The above tests are relatively simple and require relatively large amounts of new ones.
The current drop is 100% packet loss; I suggest adding a config option that controls the probability that a packet is dropped.
Also, for TCP drop, packets could be held for 30s to produce a connection-timeout effect instead of a block.
Add a config option to hold a certain class of packets for a while before sending them (e.g. hold for 0.1s) to slow down the connection.
The Great Cannon is supposed to be when China's GFW inserts Javascript into every request and can weaponize every web browser and device connected to the internet as a DDOS botnet.
It cannot run on OpenWrt 23; I don't know whether this is related.
As the title says.
root@router:/tmp# ./OpenGFW -c config.yaml rules.yaml
bash: ./OpenGFW: cannot execute: required file not found
root@router:/tmp# opkg list | grep kmod-ipt-nfqueue
kmod-ipt-nfqueue - 6.1.81-1
root@router:/tmp# opkg list | grep iptables-mod-nfqueue
iptables-mod-nfqueue - 1.8.7-2
root@router:/tmp# opkg list | grep kmod-nf-conntrack-netlink
kmod-nf-conntrack-netlink - 6.1.81-1
It is human behaviour.
I read some of the source code and found that a network-layer analyzer has yet to be implemented. Is there any consideration of making it happen?
As the title says.
How should this error be resolved?
Also, the log output marks the error as INFO; isn't that a bit inappropriate?
2024-02-26T10:48:46-05:00 INFO engine exited {"error": "netlink receive: recvmsg: no buffer space available"}
Can it block OpenVPN?
How does this thing work? The GFW presumably obtains IP packets via port mirroring, i.e. deployed in parallel, right? Does this thing have to be inserted inline as a gateway?
As the title says: can OpenGFW block Hysteria, or can Hysteria break through OpenGFW's blocking?
This makes me eager to try it. I'll first ask GPT how to write a LuCI page and how to hook it up to the code; hopefully I can write a first crude version of the LuCI.
I noticed this constant and its description:
OpenGFW/analyzer/tcp/trojan.go, lines 14 to 27 at bc2e21e:
trojanUpUB
In Trojan-killer this is currently 750, while in OpenGFW it is 1000, which should increase the false-positive rate. Is this meant to match inner ECH? Off topic: back then I discussed with @yuhan6665 whether to name Trojan-killer XGFW, and we decided to leave that name for a gateway-style, comprehensive GFW.
Thanks!
Honestly, I knew a project this outrageous would show up. I'll star it first and see how it develops; it feels like it has great potential! 😝
failed to parse config {"error": "invalid config: io: running [/usr/sbin/iptables -t filter -C INPUT -m connmark --mark 1001 -j ACCEPT --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `connmark':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\n"}
As the title says.
How should I go about learning this project? As the title says, just read the source code directly? I had a look and didn't really understand it. It seems to use some Go library?
# block bilibili
- name: block bilibili http
  action: block
  expr: string(http?.req?.headers?.host) endsWith "bilibili.com"
- name: block bilibili https
  action: block
  expr: string(tls?.req?.sni) endsWith "bilibili.com"
# block csdn
- name: block csdn http
  action: block
  expr: string(http?.req?.headers?.host) endsWith "csdn.net"
- name: block csdn https
  action: block
  expr: string(tls?.req?.sni) endsWith "csdn.net"
https://www.csdn.net has been blocked properly, while https://www.bilibili.com cannot be.
Concretely, when visiting bilibili through https://www.bilibili.com in Chrome, the page is not accessible. But while the web browser keeps trying to reconnect automatically, there is a high probability that the page will eventually load successfully. After that, because an HTTP long-lived connection has been established, none of the follow-up operations are interrupted.
I found this happened on my:
Moreover, this problem only happens when the domain name resolves to more than one IP address. For example, I queried the DNS records for bilibili.com and csdn.net:
$ nslookup bilibili.com
Server: 210.31.0.9
Address: 210.31.0.9#53
Non-authoritative answer:
Name: bilibili.com
Address: 119.3.70.188
Name: bilibili.com
Address: 8.134.50.24
Name: bilibili.com
Address: 139.159.241.37
Name: bilibili.com
Address: 47.103.24.173
$ nslookup csdn.net
Server: 210.31.0.9
Address: 210.31.0.9#53
Non-authoritative answer:
Name: csdn.net
Address: 120.46.76.152
The result is that csdn can be blocked properly, while the former cannot. I am not sure whether there is any relation between this bug and the DNS records, but I think it is worth mentioning.
After testing, it seems that the core routers & switches' mirror ports' traffic is not currently supported. I enabled the promiscuous mode of the network card under CentOS7 for testing and found that there was no log output.
I hope to add this feature for the following reasons:
The company's security construction is relatively mature, and it is not possible to make major changes under the current circumstances, especially using self-built cores at key nodes. Therefore, I hope to add support for the detection of traffic on mirror ports, to find users with matching characteristics and intercept them through firewalls or AC devices (internet behavior management).
Please assess whether the requirement is feasible to be included in the plan.
I am worried that the Chinese government will learn from this project and strengthen the GFW, thereby causing losses to Chinese software developers, such as not being able to access their projects or being unable to contact the company they work for remotely.
For example, interfere with or block the IPs and domains from some subscription list (gfwlist); then the experience of building the wall would be no different from the real wall.
Actually, a faster way would be to use superpowers to bribe GFW staff and get the internal version out 😁
Solve the problem of ad blocking being held hostage by Surge/Quantumult X
One step further ahead of the GFW: intranet devices that don't install the certificate are not allowed to access the internet (runs away)
Hi
I heard that the TLS-in-TLS vulnerability exists in all TLS-based proxies, even VLESS XTLS.
Were you able to detect them too?
Could you please rate each proxy protocol / transport:
which ones have more false positives,
which ones consume more of the GFW's hardware resources to detect,
and also non-TLS proxies, so you can help us use more stealthy config combinations.
If you found a good way to detect torrent traffic, please help proxy cores detect it.
Thank you.
Besides reading the config from a file and using SIGHUP to reload it while the process is running, is there any plan to read the config from a configurable URL using HTTP polling or HTTP server push?