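# > Project: Aegis - Surge personal digital firewall rule set
# > Version: 3.4.5
# > Maintained: 2026-01-09
# > Target: Surge 5 (iOS / macOS)
# > Author: ThoseYearsBrian
# > Homepage: https://github.com/Thoseyearsbrian/Aegis
# > GeoIP2-CN (China-region GeoIP database build): https://github.com/Thoseyearsbrian/GeoIP2-CN
# > GeoLite2-ASN (global ASN database build): https://github.com/Thoseyearsbrian/GeoLite2-ASN
# > GeoIP2-Country (global country GeoIP database build): https://github.com/Thoseyearsbrian/GeoIP2-Country
# > Layout: one key per line; every description sits on the line ABOVE the key or rule it explains, never after it on the same line.

[General]
# > Log level
loglevel = notify
# > Show an error page for rejected requests
show-error-page-for-reject = true
# > Allow access from Wi-Fi clients (LAN proxy sharing; recommended off)
allow-wifi-access = false
# > Allow access from personal-hotspot clients (hotspot proxy sharing; recommended off)
allow-hotspot-access = false
# > All Hybrid (concurrent use of all networks)
all-hybrid = false
# > Test timeout (seconds)
test-timeout = 3
# > Internet connectivity test URL
internet-test-url = http://cp.cloudflare.com/generate_204
# > Proxy latency test URL
proxy-test-url = http://cp.cloudflare.com/generate_204
# > GeoIP database
# - Note: Aegis ships no GeoIP data file; build your own database with your own MaxMind License Key
# - Hint: the URL below only illustrates the recommended directory layout; upload your generated database to the matching location
# - Build references:
#   - GeoIP2-CN (China-region build scripts and config): https://github.com/Thoseyearsbrian/GeoIP2-CN
#   - GeoLite2-ASN (global ASN database build): https://github.com/Thoseyearsbrian/GeoLite2-ASN
#   - GeoIP2-Country (global country build scripts and config): https://github.com/Thoseyearsbrian/GeoIP2-Country
geoip-maxmind-url = https://raw.githubusercontent.com/Thoseyearsbrian/GeoIP2-Country/main/data/GeoLite2-Country.mmdb
# > Exclude simple hostnames (prevents intranet hostnames from leaking to the proxy)
exclude-simple-hostnames = true
# > Remote controller / web dashboard (recommended off)
http-api-web-dashboard = false
# > IPv6 support (recommended off)
ipv6 = false
# > IPv6 VIF (recommended disabled)
ipv6-vif = disabled
# > SVCB/HTTPS DNS queries (recommended off)
allow-dns-svcb = false
# > Take over local-network traffic (recommended on; set to false if AirDrop, Bonjour or Handoff misbehave)
include-local-networks = true
# > Route Apple Push Notification service traffic through Surge (true here, so APNs / iCloud notification traffic is subject to the rules)
include-apns = true
# > Route cellular carrier service traffic through Surge (true here; helps avoid carrier DNS hijacking)
include-cellular-services = true
# > Read DNS records from /etc/hosts (static entries resolve first, so no DNS query is sent for them)
read-etc-hosts = true
# > Encrypted DNS requests follow the outbound proxy (recommended off)
encrypted-dns-follow-outbound-mode = false
# > Encrypted DNS servers (the dns.alidns.com bootstrap addresses are pinned in [Host] below)
encrypted-dns-server = https://dns.alidns.com/dns-query, tls://dns.alidns.com, tls://1.1.1.1
# > DNS hijack: intercept plaintext DNS sent by the system and force it through Surge's own resolver
hijack-dns = *:53
# > Prefer UDP (recommended on)
udp-priority = true
# > Take over all network interfaces (virtual NICs, shared networks, etc.)
include-all-networks = true
# > Fallback behaviour when the matched policy cannot relay UDP
udp-policy-not-supported-behaviour = DIRECT
# > Addresses that bypass the proxy: loopback, private / CGNAT / link-local ranges, Apple's 17.0.0.0/8, multicast and IPv6 local ranges
skip-proxy = 127.0.0.1, localhost, *.local,10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 169.254.0.0/16, 198.18.0.0/15, 17.0.0.0/8, 224.0.0.0/4, 255.255.255.255, ::1, ::/128, ::ffff:0:0/96, fe80::/10, fc00::/7, fd00::/8, ff00::/8
# > Domains that always resolve to a real IP rather than a fake IP: local / LAN names, captive-portal probes, game-console and Battle.net hosts
always-real-ip = *.local, *.lan, *.home, msftconnecttest.com, msftncsi.com, *.msftconnecttest.com, *.msftncsi.com, *.srv.nintendo.net, *.stun.playstation.net, xbox.*.microsoft.com, *.xboxlive.com, *.battlenet.com.cn, *.battlenet.com, *.blzstatic.cn, *.battle.net
# > Compatibility mode
compatibility-mode = false
# > Automatic GeoIP database updates (false = updates stay enabled)
disable-geoip-db-auto-update = false

[Proxy Group]
# > Policy groups. The region groups below are filled from "✈️ 我的节点"; if a node is removed from that external source it must be removed from these groups too.
# > Each policy is listed exactly once per group; the first entry is the default selection.
Proxy = select, 🇺🇲 美国节点, "🇭🇰 香港节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", "✈️ 我的节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Surge.png
谷歌服务 = select, 🇺🇲 美国节点, "🇭🇰 香港节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Google.png
智能助理 = select, 🇺🇲 美国节点, "🇭🇰 香港节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/ChatGPT.png
GitHub = select, 🇺🇲 美国节点, "🇭🇰 香港节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/GitHub.png
电报信息 = select, 🇺🇲 美国节点, "🇭🇰 香港节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Telegram.png
Crypto = select, 🇺🇲 美国节点, "🇭🇰 香港节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Crypto.png
国外媒体 = select, 🇺🇲 美国节点, "🇭🇰 香港节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/ForeignMedia.png
国内媒体 = select, DIRECT, "🇭🇰 香港节点", "🇺🇲 美国节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/iQIYI.png
微软服务 = select, 🇺🇲 美国节点, "🇭🇰 香港节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Microsoft.png
苹果服务 = select, DIRECT, "🇭🇰 香港节点", "🇺🇲 美国节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Apple.png
游戏平台 = select, DIRECT, "🇭🇰 香港节点", "🇺🇲 美国节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Game.png
WeChat = select, DIRECT, "🇭🇰 香港节点", "🇺🇲 美国节点", "🇸🇬 新加坡节点", "🇯🇵 日本节点", "🇨🇳 台湾节点", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/WeChat.png
# > Region groups (hidden): automatically pick nodes from "✈️ 我的节点" whose names match policy-regex-filter.
# NOTE(review): the short codes are plain substring patterns, so e.g. (US) would also pull in node names containing "AUS" or "RUS" — confirm against your node naming; the US group name shows the 🇺🇲 flag while its filter matches 🇺🇸, which only affects display.
🇭🇰 香港节点 = smart, include-other-group=✈️ 我的节点, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇭🇰)|(香港)|(Hong)|(HK), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Flags/hk.png
🇺🇲 美国节点 = smart, include-other-group=✈️ 我的节点, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇺🇸)|(美国)|(States)|(US), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Flags/us.png
🇯🇵 日本节点 = smart, include-other-group=✈️ 我的节点, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇯🇵)|(日本)|(Japan)|(JP), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Flags/jp.png
🇨🇳 台湾节点 = smart, include-other-group=✈️ 我的节点, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇨🇳)|(台湾)|(Tai)|(TW), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Flags/cn.png
🇸🇬 新加坡节点 = smart, include-other-group=✈️ 我的节点, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇸🇬)|(新加坡)|(Singapore)|(SG), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Flags/sg.png
# > Node source: replace the policy-path placeholder with your own subscription URL or local file (update-interval is in seconds)
✈️ 我的节点 = select, DIRECT, policy-path=你的节点, update-interval=86400, no-alert=true, hidden=false, include-all-proxies=true, icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Final.png

[Rule]
# > Rules are evaluated top to bottom, first match wins: blocking lists first, then service routing, then China / LAN direct, then FINAL.
# > ① Untrusted certificate authorities CA_Block.list - advanced module (commented out by default; enable manually)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/CA_Block.list,REJECT,no-resolve
# > ② Advertising detection - detection module (commented out by default; configure as needed)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/AdDomain.list,REJECT,no-resolve
# > ③ Adult content detection - detection module (commented out by default; configure as needed)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/AdultDomain.list,REJECT,no-resolve
# > ④ PCDN content-delivery detection - detection module (commented out by default; configure as needed)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/PCDNDomain.list,REJECT,no-resolve
# > ⑤ Monitoring node detection - detection module (commented out by default; configure as needed)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/InspectionDomain.list,REJECT,no-resolve
# > ⑥ Behaviour analytics and telemetry node detection - detection module (commented out by default; configure as needed)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/BehaviorDomain.list,REJECT,no-resolve
# > ⑦ Background call-home and silent communication blocking - blocking module (enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Background_Block.list,REJECT,no-resolve
# > ⑧ Backdoor control and implant communication blocking - blocking module (enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Backdoor_Block.list,REJECT,no-resolve
# > ⑨ Botnet and control node blocking - blocking module (enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Botnet_Block.list,REJECT,no-resolve
# > ⑩ APT attack-source blocking - blocking module (enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/APT_Block.list,REJECT,no-resolve
# > ⑪ Pegasus spyware communication node blocking - blocking module (enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Pegasus_Block.list,REJECT,no-resolve
# > ⑫ Phishing blocking - blocking module (enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Phishing_Block.list,REJECT,no-resolve
# > ⑬ Scam blocking - blocking module (enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Scam_Block.list,REJECT,no-resolve
# > ⑭ Risky-communication watch list - observation module (enabled by default)
# NOTE(review): described as a watch list but its action is REJECT, the same as the blocking modules — confirm that blocking, not just observing, is intended
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Quarantine_Block.list,REJECT,no-resolve
# > AI assistants
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/OpenAI.list,智能助理
# > Apple services
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Apple.list,苹果服务
# > GitHub
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/GitHub.list,GitHub
# > Crypto
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Crypto.list,Crypto
# > Microsoft services
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Microsoft.list,微软服务
# > Google services
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Google.list,谷歌服务
# > Telegram
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Telegram.list,电报信息
# > Game platforms
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/GamePlatforms.list,游戏平台
# > WeChat
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/WeChat.list,WeChat
# > Streaming media
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/ChinaMedia.list,国内媒体
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/GlobalMedia.list,国外媒体
# > Proxy
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Proxy.list,Proxy
# > China
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/China.list,DIRECT
# > LAN addresses
RULE-SET,LAN,DIRECT
# > Optional regional routing (off by default)
# - Purpose: gives ordinary users a simple way to route international traffic and reduce blocked access
# - Default: off, keeping the strict Aegis firewall policy (FINAL,REJECT)
# - Enable: delete the leading "# " on the corresponding rule line; each description is on the line above its rule, so the enabled line carries no trailing text
# - Database hint: to enable this module, switch the GeoIP database to your own GeoIP2-Country build
# - Build reference:
#   - GeoIP2-Country (global country build scripts and config): https://github.com/Thoseyearsbrian/GeoIP2-Country
# - United States traffic via proxy (enables access to US sites)
# GEOIP,US,Proxy
# - United Kingdom traffic via proxy (enables access to UK sites)
# GEOIP,GB,Proxy
# - France traffic via proxy (enables access to French sites)
# GEOIP,FR,Proxy
# - Germany traffic via proxy (enables access to German sites)
# GEOIP,DE,Proxy
# - Russia traffic via proxy (enables access to Russian sites)
# GEOIP,RU,Proxy
# - EU traffic via proxy (enables access to most European sites)
# GEOIP,EU,Proxy
# - Australia traffic via proxy (enables access to Australian sites)
# GEOIP,AU,Proxy
# - Japan traffic via proxy (enables access to Japanese sites)
# GEOIP,JP,Proxy
# - South Korea traffic via proxy (enables access to Korean sites)
# GEOIP,KR,Proxy
# - Singapore traffic via proxy (enables access to Singaporean sites)
# GEOIP,SG,Proxy
# > GEOIP match for mainland China
GEOIP,CN,DIRECT
# > Final rule (must stay last)
# - FINAL,REJECT is the Aegis default-deny policy: any traffic not explicitly allowed above is blocked
# - Security: keeping REJECT maintains the highest protection level, preventing unknown domains, suspicious requests or potential attack traffic from bypassing the rules
# - Adjustment: changing REJECT to Proxy improves access compatibility but lowers overall security
# - Scenario: where access takes priority, switch the Final rule to Proxy or use global proxy / direct mode instead
FINAL,REJECT

[Host]
# > IPv6 loopback mapping
ip6-localhost = ::1
# > Local router login and hotspot detection hosts (no address pinned; left to the system resolver)
routerlogin.net = system
router.asus.com = system
amplifi.lan = system
*.lan = system
_hotspot_.m2m = system
hotspot.cslwifi.com = system
# > Bootstrap addresses for the encrypted DNS server used in [General], so resolving dns.alidns.com never needs a plaintext lookup
# - Primary IPv4: 223.5.5.5; secondary IPv4: 223.6.6.6; IPv6: 2400:3200::1
# NOTE(review): the key is repeated three times; whether Surge keeps all entries or only the last one (the IPv6 address, while ipv6 = false) is not established here — confirm before relying on the fallbacks
dns.alidns.com = 223.5.5.5
dns.alidns.com = 223.6.6.6
dns.alidns.com = 2400:3200::1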