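# > Project Name:Aegis - Personal Digital Firewall Ruleset for Surge
# > Current Version:3.4.5
# > Maintenance Date:2026-01-09
# > Supported Environment:Surge 5(iOS / macOS)
# > Configuration Author:ThoseYearsBrian
# > Project Homepage:https://github.com/Thoseyearsbrian/Aegis
# > GeoIP2-CN (China Region GeoIP Database Build Scheme): https://github.com/Thoseyearsbrian/GeoIP2-CN
# > GeoLite2-ASN (Global ASN Database Building Solution): https://github.com/Thoseyearsbrian/GeoLite2-ASN
# > GeoIP2-Country (Global Country GeoIP Database Build Scheme): https://github.com/Thoseyearsbrian/GeoIP2-Country
# > Layout: one key per line, comments on their own line directly above the key they describe.
# > Surge does not treat text after a value as a comment, so no trailing comments are used on value lines.

[General]
# > Log Level
loglevel = notify
# > Show an error page in the browser when a request is rejected by a REJECT rule
show-error-page-for-reject = true
# > Allow Wi-Fi Access (LAN proxy sharing, recommended OFF)
allow-wifi-access = false
# > Allow Personal Hotspot Access (hotspot proxy sharing, recommended OFF)
allow-hotspot-access = false
# > All Hybrid Network Concurrency
all-hybrid = false
# > Test Timeout (seconds)
test-timeout = 3
# > Internet Test URL
internet-test-url = http://cp.cloudflare.com/generate_204
# > Proxy Test URL
proxy-test-url = http://cp.cloudflare.com/generate_204
# > GeoIP Database
# - Notice: Aegis does not provide any GeoIP database files. Users must build the database using their own MaxMind License Key
# - Note: The URL below is only an example of the recommended directory structure. After building the database, upload your generated file to this path manually
# - Build reference:
# - GeoIP2-CN (China region database build scripts and configuration): https://github.com/Thoseyearsbrian/GeoIP2-CN
# - GeoLite2-ASN (Global ASN Database Building Solution): https://github.com/Thoseyearsbrian/GeoLite2-ASN
# - GeoIP2-Country (Global country database build scripts and configuration): https://github.com/Thoseyearsbrian/GeoIP2-Country
geoip-maxmind-url = https://raw.githubusercontent.com/Thoseyearsbrian/GeoIP2-CN/main/data/GeoLite2-Country.mmdb
# > Exclude Simple Hostnames (prevents local hostname leakage)
exclude-simple-hostnames = true
# > Remote Controller (Recommended: Off)
http-api-web-dashboard = false
# > IPv6 Support (Recommended: Off)
ipv6 = false
# > IPv6 VIF (Recommended: Disable)
ipv6-vif = disabled
# > DNS SVCB/HTTPS Query (Recommended: Off)
allow-dns-svcb = false
# > Include Local Networks (recommended to enable; set to false if features like AirDrop, Bonjour, or Handoff do not work properly)
include-local-networks = true
# > Include Apple Push Services (set to true to include iCloud and notification traffic in proxy routing)
include-apns = true
# > Include Cellular Services (set to true to bypass ISP DNS hijacking)
include-cellular-services = true
# > Read DNS records from /etc/hosts first (static resolution to prevent DNS leak)
read-etc-hosts = true
# > Encrypted DNS Follows Outbound Proxy (Recommended: Off)
encrypted-dns-follow-outbound-mode = false
# > DNS Servers (encrypted resolvers, tried in the listed order)
encrypted-dns-server = https://dns.alidns.com/dns-query, tls://dns.alidns.com, tls://1.1.1.1, tls://1.0.0.1, https://dns.cloudflare.com/dns-query
# > DNS Hijacking (intercepts plaintext system DNS requests and forces internal resolution via Surge)
hijack-dns = *:53
# > Prioritize UDP (Recommended: On)
# - Also referred to as UDP Priority Mode (Gaming Mode)
udp-priority = true
# > Take Over All Network Interfaces (e.g., virtual NIC, shared network)
include-all-networks = true
# > UDP Fallback Behavior
# - What to do with UDP traffic whose matched policy cannot carry UDP. DIRECT sends such traffic out
# - unproxied, which bypasses the FINAL,REJECT default-deny below; REJECT is the stricter choice if
# - UDP leaving outside the proxy is a concern for your threat model
udp-policy-not-supported-behaviour = DIRECT
# > Skip Proxy for Local Addresses and Critical Services
skip-proxy = 127.0.0.1, localhost, *.local,10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 169.254.0.0/16, 198.18.0.0/15, 17.0.0.0/8, 224.0.0.0/4, 255.255.255.255, ::1, ::/128, ::ffff:0:0/96, fe80::/10, fc00::/7, fd00::/8, ff00::/8
# > Always Real IP (domains answered with their real address instead of a Surge fake IP; LAN names, OS connectivity checks and game/console services)
always-real-ip = *.local, *.lan, *.home, msftconnecttest.com, msftncsi.com, *.msftconnecttest.com, *.msftncsi.com, *.srv.nintendo.net, *.stun.playstation.net, xbox.*.microsoft.com, *.xboxlive.com, *.battlenet.com.cn, *.battlenet.com, *.blzstatic.cn, *.battle.net
# > Compatibility Mode
# NOTE(review): the original file carried the comment "If connected Wi-Fi is not the primary one in Surge, use default policy"
# NOTE(review): in this area; it does not describe any key present in this section and is kept here for the maintainer to re-home
compatibility-mode = false
# > Allow GEOIP Auto Update (key is a negation: false means auto update stays enabled)
disable-geoip-db-auto-update = false

[Proxy Group]
# > Policy Groups (The nodes listed below must correspond to those in the external nodes section. If a node is deleted from the external section, it must also be removed from the policy group.)
# - The first policy after "select" is the initial selection; the same node then appears again inside the ordered
# - list of all nodes, so it shows twice in the picker. Presumably intentional - verify if a cleaner list is wanted.
Proxy = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", "✈️ My Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Surge.png
Google Services = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Google.png
AI Assistant = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/ChatGPT.png
GitHub = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/GitHub.png
Telegram = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Telegram.png
Crypto = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Crypto.png
International Media = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node",icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/ForeignMedia.png
Mainland China Media = select, DIRECT, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/iQIYI.png
Microsoft = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Microsoft.png
Apple Services = select, DIRECT, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Apple.png
Gaming Platforms = select, DIRECT, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Game.png
WeChat = select, DIRECT, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/WeChat.png
# > External Nodes
# - Each regional group pulls nodes from "✈️ My Node" and keeps those whose name matches policy-regex-filter.
# - The filters are plain substring alternatives: short tokens such as (US), (HK), (Hong) or (Tai) can also match
# - unrelated node names (e.g. a node tagged AUS or RUS would be pooled into the United States group). Whether that
# - happens depends on how your subscription names its nodes - check the resulting group membership once.
# - Note: the group names use the 🇺🇲 flag while the United States filter matches 🇺🇸; the names are internally
# - consistent across this file, so they are kept as-is.
🇭🇰 Hong Kong Node = smart, include-other-group=✈️ My Node, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇭🇰)|(Hong Kong)|(Hong)|(HK), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Flags/hk.png
🇺🇲 United States Node = smart, include-other-group=✈️ My Node, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇺🇸)|(United States)|(States)|(US), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Flags/us.png
🇯🇵 Japan Node = smart, include-other-group=✈️ My Node, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇯🇵)|(Japan)|(JP), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Flags/jp.png
🇨🇳 Taiwan Node = smart, include-other-group=✈️ My Node, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇨🇳)|(Taiwan)|(Tai)|(TW), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Flags/cn.png
🇸🇬 Singapore Node = smart, include-other-group=✈️ My Node, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇸🇬)|(Singapore)|(SG), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Flags/sg.png
# - Replace "Your Subscribed Nodes" in policy-path with your own subscription URL; DIRECT is listed first so the
# - group is usable before any subscription is configured
✈️ My Node = select, DIRECT, policy-path=Your Subscribed Nodes, update-interval=86400, no-alert=true, hidden=false, include-all-proxies=true, icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Icons/Services/Final.png

[Rule]
# > Rules are evaluated top to bottom; the first match wins. Blocking modules therefore sit above all
# > allow/routing rules, and FINAL,REJECT at the bottom denies anything that matched nothing.
# > ① Untrusted Certificate Authorities - Advanced Module (Commented by default, manual activation required)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/CA_Block.list,REJECT,no-resolve
# > ② Advertising Domain Detection - Detection Module (Commented by default, user-defined activation)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/AdDomain.list,REJECT,no-resolve
# > ③ Adult Content Domain Detection - Detection Module (Commented by default, user-defined activation)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/AdultDomain.list,REJECT,no-resolve
# > ④ PCDN Communication Detection - Detection Module (Commented by default, user-defined activation)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/PCDNDomain.list,REJECT,no-resolve
# > ⑤ Traffic Inspection & Node Detection - Detection Module (Commented by default, user-defined activation)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/InspectionDomain.list,REJECT,no-resolve
# > ⑥ Behavioral Analytics / Telemetry Node Detection - Detection Module (Commented by default, user-defined activation)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/BehaviorDomain.list,REJECT,no-resolve
# > ⑦ Background Reconnections & Silent Communication Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Background_Block.list,REJECT,no-resolve
# > ⑧ Backdoor Control & Implant Communication Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Backdoor_Block.list,REJECT,no-resolve
# > ⑨ Botnet & Command Node Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Botnet_Block.list,REJECT,no-resolve
# > ⑩ APT Threat Source Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/APT_Block.list,REJECT,no-resolve
# > ⑪ Pegasus Spyware Communication Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Pegasus_Block.list,REJECT,no-resolve
# > ⑫ Phishing Domain Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Phishing_Block.list,REJECT,no-resolve
# > ⑬ Scam Domain Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Scam_Block.list,REJECT,no-resolve
# > ⑭ Risk Communication Observation List - Observation Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Quarantine_Block.list,REJECT,no-resolve
# > AI Assistant
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/OpenAI.list,AI Assistant
# > Apple Services
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Apple.list,Apple Services
# > GitHub
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/GitHub.list,GitHub
# > Crypto
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Crypto.list,Crypto
# > Microsoft
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Microsoft.list,Microsoft
# > Google Services
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Google.list,Google Services
# > Social Platforms
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Telegram.list,Telegram
# > Gaming Platforms
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/GamePlatforms.list,Gaming Platforms
# > WeChat
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/WeChat.list,WeChat
# > Streaming Media
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/ChinaMedia.list,Mainland China Media
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/GlobalMedia.list,International Media
# > Proxy
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Proxy.list,Proxy
# > China
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/China.list,DIRECT
# > Local Area Network Addresses
RULE-SET,LAN,DIRECT
# > Optional Regional GeoIP Routing (Disabled by default)
# - Purpose: Provides simplified international routing for general users and reduces access failures
# - Default: Disabled to maintain the Aegis firewall’s strong security policy (FINAL,REJECT)
# - Enable: Remove the leading “# ” to activate the corresponding regional routing entry
# - Database Notice: To use this module, switch your GeoIP database to a self-built GeoIP2-Country file (GeoIP2-CN cannot be used)
# - Build reference:
# - https://github.com/Thoseyearsbrian/GeoIP2-Country
# - Each description sits on its own line above its rule, so an uncommented rule carries no trailing text
# - Route US region traffic through proxy (enables access to US-based sites)
# GEOIP,US,Proxy
# - Route UK region traffic through proxy (enables access to UK-based sites)
# GEOIP,GB,Proxy
# - Route France region traffic through proxy (enables access to France-based sites)
# GEOIP,FR,Proxy
# - Route Germany region traffic through proxy (enables access to Germany-based sites)
# GEOIP,DE,Proxy
# - Route Russia region traffic through proxy (enables access to Russia-based sites)
# GEOIP,RU,Proxy
# - Route EU region traffic through proxy (enables access to most Europe-based sites)
# GEOIP,EU,Proxy
# - Route Australia region traffic through proxy (enables access to Australia-based sites)
# GEOIP,AU,Proxy
# - Route Japan region traffic through proxy (enables access to Japan-based sites)
# GEOIP,JP,Proxy
# - Route South Korea region traffic through proxy (enables access to Korea-based sites)
# GEOIP,KR,Proxy
# - Route Singapore region traffic through proxy (common Southeast Asia node)
# GEOIP,SG,Proxy
# > GEOIP Match for Mainland China
GEOIP,CN,DIRECT
# > Final Rule
# - Description: FINAL,REJECT is the default deny strategy in Aegis, ensuring that all traffic not explicitly allowed is blocked
# - Security: Keeping it as REJECT maintains the highest protection level, preventing unknown domains, suspicious requests, or potential attack traffic from bypassing the rules
# - Adjustment: Switching REJECT to Proxy may improve compatibility but will reduce overall security
# - Scenario: When access availability is the priority, you may change the Final rule to Proxy or simply use a global proxy/direct mode
FINAL,REJECT

[Host]
# > IPv6 loopback mapping
ip6-localhost = ::1
# > Local Router Login & Hotspot Identification (No need to specify DNS, leave it to system resolution)
routerlogin.net = system
router.asus.com = system
amplifi.lan = system
*.lan = system
_hotspot_.m2m = system
hotspot.cslwifi.com = system
# > Static records for dns.alidns.com, the hostname used by the first two entries of encrypted-dns-server
# - presumably pins the resolver's address so the encrypted DNS bootstrap does not depend on another lookup - verify
# NOTE(review): the same key is assigned three times; whether Surge keeps all three values or only one is not
# NOTE(review): established here - confirm against the Surge [Host] documentation before relying on the fallbacks
# - primary IPv4
dns.alidns.com = 223.5.5.5
# - secondary IPv4
dns.alidns.com = 223.6.6.6
# - IPv6 (only reachable when ipv6 = true in [General])
dns.alidns.com = 2400:3200::1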