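# > Project Name: Aegis · Personal Digital Firewall Ruleset for Surge
# > Current Version: 3.6.0
# > Last Updated: 2026-04-10
# > Supported Environment: Surge 6 (iOS / macOS)
# > Configuration Author: ThoseYearsBrian
# > Project Homepage: https://github.com/Thoseyearsbrian/Aegis
#
# Layout conventions used in this file:
# - one setting per line; full-line "#" comments only, never trailing comments on a value line
#   (a trailing comment risks being read as part of the value)
# - the [Rule] section is evaluated top to bottom; the REJECT lists deliberately sit above
#   every service allow-list so a blocked host cannot be rescued by a later service match
# - FINAL,REJECT makes this a default-deny ruleset: anything not explicitly matched is dropped

[General]
# > Log Level
loglevel = notify
# > Show an error page in the browser when a request is rejected
show-error-page-for-reject = true
# > Allow Wi-Fi Access (LAN proxy sharing, recommended OFF)
allow-wifi-access = false
# > Allow Personal Hotspot Access (hotspot proxy sharing, recommended OFF)
allow-hotspot-access = false
# > All Hybrid Network Concurrency
all-hybrid = false
# > Test Timeout (seconds)
test-timeout = 3
# > Internet Testing URL
internet-test-url = http://connect.aliyun.com/generate_204
# > Proxy Testing URL
proxy-test-url = http://cp.cloudflare.com/generate_204
# > GeoIP Database
# NOTE(review): routing decisions (GEOIP rules below) depend on this file, and it is fetched from a
# user-maintained repository rather than the MaxMind distribution. Make sure that source is one you
# trust, or point this at a copy you control.
geoip-maxmind-url = https://raw.githubusercontent.com/Thoseyearsbrian/GeoIP2-Country/main/data/GeoLite2-Country.mmdb
# > Exclude Simple Hostnames (prevent local hostname leakage)
exclude-simple-hostnames = true
# > Web Dashboard (recommended OFF)
http-api-web-dashboard = false
# > IPv6 DNS Lookup (Recommended: Off)
ipv6 = false
# > Surge VIF IPv6 (recommended disabled)
ipv6-vif = disabled
# > DNS SVCB/HTTPS Queries (recommended OFF)
allow-dns-svcb = false
# > Include Local Networks (recommended to enable; set to false if features like AirDrop, Bonjour, or Handoff do not work properly)
include-local-networks = true
# > Include Apple Push Services in Proxy (true routes iCloud and notification traffic through the rules; false lets it bypass them)
include-apns = true
# > Include Cellular Services (set to true to bypass ISP DNS hijacking)
include-cellular-services = true
# > Read DNS records from /etc/hosts (prefer static resolution to prevent DNS leakage)
read-etc-hosts = true
# > Encrypted DNS Follows Outbound Proxy (Recommended: Off)
encrypted-dns-follow-outbound-mode = false
# > DNS Servers (encrypted only; resolver hostnames are pinned in [Host] below)
encrypted-dns-server = https://dns.alidns.com/dns-query, tls://dns.alidns.com, tls://1.1.1.1, tls://1.0.0.1, https://dns.cloudflare.com/dns-query
# > Hijack DNS (intercepts plaintext system DNS requests and forces internal handling by Surge)
# NOTE(review): this only captures classic port-53 queries; an app that speaks DoH/DoT to its own
# resolver is ordinary HTTPS/TLS traffic and is governed by the [Rule] section instead.
hijack-dns = *:53
# > UDP Priority (recommended OFF)
udp-priority = false
# > Whether to take over all network traffic (recommended ON in firewall mode)
include-all-networks = true
# > UDP Proxy Fallback (recommended REJECT)
udp-policy-not-supported-behaviour = REJECT
# > Skip Proxy (loopback, RFC 1918, CGNAT, link-local, benchmark, Apple, multicast and the IPv6 equivalents)
skip-proxy = 127.0.0.1, localhost, *.local, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 169.254.0.0/16, 198.18.0.0/15, 17.0.0.0/8, 224.0.0.0/4, 255.255.255.255, ::1, ::/128, ::ffff:0:0/96, fe80::/10, fc00::/7, fd00::/8, ff00::/8
# > Always Real IP (LAN names, captive-portal probes and console/game services that need the real address)
always-real-ip = *.local, *.lan, *.home, msftconnecttest.com, msftncsi.com, *.msftconnecttest.com, *.msftncsi.com, *.srv.nintendo.net, *.stun.playstation.net, xbox.*.microsoft.com, *.xboxlive.com, *.battlenet.com.cn, *.battlenet.com, *.blzstatic.cn, *.battle.net
# > Compatibility Mode (when enabled, some local addresses and critical services may bypass the proxy)
compatibility-mode = false
# > Automatic Update GEOIP database weekly (false = auto-update stays ON)
disable-geoip-db-auto-update = false

[Proxy Group]
# > Policy Groups
# The nodes listed below must correspond to those in the external nodes section. If a node is
# deleted from the external section, it must also be removed from the policy group.
# The first policy after "select" is the initial selection; each node appears once per group.
Proxy = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", "✈️ My Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/Surge.png
Google Services = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/Google.png
AI Assistant = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/ChatGPT.png
GitHub = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/GitHub.png
Telegram = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/Telegram.png
Crypto = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/Crypto.png
International Media = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/ForeignMedia.png
Mainland China Media = select, DIRECT, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/iQIYI.png
Microsoft = select, 🇺🇲 United States Node, "🇭🇰 Hong Kong Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/Microsoft.png
Apple Services = select, DIRECT, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/Apple.png
Gaming Platforms = select, DIRECT, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/Game.png
WeChat = select, DIRECT, "🇭🇰 Hong Kong Node", "🇺🇲 United States Node", "🇸🇬 Singapore Node", "🇯🇵 Japan Node", "🇨🇳 Taiwan Node", icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/WeChat.png

# > Regional smart groups, filled from "✈️ My Node" by policy-regex-filter
# NOTE(review): the short tokens in these filters (HK, US, JP, TW, SG, Tai) are unanchored
# substrings, so a subscription name such as "AUS" would also satisfy (US), and (🇨🇳) matches any
# node name carrying that flag, not only Taiwan entries. Check the filters against your actual
# node names; add word boundaries if they collide. The United States group name uses the 🇺🇲 flag
# while its filter matches 🇺🇸 — harmless, since the name is only a label.
🇭🇰 Hong Kong Node = smart, include-other-group=✈️ My Node, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇭🇰)|(Hong Kong)|(Hong)|(HK), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/flags/hk.png
🇺🇲 United States Node = smart, include-other-group=✈️ My Node, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇺🇸)|(United States)|(States)|(US), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/flags/us.png
🇯🇵 Japan Node = smart, include-other-group=✈️ My Node, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇯🇵)|(Japan)|(JP), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/flags/jp.png
🇨🇳 Taiwan Node = smart, include-other-group=✈️ My Node, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇨🇳)|(Taiwan)|(Tai)|(TW), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/flags/cn.png
🇸🇬 Singapore Node = smart, include-other-group=✈️ My Node, update-interval=0, no-alert=true, hidden=1, include-all-proxies=true, policy-regex-filter=(🇸🇬)|(Singapore)|(SG), icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/flags/sg.png

# > Subscription container: replace the policy-path placeholder with your own subscription URL.
# Every regional group above is built from this one, so it stays empty (DIRECT only) until that is done.
✈️ My Node = select, DIRECT, policy-path=Your Subscribed Nodes, update-interval=86400, no-alert=true, hidden=false, include-all-proxies=true, icon-url=https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/assets/icons/services/Final.png

[Rule]
# > ① Untrusted Certificate Authorities - Advanced Module (Commented by default, manual activation required)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/CA_Block.list,REJECT,no-resolve
# > ② Advertising Identification - Detection Module (Commented by default, user-defined activation)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/AdDomain.list,REJECT,no-resolve
# > ③ Adult Content Identification - Detection Module (Commented by default, user-defined activation)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/AdultDomain.list,REJECT,no-resolve
# > ④ PCDN Content Delivery Network Identification - Detection Module (Commented by default, user-defined activation)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/PCDNDomain.list,REJECT,no-resolve
# > ⑤ Link Interference & Monitoring Node Identification - Detection Module (Commented by default, user-defined activation)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/InspectionDomain.list,REJECT,no-resolve
# > ⑥ Behavior Analysis & Telemetry Node Identification - Detection Module (Commented by default, user-defined activation)
# RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/BehaviorDomain.list,REJECT,no-resolve

# > Blocking modules ⑦–⑭ are enabled by default. They are placed before every service allow-list on
# > purpose: rule order decides, so moving a service rule above them would let its domains bypass the blocks.
# > ⑦ Background Callback & Silent Communication Node Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Background_Block.list,REJECT,no-resolve
# > ⑧ Backdoor Control & Implant Communication Node Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Backdoor_Block.list,REJECT,no-resolve
# > ⑨ Botnet & Control Node Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Botnet_Block.list,REJECT,no-resolve
# > ⑩ Malware IOC Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Malware_IOC_Block.list,REJECT,no-resolve
# > ⑪ Pegasus Spyware Communication Node Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Pegasus_Block.list,REJECT,no-resolve
# > ⑫ Phishing Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Phishing_Block.list,REJECT,no-resolve
# > ⑬ Scam Blocking - Blocking Module (Enabled by default)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Scam_Block.list,REJECT,no-resolve
# > ⑭ Risk Communication Watchlist - Observation Module (Enabled by default; the only list carrying pre-matching)
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Quarantine_Block.list,REJECT,pre-matching,no-resolve

# > Service allow-lists (each routes to the policy group of the same name)
# > AI Assistant
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/OpenAI.list,AI Assistant
# > Apple Services
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Apple.list,Apple Services
# > GitHub
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/GitHub.list,GitHub
# > Crypto
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Crypto.list,Crypto
# > Microsoft
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Microsoft.list,Microsoft
# > Google Services
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Google.list,Google Services
# > Social Platforms
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Telegram.list,Telegram
# > Gaming Platforms
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/GamePlatforms.list,Gaming Platforms
# > WeChat
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/WeChat.list,WeChat
# > Streaming Media
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/ChinaMedia.list,Mainland China Media
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/GlobalMedia.list,International Media
# > Proxy
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/Proxy.list,Proxy
# > China
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/China.list,DIRECT
# > Local Area Network Addresses
RULE-SET,LAN,DIRECT

# > Optional Regional GeoIP Routing (Disabled by default)
# - Purpose: Provides simplified international routing for general users and reduces access failures
# - Default: Disabled to maintain the Aegis firewall’s strong security policy (FINAL,REJECT)
# - Enable: Remove the leading “# ” from the GEOIP line to activate the corresponding regional routing entry
# - Each GEOIP line is kept free of trailing text so that uncommenting it yields a clean rule
# US region traffic routed through proxy
# GEOIP,US,Proxy
# UK region traffic routed through proxy
# GEOIP,GB,Proxy
# France region traffic routed through proxy
# GEOIP,FR,Proxy
# Germany region traffic routed through proxy
# GEOIP,DE,Proxy
# Russia region traffic routed through proxy
# GEOIP,RU,Proxy
# EU region traffic routed through proxy
# GEOIP,EU,Proxy
# Australia region traffic routed through proxy
# GEOIP,AU,Proxy
# Japan region traffic routed through proxy
# GEOIP,JP,Proxy
# South Korea region traffic routed through proxy
# GEOIP,KR,Proxy
# Singapore region traffic routed through proxy
# GEOIP,SG,Proxy

# > GEOIP Match for Mainland China
GEOIP,CN,DIRECT

# > Final Rule
# - Description: FINAL,REJECT is the default deny strategy in Aegis, ensuring that all traffic not explicitly allowed is blocked
# - Security: Keeping REJECT maintains the highest protection level and prevents unknown domains, suspicious requests, or potential attack traffic from bypassing the rules
# - Scenario: If access priority is required, the Final rule can be switched to Proxy to improve compatibility, but overall security will be reduced accordingly
FINAL,REJECT

[Host]
# > IPv6 loopback mapping
ip6-localhost = ::1
# > Local Router Login & Hotspot Identification (No need to specify DNS, leave it to system resolution)
routerlogin.net = system
router.asus.com = system
amplifi.lan = system
*.lan = system
_hotspot_.m2m = system
hotspot.cslwifi.com = system
# > Static addresses for the encrypted-DNS endpoint listed in [General]
# NOTE(review): presumably these pin dns.alidns.com so the DoH/DoT server can be reached without a
# plaintext bootstrap lookup — confirm. The same host is assigned three times; whether Surge keeps
# all three addresses or only one of them is defined by Surge, not by this file — verify in the
# Surge documentation. dns.cloudflare.com, also listed in encrypted-dns-server, has no entry here.
# Primary IPv4
dns.alidns.com = 223.5.5.5
# Secondary IPv4
dns.alidns.com = 223.6.6.6
# IPv6
dns.alidns.com = 2400:3200::1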