Personal digital firewall ruleset for Surge, focused on identifying potential communication threats at both the application-layer and transport-layer. It covers a broad range of suspicious behaviors including DNS poisoning, APT threat sources, SDK telemetry, Backdoor Communication, PCDN relay communication, C2 controllers, and other potentially malicious communications. The project also expands domain-based identification to major global advertising platforms, behavioral tracking services, and adult content sites, enabling users to achieve fine-grained local traffic identification and classification on iOS/macOS and define their own network policies.
In addition, the project incorporates rule sets targeting globally recognized high-risk threat infrastructures, including detection strategies for Pegasus spyware and its associated command-and-control infrastructure.
The project fully enforces encrypted DNS, rejecting plaintext queries to ensure secure and private communications. Even on devices lacking traditional security software — such as iPhones — Aegis provides effective protection at the network traffic layer.
The Aegis rule set is dedicated to identifying and classifying the following high-risk communication behaviors:
- Ad domain identification, behavioral tracking, and surveillance-style CDN nodes
- PCDN relay traffic and shared-bandwidth transmission
- Botnets, remote access Trojans, and malware C2 channels
- SDK telemetry and behavioral fingerprinting
- APT command-and-control (C2) infrastructure
- DNS poisoning / injection / hijacking behavior
Aegis is purpose-built for the Surge platform, fully compatible with both iOS and macOS. It offers high readability, auditability, and modular deployment — making it suitable for policy-based routing, communication analysis, and enhanced security configurations.
An optional advanced module — CA_Block.list — is also available, aimed at blocking globally controversial or publicly revoked root certificate authorities, OCSP responders, and CRL domains. This module is intended for users with heightened digital trust requirements, offering additional protection against man-in-the-middle attacks and malicious certificate chains.
Aegis adheres to technical neutrality, information transparency, and independent autonomy. I firmly believe every individual has the right to understand and control their network traffic. Therefore, Aegis does not accept any form of commercial investment or capital control. To ensure purity, trust, and security, all configurations are handcrafted and audited by me, with complete annotations to guarantee every rule is transparent, verifiable, and pollution-free.
| Module ID | Module Name | File Name | Description | Criteria |
|---|---|---|---|---|
| ① | Untrusted Certificate Authorities | CA_Block.list | Flags CA root certificates, OCSP endpoints, and CRL domains with known incidents of misuse or revocation. Recommended for scenarios requiring enhanced digital trust. (Advanced Module – Disabled by Default) | Involves cases of certificate misuse, unauthorized issuance, or public revocation records |
| ② | Advertising Domain Detection | AdDomain.list | Covers domains used in commercial advertising delivery, social pixel tracking, behavioral analytics, and third-party SDK statistics (Identification Module - Disabled by Default) | Identified based on behavioral patterns and data collection models, distinguished from telemetry-related communications |
| ③ | Adult Content Domain Detection | AdultDomain.list | Covers domains related to major global adult content platforms (Identification Module - Disabled by default) | Domains directly associated with adult content distribution |
| ④ | PCDN Communication Detection | PCDNDomain.list | Identifies link behaviors suspected to use “shared bandwidth” models, involving device relays, cache nodes, and distributed delivery networks (Identification Module - Disabled by Default) | Identified based on traffic patterns and node distribution consistent with multi-hop relay and cache characteristics |
| ⑤ | Traffic Inspection & Node Detection | InspectionDomain.list | Detects active network-level interventions such as DPI probing, DNS poisoning, HTTP injection, and MITM eavesdropping (Identification Module - Disabled by Default) | Identified based on traffic anomalies like tampering, redirection, and injection, commonly seen in manipulated network environments |
| ⑥ | Behavioral Analytics / Telemetry Node Detection | BehaviorDomain.list | Flags cloud service nodes with identifiable behavioral fingerprinting, including telemetry SDKs, analytics platforms, and behavioral modeling services (Identification Module - Disabled by Default) | Focused on behavior-analytic SDK communication patterns via DNS/TLS traffic; excludes ad or data-upload SDKs |
| ⑦ | Background Reconnections & Silent Communication Blocking | Background_Block.list | Identifies domains used by IoT, NAS, or SDKs for config uploads or device callbacks, aiding detection of stealth telemetry communications (Enabled by Default) | Focused on background connection behavior via callback frequency, paths, and data uploads; excludes ad and analytics SDKs |
| ⑧ | Backdoor Control & Implant Communication Blocking | Backdoor_Block.list | Blocks known malicious infrastructure involving remote access tools (RATs), reverse shells, heartbeat signals, etc. (Enabled by Default) | Clearly associated with malicious traffic or exploit backdoors |
| ⑨ | Botnet & Command Node Blocking | Botnet_Block.list | Blocks known botnet controllers, DDoS nodes, and mass-control infrastructure (Enabled by Default) | Based on public threat intelligence with confirmed attribution and verifiable IoCs |
| ⑩ | APT Threat Source Blocking | APT_Block.list | Blocks C2 infrastructure used by known APT groups, with national attribution tags and intelligence source references (Enabled by Default) | Derived from public threat intelligence with reliable attribution and IoC chains |
| ⑪ | Pegasus Spyware Communication Blocking | Pegasus_Block.list | Contains domains disclosed by Amnesty used by Pegasus spyware for C2 communication (Enabled by Default) | Based on Amnesty’s public disclosures of Pegasus C2 infrastructure, indicating high surveillance risk |
| ⑫ | Phishing Domain Blocking | Phishing_Block.list | Blocks domains associated with phishing attacks, including spoofed login pages, fake official sites, and links in deceptive emails. Typical targets of social engineering campaigns. (Enabled by Default) | Based on public threat intelligence with confirmed attribution and verifiable IoCs |
| ⑬ | Scam Domain Blocking | Scam_Block.list | Blocks suspicious domains with extremely low reputation, reported fraud, fake services, or user complaints. (Enabled by Default) | Based on public threat intelligence with confirmed attribution and verifiable IoCs |
Aegis is hosted on GitHub with an automated update mechanism, ensuring that all rule sets remain up-to-date and are fully compatible with remote subscription in Surge.
If configuration auto-reload is not enabled, you can manually refresh external resources or reload the profile to ensure the ruleset stays up to date.
Aegis follows the Semantic Versioning : vMAJOR.MINOR.PATCH e.g., Aegis v3.0.1,MAJOR=3、MINOR=0、PATCH=1
MAJOR (X) : Major changes in structure or compatibility 👉 Requires re-downloading the configuration and re-adding nodes
MINOR (Y) : New policy groups, new modules, or new features 👉 Recommended to re-download the configuration and re-add nodes
PATCH (Z) : Rule fixes, annotation updates, minor improvements 👉 No need to re-download the configuration; updating external resources is sufficient
💡 It is recommended to enable “Automatically reload when configuration is changed by external programs or remote updates” to ensure PATCH updates take effect automatically.
Aegis (CN): https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Surge/config/Spec/Aegis_CN.conf
Aegis (EN): https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Surge/config/Spec/Aegis_EN.conf
Aegis (CN): https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Surge/config/Spec/Aegis_IPv6_CN.conf
Aegis (EN): https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/Surge/config/Spec/Aegis_IPv6_EN.conf
💡 Note: Please choose the appropriate configuration based on your network environment. If your network natively supports IPv6, use the IPv6 version; otherwise, use the IPv4 version. Do not mix configurations, as this may result in request failures or DNS resolution issues.
Copy the configuration link → Open Surge → Download from URL → Paste the link → Edit in Text Mode → Replace your node with the correct parameter → Done!
Beginner-Friendly Surge Guide · macOS (4K) |Click the thumbnail to watch on YouTube
-
Rule Mode is mandatory — Aegis cannot perform any filtering, routing, or protection without it
Aegis is a personal digital firewall system built entirely on Surge’s Rule Mode. It relies on rule-based matching to classify domains, enforce policies, and block malicious traffic. Full functionality is only available when Surge is running in **Rule Mode**. If you switch to Global Mode or Direct Mode, while network access may still work, all rule matching will be bypassed, leading to the following risks: • Domains and IPs will not be classified correctly • All filtering mechanisms and strategy modules will be disabled • Core functions like traffic splitting, threat protection, and ad blocking will stop working If you encounter a domain temporarily inaccessible due to unmatched rules, you may **switch to Global Mode or Direct Mode temporarily** to regain access. However, we strongly recommend submitting an Issue immediately, so we can update the corresponding rule set and prevent future disruption.
-
It is recommended to combine China.list (for domain matching) and GEOIP,CN (for IP segments) for accurate detection of Chinese traffic:
RULE-SET,https://raw.githubusercontent.com/Thoseyearsbrian/Aegis/main/rules/China.list, DIRECT # Precisely matches Chinese domains GEOIP,CN,DIRECT # Matches traffic from Chinese IPs not in domain list FINAL,REJECT # Final fallback rule (do NOT place GEOIP below this)
-
Supports GEOIP query rules for countries outside mainland China, as the current database supports global country IP ranges.
GEOIP,US, PROXY # Valid GEOIP,AU, PROXY # Valid GEOIP,CN, DIRECT # Valid
-
Explanation for the message “tun-excluded-routes parameter configured, may cause issues after switching networks”
This message is not an error or conflict but a system-level reminder from Surge. It can be safely ignored in a fixed network environment. If you experience temporary LAN communication issues (e.g., AirDrop, Bonjour, or NAS) after switching networks such as Wi-Fi ↔ hotspot, select “Stop Proxy” → “Start Proxy” in the menu to rebuild the routing table and restore connectivity.
This project is built upon inspiration and reference from numerous outstanding open-source initiatives within the GitHub community. We extend our sincere gratitude to all developers who have contributed to the open-source ecosystem.
To meet personal cybersecurity requirements, this project has been deeply customized and optimized for enhanced security based on existing rule sets. In order to ensure the integrity, safety, and long-term availability of the project, all materials and rule files are self-hosted within this repository, thereby avoiding issues such as update failures or trust concerns arising from third-party dependencies.
@Rabbit-Spec 👉 The primary reference for the overall project architecture and rule logic. The current version has undergone extensive restructuring and security adaptation based on this foundation.
@AmnestyTech 👉 Provided Pegasus–related IOC data, serving as a key intelligence source for rule construction (CC BY 2.0 License).
@ESET 👉 Provides data from the public malware-ioc repository, serving as an important source of intelligence for APT-related rule development (BSD 2‑Clause License).
@mieqq 👉 A key contributor to the Chinese Surge community. The mieqq repository has consistently maintained a variety of rules and modules, playing a significant role in the early development and promotion of the ecosystem.
The above acknowledgements are listed in no particular order.If you believe your work is missing from the acknowledgements, please feel free to contact me — I will add it promptly.
This project is a non-profit, open-source security rule set aimed at helping users enhance their network defense capabilities. By using this project, you acknowledge that you have read, understood, and agreed to the following terms:
This project is a non-commercial, open-source security rule set intended to help users enhance their network security posture. By using this project, you acknowledge that you have read, understood, and agreed to the following terms:
- Third-Party Source Notice: Portions of this project reference publicly available threat intelligence (e.g., security community reports, threat databases, GitHub projects). All such references are properly cited. If you believe there is an issue, please contact us for correction or removal.
- Module Activation Statement: This project adheres to the principles of technological neutrality and information transparency. The rule set is designed to assist users in identifying potentially risky communication behaviors. All identification modules are disabled by default, and the formulation and activation of related policies are entirely at the discretion of the user. The project author assumes no responsibility for any communication risks arising from user configurations.
- False Positive Warning: As the rule sets may include generalized blocking strategies, users are advised to conduct thorough testing before deployment to ensure normal business operations are not affected. The project author bears no responsibility for connection disruptions, functional issues, or other consequences caused by false positives.
- Commercial Use Notice: This project is released under the Apache License 2.0. You are free to use it for both commercial and non-commercial purposes, provided you comply with the license terms, including attribution and documentation requirements. We strongly oppose abuse of the rule set for closed-source development, infringement of public interest, or any actions contrary to the spirit of open-source.
- No Warranty Clause: This project is provided “as is” without any express or implied warranties regarding its completeness, accuracy, timeliness, or suitability. Users must assess applicability on their own and bear all associated risks.
- Usage Restrictions: All rules and configuration files are intended solely for lawful purposes such as network defense, traffic identification, and security research. Any use for offensive actions, reverse engineering, audit bypassing, or illegal activities is strictly prohibited.
- Limitation of Liability: The project author shall not be held liable for any direct or indirect damages (including but not limited to data breaches, business disruption, or security failures) resulting from the use, replication, or distribution of this project.
- Right to Modify: The project author reserves the right to update, modify, or remove any content or disclaimer clauses at any time without prior notice. It is recommended that users periodically review the repository for the latest version.
Author’s Statement: This project does not engage in malicious activities, does not include hidden backdoors or monitoring mechanisms, does not promote proxy services, and contains no obfuscated or harmful logic. All rule contents are written in plain text, fully commented, structured clearly, and hosted solely within this repository for community review, audit, and traceability.
This project is licensed under the Apache License 2.0. You are free to use, modify, and distribute this project, even for commercial purposes.
We ask you to respect the spirit of open source:
- Keep original author credits and license text intact.
- Do not remove annotations or license statements.
- Do not exploit the rule set for closed-source monetization or abusive purposes.
Additionally, the Aegis project has enabled GPG commit signing to ensure the authenticity and integrity of its codebase. You can verify each commit via GPG signatures to gain higher assurance that the code has not been tampered with.