paoloaztig
Merry Christmas !!!
Here is the third and final part of my story, friends... I know that many of you already know how to make prx configs and are good at it, but for those who don't yet, you can take the time to read this to understand Postern better.
Now let's talk about the contents of the prx config file, such as RULE, PROXY SERVER, PROXY GROUP, GEOIP and Matching Method…
Credits to the GitHub page where I got the information on the Postern User Guide!!!
RULE
The RULE says what to do with a request and how to handle the data traffic...
There are three (3) things Postern can do with an initiated request when you access a site, and this is stated in the RULE...
1) It can block it (Reject)
2) It can direct it to a Proxy Server
3) It can also send it straight to the Destination Host (Direct)
Ex.
[RULE]
#ADBlock
DOMAIN-KEYWORD,adsmogo,REJECT
DOMAIN-SUFFIX,doubleclick.net,REJECT
#Keyword and Suffix, Proxy
DOMAIN-KEYWORD,facebook,paoloaztig
DOMAIN-SUFFIX,amazon.com,paoloaztig
DOMAIN,m.youtube.com,paoloaztig
#Keyword and Suffix, Direct
DOMAIN-KEYWORD,twitter,DIRECT
DOMAIN-SUFFIX,instagram.com,DIRECT
DOMAIN,www.rt.com,DIRECT
Basically, Postern will choose one of the above three options when it sees a connection and its data, based on the rules you pass in. For example, some apps visit certain sites to fetch ads. You might want to tell Postern to block these access attempts with a rule. Another example is when you want to hide your IP address when visiting certain sites; then you might want to add a rule that tells Postern to direct traffic to these sites through your proxy server.
Rules play the most important role. Postern manages all traffic on your device entirely based on the rules you configure.
2 Categories of Matching Method in Configuring RULE
1) Domain Name-Based Method Group
1.1. Match domain keyword (DOMAIN-KEYWORD)
When the rule-specified string matches any substring of the domain, the rule is considered a match.
Eg : DOMAIN-KEYWORD,google,REJECT
[hidden link], [hidden link] will match this rule, meaning any access attempts to these sites will be rejected. But [hidden link] won’t match this rule.
1.2. Match domain suffix (DOMAIN-SUFFIX)
When the rule-specified string is the domain’s suffix, the rule is considered a match.
Eg : DOMAIN-SUFFIX, google.com, Proxy
[hidden link], mail.google.com will match this rule and all traffic to these sites will go through your proxy named ‘Proxy’. In the meantime, [hidden link] will not match this rule.
1.3. Perfect Match domain (DOMAIN)
Only when the rule-specified string perfectly matches the domain name, will the rule be considered a match.
Eg : DOMAIN, [hidden link], Proxy
Only [hidden link] matches this rule and all traffic to this site will go through your proxy named ‘Proxy’. mail.google.com, [hidden link] will not match this rule.
2. IP-address-based method group, which contains 2 different types of method:
2.1. Match an IP address’s country
When the IP address’s country matches the one specified in the rule, the rule is considered a match.
Eg : GEOIP, US, DIRECT
Your access to any US-based server with a public IP address will match this rule. Eg, an attempt to access [hidden link] (216.58.216.4) will match this rule.
2.2. Match an IP address’s CIDR
A rule defines an IP subnet; when an IP address matches this subnet, the rule is considered a match.
Eg: IP-CIDR, 192.168.0.0/16, DIRECT
All access to 192.168.1.10, 192.168.100.1 matches this rule.
Another match method is defined to match any addresses:
3. Match all
For any domain names or IP addresses, the rule is considered a match.
Eg: FINAL, DIRECT
This rule usually comes last in a rule set (hence the name). That means when Postern has failed to find a rule for access to a certain destination, this rule will be the final match.
Ordering of Rules
Those of you who have dealt with route tables must know a thing or two about ordering. A destination usually can match more than one rule in a rule set. In such cases, the first matched rule is used. An example is as below:
[Rule]
DOMAIN-KEYWORD, google, DIRECT
DOMAIN-SUFFIX, google.com, REJECT
DOMAIN, [hidden link], Proxy
When your browser initiates a new connection to [hidden link], all three rules may apply, and they are telling Postern to do different things. In cases like this, Postern always chooses the first rule that it finds is a match. In this case, Postern lets your browser access [hidden link] directly.
PROXY SERVER
Actually, we have already shown you how a proxy server is defined in the configuration file, in the examples above. Proxy servers are grouped together and defined in the [Proxy] section, as below.
[Proxy]
Proxy = shadowsocks, 11.22.33.44, 1080, aes-256-cfb, password
Proxy2 = ssh, 22.33.44.55, 22, username, password
Two different proxy servers are defined, named ‘Proxy’ and ‘Proxy2’ respectively. Their names are referenced in the [Rule] section. On the right side of ‘=’, from left to right, the type of the server, the server’s address, the server’s port, username and password are specified. It should be noted that names of proxy servers must contain alphabetic characters, digits and underscores only. Some more details about the various fields required to define a proxy server (the items on the right side of ‘=’):
1. Type of Proxy server
Currently up to 5 different types of proxy servers are supported:
SSH – SSH tunnel (RFC 4254)
SOCKS5 – The standard SOCKS5 tunnel (RFC 1928)
HTTP CONNECT – The standard HTTP CONNECT method (RFC 2817)
Shadowsocks – A popular encrypted tunneling method invented in China
GFW.PRESS – An encrypted tunneling method invented in China
2. Proxy Server Address
This field can be an IP address or domain name of your proxy server. In the example above, ‘Proxy2’ is an SSH server at 22.33.44.55
3. Proxy Server Port
This field is the port number of your proxy server.
4. Username/Encryption for Shadowsocks
Username to log in to your proxy server. For the Shadowsocks protocol, no username is needed, so this field is the encryption used on the proxy server. Please refer to the Shadowsocks protocol specifications (mostly its source code) for a list of encryption types.
5. Password
Used in conjunction with the username to log in to the server.
PROXY GROUP
You may have many rules in your rule set, many of which point to the same proxy server. But you may want different proxy servers when you are at home on WIFI and when you are outside using your carrier’s data service. It is a lot of trouble to maintain two different configuration files, or to manually change each rule when you switch between two different networks. Here’s where proxy groups can play their role. A proxy group corresponds to a list of different actions. When you change the current selection of a proxy group, all rules that use this proxy group will switch to that new selection and use it as the new action.
An example is as below:
[Proxy]
Proxy_WIFI = SSH, 11.22.33.44, 22, username, password
Proxy_4G = Shadowsocks, 22.33.44.55, 8888, aes-256-cfb,password
[Proxy Group]
ProxyG = select, Proxy_WIFI, Proxy_4G
[Rule]
DOMAIN-SUFFIX, google.com, ProxyG
DOMAIN-SUFFIX, twitter.com, ProxyG
‘REJECT’ and ‘DIRECT’ can also be used as proxy group options. To do that, you define pseudo proxy servers in the [Proxy] section. Below is an example.
[Proxy]
Pseudo_REJECT = REJECT
Pseudo_DIRECT = DIRECT
MyProxy = https,1.2.3.4,443,username,password
[Proxy Group]
ProxyG = select, Pseudo_REJECT, Pseudo_DIRECT, MyProxy
[Rule]
DOMAIN,[hidden link]
DOMAIN-SUFFIX, twitter, ProxyG
GEOIP Supported Country Codes
GEOIP allows you to distribute data traffic based on the geo-location it is going to. For example, a proxy app has a feature that puts traffic destined for foreign servers through a specified proxy server, but lets data for domestic servers go directly to their destination hosts. The configuration file is as below:
[Proxy]
MyProxy=Shadowsocks,22.33.44.55, 8888, aes-256-cfb,password
[Rule]
GEOIP,CN,DIRECT
FINAL,MyProxy
There are two rules in total. The first one tells Postern to use a direct connection when it sees an access attempt to a Chinese host. The other rule tells Postern to use proxy ‘MyProxy’ for all the rest of the data. If you happen to have multiple proxy servers residing in different countries, you can use these proxy servers to accelerate your data traffic to these countries. A configuration for that is as below.
[Proxy]
HK_Proxy=Shadowsocks,22.33.44.55, 8888,aes-256-cfb,password
US_Proxy=SSH,1.2.3.4,22,username,password
JP_Proxy=HTTPS,2.3.4.5,1080,username,password
GB_Proxy=SOCKS5,5.6.7.8,10080,username,password
[Rule]
GEOIP,HK,HK_Proxy
GEOIP,US,US_Proxy
GEOIP,JP,JP_Proxy
GEOIP,GB,GB_Proxy
In this example, you have proxy servers in Hongkong, USA, Japan and Britain. For traffic destined for Hongkong, the proxy server in HK is used. Traffic destined for other countries is distributed to the corresponding proxy servers in the same way.
NOTE: Data distribution based on GEOIP rules depends largely on your DNS servers. If your DNS servers return incorrect IPs for certain domain names, you may not see the expected outcome from your rules.
Postern now supports up to 236 countries and regions, as listed below. Each country or region is represented by a 2-character code. You may refer to [hidden link] for more details.
ZA EG ZW LR KE GH NG TZ
MU ZM MG AO NA CI SD CM
MW GA ML BJ TD BW LY CV
RW CG UG MZ GM LS MA DZ
GN CD SZ BF SO SL NE CF
TG SS BI GQ SC SN MR DJ
RE TN YT ST GW KM ET ER
AU CN JP TH IN MY KR SG
TW HK PH VN NZ BD PK ID
NP PG TK KH MO MV AF NC
FJ MN WF MM LA LK BN AE
NR NL GU VU BT WS FM PF
TL TO GB MP TR US NU SB
KI PW NF BS BZ VG CA MH
FR IR SE AS KP NO TV IO
CK KY PR BB VC JM BM DE
TC VI DM AG PM MF GD AI
MQ GP CZ FI CH IT BE BL
LC KN MS ES LU AT IL IE
DO MX AR TT CO VE BO BR
CR CL UY PY CW HN PA SV
SX PE EC GY GT NI BQ AW
HT CU GF SR EU RU KZ PT
GR SA DK SY UA CY IQ RO
LB GE AZ PS LT OM RS IS
HU BG SI MD MK EE LI HR
PL BA LV JO KG IM AM YE
BY GI SK MT QA AL JE SM
KW ME TJ UZ BH GL VA FO
GG MC AD TM
Our configurations may not be perfect, but what matters is that we got them working… What you have read is only a guide on how to make a proper prx config for Postern… But it is still better if we ourselves try things out and work out our own approach…
Note: If you know how to research well, there are new secrets and techniques that you can add to your configuration. We won't release them for now, and it is up to you to look for them… Sharpen your mind and put the power of free imagination to work…. Good luck and thank you very much for reading!!!
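The first-match ordering described under "Ordering of Rules" means a broad rule placed early can silently disable the rules after it. The following is an added example, not part of the original post and not Postern's own code: it evaluates a [Rule] section the way the guide words it and reports rules that can never fire. The function names are hypothetical, the sample rule set is constructed, DOMAIN-SUFFIX is assumed to be a plain string suffix, GEOIP is not evaluated, and the shadow check covers only domain rules and FINAL.

```python
import ipaddress

# Constructed sample; mail.google.com stands in for the hostname hidden on the page.
SAMPLE = """
[Rule]
DOMAIN-KEYWORD, google, DIRECT
DOMAIN-SUFFIX, google.com, REJECT
DOMAIN, mail.google.com, Proxy
IP-CIDR, 192.168.0.0/16, DIRECT
FINAL, Proxy
"""
DOMAIN_METHODS = ("DOMAIN-KEYWORD", "DOMAIN-SUFFIX", "DOMAIN")

def parse_rules(text):
    """Return [(method, pattern, action)] from the [Rule] section."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_rules = line.strip("[]").lower() == "rule"
        elif in_rules and line and not line.startswith("#"):
            fields = [f.strip() for f in line.split(",")]
            if fields[0].upper() == "FINAL" and len(fields) == 2:
                fields.insert(1, None)  # FINAL has no pattern
            if len(fields) != 3:  # e.g. a missing comma before the action
                raise ValueError(f"malformed rule: {line!r}")
            rules.append((fields[0].upper(), fields[1], fields[2]))
    return rules

def matches(method, pattern, dest):
    """Apply one matching method to a destination (hostname or IP string)."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None
    if method == "FINAL":
        return True
    if method == "IP-CIDR":
        return addr is not None and addr in ipaddress.ip_network(pattern)
    if addr is not None or method not in DOMAIN_METHODS:
        return False  # GEOIP needs a country database; not evaluated here
    host, pattern = dest.lower().rstrip("."), pattern.lower()
    return {"DOMAIN-KEYWORD": pattern in host,
            "DOMAIN-SUFFIX": host.endswith(pattern),  # assumed plain suffix
            "DOMAIN": host == pattern}[method]

def decide(rules, dest):
    """First matching rule wins: return (index, action), or None."""
    return next(((i, a) for i, (m, p, a) in enumerate(rules)
                 if matches(m, p, dest)), None)

def covers(earlier, later):
    """True if every destination `later` matches is also matched by `earlier`."""
    (m1, p1, _), (m2, p2, _) = earlier, later
    if m1 == "FINAL":
        return True
    if m1 not in DOMAIN_METHODS or m2 not in DOMAIN_METHODS:
        return False
    p1, p2 = p1.lower(), p2.lower()
    if m1 == "DOMAIN-KEYWORD":
        return p1 in p2
    if m1 == "DOMAIN-SUFFIX":
        return m2 != "DOMAIN-KEYWORD" and p2.endswith(p1)
    return m2 == "DOMAIN" and p1 == p2

def shadowed(rules):
    """Return [(rule_index, covering_index)] for rules that can never fire."""
    pairs = ((j, next((i for i in range(j) if covers(rules[i], r)), None))
             for j, r in enumerate(rules))
    return [(j, i) for j, i in pairs if i is not None]
```

On the sample, `shadowed(parse_rules(SAMPLE))` flags the REJECT and Proxy rules as unreachable behind the keyword rule, which is the situation the ordering example describes.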