shadowsocks / shadowsocks-rust

A Rust port of shadowsocks
https://shadowsocks.org/
MIT License

Possible to add [outbound_block_list] to ss-local? #1349

Open macruspareto opened 11 months ago

macruspareto commented 11 months ago

Hello everyone !

I'm running ss-local on a Win machine and it tunnels everything to an instance in Amazon cloud. (I don't own it, it's a semi-public, semi-private server).

Would be great to have ACL rules and make some IP ranges unreachable for the local apps using the tunnel.

And while there is an option for ss-server ("outbound_block_list"), I can't see any reason why it's not there for ss-local?

All the code is probably already there and would require a copy-paste (ss-server -> ss-local) without any major overhaul?

zonyitoo commented 11 months ago

The “outbound” of sslocal is the addresses of ssservers.

macruspareto commented 11 months ago

Ok then, is there any way to null-route some outbound requests at ss-local?

There's an option called "bypass_list" for ss-local ACL. It would route the request directly (and not through the tunnel). Perhaps, a small patch could make it parse the same list of IP ranges and treat it as a blacklist?

Think of it as a part of ad-blocking or malware-blocking.

zonyitoo commented 11 months ago

I don’t think this is necessary. For servers, we should “reject” the connections that have wrong or malicious targets, for example, 127.0.0.1. The servers’ job is to decrypt and relay all traffic from locals (inbounds) to target servers (outbounds).

For locals, their job is to provide proxy services for local clients, and relay all traffic to servers.

So for servers, we need to set which locals’ connections should be “accepted” or “blocked”, and which “outbound” targets should be blocked. For locals, we only need to decide which connections should be relayed (proxied) to servers and which should be bypassed directly.

The local server is running on your own machine, so why would you want to “block” yourself from connecting to some targets? For users that use proxies, a common request is: let some of the connections go out directly instead of being proxied to remote servers.

As for your requirement, if you want some of the targets to be excluded from being proxied to remote servers, just put them into the bypass_list.
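The split described in this thread, as an added illustration that is not code from shadowsocks-rust: a small evaluator that reads ACL sections and answers the two different questions an sslocal (proxy or bypass?) and an ssserver (relay or block?) ask about a target. The sample ACL files are constructed; the rule syntax (one IP/CIDR or hostname regex per line) and the precedence order bypass_list, then proxy_list, then the [proxy_all]/[bypass_all] default are assumptions about the ACL format, not taken from the thread.

```python
import ipaddress
import re

# Constructed sample ACL for sslocal: proxy everything except private ranges
# and a hostname pattern (a stand-in for an ad/tracking domain).
LOCAL_ACL = """
[proxy_all]
[bypass_list]
127.0.0.0/8
192.168.0.0/16
(^|\\.)ads\\.example$
"""

# Constructed sample ACL for ssserver: refuse to open outbound connections
# to loopback or the server's internal network, whatever a client requests.
SERVER_ACL = """
[outbound_block_list]
127.0.0.0/8
10.0.0.0/8
"""


def parse_acl(text):
    """Return {section: [rules]}; a rule is an ip_network or a compiled regex."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"rule outside any section: {line}")
        try:
            rule = ipaddress.ip_network(line, strict=False)  # CIDR rule
        except ValueError:
            rule = re.compile(line)  # hostname regex rule (assumed syntax)
        sections[current].append(rule)
    return sections


def matches(rules, target):
    """True if target (IP literal or hostname) matches any rule in the list."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a hostname
    for rule in rules:
        if isinstance(rule, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if addr is not None and addr in rule:
                return True
        elif addr is None and rule.search(target):
            return True
    return False


def local_decision(acl, target):
    """sslocal: bypass_list, then proxy_list, then the [proxy_all]/[bypass_all] default."""
    if matches(acl.get("bypass_list", []), target):
        return "bypass"
    if matches(acl.get("proxy_list", []), target):
        return "proxy"
    return "bypass" if "bypass_all" in acl else "proxy"


def server_decision(acl, target):
    """ssserver: outbound_block_list rejects the target outright; otherwise relay."""
    blocked = matches(acl.get("outbound_block_list", []), target)
    return "block" if blocked else "relay"
```

A local never "blocks" in this model: anything that is not proxied is handed to the operating system directly, which is the behaviour the thread's bypass_list answer relies on.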