Rule groups

A rule group is a JSON bundle of rules and quotas — a curated config you can install in one click, share across machines, or subscribe to from an HTTPS URL for auto-refresh.

Two flavours

Installed bundle

Loaded once from a .json file on disk. No auto-refresh; you re-install if it changes.

Subscription

HTTPS URL polled every N seconds. Updates are applied atomically. Signature verification is mandatory (Ed25519) so a compromised CDN can’t push malicious rules.

Bundle format

{
  "version": 2,
  "name": "Block known-bad CDNs",
  "description": "Drops outbound to a maintained list of malware C2 endpoints.",
  "rules": [
    {
      "name": "Block 198.51.100.0/24",
      "match_mode": "EXACT_PATH",
      "app_path": "*",
      "action": "BLOCK",
      "direction": "OUTBOUND",
      "remote_address": "198.51.100.0/24",
      "priority": 10
    }
  ],
  "quotas": []
}

The app_path: "*" wildcard means "all apps" — only valid in bundles, not in hand-created rules. Useful for network-wide blocks.

Installing from disk

  1. Click Rule Groups → + Install bundle.

  2. Pick a .json file.

  3. The SPA validates the schema and the signature (if a .json.sig file exists alongside the bundle), then shows a preview of what will be installed.

  4. Click Apply. Rules and quotas appear in the respective screens, tagged with the bundle name.

  5. Uninstall via the group’s row → Remove (deletes all rules/quotas installed by that bundle).

Subscribing to an HTTPS URL

  1. Click + Subscribe.

  2. Paste the HTTPS URL of the bundle (e.g. https://policy.example.com/netclamp-block-malware.json).

  3. Set the refresh interval in seconds (default 3600 = 1 hour).

  4. Click Subscribe. The subscription poller fetches immediately and every interval thereafter.

The fetched JSON must be Ed25519-signed by a key NetClamp trusts. Trusted keys are configured in C:\ProgramData\NetClamp\trusted-signers.toml.

Trusted signers

Default trust:

  • The NetClamp project’s own key (netclamp.production.pub) — used to sign rule subscriptions we host for customers.

You can add your own keys to the TOML file:

[[signer]]
name = "Acme Corp"
pubkey_hex = "1a2b3c..."

After editing, run netclamp config reload to pick up the new key without a service restart.
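The trust gate described under "Subscribing to an HTTPS URL" and "Trusted signers", as an added Go example that is not NetClamp's own code: a fetched bundle is parsed only after its detached Ed25519 signature verifies against one of the configured pubkey_hex keys, and a malformed key entry can never grant trust. The raw-64-byte .sig encoding, the Signer struct (TOML parsing omitted) and the demo key pair are assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Bundle mirrors the top level of the rule-group format above; rules and quotas stay opaque here.
type Bundle struct {
	Version int               `json:"version"`
	Name    string            `json:"name"`
	Rules   []json.RawMessage `json:"rules"`
	Quotas  []json.RawMessage `json:"quotas"`
}

type Signer struct{ Name, PubkeyHex string } // one [[signer]] entry of trusted-signers.toml

// VerifyBundle checks the detached Ed25519 signature over the exact fetched bytes and
// parses the JSON only after a trusted key matches, so untrusted input never reaches the
// parser. Assumption: sig is the raw 64-byte signature of the file bytes (encoding not documented).
func VerifyBundle(raw, sig []byte, signers []Signer) (*Bundle, string, error) {
	for _, s := range signers {
		pub, err := hex.DecodeString(s.PubkeyHex)
		if err != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, raw, sig) {
			continue // a malformed or non-matching key entry never grants trust
		}
		var b Bundle
		if err := json.Unmarshal(raw, &b); err != nil {
			return nil, "", err
		}
		if b.Version != 2 {
			return nil, "", fmt.Errorf("unsupported bundle version %d", b.Version)
		}
		return &b, s.Name, nil
	}
	return nil, "", fmt.Errorf("signature matches none of %d trusted signers", len(signers))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair, not a NetClamp key
	raw := []byte(`{"version":2,"name":"Block known-bad CDNs","rules":[],"quotas":[]}`)
	signers := []Signer{{Name: "Acme Corp", PubkeyHex: hex.EncodeToString(pub)}}
	b, who, err := VerifyBundle(raw, ed25519.Sign(priv, raw), signers)
	fmt.Println(b.Name, who, err)
	_, _, err = VerifyBundle(append(raw, '\n'), ed25519.Sign(priv, raw), signers) // altered byte: rejected
	fmt.Println(err)
}
```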

Where bundles live

Subscriptions are cached at C:\ProgramData\NetClamp\subscriptions\<id>.json so the rules survive a service restart even if the upstream is unreachable.

Installed (one-shot) bundles aren’t cached separately — the materialised rules / quotas live in the main SQLite store.