

Development & writing of this documentation is still in progress!


You can define a list of rules that calamary applies to the traffic passing through it.

A rule consists of a match and an action:

  - match:
      dest: ''
    action: 'drop'


A single rule can combine several match keys; every key you set has to match for the rule to apply. The available keys are:

  - match:
      src: 'IP OR NET+CIDR'
      dest: 'IP OR NET+CIDR'
      port: 'NUMBER'  # destination ports
      sport: 'NUMBER'  # source ports
      protoL3: 'ip4/ipv4/ip6/ipv6'
      protoL4: 'tcp/udp'  # others might be supported later on
      protoL5: 'tls/http/dns/ntp'  # others might be supported later on
      dns: 'DOMAIN'  # domain/TLS-SNI to match
      encrypted: 'true/false/yes/no'  # match TLS traffic

Match values are compared case-insensitively by default.

NOTE: When the dns match is used, the HTTP Host header is not compared, since a client can set it to any value. Keep in mind that the TLS SNI value is chosen by the client as well, so a dns match describes the name the client asked for, not a verified destination.

Each match key also accepts a list of values instead of a single one.

Values can be negated with the ! prefix:

  - match:
      port: ['!80', '!443', '!587']
    action: 'drop'

  - match:
      dest: '!'
      port: 443
      protoL4: 'tcp'
    action: 'accept'

Traffic that matches no accept rule is dropped by default, so the ruleset is default-deny: only what you explicitly accept gets through.


Available actions include:

  • 'accept' (alias: 'allow')

  • 'deny' (alias: 'drop')

Other actions like 'limit' will be implemented later on.


Calamary enables you to define variables that can be used inside your ruleset.

  - name: 'net_private'
    value: ['', '', '']
  - name: 'svc_http'
    value: [80, 443]

Variables are referenced using the $ prefix.

Whenever you use a variable, you can also negate it like any other value:

  - match:
      src: '$net_private'
      dest: '!$net_private'
    action: 'accept'
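As an added example (not calamary's own code, which this page does not show), the following Python evaluator applies rules written in the format described above to sample packets. It serves both the negation section and the variables section: it handles list values, the ! prefix, $ variables (including negated variables) and the default-drop behaviour. The page does not spell out the exact evaluation semantics, so the example assumes the following: within one match key, listed values are alternatives (any of them may match) while negated values are exclusions (none of them may match); all keys of a match must hold; the first matching rule decides. The private-network values, the ruleset and the packets are constructed for the example.

```python
import ipaddress

# Constructed ruleset mirroring the YAML structure of this page; the private
# ranges and the rules themselves are assumptions made for the example.
VARIABLES = [
    {"name": "net_private", "value": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
    {"name": "svc_http", "value": [80, 443]},
]

RULES = [
    # private clients may reach non-private web services over TCP
    {"match": {"src": "$net_private", "dest": "!$net_private",
               "port": "$svc_http", "protoL4": "tcp"}, "action": "accept"},
    # everything that is not web or mail submission is dropped (order matters)
    {"match": {"port": ["!80", "!443", "!587"]}, "action": "drop"},
    # private clients may submit mail to one relay (TEST-NET-2 address, constructed)
    {"match": {"src": "$net_private", "dest": "198.51.100.25",
               "port": 587, "protoL4": "tcp"}, "action": "allow"},
]

ACCEPT = {"accept", "allow"}


def expand(value, variables):
    """Split a match value into (positive, negated) lists of lowercase strings.

    '!' negates a value; '$name' expands to the variable's values. Negation
    distributes over the expansion, so '!$net_private' means 'none of them'.
    """
    values = value if isinstance(value, list) else [value]
    positive, negated = [], []
    for raw in values:
        item = str(raw).strip()
        neg = item.startswith("!")
        if neg:
            item = item[1:]
        if item.startswith("$"):
            name = item[1:]
            if name not in variables:
                raise KeyError(f"undefined variable ${name}")
            expanded = [str(x) for x in variables[name]]
        else:
            expanded = [item]
        (negated if neg else positive).extend(x.lower() for x in expanded)
    return positive, negated


def value_matches(key, wanted, actual):
    """Compare one expected value with the packet field (case-insensitive)."""
    if key in ("src", "dest"):
        # a bare IP is treated as a /32 (or /128) network
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    if key in ("port", "sport"):
        return int(wanted) == int(actual)
    return wanted == str(actual).lower()


def key_matches(key, value, packet, variables):
    """A key holds if no negated value matches and, when positive values
    exist, at least one of them matches. Missing packet fields never match."""
    actual = packet.get(key)
    if actual is None:
        return False
    positive, negated = expand(value, variables)
    if any(value_matches(key, w, actual) for w in negated):
        return False
    if positive and not any(value_matches(key, w, actual) for w in positive):
        return False
    return True


def evaluate(packet, rules=RULES, variables=VARIABLES):
    """First matching rule decides; traffic matching no rule is dropped."""
    by_name = {v["name"]: v["value"] for v in variables}
    for rule in rules:
        if all(key_matches(k, v, packet, by_name) for k, v in rule["match"].items()):
            return "accept" if rule["action"].lower() in ACCEPT else "drop"
    return "drop"


if __name__ == "__main__":
    # constructed sample packets (protoL4 in upper case to show case folding)
    samples = [
        {"src": "10.0.0.5", "dest": "93.184.216.34", "port": 443, "protoL4": "TCP"},
        {"src": "10.0.0.5", "dest": "192.168.1.10", "port": 443, "protoL4": "tcp"},
        {"src": "10.0.0.5", "dest": "93.184.216.34", "port": 22, "protoL4": "tcp"},
        {"src": "10.0.0.5", "dest": "198.51.100.25", "port": 587, "protoL4": "tcp"},
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt))
```

Because the first matching rule wins, the broad "drop everything that is not web or mail submission" rule has to come after the accept rules it should not shadow; swapping the order would make the mail-relay rule unreachable, which is exactly the kind of mistake a default-deny ruleset hides until someone notices the missing traffic.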