Rules | Plucky manual

On this page

Plucky rules change what you are able to access over the Internet, and which programs are allowed to access the Internet. They live in your Plucky configurations, and they always contain one of allow, block, blot, or flee, or one of unallow, unblock, unblot, or unflee.

Recall that rules can be added in one of 3 places.

Example Rules

Here are some example Plucky rules in textual form:

block image/
allow example.com
allow 127.0.0.1
block facebook.com
flee word:pizza

The above 5 rules tell Plucky to block images by default, to allow all content from example.com or 127.0.0.1, to block facebook.com, and to flee any website containing the word “pizza”.

A rule consists of an action, a context, and optionally a when modifier.

How to add a rule

A rule can be added in the browser, in a console, or on the user site.

How to remove a rule

A rule can be removed in the browser, in a console, or on the user site.

Action

All rules contain an action that is either allow, block, blot, flee, or one of their respective “undo” actions (unallow, unblock, unblot, unflee).

allow: Allow some specific context.
block: Block some specific context.
blot: Block imagery on a webpage.
flee: Flee a word or website.
unallow: Undo an allow rule. This is weaker than block.
unblock: Undo a block rule This is weaker than allow, and both flee and blot will still have effect on an unblocked (but not allowed) web page.
unblot: Undo a blot rule. This can be used to negate a blot rule that would otherwise cause some web pages to be blotted.
unflee: Undo a flee rule. This can be used to negate a flee rule that would otherwise cause some web pages to be blocked.

allow

allow example.com

block

block example.com

blot

blot word pizza
blot word spaghetti sauce

The blot action instructs Plucky to block imagery on webpages containing the indicated words.

flee

flee host obviouslybad.com
flee url https://example.com/obviously-bad
flee word pizza
flee word spaghetti sauce

The flee action is similar to block, but stronger. While block will block access to a particular host or url, flee will block any webpage that even contains a hyperlink to a particular host or url or that contains a certain word. Generally, you use flee when the thing being fled is so obviously bad that any site that even mentions the term is probably also bad and worth blocking.

One may flee the following 3 contexts:

hosts
urls
words

unallow

In this example, images will be blocked on http://example.com/questionable-page :

block image/
allow http://example.com/
unallow http://example.com/questionable-page

unblock

In this example, http://example.com/fine-page will be accessible but with images blocked , and http://example.com/ will not be accessible at all.

block image/
block http://example.com/
unblock http://example.com/fine-page

unblot

In this example, http://example.com/fine-page will not be blotted, even if it contains the word “pizza”.

blot word pizza
unblot http://example.com/fine-page word pizza

unblot

In this example, the page http://example.com/fine-page will not be blocked if it contains the word “pizza”.

flee word pizza
unflee http://example.com/fine-page word pizza

Context

A context can be a hostname, ipv4 address, ipv6 address, port, program name, media type, url, username, word (flee rules only), one of the special terms everything or otherwise, or some combination of these contexts.

host

allow example.com
block bb.example.com
allow host edu

A rule for a host automatically affects all subdomains of that host. A top-level host must be qualified with host. E.g., allow host edu.

ipv4

allow 192.168.1.1
allow 192.168.1.0
allow 192.168.0.0

IP addresses ending in 0 affect the entire subnet.

ipv6

allow ::1

port

block port 80

A port requires an explicit port qualification. E.g. allow port 22

protocol

block protocol wss
block protocol about

A protocol can be used to block some non-https urls in the browser. E.g., wss:, ws:, about:, etc.

program

block program calc.exe
allow program C:\Program Files\Visual Studio\code.exe
block program C:\Program Files\Visual Studio\code.exe
allow program /bin/curl

A program filename, a file system directory, or a full program pathname may be used.

Note that you can combine contexts to only allow programs access to some destinations. For example,

allow 10.10.0.0 program curl
allow github.com program curl
allow host edu program curl
allow user:peter host:live.com program:microsoft teams helper

mediaType

block image/
allow image/svg

Either major media types or full media types can be used. See media types.

user

allow user susan
block user edmund

The user name must match that of a user on the local computer.

url

allow http://example.com/a/b/c
block http://example.com/a/b

A rule for a urls automatically affects all suburls.

word (blot and flee rules only)

flee word pizza
flee word spaghetti sauce

See flee

everything

block everything

The everything context can be used to allow or block everything. This is sometimes called a blackout (block everything) or whiteout (allow everything).

otherwise

allow otherwise

The otherwise context can be used to specify what Plucky should do when no more specific context matches.

Precedence

When more than one rule can be applied, which one has precedence?

Rule priority is not baked in stone, but roughly speaking, the more specific rule should win. Let’s look at some examples.

Example 1 : youtube.com vs www.youtube.com

block youtube.com
allow www.youtube.com

Will https://www.youtube.com/ be blocked or not given the above two rules?

Short Answer: The main web page, https://www.youtube.com/ will not be blocked because allow www.youtube.com is more specific than block youtube.com.

Longer answer: Some sub-resources may be blocked, because some sub-resources may come from https://api.youtube.com/ , and allow www.youtube.com is irrelevant to api.youtube.com, but block youtube.com is relevant, and will instruct Plucky to block.

Advice: Avoid adding rules for both a domain and its subdomain (e.g., for youtube.com and www.youtube.com) because the result is almost never what you want. The main exceptions to this are huge sites such as google.com that has accounts.google.com, mail.google.com, store.google.com, etc.

Example 2 : https://www.youtube.com/ vs youtube.com

block youtube.com
allow https://www.youtube.com/

Will https://www.youtube.com/ be blocked or not given the above two rules?

In Plucky 1.14.10+, https://www.youtube.com/ will be blocked, but in older versions, https://www.youtube.com/ was allowed.

Advice: Do not mix url and host rules. If you want to block or allow an entire host, then use a host rule, but if you want to allow some urls, but not others on a given site, then use only url rules for that host.

Example 3 : https://www.youtube.com/ vs https://www.youtube.com/watch

allow https://www.youtube.com/
block https://www.youtube.com/watch

Will https://www.youtube.com/ be blocked or not given the above two rules?

https://www.youtube.com/ won’t be blocked, but https://www.youtube.com/watch?v=ZpNGsZvM7VY will be blocked.

Example 4 : program vs url

allow program chrome.exe
block https://www.youtube.com/

Will youtube be allowed?

In Chrome, yes, https://www.youtube.com/ will be allowed because the allow program chrome rule is high priority.

Example 5 : user vs url

allow user jon
block https://www.youtube.com/

Will youtube be allowed?

For jon, yes, https://www.youtube.com/ will be allowed because the allow user jon rule is high priority.

Example 6 : everything vs url

allow everything
block https://www.youtube.com/

Will youtube be allowed?

Yes, because allow everything is nearly the highest priority rule possible, second only to block everything.

Last updated: 2023-12-06