Hey, guys, I’m hoping I’m just being a total newbie and missing something here but whenever I try and add the ‘drop not chr ipauth’ rule to my flow rules, it starts dropping everything. I have 2 members on the network - both Ubuntu 20.04 machines - with 1 having a fixed managed IP and the other getting a managed IP from the pool. I’m not manipulating any IPs on either host. My understanding was that I don’t need to do anything special here. Any help would be appreciated!
Here are my flow rules:
# Member tags
tag vpc_gateway
id 100
enum 0 No
enum 1 Yes
default No
;
# Copy all traffic to another member
# tee -1 some_member_id
# ;
# Whitelist only ARP and IPv4 traffic (since we don't use IPv6)
drop # drop cannot be overridden by capabilities
not ethertype ipv4 # frame is not ipv4
and not ethertype arp # AND is not ARP
#and not ethertype ipv6 # AND is not ipv6
;
# Allow only ZeroTier-assigned IP addresses
#drop
# not chr ipauth
#;
# Drop any traffic that's not between a member and a VPC gateway or between VPC gateways
break
not txor vpc_gateway 1
and not teq vpc_gateway 1
;
# Allow all ICMPv4 traffic
accept
ipprotocol icmpv4
;
# Allow UDP traffic
accept
ipprotocol udp
#and dport 53
;
# Allow TCP traffic
accept
ipprotocol tcp
#and dport 22 or dport 3389 or dport 2049
;
# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
break # break can be overridden by a capability
chr tcp_syn # TCP SYN (TCP flags will never match non-TCP packets)
and not chr tcp_ack # AND not TCP ACK
;
# Accept anything else. This is required since default is 'drop'.
accept;
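Added example (not from the post and not ZeroTier's own engine): a toy Python evaluator for the subset of the flow-rule syntax used above, so a constructed frame can be stepped through the chain with `drop not chr ipauth` enabled and you can see which rule it stops on. The rule text is the post's chain with the ipauth rule uncommented. Everything about the semantics is an assumption of this model and is labelled in the comments: rules run top to bottom, matchers inside a rule combine left to right with `and`/`or`, `not` negates the following matcher, `accept` and `drop` end evaluation, `break` is reported as a terminal result, `ipauth` and the TCP flags are plain flags on the constructed frame (how the real engine derives them, in particular for non-IP frames such as ARP, is not modelled), `teq`/`txor` compare the two members' tag values, and a frame no rule matches falls through to drop.

```python
"""Toy evaluator for the flow-rule subset used in the post (added example,
not ZeroTier's engine; all semantics below are assumptions of the model)."""

# The post's chain with the "drop not chr ipauth" rule enabled.
RULES_TEXT = """
tag vpc_gateway id 100 enum 0 No enum 1 Yes default No ;
drop not ethertype ipv4 and not ethertype arp ;
drop not chr ipauth ;
break not txor vpc_gateway 1 and not teq vpc_gateway 1 ;
accept ipprotocol icmpv4 ;
accept ipprotocol udp ;
accept ipprotocol tcp ;
break chr tcp_syn and not chr tcp_ack ;
accept ;
"""

# Number of arguments each supported matcher takes.
MATCHER_ARITY = {"ethertype": 1, "ipprotocol": 1, "chr": 1, "teq": 2, "txor": 2}


def parse_rules(text):
    """Parse rule statements into (action, [(connector, negate, name, args)])."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    rules = []
    for stmt in body.split(";"):
        toks = stmt.split()
        if not toks or toks[0] == "tag":   # tag definitions are not match rules
            continue
        action, toks = toks[0], toks[1:]
        matchers, i, conn = [], 0, "and"
        while i < len(toks):
            if toks[i] in ("and", "or"):   # connector to the previous matcher
                conn, i = toks[i], i + 1
            negate = toks[i] == "not"      # "not" negates only the next matcher
            if negate:
                i += 1
            name = toks[i]
            n = MATCHER_ARITY[name]
            matchers.append((conn, negate, name, tuple(toks[i + 1:i + 1 + n])))
            i, conn = i + 1 + n, "and"
        rules.append((action, matchers))
    return rules


def matches(frame, name, args):
    """Evaluate one matcher against a constructed frame (assumed semantics)."""
    if name == "ethertype":
        return frame["ethertype"] == args[0]
    if name == "ipprotocol":
        return frame["ipprotocol"] == args[0]
    if name == "chr":                       # characteristics are plain flags here
        return args[0] in frame["chr"]
    tag, value = args[0], int(args[1])
    s = frame["sender_tags"].get(tag, 0)    # 0 = the tag's "No" default
    r = frame["receiver_tags"].get(tag, 0)
    if name == "teq":                       # both sides' tag values equal value
        return s == value and r == value
    return (s ^ r) == value                 # txor: XOR of both sides equals value


def evaluate(rules, frame):
    """Return (action, rule_index) of the first rule that matches the frame.
    accept/drop/break all end evaluation in this model; no match -> drop."""
    for idx, (action, matchers) in enumerate(rules):
        result = True                       # a rule with no matchers matches all
        for conn, negate, name, args in matchers:
            m = matches(frame, name, args) != negate
            result = (result and m) if conn == "and" else (result or m)
        if result:
            return action, idx
    return "drop", None                     # assumed default when nothing matched


def make_frame(ethertype, ipprotocol=None, chrs=(), sender_gw=0, receiver_gw=0):
    """Constructed frame: only the attributes the matchers above look at."""
    return {"ethertype": ethertype, "ipprotocol": ipprotocol, "chr": set(chrs),
            "sender_tags": {"vpc_gateway": sender_gw},
            "receiver_tags": {"vpc_gateway": receiver_gw}}


def outcomes():
    """Step a few constructed frames through the chain; values are constructed."""
    rules = parse_rules(RULES_TEXT)
    samples = {
        # IPv4 TCP SYN from a managed IP, member -> gateway
        "tcp_syn_managed_to_gateway": make_frame("ipv4", "tcp", {"ipauth", "tcp_syn"}, 0, 1),
        # IPv4 UDP from an IP the model does not flag as managed
        "udp_from_unmanaged_ip": make_frame("ipv4", "udp", set(), 0, 1),
        # IPv6 frame, killed by the ethertype rule before ipauth is consulted
        "ipv6_frame": make_frame("ipv6", "tcp", {"ipauth"}, 0, 1),
        # IPv4 ICMP between two plain members (neither tagged as gateway)
        "icmp_member_to_member": make_frame("ipv4", "icmpv4", {"ipauth"}, 0, 0),
        # ARP frame that the model does NOT flag as ipauth (constructed case)
        "arp_without_ipauth_flag": make_frame("arp", None, set(), 0, 1),
    }
    return {name: evaluate(rules, frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, (action, idx) in outcomes().items():
        print(f"{name:28s} -> {action} (rule {idx})")
```

The rule index in the result is the position of the matching statement after comments and the tag definition are stripped (0 is the ethertype rule, 1 is the ipauth rule), which is the quickest way to see whether a frame is dying on the ipauth line or somewhere else in the chain.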