CAP Flow Rules Not Working

# nodeadmin  - xxxyyyzzz
# noderaspberry - aaabbbccc

cap dns
  id 10
  accept ipprotocol udp and dport 53;
  accept ipprotocol tcp and dport 53;
  ;

cap ssh_raspberry
  id 11
  accept dport 22 and ipprotocol tcp and ztdest aaabbbccc;
  ;

cap rdp_raspberry
  id 12
  accept dport 3389 and ipprotocol tcp and ztdest aaabbbccc;
  ;

cap admin
  id 99
  accept;
  ;

accept ethertype arp or ipprotocol icmp4;
accept dport 53;

The goal here is to allow nodeadmin the capability to SSH and RDP into noderaspberry, but I do not want noderaspberry to be able to SSH or RDP back to nodeadmin.

I've selected the following capabilities for each:

noderaspberry = selected 1) ssh_raspberry and 2) rdp_raspberry
nodeadmin = selected 1) admin

But nodeadmin is not able to do either unless I select the admin capability for noderaspberry, which is not what I want.

Any help would be much appreciated.

Hosted on paid ZeroTier Central, with the following version running on both devices: ZeroTier One version 1.12.2 build 0
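As an added example, not part of the original post and not taken from ZeroTier's own documentation, below is one way to express the stated goal in ZeroTier's rule language. It rests on two documented properties of the rules engine: rules are stateless (each packet is judged on its own, including the reply half of a TCP session), and a packet is evaluated against the capabilities held by the sending member, on both the sending and the receiving node. Read against the rules above, nodeadmin's SYN to port 22 passes via the admin cap, but noderaspberry's reply (source port 22, ztdest nodeadmin) matches nothing that noderaspberry holds and is dropped. The member IDs xxxyyyzzz and aaabbbccc are the placeholders from the post; the cap names and ids are this example's own choices.

```text
# Added example, not the original post's rules. Member IDs are the placeholders
# used in the post: nodeadmin = xxxyyyzzz, noderaspberry = aaabbbccc.

# Held by nodeadmin only: may open SSH/RDP toward noderaspberry.
cap admin_to_raspberry
  id 20
  accept ipprotocol tcp and dport 22   and ztsrc xxxyyyzzz and ztdest aaabbbccc;
  accept ipprotocol tcp and dport 3389 and ztsrc xxxyyyzzz and ztdest aaabbbccc;
;

# Held by noderaspberry only: may answer those sessions, never start one.
# Every server-to-client TCP segment (SYN-ACK, ACK, data, FIN) carries the ACK
# flag; a fresh SYN from noderaspberry does not, so it never matches here, even
# if a process on the Pi binds its own source port to 22 or 3389.
cap raspberry_reply
  id 21
  accept ipprotocol tcp and sport 22   and chr tcp_ack and ztsrc aaabbbccc and ztdest xxxyyyzzz;
  accept ipprotocol tcp and sport 3389 and chr tcp_ack and ztsrc aaabbbccc and ztdest xxxyyyzzz;
;

# Base rules for every member; the final drop is written out rather than implied.
accept ethertype arp or ipprotocol icmp4;
accept ipprotocol udp and dport 53;
accept ipprotocol udp and sport 53;   # DNS answers need their own accept for the same reason
drop;
```

Assign cap 20 to nodeadmin and cap 21 to noderaspberry in Central, and leave the blanket `accept;` cap unassigned so nodeadmin holds no more than the two ports it needs. The `chr tcp_ack` test is what keeps the second cap from being turned around: a connection attempt is a SYN without ACK, so nothing noderaspberry can send toward port 22 or 3389 on nodeadmin will be accepted as a new session. These rules only govern traffic on the ZeroTier interface; they do not replace a host firewall on either device.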
