I would like to make a slight modification to the rules below. Instead of accepting all traffic (when both devices are part of the same group) as in the case below, I would like to limit each device by port for certain devices. So for example:
Has multiple web apps on different ports but don’t want users to directly visit ht://webappbox:8001, ht://webappbox:8002, ht://webappbox:8003. Instead, I want to limit it to just the reverse proxy at ht://webappbox:80. At the same time, I would like to use capabilities to allow full access to any port to some devices.
Credit to Groups in ZeroTier Rules
```
accept ethertype arp;

# Create a tag for group membership
tag group
  id 1000                   # All tags must have a unique id.
  default 0                 # Default = No group membership. Zero trust.
  # These flags are what you edit
  flag 0 server
  flag 1 printers
  # This special value means "access to all groups"
  enum 2147483647 allgroups
;

#
# Allow only IPv4 and IPv4 ARP.
#
drop
  not ethertype ipv4
  and not ethertype arp
;

# Drop any traffic between nodes that don't share at least one group
break tand group 0;

# default to accept
accept;
```
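One way to get the port restriction plus a "full access" capability, as an added example rather than the rules quoted above: the `cap anyport` name and its id 2000 are assumed, and the group check is changed from `break` to `drop` so that a capability can lift the port limit but never the group boundary (a cap's `accept` overrides a `break` in the base rules, not a `drop`).

```text
# Only IPv4 and IPv4 ARP on the wire.
accept ethertype arp;
drop not ethertype ipv4 and not ethertype arp;

# Group membership tag, as in the original rules (flag names are examples).
tag group
  id 1000
  default 0
  flag 0 server
  flag 1 printers
  enum 2147483647 allgroups
;

# Capability "anyport" (assumed name and id): assign it to the few devices
# that may reach every port. Base rules are evaluated first; if they end in
# "break", each capability the sender holds is evaluated, and this one
# accepts whatever reached the break.
cap anyport
  id 2000
  accept;
;

# Group separation is absolute: "drop" cannot be overridden by a
# capability, so even anyport holders stay inside their own groups.
drop tand group 0;

# New TCP connections are only allowed to the reverse proxy on port 80.
accept ipprotocol tcp and dport 80;

# Any other new TCP connection (SYN without ACK, e.g. to :8001) stops
# here unless the sender holds the anyport capability.
break chr tcp_syn and not chr tcp_ack;

# Everything else between group peers (established TCP, UDP, ICMP) is
# allowed, so the reply traffic from port 80 still flows.
accept;
```

Devices that should see every port get the `anyport` capability in the controller's member settings; everyone else is held to port 80 by the `break` above.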