I would like to make a slight modification to the rules below. Instead of accepting all traffic (when both devices are part of the same group) as in the case below, I would like to limit each device by port for certain devices. So for example:
Machine: webappbox
It has multiple web apps on different ports, but I don't want users to directly visit ht://webappbox:8001, ht://webappbox:8002, ht://webappbox:8003. Instead, I want to limit them to just the reverse proxy at ht://webappbox:80. At the same time, I would like to use capabilities to allow full access to any port for some devices.
Credit to Groups in ZeroTier Rules
accept ethertype arp;

# Create a tag for group membership
tag group
  id 1000 # All tags must have a unique id.
  default 0 # Default = No group membership. Zero trust.
  # These flags are what you edit
  flag 0 server
  flag 1 printers
  # This special value means "access to all groups"
  enum 2147483647 allgroups
;

#
# Allow only IPv4 and IPv4 ARP.
#
drop
  not ethertype ipv4
  and not ethertype arp
;

# Drop any traffic between nodes that don't share at least one group
break
  tand group 0
;

# default to accept
accept;
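One way to get the behaviour described above, written as an added example rather than rules from the original post: a `break` rule sends TCP traffic for webappbox on any port other than 80 out of the base rule set and on to capability evaluation, so nodes holding the `fullaccess` capability are still accepted while everyone else ends in the default drop. The managed IP 10.147.17.10 for webappbox and the capability id 2000 are placeholders; substitute your own values.

```text
# Added example; assumes webappbox has the managed IP 10.147.17.10
# (placeholder) and that capability id 2000 is unused in this rule set.

accept ethertype arp;

tag group
  id 1000
  default 0
  flag 0 server
  flag 1 printers
  enum 2147483647 allgroups
;

# Assign this capability to the nodes that may reach any port on webappbox.
# Capabilities are only consulted after the base rules exit via "break",
# so a "drop" in the base rules would never be overridden.
cap fullaccess
  id 2000
  accept;
;

drop
  not ethertype ipv4
  and not ethertype arp
;

# Nodes that share no group leave the base rules; with no matching
# capability the packet is dropped.
break
  tand group 0
;

# TCP to webappbox on anything but the reverse proxy port leaves the base
# rules. Only holders of "fullaccess" are then accepted; everyone else is
# dropped. Replies from webappbox (source port 80) never match ipdest here.
break
  ipdest 10.147.17.10/32
  and ipprotocol tcp
  and not dport 80
;

accept;
```

Note that this only constrains TCP; UDP or ICMP to webappbox still falls through to the final `accept;`. Drop the `ipprotocol tcp` line if every non-80 protocol should be gated the same way.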