Change custom rule to accept ports by device

I would like to make a slight modification to the rules below. Instead of accepting all traffic (when both devices are part of the same group) as in the case below, I would like to limit each device by port for certain devices. So for example:

Machine: webappbox

Has multiple web apps on different ports but don’t want users to directly visit ht://webappbox:8001, ht://webappbox:8002, ht://webappbox:8003. Instead, I want to limit it to just the reverse proxy at ht://webappbox:80. At the same time would like to use capabilities to allow full access to any port to some devices.

Credit to Groups in ZeroTier Rules

accept ethertype arp;

# Create a tag for group membership
tag group
  id 1000 # All tags must have a unique id.
  default 0 # Default = No group membership. Zero trust.

  # These flags are what you edit
  flag 0 server
  flag 1 printers

  # This special value means "access to all groups"
  enum 2147483647 allgroups

# Allow only IPv4 and IPv4 ARP.
  not ethertype ipv4
  and not ethertype arp

# Drop any traffic between nodes that don't share at least one group
  tand group 0

# default to accept

This topic was automatically closed after 30 days. New replies are no longer allowed.