Chr ipauth blocking traffic

Hi

I’m trying to set flow rules, but the moment I uncomment the chr ipauth block, I can’t access anything. Why is that? According to the documentation and recommendations, this line prohibits access from non-authorized IPs.
Also, if I don’t have it, does it mean that someone can just put my network ID and, even without me authorizing him, access the resources?

# Whitelist only IPv4 (/ARP) and IPv6 traffic and allow only ZeroTier-assigned IP addresses
drop                      # drop cannot be overridden by capabilities
  not ethertype ipv4      # frame is not ipv4
  and not ethertype arp   # AND is not ARP
  and not ethertype ipv6  # AND is not ipv6
  or not chr ipauth       # OR IP addresses are not authenticated (1.2.0+ only!)
;

accept
  dport 1880 or dport 8443 or dport 8123-8124
  and ipdest x.x.x.x/32
  and ipprotocol tcp
;

# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
break                     # break can be overridden by a capability
  chr tcp_syn             # TCP SYN (TCP flags will never match non-TCP packets)
  and not chr tcp_ack     # AND not TCP ACK
;

# Accept other packets
accept;

ipauth means an IP assigned either automatically or by the administrator, if I got it right (to block someone from spoofing the IP of something else).
But can ipauth be used when a route to another network is in place too?

No it cannot. It only works on ZeroTier assigned IP addresses. This is probably why you’re seeing your issue.

I’ve seen a lot of workstations I didn’t approve. I was afraid they could access my network without my authorization.

In the docs for ipauth:

drops traffic between IP addresses that have not been assigned by ZeroTier

This means only ZeroTier network controller-assigned IP addresses will work, and it limits you to only having traffic between clients running ZeroTier. If you have a router configured to route between a physical network and a ZeroTier network, ipauth will break that.
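As an added example (not from this thread or from ZeroTier's own documentation), here is how the rule set from the first post can keep the ipauth drop for ZeroTier members while exempting one routed physical subnet; 192.168.50.0/24 is a constructed placeholder for the LAN behind the router member, and x.x.x.x/32 is the thread's own placeholder host.

```zerotier
# Whitelist only IPv4 (/ARP) and IPv6 frames
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Drop IP traffic that is not ZeroTier-assigned, unless it belongs to the
# routed physical LAN (constructed placeholder subnet 192.168.50.0/24).
# Caveat: addresses in the exempted subnet are no longer tied to a member's
# assigned IP, so keep this range exactly as wide as the routed LAN and no wider.
drop
  not chr ipauth
  and not ipsrc 192.168.50.0/24
  and not ipdest 192.168.50.0/24
;

# Service whitelist from the original rules (x.x.x.x is the thread's placeholder)
accept
  dport 1880 or dport 8443 or dport 8123-8124
  and ipdest x.x.x.x/32
  and ipprotocol tcp
;

# Drop new TCP connections (SYN without ACK) not explicitly whitelisted above
break
  chr tcp_syn
  and not chr tcp_ack
;

# Accept other packets
accept;
```

Members without a route to the physical subnet are unaffected; only frames whose source or destination falls in the exempted range bypass the ipauth check.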
