Encountering Difficulties in Setting Flow Rules

I am using self-hosted ZeroTier network controllers. The version of ZeroTier I am using is 1.10.6.

When the Flow Rules are set as follows:

drop not ethertype ipv4
and not ethertype ipv6
and not ethertype arp
and not chr ipauth;
accept ethertype arp;
accept ipprotocol icmpv4;
accept ipprotocol tcp;
drop;

Ports 22 and 80 are allowed for connections.


But when the Flow Rules are set as follows:

drop not ethertype ipv4
and not ethertype ipv6
and not ethertype arp
and not chr ipauth;
accept ethertype arp;
accept ipprotocol icmpv4;
accept dport 22 and ipprotocol tcp;
drop;

No ports, including port 22, are able to establish connections.


When I tried an alternative Flow Rules configuration:

drop not ethertype ipv4
and not ethertype ipv6
and not ethertype arp
and not chr ipauth;
accept ethertype arp;
accept ipprotocol icmpv4;
drop dport 22;
accept ipprotocol tcp;
drop;

All ports, except for port 22, are able to establish connections.


Can someone tell me what the problem is? Thank you very much.

The issue is probably that traffic to port 22 is allowed, but the return traffic is blocked because it is to a different port.

Thank you very much. I have resolved the issue; just as you mentioned, the return traffic was coming back through a different port.

I added these two commands:

drop chr tcp_syn and not chr tcp_ack;
accept chr tcp_ack;

And the issue was resolved.

drop not ethertype ipv4
  and not ethertype ipv6
  and not ethertype arp
  and not chr ipauth;
accept ethertype arp;
accept ipprotocol icmpv4;
accept dport 22 and ipprotocol tcp;
drop chr tcp_syn and not chr tcp_ack;
accept chr tcp_ack;
drop;
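To make the reply above concrete (return traffic arriving on an ephemeral port, and why the `tcp_syn`/`tcp_ack` pair fixes it), here is an added illustration that is not part of this thread and not ZeroTier's own rule engine. It is a small stateless evaluator for just the rule syntax used in the posts (`accept`/`drop`, `ethertype`, `ipprotocol`, `dport`, `sport`, `chr`, `and`, `not`) and runs the three packets of a TCP handshake through the "port-only" rule set and through the final rule set. Assumptions: `chr ipauth` is treated as always true (both members hold controller-assigned IPs), and a packet that matches no rule is dropped, which is also what the explicit trailing `drop;` guarantees.

```python
"""Toy evaluator for the ZeroTier flow-rule subset used in the thread.
Constructed for illustration; it is not ZeroTier's implementation."""

# Assumption: every member's source IP is controller-assigned, so the
# "chr ipauth" characteristic always holds in this model.
IPAUTH_OK = True

# Rule sets copied from the thread: the second ("port only") configuration
# and the final configuration that adds the SYN/ACK pair.
RULES_PORT_ONLY = """
drop not ethertype ipv4 and not ethertype ipv6 and not ethertype arp and not chr ipauth;
accept ethertype arp;
accept ipprotocol icmpv4;
accept dport 22 and ipprotocol tcp;
drop;
"""

RULES_FIXED = """
drop not ethertype ipv4 and not ethertype ipv6 and not ethertype arp and not chr ipauth;
accept ethertype arp;
accept ipprotocol icmpv4;
accept dport 22 and ipprotocol tcp;
drop chr tcp_syn and not chr tcp_ack;
accept chr tcp_ack;
drop;
"""


def parse_rules(text):
    """Turn 'action [not] term value [and ...];' statements into
    (action, [(negated, kind, value), ...]) tuples, in order."""
    rules = []
    for stmt in text.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        action, rest = tokens[0], tokens[1:]
        conds, i = [], 0
        while i < len(rest):
            if rest[i] == "and":
                i += 1
                continue
            negated = rest[i] == "not"
            if negated:
                i += 1
            conds.append((negated, rest[i], rest[i + 1]))
            i += 2
        rules.append((action, conds))
    return rules


def term_matches(pkt, kind, value):
    """Evaluate one match term against a packet dict."""
    if kind == "ethertype":
        return pkt["ethertype"] == value
    if kind == "ipprotocol":
        return pkt.get("ipprotocol") == value
    if kind == "dport":
        return pkt.get("dport") == int(value)
    if kind == "sport":
        return pkt.get("sport") == int(value)
    if kind == "chr":
        return IPAUTH_OK if value == "ipauth" else value in pkt.get("chr", set())
    raise ValueError(f"unsupported term: {kind}")


def evaluate(rules, pkt):
    """First rule whose conditions all hold decides; no match means drop."""
    for action, conds in rules:
        if all(term_matches(pkt, k, v) != neg for neg, k, v in conds):
            return action
    return "drop"


def tcp_handshake(rule_text, client_port, server_port):
    """Verdicts for SYN, SYN-ACK and ACK, each judged statelessly as ZeroTier
    does per packet. The SYN-ACK is the 'return traffic' from the reply: its
    destination is the client's ephemeral port, not port 22."""
    rules = parse_rules(rule_text)
    base = {"ethertype": "ipv4", "ipprotocol": "tcp"}
    syn = dict(base, sport=client_port, dport=server_port, chr={"tcp_syn"})
    syn_ack = dict(base, sport=server_port, dport=client_port, chr={"tcp_syn", "tcp_ack"})
    ack = dict(base, sport=client_port, dport=server_port, chr={"tcp_ack"})
    return [evaluate(rules, p) for p in (syn, syn_ack, ack)]


def handshake_completes(rule_text, client_port=51234, server_port=22):
    """True only if all three handshake packets are accepted."""
    return all(v == "accept" for v in tcp_handshake(rule_text, client_port, server_port))


if __name__ == "__main__":
    for name, text in (("port only", RULES_PORT_ONLY), ("fixed", RULES_FIXED)):
        print(name, tcp_handshake(text, 51234, 22), handshake_completes(text))
```

Running it shows the port-only set yielding `accept, drop, accept`: the client's SYN to port 22 passes, the server's SYN-ACK to the ephemeral port hits the final `drop;`, and the connection never completes. The fixed set accepts all three. Two things worth keeping in mind when reusing this pattern: rule order matters, so `drop chr tcp_syn and not chr tcp_ack` must sit after the `dport 22` accept or it would swallow the legitimate SYN; and `accept chr tcp_ack` is a stateless substitute for connection tracking, so any ACK-flagged TCP segment is accepted regardless of port, which blocks new connections (they start with a bare SYN) but is not equivalent to a stateful firewall.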
