Flow assistance

Howdy all. Not new to ZeroTier but new to using flow rules to manage some traffic. I’ve been reading websites, manuals, and I just can’t wrap my head around this. I’ve got three devices and i’m experimenting, but maybe I’ve been at it so long I’m just missing the big Oh yea… So any pointers in the right direction would be much appreciated. My flow is below. Very basic, I have web server at on HTTPs port 443. I only want all endpoints to be able to access it on port 443, or ping it. Below is my rule set. This does work, however to test this and prove it, I commented out the allow rule on ping, but I can still ping that IP. I can comment out the allow rule for 443 and can no longer access the web server. So, could someone articulate to me why the ping rule disabled still allows ping, while the 443 rule disabled stops 443? I know this is stupid simple and I’m overlooking it… Thank you!

Allow only IPv4, IPv4 ARP

not ethertype ipv4
and not ethertype arp
or not chr ipauth
accept ipprotocol tcp and dport 443 and ipdest;
accept ipprotocol 1 and ipdest;

Drop TCP SYN,!ACK packets not whitelisted above

chr tcp_syn # TCP SYN
and not chr tcp_ack # AND not TCP ACK

Accept anything else. This is required since default is ‘drop’.


I think the final accept is how ping is getting through?

(TCP flags will never match non-TCP packets)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.