Flow assistance

Howdy all. Not new to ZeroTier but new to using flow rules to manage some traffic. I’ve been reading websites, manuals, and I just can’t wrap my head around this. I’ve got three devices and I’m experimenting, but maybe I’ve been at it so long I’m just missing the big Oh yea… So any pointers in the right direction would be much appreciated. My flow is below. Very basic, I have a web server at 10.147.20.10 on HTTPS port 443. I only want all endpoints to be able to access it on port 443, or ping it. Below is my rule set. This does work, however, to test this and prove it, I commented out the allow rule on ping, but I can still ping that IP. I can comment out the allow rule for 443 and can no longer access the web server. So, could someone articulate to me why the ping rule disabled still allows ping, while the 443 rule disabled stops 443? I know this is stupid simple and I’m overlooking it… Thank you!

```
# Allow only IPv4, IPv4 ARP
drop
    not ethertype ipv4
    and not ethertype arp
    or not chr ipauth
;
accept ipprotocol tcp and dport 443 and ipdest 10.147.20.10/32;
accept ipprotocol 1 and ipdest 10.147.20.10/32;

# Drop TCP SYN,!ACK packets not whitelisted above
break
    chr tcp_syn          # TCP SYN
    and not chr tcp_ack  # AND not TCP ACK
;

# Accept anything else. This is required since default is 'drop'.
accept;
```

Hello,
I think the final accept is how ping is getting through?

(TCP flags will never match non-TCP packets)
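As an added illustration of the reply above (example code written for this edit, not ZeroTier's code or either poster's): a small Python model of the rule set that evaluates constructed packets top to bottom. It assumes first-match semantics and that a `break` in the base rule set ends evaluation with the default drop.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Packet:
    """Constructed packet model; only the fields the rule set inspects."""
    ethertype: str          # "ipv4" or "arp"
    ipproto: int = 0        # 6 = TCP, 1 = ICMP (ipprotocol)
    dst: str = ""           # ipdest
    dport: int = 0          # dport
    syn: bool = False       # chr tcp_syn (only meaningful for TCP)
    ack: bool = False       # chr tcp_ack
    ipauth: bool = True     # chr ipauth (ZeroTier-managed IP check)

Rule = tuple[str, Callable[[Packet], bool]]
WEB = "10.147.20.10"

def ruleset(allow_https: bool = True, allow_ping: bool = True) -> list[Rule]:
    """The poster's rule set, each rule as (action, match). The two flags
    mimic commenting out the 443 rule or the ping rule."""
    rules: list[Rule] = [
        ("drop", lambda p: p.ethertype not in ("ipv4", "arp") or not p.ipauth),
    ]
    if allow_https:
        rules.append(("accept", lambda p: p.ipproto == 6 and p.dport == 443 and p.dst == WEB))
    if allow_ping:
        rules.append(("accept", lambda p: p.ipproto == 1 and p.dst == WEB))
    # break: TCP SYN without ACK. An ICMP packet has no TCP flags, so it never matches.
    rules.append(("break", lambda p: p.ipproto == 6 and p.syn and not p.ack))
    rules.append(("accept", lambda p: True))   # final accept; default would be drop
    return rules

def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule decides. Assumption: a `break` in the base rule set
    stops evaluation and the default action (drop) applies."""
    for action, match in rules:
        if match(pkt):
            return "drop" if action == "break" else action
    return "drop"

# Constructed sample packets.
HTTPS_SYN = Packet("ipv4", ipproto=6, dst=WEB, dport=443, syn=True)
HTTP_SYN = Packet("ipv4", ipproto=6, dst=WEB, dport=80, syn=True)
PING = Packet("ipv4", ipproto=1, dst=WEB)

if __name__ == "__main__":
    for name, pkt in [("https", HTTPS_SYN), ("http", HTTP_SYN), ("ping", PING)]:
        print(name, evaluate(ruleset(), pkt), evaluate(ruleset(allow_ping=False), pkt))
```

With the ping rule removed, `PING` still reaches the final `accept`, while removing the 443 rule sends `HTTPS_SYN` into the `break`. To enforce the stated intent, non-whitelisted ICMP needs its own drop before the final accept, since the break only stops TCP SYNs.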
