I’m trying to set flow rules to allow only communication to destination PC10, and drop anything else.
PC20 must not communicate with PC30, and inversely.
To check if basis network is correct, I setup these rules :
# Allow IPv4, IPv4 ARP, and IPv6 frames. drop not ethertype ipv4 and not ethertype arp and not ethertype ipv6 ; accept;
For testing, all firewalls on PC10, PC20, PC30 are disabled.
PC10, PC20, PC30 are authenticated in ZeroTier Central networks and have a manual IP (auto-assigned disabled)
On PC10, I ping PC20 and PC30 : Reply OK
On PC20, I ping PC10 and PC30 : Reply OK
On PC30, I ping PC10 and PC20 : Reply OK
Well, everybody’s able to ping each other.
Now, I restrict communication modifying the flow rules :
# Allow only server communication, blocking everything except communications from and to PC10. drop not ipdest 10.147.19.10/24 or not ipsrc 10.147.19.10/24 ; # Allow IPv4, IPv4 ARP, and IPv6 frames. drop not ethertype ipv4 and not ethertype arp and not ethertype ipv6 ; #accept;
After few seconds, rules are updated but behavior is illogical and not what I expected : only ping from PC10 to PC30 replies.
What did I missed ?
Thanks for your support !
Updating tests :
→ Switching the drop blocks one before the other doesn’t change anything.
#accept; leads to the same issue.
Solution : not use ipdest/ipsrc
→ The following flow rule works using
ztsrc !! :
drop not ethertype ipv4 and not ethertype arp; drop not chr ipauth; accept ztsrc xxxxxxxxxx or ztdest xxxxxxxxxx; drop;