How to make one member that cannot access all the others but can be accessed by all the others?

I have a server that is not secure enough. Nevertheless, I want to access certain services on it without allowing it to access other members. My flow rules are as follows:

# Whitelist only IPv4 (/ARP) and IPv6 traffic and allow only ZeroTier-assigned IP addresses
drop                      # drop cannot be overridden by capabilities
  not ethertype ipv4      # frame is not ipv4
  and not ethertype arp   # AND is not ARP
  and not ethertype ipv6  # AND is not ipv6
  or not chr ipauth       # OR IP addresses are not authenticated (1.2.0+ only!)
;

drop
  ztsrc $SERVER
;


# Accept anything else. This is required since default is 'drop'.
accept;

With this setting, the $SERVER cannot access other members, but other members cannot access the $SERVER either. I’m new to ZeroTier; could you please help me identify what might be wrong with my flow rules? Thank you in advance!

Unfortunately, ZT’s Rules Engine isn’t stateful, so doing stuff like this can be a little difficult. You have to plan for bidirectionally allowing traffic. You can do this with allowing traffic from the port you’re trying to access, and dropping everything else. You may have to massage this, but it’d look something like this:

drop                      # drop cannot be overridden by capabilities
  not ethertype ipv4      # frame is not ipv4
  and not ethertype arp   # AND is not ARP
  and not ethertype ipv6  # AND is not ipv6
  or not chr ipauth       # OR IP addresses are not authenticated (1.2.0+ only!)
;

# This allows the server to respond to incoming messages
accept
  ztsrc $SERVER and sport $PORT
;

# This prevents the server from talking on anything not previously allowed
drop
  ztsrc $SERVER
;

# Accept anything else. This is required since default is 'drop'.
accept;

I labbed this real quick. ARP messages are only being caught by the explicit “accept” message at the end of the rules, so any time you add a drop, you need to account for that. Here’s an example that’s working for me right now:

drop                      # drop cannot be overridden by capabilities
  not ethertype ipv4      # frame is not ipv4
  and not ethertype arp   # AND is not ARP
  and not ethertype ipv6  # AND is not ipv6
  or not chr ipauth       # OR IP addresses are not authenticated (1.2.0+ only!)
;

# Allows ARP messages to resolve MAC Addresses
accept
  ethertype arp
;

# This allows the server to respond to incoming messages
accept
  ztsrc $SERVER
  and sport $PORT
;

# This prevents the server from talking on anything not previously allowed
drop
  ztsrc $SERVER
;

# Accept anything else. This is required since default is 'drop'.
accept;
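As an added illustration of the two replies above (the stateless, first-match evaluation that made the original rules drop the server's own responses, and the ARP frames that a port-based accept does not cover), here is a small Python model that parses the rule text quoted in this thread and evaluates constructed frames against each of the three rule sets. It is not ZeroTier's rules engine and not code from any poster. The member names "server" and "client", port 22, the four sample frames, the absence of operator precedence between `and`/`or`, treating `sport` as never matching a non-IP frame, and modelling `chr ipauth` as a per-frame boolean are all assumptions made for the example.

```python
# Added example: a toy evaluator for the ZeroTier-style rule text quoted in this
# thread. It is NOT ZeroTier's rules engine; it models the two properties the
# replies rely on: evaluation is stateless (every frame, including a reply, is
# judged on its own) and first-match-wins, with conditions folded left to right.
# Assumptions (not from the thread): no precedence between 'and' and 'or',
# 'sport'/'dport' never match a non-IP frame such as ARP, and 'chr ipauth' is
# modelled as a per-frame boolean.
import re

MATCHERS = ("ethertype", "chr", "ztsrc", "ztdest", "sport", "dport")


def parse_rules(text, variables):
    """Parse rule text into [(action, [(combinator, negated, matcher, arg)])]."""
    rules = []
    for stmt in re.sub(r"#[^\n]*", "", text).split(";"):  # strip '#' comments
        tokens = stmt.split()
        if not tokens:
            continue
        action, rest, conds, i = tokens[0], tokens[1:], [], 0
        while i < len(rest):
            comb = "and"
            if rest[i] in ("and", "or"):
                comb, i = rest[i], i + 1
            negated = rest[i] == "not"
            if negated:
                i += 1
            matcher, arg = rest[i], rest[i + 1]
            if matcher not in MATCHERS:
                raise ValueError("unsupported match: " + matcher)
            conds.append((comb, negated, matcher, variables.get(arg, arg)))
            i += 2
        rules.append((action, conds))
    return rules


def match_one(frame, matcher, arg):
    """Evaluate a single match keyword against a frame."""
    if matcher == "ethertype":
        return frame["ethertype"] == arg
    if matcher == "chr":
        return arg == "ipauth" and frame["ipauth"]
    if matcher in ("ztsrc", "ztdest"):
        return frame[matcher] == arg
    return frame[matcher] == int(arg)   # sport/dport; ARP carries None -> False


def evaluate(rules, frame):
    """Return the action of the first rule whose condition set matches."""
    for action, conds in rules:
        result = None
        for comb, negated, matcher, arg in conds:
            val = match_one(frame, matcher, arg) != negated
            if result is None:
                result = val
            elif comb == "or":
                result = result or val
            else:
                result = result and val
        if result is None or result:    # a bare 'accept;' has no conditions
            return action
    return "drop"                       # default when no rule matches


def frame(ethertype, ztsrc, ztdest, sport=None, dport=None, ipauth=True):
    return dict(ethertype=ethertype, ztsrc=ztsrc, ztdest=ztdest,
                sport=sport, dport=dport, ipauth=ipauth)


# The three rule sets from the thread, with comments dropped and whitespace folded.
BASE = """
drop
  not ethertype ipv4 and not ethertype arp and not ethertype ipv6
  or not chr ipauth;
"""
RULESETS = {
    "original":      BASE + "drop ztsrc $SERVER; accept;",
    "reply_on_port": BASE + "accept ztsrc $SERVER and sport $PORT; "
                            "drop ztsrc $SERVER; accept;",
    "reply_and_arp": BASE + "accept ethertype arp; "
                            "accept ztsrc $SERVER and sport $PORT; "
                            "drop ztsrc $SERVER; accept;",
}
VARS = {"$SERVER": "server", "$PORT": "22"}   # constructed member names and port

# Constructed traffic: a client reaching the one allowed service, the server's
# reply, the server's ARP reply, and the server opening its own connection.
TRAFFIC = {
    "request":  frame("ipv4", "client", "server", sport=50000, dport=22),
    "reply":    frame("ipv4", "server", "client", sport=22, dport=50000),
    "arp":      frame("arp", "server", "client"),
    "outbound": frame("ipv4", "server", "client", sport=40000, dport=445),
}


def run_all():
    """{ruleset name: {traffic name: action}} for every combination."""
    return {name: {t: evaluate(parse_rules(text, VARS), f)
                   for t, f in TRAFFIC.items()}
            for name, text in RULESETS.items()}


if __name__ == "__main__":
    for name, verdicts in run_all().items():
        print(f"{name:14s}", verdicts)
```

Running it shows the progression in the thread: with the original rules the client's request is accepted but the server's reply is dropped, because the reply is judged on its own and matches `drop ztsrc $SERVER`; the port-based accept lets the reply through but still drops the server's ARP reply, since `sport` cannot match an ARP frame; the final set accepts both, while a connection the server initiates from some other port is dropped by every set.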

Thank you very much! In my initial flow rules, I also dropped the response from the $SERVER to the other members. This is the issue. I had been stuck with it for a long time. Thank you very much once again!
