No connection between grouped hosts

Greetings All,

I would like to group my hosts within a network and then restrict access to individual services. To do this, I followed the following instructions:

Unfortunately the hosts do not reach each other unless I set the capability superuser.
What am I doing wrong? Is there any way to debug this error and if so, how?

Here is my current configuration:

tag groups
  id 1000
  flag 1 group1
  flag 2 group2
  flag 3 group3

  enum 2147483647 all
;

tag services
  id 1001
  flag 1 http_https
  flag 2 ssh
  flag 3 dns
  flag 4 smb

  enum 2147483647 all
;

# Whitelist only IPv4, IPv6, ARP traffic and allow only ZeroTier-assigned IP addresses
drop                      # drop cannot be overridden by capabilities
  not ethertype ipv4      # frame is not ipv4
  and not ethertype arp   # AND is not ARP
  and not ethertype ipv6  # AND is not ipv6
  or not chr ipauth       # OR IP addresses are not authenticated (1.2.0+ only!)
;

# Allow communications only when hosts share at least one group
break
  tand groups 0
;

# Allow http/https when hosts share flag http_https in tag services
#accept
#  ipprotocol tcp
#  dport 80 or dport 443
#;

# Allow ssh when hosts share flag ssh in tag services
#accept
#  ipprotocol tcp
#  and dport 22
#;

# Allow dns when hosts share flag dns in tag services
#accept
#  ipprotocol udp
#  and dport 53
#;

# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
#break                     # break can be overridden by a capability
#  chr tcp_syn             # TCP SYN (TCP flags will never match non-TCP packets)
#  and not chr tcp_ack     # AND not TCP ACK
#;

# Create a capability called "superuser" that lets its holders override all but the initial "drop"
cap superuser
  id 1000
  accept; # allow with no match conditions means allow anything and everything
;

# Accept other packets
accept;

Next, I would like to add a second tag “Services” and create a rule that only allows connections between hosts that are in the same group and share the same service.
Maybe someone has already implemented this and wants to share their configuration here. I would be very happy about it. :slight_smile:

Thanks!
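One way to express "same group and shared service" in the ZeroTier rules language, as an added example that is not from the post or from the ZeroTier manual. It assumes ZeroTier's tand semantics (the bitwise AND of sender and receiver tag values is compared for equality with the given value), assumes the `default` keyword sets a tag's value for members that have none assigned, and reuses the post's `groups` tag; the `svc_ssh` / `svc_web` tags and their ids 1001/1002 are made up for the example.

```text
tag groups                 # as in the post: a host may hold several bits
  id 1000
  flag 1 group1
  flag 2 group2
  flag 3 group3
  enum 2147483647 all
;
# tand compares (sender_tag AND receiver_tag) == value exactly, so one
# multi-flag "services" tag cannot express "both hold bit N". A single-bit
# tag per service can: the AND is 0 exactly when one side lacks it.
tag svc_ssh
  id 1001
  enum 0 no
  enum 1 yes
  default 0                # unassigned member: does not hold the service (assumed keyword)
;
tag svc_web
  id 1002
  enum 0 no
  enum 1 yes
  default 0
;
# (the ethertype / ipauth "drop" rule from the post goes first, unchanged)
# Stop (drop) unless the peers share at least one group bit
break
  tand groups 0
;
# Stop a new TCP connection to 22 unless BOTH peers hold svc_ssh; only
# SYN,!ACK is tested, so server replies (sport 22) are unaffected
break
  dport 22
  and chr tcp_syn          # TCP flag tests never match non-TCP packets
  and not chr tcp_ack
  and tand svc_ssh 0
;
# Same for 80/443; matches combine left to right:
# ((80 or 443) and syn and not ack and (s AND r) == 0)
break
  dport 80 or dport 443
  and chr tcp_syn
  and not chr tcp_ack
  and tand svc_web 0
;
# Any other new TCP connection is stopped too (a capability such as the
# post's "superuser" can still override a break); everything else passes
break
  chr tcp_syn
  and not chr tcp_ack
;
accept;
```

With this ordering a pair that shares no group bit never gets past the first break, and a pair in the same group can open SSH or HTTP(S) only if both members carry the matching service tag; UDP services such as DNS need their own break on `ipprotocol udp and dport 53` since they have no SYN to key on.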
