RDP and Ping and only to Devices tagged as 'Server'

We have been using this flow rule successfully for over a year. But recently, some Macs stopped working or pinging until we moved this line:

accept ethertype arp;

above this line

break not tor server 1;

Here’s the rule. The goal is:

  • Only devices tagged as Server should be reachable. And then via RDP and Ping only.
  • Client devices (not tagged) shouldn’t be able to see each other (ping is OK, but definitely not file, rdp, etc)

Can anyone tell me why the change was needed for Mac?
Any suggestions for improvement?

(Apologies: couldn’t figure out how to format this properly)

Basic Header

Allow only IPv4, IPv4 ARP, and IPv6 Ethernet frames.

drop
not ethertype ipv4
and not ethertype arp
and not ethertype ipv6
;

Prevent IP spoofing, blocks manual IP management at the OS level and bridging.

Unless special rules to exempt certain hosts or traffic are added before this rule.

drop
not chr ipauth
;

Tagging servers: allows tagging of nodes as server to accept connections. 0=No (default), 1=Yes

tag server
id 2
enum 0 No
enum 1 Yes
default No;

if neither member is a server, break

break not tor server 1;

RDP only. Note: this blocks NetBIOS/SMB, so you must use the IP to connect.

So nodes can find each other, but Macs are not going to connect unless this is before ‘break not tor server 1’.

accept ethertype arp;

only allow tcp and ping

drop not ipprotocol tcp and not ipprotocol icmp4;

allow port RDP

accept dport 3389;

No new TCP connections (except RDP)

drop chr tcp_syn and not chr tcp_ack;

Basic Footer

Accept anything else. This is required since default is ‘drop’.

accept;
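To see what the reordering changes, here is a small rule evaluator, added as an example and not part of the original post or of ZeroTier itself. It parses only the subset of the rule language the post uses (accept/drop/break, `not`, `and`, and the ethertype, ipprotocol, chr, dport and tor matchers), assumes `break` in the base rule set is equivalent to drop, that `tor` compares the bitwise OR of the sender's and receiver's tag values with the given value, that an untagged member carries the tag's default (0), and that an unmatched frame is dropped. The frames and the CLIENT/SERVER tag sets are constructed for the demonstration.

```python
"""Toy evaluator for the subset of the ZeroTier flow-rule language used in the post.

Added example, not ZeroTier's engine. Semantics assumed here: rules are tried in
order, the first accept/drop wins, 'break' in the base rule set behaves like drop,
'tor TAG V' matches when (sender_tag | receiver_tag) == V, an untagged member has
the tag default (0), and a frame matching no rule is dropped.
"""

ETHERTYPES = {"ipv4": 0x0800, "arp": 0x0806, "ipv6": 0x86DD}
IPPROTOCOLS = {"tcp": 6, "icmp4": 1}

# The post's rules, split so the ARP accept can be placed before or after the break.
HEADER = """
drop not ethertype ipv4 and not ethertype arp and not ethertype ipv6;
drop not chr ipauth;
tag server id 2 enum 0 No enum 1 Yes default No;
"""
BREAK = "break not tor server 1;\n"
ARP = "accept ethertype arp;\n"
TAIL = """
drop not ipprotocol tcp and not ipprotocol icmp4;
accept dport 3389;
drop chr tcp_syn and not chr tcp_ack;
accept;
"""
RULES_ORIGINAL = HEADER + BREAK + ARP + TAIL  # ARP accept after the break (old order)
RULES_FIXED = HEADER + ARP + BREAK + TAIL     # ARP accept before the break (new order)


def parse_rules(text):
    """Return a list of (action, [(negated, matcher, argument), ...]) tuples."""
    rules = []
    for stmt in text.split(";"):
        tokens = stmt.split()
        if not tokens or tokens[0] == "tag":  # tag definitions match no frame
            continue
        action, terms, i = tokens[0], [], 1
        while i < len(tokens):
            negated = tokens[i] == "not"
            if negated:
                i += 1
            name = tokens[i]
            if name in ("ethertype", "ipprotocol", "chr", "dport"):
                terms.append((negated, name, tokens[i + 1]))
                i += 2
            elif name == "tor":
                terms.append((negated, name, (tokens[i + 1], int(tokens[i + 2]))))
                i += 3
            else:
                raise ValueError(f"unsupported matcher: {name}")
            if i < len(tokens):
                if tokens[i] != "and":
                    raise ValueError(f"expected 'and', got {tokens[i]}")
                i += 1
        rules.append((action, terms))
    return rules


def term_matches(name, arg, frame, sender_tags, receiver_tags):
    if name == "ethertype":
        return frame["ethertype"] == ETHERTYPES[arg]
    if name == "ipprotocol":
        return frame.get("ipprotocol") == IPPROTOCOLS[arg]
    if name == "chr":
        return arg in frame["chr"]
    if name == "dport":
        return frame.get("dport") == int(arg)
    tag, value = arg  # tor: OR of both members' tag values
    return (sender_tags.get(tag, 0) | receiver_tags.get(tag, 0)) == value


def evaluate(rules, frame, sender_tags, receiver_tags):
    """Walk the rules in order; 'and' terms must all hold for a rule to fire."""
    for action, terms in rules:
        if all(term_matches(n, a, frame, sender_tags, receiver_tags) != neg
               for neg, n, a in terms):
            return "drop" if action == "break" else action
    return "drop"  # assumed default when nothing matched


# Constructed sample members and frames.
CLIENT = {}               # untagged: 'server' falls back to default 0
SERVER = {"server": 1}
ARP_FRAME = {"ethertype": 0x0806, "chr": {"ipauth"}}
RDP_SYN = {"ethertype": 0x0800, "ipprotocol": 6, "dport": 3389, "chr": {"ipauth", "tcp_syn"}}
SMB_SYN = {"ethertype": 0x0800, "ipprotocol": 6, "dport": 445, "chr": {"ipauth", "tcp_syn"}}
PING = {"ethertype": 0x0800, "ipprotocol": 1, "chr": {"ipauth"}}
SPOOFED_PING = {"ethertype": 0x0800, "ipprotocol": 1, "chr": set()}  # fails ipauth

SCENARIOS = {
    "client->client arp": (ARP_FRAME, CLIENT, CLIENT),
    "client->server arp": (ARP_FRAME, CLIENT, SERVER),
    "client->server rdp syn": (RDP_SYN, CLIENT, SERVER),
    "client->server smb syn": (SMB_SYN, CLIENT, SERVER),
    "client->client rdp syn": (RDP_SYN, CLIENT, CLIENT),
    "client->server ping": (PING, CLIENT, SERVER),
    "client->client ping": (PING, CLIENT, CLIENT),
    "spoofed ping": (SPOOFED_PING, CLIENT, SERVER),
}


def verdicts(rule_text):
    """Map each scenario name to the verdict the given rule text produces."""
    rules = parse_rules(rule_text)
    return {name: evaluate(rules, f, s, r) for name, (f, s, r) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, text in (("original", RULES_ORIGINAL), ("fixed", RULES_FIXED)):
        print(label)
        for name, verdict in verdicts(text).items():
            print(f"  {name:26} {verdict}")
```

Under this model the only scenario whose verdict depends on the ordering is client-to-client ARP: it is dropped by the break when the ARP accept comes after it and accepted when the ARP accept comes first. Client-to-server ARP, RDP and ping are accepted in both orders, client-to-server SMB is stopped by the SYN rule, and the ipauth rule drops the spoofed frame. Note that the model also reports client-to-client ping as dropped under both orders, because the break fires before the ICMP-related rules are reached.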

Select a fragment of code, etc then use </> button.