Re: Ping between micro-nets

Hello. I have created a micro-network with participants having defined access; specifically, ops and eng can do anything, and other sites (except the lonely ‘site’) can communicate only with others on the same site. Here is the code, based on advice I received last year (thanks!):

# Allow only IPv4, IPv4 ARP, and IPv6 Ethernet frames.
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
  or not chr ipauth # OR IP addresses are not authenticated (1.2.0+ only!)
;

# Create a tag for which department someone is in
tag department
  id 1100 # arbitrary, but must be unique
  default 100
  enum 100 site
  enum 120 site_XX
  enum 121 site_YY
  enum 122 site_ZZ
  enum 200 eng
  enum 400 ops
;

# Allow OPS or ENG unrestricted
accept
  tseq department ops
  or tseq department eng
;

# Cripple minimal site but allow twixt same (site_…) sites
accept
  tdiff department 0
  and not tseq department site
;

drop chr tcp_syn and not chr tcp_ack; # block creating new tcp connections

# Disallow ping
#drop ipprotocol 1;

# Accept anything else. This is required since default is 'drop'.
accept;

This works excellently, except that ping is seemingly unrestricted (i.e. site_XX, for example, can ping OPS, which I don’t want). If I enable the line ‘drop ipprotocol 1;’ it has the effect of substantially crippling ping, e.g. from OPS to site_XX (which I do want).

Can’t work out quite what is going on - any help appreciated. Thanks.

You’re dropping the entire protocol; you’ll likely want to drop the specific type and code:

ping - icmp 8,0
reply - icmp 0,0

So instead of dropping “ipprotocol 1” you can drop “icmp 8 0”, and your “Allow OPS or ENG unrestricted” rule should still allow ops and eng to send pings and everyone else to reply, but everyone else won’t be able to send unless it’s allowed in an earlier rule.

That worked perfectly. Thank you. Are you up for another enquiry (if not I’ll start a new thread, but this saves me re-posting the rules)?

As you see, I use tags to define and segregate micro subnets. This means I have to introduce a new tag for any new subnet (I guess there is a limit of 32 tags in total?). Instead, I would like to classify the subnet by a component of its assigned IP (specifically the third byte, e.g. 100 of 10.244.100.1). Thus site_XX members might be assigned 10.244.100.1 and 10.244.100.2 (etc.); site_YY might be 10.244.101.1, etc. Now instead of
accept tdiff department 0;
I would like to write (using pseudo code to illustrate)
accept (byte 3 of ip is identical) (or indeed first 3 bytes of ip are identical)
I see in the Rule Definition Language that I have access to ztsrc and ztdest and that various .xor. and .and. operators are available, but I am unable to work out how I might apply these with the correct syntax (e.g. are ztsrc and ztdest 32-bit integers or character strings; are the logic functions bitwise or logical?).

Any guidance appreciated. Thanks again.

ztsrc and ztdest take a 10-digit hexadecimal value. It’s the value that is attached to the node. You can find it in the ZeroTier Central console next to the “Auth?” button.

For your question regarding matching on the third octet, that’s easy to do with CIDR subnet notation. If you wanted to match on traffic involving 10.244.100.0-255, you can write that as 10.244.100.0/24. ‘101’ would be 10.244.101.0/24, and so on.

The Rules Engine isn’t stateful, so depending on what you’re trying to do, you may need to make sure the rule allows for bidirectional traffic. So if you wanted 10.244.100 sites to be able to talk to 10.244.101 sites, you could just do this:

# one accept per direction, so the match does not depend on how 'and' and 'or'
# combine within a single rule
accept
  ipsrc 10.244.100.0/24 and ipdest 10.244.101.0/24
;
accept
  ipsrc 10.244.101.0/24 and ipdest 10.244.100.0/24
;

Hi there. Thanks, and for putting me right on the value of ztsrc and ztdest.

I am still not sure how I can incorporate the ip notation (which I understand) in a single accept statement. To recap, I will retain the ops and eng tags thus:
tag department
id 1100 # arbitrary, but must be unique
default 100
enum 100 site
enum 200 eng
enum 400 ops
;
and the rule for these which will allow communication across the board:
accept
tseq department ops
or tseq department eng
;

Outside of ops and eng, it is not required (indeed it must be impossible) for sites to communicate outside their own subnet, the requirement is to allow only mutual communication within the sub-net. I would like to frame the rules such that it is not necessary to make any changes at all to the Flow Rules, such as adding new tags, if/when a new site is added with its specific subnet.

Thus I would like to replace my previous rule, which did the job perfectly (except it requires new tags for new subnets)
accept
tdiff department 0
;
with something that means
accept
ipsrc/24 equals ipdest/24
;

Thanks again for any advice.
Denville

You won’t really be able to solve this with a single rule. Using the subnet would be a little less work than tags since you wouldn’t need to assign each node a tag. Every subnet would need something like this:

accept
  ipsrc 10.244.100.0/24 and ipdest 10.244.100.0/24
;
accept
  ipsrc 10.244.101.0/24 and ipdest 10.244.101.0/24
;

I haven’t tested it, but you can potentially do it this way too to make it cleaner:

macro intrasubnet($address)
  accept
    ipsrc $address and ipdest $address
  ;
;

include intrasubnet(10.244.100.0/24)
include intrasubnet(10.244.101.0/24)
include intrasubnet(10.244.102.0/24)
include intrasubnet(10.244.103.0/24)
include intrasubnet(10.244.104.0/24)
include intrasubnet(10.244.105.0/24)

You can potentially solve this another way. ZT nodes can be joined to multiple networks, so each subnet you create could be its own network. That prevents them from talking to other sites. They would then also join your network where Engineering and Ops reside. This allows them to talk to ops and engineering, and within their own network, but not outside of it.
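To make both answers above concrete (the ICMP type/code point from the first reply, and the one-accept-per-/24 approach from the last one), here is a small Python model of sequential flow-rule evaluation. It is added to this page for illustration and is not ZeroTier's engine or anyone's code from the thread. It assumes: rules are evaluated top to bottom and the first match decides; the conditions inside a rule chain left to right with no precedence; evaluation is stateless, so a request and its reply are judged as unrelated packets; an unmatched packet gets the default drop; and tdiff means the absolute difference between sender and receiver tag values. The department values are the original post's; the host addresses and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Toy model of flow-rule evaluation, constructed for this page; it is not ZeroTier's engine.
# Assumed: rules run top to bottom and the first match decides; conditions in a rule chain
# left to right with no precedence; evaluation is stateless; no match means the default drop.

DEPARTMENT = {"site": 100, "site_XX": 120, "site_YY": 121, "eng": 200, "ops": 400}

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int                              # 1 = ICMP, 6 = TCP, 17 = UDP
    src_tag: int                            # sender's 'department' tag value
    dst_tag: int                            # receiver's 'department' tag value
    icmp: Optional[Tuple[int, int]] = None  # (type, code) for ICMP packets
    tcp_flags: frozenset = frozenset()      # e.g. {"syn"} or {"syn", "ack"}

Match = Callable[[Packet], bool]
Cond = Tuple[str, bool, Match]   # (join "and"/"or", negated?, matcher)
Rule = Tuple[str, List[Cond]]    # ("accept"|"drop", conditions); [] matches everything

def tseq(value: int) -> Match:   # sender's tag equals value
    return lambda p: p.src_tag == value

def tdiff(value: int) -> Match:  # assumed semantics: |sender tag - receiver tag| <= value
    return lambda p: abs(p.src_tag - p.dst_tag) <= value

def ipprotocol(n: int) -> Match:
    return lambda p: p.proto == n

def icmp(icmp_type: int, icmp_code: int) -> Match:
    return lambda p: p.proto == 1 and p.icmp == (icmp_type, icmp_code)

def chr_flag(flag: str) -> Match:  # stands in for 'chr tcp_syn' / 'chr tcp_ack'
    return lambda p: p.proto == 6 and flag in p.tcp_flags

def ipmatch(attr: str, cidr: str) -> Match:  # 'ipsrc'/'ipdest' against a CIDR block
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda p: ipaddress.ip_address(getattr(p, attr)) in net

def rule_matches(conds: List[Cond], p: Packet) -> bool:
    result = True if not conds else None
    for join, negated, m in conds:
        v = m(p) != negated          # apply 'not'
        result = v if result is None else ((result and v) if join == "and" else (result or v))
    return result

def evaluate(rules: List[Rule], p: Packet) -> str:
    for action, conds in rules:
        if rule_matches(conds, p):
            return action
    return "drop"                    # the engine's default

OPS_OR_ENG = ("accept", [("and", False, tseq(DEPARTMENT["ops"])), ("or", False, tseq(DEPARTMENT["eng"]))])
BLOCK_NEW_TCP = ("drop", [("and", False, chr_flag("syn")), ("and", True, chr_flag("ack"))])
DROP_ALL_ICMP = ("drop", [("and", False, ipprotocol(1))])   # 'drop ipprotocol 1;'
DROP_ECHO_REQUEST = ("drop", [("and", False, icmp(8, 0))])  # 'drop icmp 8 0;'

def tag_ruleset(ping_rule: Rule) -> List[Rule]:
    """The original post's rules, with the 'Disallow ping' slot filled by ping_rule."""
    same_site = ("accept", [("and", False, tdiff(0)), ("and", True, tseq(DEPARTMENT["site"]))])
    return [OPS_OR_ENG, same_site, BLOCK_NEW_TCP, ping_rule, ("accept", [])]

def intrasubnet_rule(cidr: str) -> Rule:
    return ("accept", [("and", False, ipmatch("src_ip", cidr)), ("and", False, ipmatch("dst_ip", cidr))])

def subnet_ruleset(subnets: List[str]) -> List[Rule]:
    """Same shape as tag_ruleset, but site membership is the /24, not a per-site tag."""
    per_site = [intrasubnet_rule(s) for s in subnets]
    return [OPS_OR_ENG] + per_site + [BLOCK_NEW_TCP, DROP_ECHO_REQUEST, ("accept", [])]

def render_intrasubnet(subnets: List[str]) -> str:
    """The per-subnet accept rules in the flow-rules text form used in the thread."""
    return "\n".join(f"accept\n  ipsrc {s} and ipdest {s}\n;" for s in subnets)

XX_HOST, YY_HOST, OPS_HOST = "10.244.100.1", "10.244.101.1", "10.244.1.1"  # constructed hosts

def ping_results(ping_rule: Rule) -> dict:
    rules, xx, ops = tag_ruleset(ping_rule), DEPARTMENT["site_XX"], DEPARTMENT["ops"]
    return {
        "site_XX->ops request": evaluate(rules, Packet(XX_HOST, OPS_HOST, 1, xx, ops, icmp=(8, 0))),
        "ops->site_XX request": evaluate(rules, Packet(OPS_HOST, XX_HOST, 1, ops, xx, icmp=(8, 0))),
        "site_XX->ops reply": evaluate(rules, Packet(XX_HOST, OPS_HOST, 1, xx, ops, icmp=(0, 0))),
    }

def subnet_results() -> dict:
    rules, site = subnet_ruleset(["10.244.100.0/24", "10.244.101.0/24"]), DEPARTMENT["site"]
    return {
        "same /24 udp": evaluate(rules, Packet(XX_HOST, "10.244.100.2", 17, site, site)),
        "cross /24 tcp syn": evaluate(rules, Packet(XX_HOST, YY_HOST, 6, site, site, tcp_flags=frozenset({"syn"}))),
        "cross /24 udp": evaluate(rules, Packet(XX_HOST, YY_HOST, 17, site, site)),
    }

if __name__ == "__main__":
    print("drop ipprotocol 1:", ping_results(DROP_ALL_ICMP))
    print("drop icmp 8 0:", ping_results(DROP_ECHO_REQUEST))
    print("subnet rules:", subnet_results(), "\n" + render_intrasubnet(["10.244.100.0/24", "10.244.101.0/24"]))
```

Running it shows why ‘drop ipprotocol 1;’ crippled ping from OPS: the echo request from OPS is accepted by the first rule, but the echo reply from site_XX is a separate packet to a stateless engine, matches nothing earlier, and is dropped by the protocol-wide rule, whereas ‘drop icmp 8 0;’ lets the reply fall through to the final accept. The subnet variant accepts same-/24 traffic and drops cross-/24 TCP SYNs and echo requests, but because the ruleset still ends in ‘accept;’, cross-/24 UDP passes, exactly as it does in the tag ruleset above. Anyone who needs cross-site traffic to be impossible has to remove that catch-all, and then, since the engine is stateless, add rules that accept replies travelling back to ops and eng.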

That’s great, I can’t thank you enough.

Very best,
Denville.
