Hi, I am trying to create ZT flow rules so that nodes with the "Intranet" tag can initiate communication with both "Intranet" nodes and "Extranet" tag nodes. "Extranet" nodes cannot initiate communication but can respond to any communication initiated by an "Intranet" node. Lastly, all other types of traffic that do not match the specified rules will be blocked.
This is the flow rule set I have created, which allows me to assign tags to different nodes (intranet / extranet).
The issue I have encountered is that nodes with the intranet tag are able to communicate successfully with each other but are unable to connect to a node with the extranet tag.
Does anyone have any idea what I’m doing wrong and how to solve the problem?
Thank you very much
# Assign tags to nodes
tag intranet
  id 10
  enum 10 Intranet;
tag extranet
  id 20
  enum 20 Extranet;

# Allow communication within the Intranet tag
accept
  and tdiff intranet 0;

# Allow communication from Intranet to any node, including Extranet
accept
  and tseq intranet 10;

# Allow communication from Intranet to Extranet
accept
  and tseq intranet 10
  and treq extranet 20;

# Allow communication from Extranet to Intranet if initiated by Intranet
accept
  and tseq extranet 20
  and treq intranet 10
  and tdiff intranet 0;

# Drop communication from Extranet to Intranet
drop
  and tseq extranet 20
  and treq intranet 10;

# Drop all other traffic
drop;
I have also tried without the tdiff:
# Define tags for nodes
tag intranet
  id 10
  enum 10 Intranet;
tag extranet
  id 20
  enum 20 Extranet;

# Allow all communication initiated from nodes with the "Intranet" tag
accept
  and teq intranet 10;

# Allow responses from nodes with the "Extranet" tag to nodes with the "Intranet" tag
accept
  chr tcp_ack  # This rule applies to TCP ACK packets (responses)
  and teq extranet 20
  and teq intranet 10;

# Drop all other traffic
drop;
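For comparison, the following is an added example, not part of the original post, of the same policy written with a single tag that every member carries, plus a TCP flag check for the "respond only" direction. The tag name `role`, its id 1000 and the enum values 1 and 2 are arbitrary choices made for this example. Two properties of the ZeroTier matchers shape it: `teq` matches only when both ends hold the tag with the given value, so `teq extranet 20 and teq intranet 10` can never match a member that carries just one of the two tags; and, as an assumption about how tag matchers behave when the evaluating member lacks the tag entirely, a rule such as `tseq intranet 10` is taken not to match on a receiving node that has no `intranet` tag at all. ZeroTier flow rules are stateless, so "extranet may only respond" is approximated for TCP by accepting only segments with ACK set in the extranet-to-intranet direction; a bare SYN from the extranet side then falls through to the final drop.

```text
# Added example, not from the original post. One tag with two values, so
# every member carries the tag and every tag matcher has something to compare.
tag role
  id 1000          # arbitrary, but must be unique among the tags on this network
  enum 1 intranet
  enum 2 extranet
  default 2        # assumption: a member with no explicit role is treated as extranet (fail closed)
;

# Only IPv4, IPv6 and ARP, as in the ZeroTier default rule set
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# intranet <-> intranet: both ends hold role == 1
accept
  teq role 1
;

# intranet -> extranet: any protocol, the intranet side initiates
accept
  tseq role 1
  and treq role 2
;

# extranet -> intranet: only TCP segments with ACK set, i.e. part of a
# connection the intranet side opened. A new connection attempt from the
# extranet side is a SYN with ACK clear and does not match this rule.
accept
  tseq role 2
  and treq role 1
  and ipprotocol tcp
  and chr tcp_ack
;

# Everything else: extranet <-> extranet, untagged members,
# and non-TCP traffic originating on the extranet side
drop;
```

Because the rules are evaluated statelessly on both ends, this set also drops UDP and ICMP replies from an extranet member to an intranet member (DNS answers, ping replies). If those are needed, add an accept for `tseq role 2 and treq role 1 and ipprotocol udp` and accept that direction cannot be enforced for that protocol. After saving, confirm in the member list that every node actually shows a `role` value, since a member missing the tag will match none of the role rules and end at the final `drop;`.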