Using Capability Rule

I’m trying to figure out how to use the capability rules. From reading the docs and looking at examples, I would have expected the following to allow clients with the capability intraweb assigned to access server X, where X is the ZT address for a server. Below is the entire set of rules I was using.

drop
  not ethertype ipv4
  and not ethertype arp
  or not chr ipauth
;

accept ethertype arp;

cap intraweb
  id 1000
  accept ztdest X and dport 443 and ipprotocol tcp;
;

accept ztsrc X;

drop;

Hello,

Use break instead of drop.
They do the same thing, but break can be overridden by capabilities.

Some similar examples here:
https://zerotier.atlassian.net/wiki/spaces/SD/pages/222330881/Client+Isolation
https://www.zerotier.com/2022/05/19/using-flow-rules-to-direct-users-to-services/
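
An added example, not part of the original thread and not ZeroTier's code: a simplified Python model of the evaluation order, showing why the final drop in the posted rules keeps capability 1000 from ever being consulted while break lets it apply. The function names, packet fields and sample packets are assumptions made for the model.

```python
# Simplified model of rule evaluation (assumption: not ZeroTier's implementation).
# "X" stands for the server's ZeroTier address, as in the post.

def run_rules(rules, pkt):
    """Return the action of the first rule whose match holds, else None."""
    for action, match in rules:
        if match(pkt):
            return action
    return None

def evaluate(base, caps, member_caps, pkt):
    """Base rules run first; only 'break' or no match lets capabilities decide."""
    result = run_rules(base, pkt)
    if result in ("accept", "drop"):
        return result                      # terminal: capabilities never run
    for cap_id in sorted(member_caps):     # capabilities assigned to the sender
        if run_rules(caps[cap_id], pkt) == "accept":
            return "accept"
    return "drop"                          # nothing accepted the packet

def base_rules(final_action):
    """The post's base rule set, with the last rule's action as a parameter."""
    return [
        ("drop", lambda p: p["ethertype"] not in ("ipv4", "arp") or not p["ipauth"]),
        ("accept", lambda p: p["ethertype"] == "arp"),
        ("accept", lambda p: p["ztsrc"] == "X"),
        (final_action, lambda p: True),    # action with no match: always taken
    ]

# Capability 1000 ("intraweb") from the post.
CAPS = {1000: [("accept", lambda p: p["ztdest"] == "X"
                and p["ipprotocol"] == "tcp" and p["dport"] == 443)]}

# Constructed sample packets.
HTTPS_TO_X = {"ethertype": "ipv4", "ipauth": True, "ztsrc": "client",
              "ztdest": "X", "ipprotocol": "tcp", "dport": 443}
SSH_TO_X = dict(HTTPS_TO_X, dport=22)
REPLY_FROM_X = dict(HTTPS_TO_X, ztsrc="X", ztdest="client")

if __name__ == "__main__":
    for final in ("drop", "break"):
        print(final, evaluate(base_rules(final), CAPS, {1000}, HTTPS_TO_X))
```
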

Thanks, that did the trick.
