Would be happy if someone could review my Flow-Rules :)

Trying to find my way into defining network rules. I made a simple set but yet to shy to save it :wink:

The network has about ten members. ipv6 not needed at the moment.Two of the members are administrators. My goal is to drop every packet on the network EXCEPT from or to the machines of the admins. So admins should be able to talk to everyone (tcp AND udp), all other traffic should be denied.

This is what I created by now (a1abfxxxxx and 2e4c6xxxxx would be the zerotier addresses of the admins):

# Allow only IPv4, IPv4 ARP Ethernet frames.
not ethertype ipv4
and not ethertype arp
#and not ethertype ipv6

# This prevents IP spoofing but also 
# blocks manual IP management at the OS level and
# bridging unless special rules to exempt 
# certain hosts or traffic are added before
# this rule.
not chr ipauth
ztsrc a1abfxxxxx # allow everything FROM admin1
or ztdest a1abfxxxxx # allow everything TO admin1
or ztsrc 2e4c6xxxxx # allow everything FROM admin2
or ztdest 2e4c6xxxxx # allow everything TO admin2

# drop every other packet/traffic

Thank you so much for every hint on that!

That looks like it should work. If it doesnโ€™t, you can change the whole thing to accept, or use a second network for rules testing.

We have an article about doing this with tags.

Thank you! works as expectet. Really brilliant.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.