Would be happy if someone could review my Flow-Rules :)

Trying to find my way into defining network rules. I made a simple set but am yet too shy to save it :wink:

The network has about ten members. IPv6 is not needed at the moment. Two of the members are administrators. My goal is to drop every packet on the network EXCEPT from or to the machines of the admins. So admins should be able to talk to everyone (TCP AND UDP), and all other traffic should be denied.

This is what I created by now (a1abfxxxxx and 2e4c6xxxxx would be the zerotier addresses of the admins):

# Allow only IPv4, IPv4 ARP Ethernet frames.
drop
not ethertype ipv4
and not ethertype arp
#and not ethertype ipv6
;

# This prevents IP spoofing but also 
# blocks manual IP management at the OS level and
# bridging unless special rules to exempt 
# certain hosts or traffic are added before
# this rule.
drop
not chr ipauth
;
accept
ztsrc a1abfxxxxx # allow everything FROM admin1
or ztdest a1abfxxxxx # allow everything TO admin1
or ztsrc 2e4c6xxxxx # allow everything FROM admin2
or ztdest 2e4c6xxxxx # allow everything TO admin2
;

# drop every other packet/traffic
drop;

Thank you so much for every hint on that!
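To sanity-check the policy before saving it, here is an added Python model that replays the four rules above over constructed packets. It is not ZeroTier's rule engine and not part of the original post; the member addresses 1111111111 and 2222222222 are placeholders like the admin ones, and `ipauth` is modelled as a plain boolean field.

```python
"""Constructed model of the admin-only rule set; not ZeroTier's own evaluator."""

ADMINS = {"a1abfxxxxx", "2e4c6xxxxx"}  # placeholder admin addresses from the post

# Each rule is (action, match) where match(pkt) -> bool. The first matching rule
# decides, and a packet matching nothing is dropped, mirroring the trailing "drop;".
RULES = [
    # drop not ethertype ipv4 and not ethertype arp;
    ("drop", lambda p: p["ethertype"] != "ipv4" and p["ethertype"] != "arp"),
    # drop not chr ipauth;  (source IP is not one assigned by the controller)
    ("drop", lambda p: not p["ipauth"]),
    # accept ztsrc admin1 or ztdest admin1 or ztsrc admin2 or ztdest admin2;
    ("accept", lambda p: p["ztsrc"] in ADMINS or p["ztdest"] in ADMINS),
    # drop;
    ("drop", lambda p: True),
]


def evaluate(pkt, rules=RULES):
    """Return the action of the first rule matching pkt ('drop' if none match)."""
    for action, match in rules:
        if match(pkt):
            return action
    return "drop"


def packet(src, dst, ethertype="ipv4", ipauth=True):
    """Build a constructed packet with only the fields the rules inspect."""
    return {"ztsrc": src, "ztdest": dst, "ethertype": ethertype, "ipauth": ipauth}


def check_policy():
    """Exercise the cases the policy is meant to cover; returns case -> action."""
    return {
        "admin_to_member": evaluate(packet("a1abfxxxxx", "1111111111")),
        "member_to_admin": evaluate(packet("1111111111", "2e4c6xxxxx")),
        "member_to_member": evaluate(packet("1111111111", "2222222222")),
        "admin_ipv6": evaluate(packet("a1abfxxxxx", "1111111111", ethertype="ipv6")),
        "admin_spoofed_ip": evaluate(packet("a1abfxxxxx", "1111111111", ipauth=False)),
        "member_arp_to_admin": evaluate(packet("1111111111", "a1abfxxxxx", ethertype="arp")),
    }


if __name__ == "__main__":
    for case, action in check_policy().items():
        print(f"{case:22s} -> {action}")
```

Note that the spoofing rule sits before the admin accept, so even an admin with a manually set IP is dropped, which matches the comment on that rule.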

That looks like it should work. If it doesn't, you can change the whole thing to accept, or use a second network for rules testing.

We have an article about doing this with tags.

Thank you! Works as expected. Really brilliant.
