Trying to find my way into defining network rules. I made a simple set but am still too shy to save it.
The network has about ten members. IPv6 is not needed at the moment. Two of the members are administrators. My goal is to drop every packet on the network EXCEPT from or to the machines of the admins. So admins should be able to talk to everyone (TCP AND UDP); all other traffic should be denied.
This is what I have created so far (a1abfxxxxx and 2e4c6xxxxx would be the ZeroTier addresses of the admins):
```
# Allow only IPv4 and IPv4 ARP Ethernet frames.
drop
	not ethertype ipv4
	and not ethertype arp
	#and not ethertype ipv6
;

# This prevents IP spoofing but also
# blocks manual IP management at the OS level and
# bridging unless special rules to exempt
# certain hosts or traffic are added before
# this rule.
drop
	not chr ipauth
;

# Accept any frame that has an admin as sender or receiver.
accept
	ztsrc a1abfxxxxx       # allow everything FROM admin1
	or ztdest a1abfxxxxx   # allow everything TO admin1
	or ztsrc 2e4c6xxxxx    # allow everything FROM admin2
	or ztdest 2e4c6xxxxx   # allow everything TO admin2
;

# Drop every other packet/traffic.
drop;
```
Thank you so much for every hint on that!