ZT Firewall chr code

## Allow only ZeroTier-assigned IP addresses.
drop
  not chr ipauth
;

So, chr is a flow-control match (or keyword?)

In Characteristics, there is no “ipauth” (which is what is meant to “Allow only ZeroTier-assigned IP addresses”).

What am I missing here? As in, is it a characteristic or not? Because the list of characteristics says it is not, since it is not present.
Or is the list shown just a short list, and the full list is in the manual? (looking now)

And here I was flushed with the success of tags discovery.

And thanks for helpers helping, lovely 🙂

Anthony

I believe you can find answers in the manual.
Also, this article is very interesting and explains a lot: Capability Based Security for Virtual Networks

Thanks. I have, of course, referred to the manual now, before asking questions; thanks for the reference. However, ipauth is not mentioned.

Always happy to read docs.

So, one reference in the manual (of the three mentions) describes it:

  • ipauth : sender IP is assigned by ZeroTier to the sending node. So it is a characteristic, but absent from the novice guide.

EDIT: and for my reference later, it says in the first mention:

This creates a network that can pass IPv4 (and ARP) and IPv6 traffic but no other Ethernet frame types. In addition the not chr ipauth condition drops traffic between IP addresses that have not been assigned by ZeroTier to their respective sources or destinations, blocking all IP spoofing. These are enforced with a hard drop, preventing them from being overridden by any capability.

Which was the very first “rule” I was trying to create: lock them in to ZT only and keep them out of my own LAN. Correct? Even when they are connected to my NAS via ZT and my NAS is also connected to my 10.0.0.x LAN?

Lovely, thanks. I hope this is right!

Anthony

p.s. That is one long read; I’m printing it, which is very rare. (Capability Based Security for Virtual Networks) I may be some time…

Ok so that took a while, highlighter in hand.

It looks like one can nail down an admin user’s permissions, from those assigned by the NAS, to only those needed to run a snapshot replication.

This would solve the Synology NAS cripple feature where such replications require admin rights, but we cannot give such rights to this user.

Really? That would be great; I just have to figure out how to code it.

Anthony

The ipauth rule is about preventing nodes from using IP addresses other than those assigned by the administrator via the web UI.

So let’s say that in ZT Central you assign 10.0.0.2 to your friend within the ZT network. Without this rule, he can manually set the 10.0.0.5 address in his OS and pretend to be somebody else, try to intercept traffic, get around restrictions, and all the usual spoofing fun.

1 Like
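For reference, here is the complete rule set that the manual passage quoted earlier in the thread describes, and that the spoofing explanation in the reply above is about. This is an added example, not code posted in this thread: the three rules follow the quoted description (ethertype filter, `not chr ipauth` hard drop, final accept), while the comments and the 10.0.0.2 / 10.0.0.5 illustration are mine.

```text
# Allow only IPv4, ARP and IPv6 Ethernet frames; any other frame type is dropped.
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Allow only ZeroTier-assigned IP addresses. The addresses in the packet must be
# the ones ZeroTier Central assigned to the respective source and destination
# nodes, so a member that was assigned 10.0.0.2 but hand-configures 10.0.0.5
# fails this match. "drop" (not "break") makes this a hard drop that no
# capability can override.
drop
  not chr ipauth
;

# A rule set ends in an implicit drop, so anything that survived the two
# filters above must be accepted explicitly.
accept;
```

Paste the whole block into the network's Flow Rules in ZeroTier Central; the rules are evaluated top to bottom, and the first `drop` or `accept` that matches decides the packet.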
