ZT Flow control - understanding mine

I am still trying to understand/read my flow control; can you see anything in here that is nonsense? Is there somewhere I can see what is working and not? Like a log?

edit: looks like I need to understand where/how to enter whitelist ip addresses, can that be all ZT ips? Should it be?
Thank you for your help in previous threads. I have been distracted from ZT for a while so revisiting now.

Flow is below.



This prevents IP spoofing but also blocks manual IP management at the OS level and

bridging unless special rules to exempt certain hosts or traffic are added before

this rule.

Whitelist only IPv4 (/ARP) and IPv6 traffic and allow only ZeroTier-assigned IP addresses

drop # drop cannot be overridden by capabilities
not ethertype ipv4 # frame is not ipv4
and not ethertype arp # AND is not ARP
and not ethertype ipv6 # AND is not ipv6
or not chr ipauth # OR IP addresses are not authenticated (1.2.0+ only!)

whitelist where?

Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above

break # break can be overridden by a capability
chr tcp_syn # TCP SYN (TCP flags will never match non-TCP packets)
and not chr tcp_ack # AND not TCP ACK

ditto whitelist where - here in this script? above?

tag server
id 2
enum 0 No
enum 1 Yes
default No;

if both members are not servers, break

break not tor server 1;

trying to allow one server (NAS) to connect to mine from WAN.

Create a capability called “superuser” that lets its holders override all but the initial “drop”

cap superuser
id 100656 # arbitrary, but must be unique
accept; # allow with no match conditions means allow anything and everything

trying to let myself in

Then above the SYN,!ACK break (or in a capability) add rules to

allow TCP packets with permitted destination ports:

Allow TCP port 80 (HTTP)

accept ipprotocol tcp and dport 80;

# Allow SSH, HTTP, and HTTPS by allowing all TCP packets (including SYN/!ACK) to these ports

ipprotocol tcp
and dport 22 or dport 80 or dport 443

# Allow REPLICATION by allowing all TCP packets (including SYN/!ACK) to these ports

ipprotocol tcp
and dport 3261 or dport 5566

Block TCP SYN,!ACK to prevent new non-whitelisted TCP connections from being initiated

unless previously whitelisted or allowed by a capability.

break chr tcp_syn and not tcp_ack;

Accept anything else. This is required since default is ‘drop’.

accept ;

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.