I am still trying to understand/read my flow control; can you see anything in here that is nonsense? Is there somewhere I can see what is working and not? Like a log?
edit: looks like I need to understand where/how to enter whitelist IP addresses; can that be all ZT IPs? Should it be?
Thank you for your help in previous threads. I have been distracted from ZT for a while so revisiting now.
Flow is below.
# This prevents IP spoofing but also blocks manual IP management at the OS level and
# bridging unless special rules to exempt certain hosts or traffic are added before

# Whitelist only IPv4 (/ARP) and IPv6 traffic and allow only ZeroTier-assigned IP addresses
drop                      # drop cannot be overridden by capabilities
  not ethertype ipv4      # frame is not ipv4
  and not ethertype arp   # AND is not ARP
  and not ethertype ipv6  # AND is not ipv6
  or not chr ipauth       # OR IP addresses are not authenticated (1.2.0+ only!)
;

# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
break                     # break can be overridden by a capability
  chr tcp_syn             # TCP SYN (TCP flags will never match non-TCP packets)
  and not chr tcp_ack     # AND not TCP ACK
;

Ditto whitelist: where, here in this script? Above?

# Is this member a server? (the tag's id line is not in the paste)
tag server
  enum 0 No
  enum 1 Yes
;

# If both members are not servers, break
break not tor server 1;

Trying to allow one server (NAS) to connect to mine from WAN.

# Create a capability called "superuser" that lets its holders override all but the initial "drop"
cap superuser
  id 100656   # arbitrary, but must be unique
  accept;     # allow with no match conditions means allow anything and everything
;

Trying to let myself in.

Then above the SYN,!ACK break (or in a capability) add rules to allow TCP packets with permitted destination ports:

# Allow TCP port 80 (HTTP)
accept ipprotocol tcp and dport 80;

# Allow SSH, HTTP, and HTTPS by allowing all TCP packets (including SYN/!ACK) to these ports
accept
  ipprotocol tcp
  and dport 22 or dport 80 or dport 443
;

# Allow REPLICATION by allowing all TCP packets (including SYN/!ACK) to these ports
accept
  ipprotocol tcp
  and dport 3261 or dport 5566
;

# Block TCP SYN,!ACK to prevent new non-whitelisted TCP connections from being initiated
# unless previously whitelisted or allowed by a capability.
break
  chr tcp_syn
  and not chr tcp_ack
;

# Accept anything else. This is required since default is 'drop'.
accept;
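Added example (mine, not part of the post above and not ZeroTier's own code): a small Python model of the order in which ZeroTier evaluates a flow, fed the rules as posted, so that a constructed packet gets a (decision, where it was decided) answer instead of silently vanishing. It models what the filter loop in ZeroTier's Network.cpp does: base rules run first; `drop` is final; `break` or running off the end of the base rules hands the packet to the sender's capabilities, where a `drop` only ends that capability and no `accept` anywhere means drop; and `and`/`or` fold left to right with no precedence or grouping. Assumptions: the `server` tag's id (2, since the post does not show it), packets are constructed dicts rather than real frames, and only the five matchers the flow uses are modelled (no tee/watch/redirect). Two things it makes visible that the flow's own comments do not: the `break` placed before the port whitelist sends every new connection from a member without the capability to the default drop, and `ipprotocol tcp and dport 22 or dport 80 or dport 443` also accepts UDP to port 80 because of the left-to-right fold.

```python
# Offline model of ZeroTier flow evaluation for the rules posted above (added example, not ZeroTier code).
import re

# The posted flow, in the order the post shows it. Tag id 2 is an assumption; the post omits it.
RULES = """
drop not ethertype ipv4 and not ethertype arp and not ethertype ipv6 or not chr ipauth;
break chr tcp_syn and not chr tcp_ack;            # first SYN,!ACK break, before the port whitelist
tag server id 2 enum 0 No enum 1 Yes default No;  # id 2 assumed
break not tor server 1;                           # neither member is tagged as a server
cap superuser id 100656 accept; ;
accept ipprotocol tcp and dport 80;
accept ipprotocol tcp and dport 22 or dport 80 or dport 443;
accept ipprotocol tcp and dport 3261 or dport 5566;
break chr tcp_syn and not chr tcp_ack;            # second SYN,!ACK break
accept;
"""

MATCH_ARGS = {"ethertype": 1, "chr": 1, "ipprotocol": 1, "dport": 1, "tor": 2}  # matchers modelled here

def tokenize(text):
    return re.sub(r"#.*", "", text).replace(";", " ; ").split()

def parse_rule(tokens, i):
    """Parse 'ACTION [and|or] [not] MATCH args ... ;' at tokens[i]; return (rule, next index)."""
    action, i, conds = tokens[i], i + 1, []
    while tokens[i] != ";":
        is_or = tokens[i] == "or"
        if tokens[i] in ("and", "or"):
            i += 1
        neg = tokens[i] == "not"
        if neg:
            i += 1
        name, n = tokens[i], MATCH_ARGS[tokens[i]]
        conds.append((is_or, neg, name, tuple(tokens[i + 1:i + 1 + n])))
        i += 1 + n
    return (action, conds), i + 1

def parse(text):
    """Split text into base rules and {capability name: rules}; tag definitions are skipped."""
    tokens, base, caps, i = tokenize(text), [], {}, 0
    while i < len(tokens):
        if tokens[i] == "tag":
            i = tokens.index(";", i) + 1
        elif tokens[i] == "cap":
            name, i, rules = tokens[i + 1], i + 2, []
            if tokens[i] == "id":
                i += 2
            while tokens[i] != ";":
                rule, i = parse_rule(tokens, i)
                rules.append(rule)
            caps[name], i = rules, i + 1
        else:
            rule, i = parse_rule(tokens, i)
            base.append(rule)
    return base, caps

def match(name, args, pkt):
    if name == "ethertype":
        return pkt["ethertype"] == args[0]
    if name == "chr":
        return args[0] in pkt["chr"]
    if name == "ipprotocol":
        return pkt["ipprotocol"] == args[0]
    if name == "dport":
        return pkt["dport"] == int(args[0])
    tag, value = args  # tor: bitwise OR of both members' tag values equals the given value
    return (pkt["sender_tags"].get(tag, 0) | pkt["receiver_tags"].get(tag, 0)) == int(value)

def run_rules(rules, pkt):
    """Return 'drop', 'accept' or 'nomatch' (break, or end of set). Conditions fold left to right."""
    for action, conds in rules:
        ok = True
        for is_or, neg, name, args in conds:
            r = match(name, args, pkt) != neg
            ok = (ok or r) if is_or else (ok and r)
        if ok:
            return "nomatch" if action == "break" else action
    return "nomatch"

def filter_packet(base, caps, pkt):
    """Base rules first ('drop' is final); then the sender's capabilities; no accept means drop."""
    verdict = run_rules(base, pkt)
    if verdict != "nomatch":
        return verdict, "base"
    for name in sorted(pkt["sender_caps"]):  # a 'drop' inside a capability only ends that capability
        if name in caps and run_rules(caps[name], pkt) == "accept":
            return "accept", "cap " + name
    return "drop", "default"

def packet(ethertype="ipv4", ipauth=True, ipprotocol=None, dport=None, syn=False, ack=False,
           sender_tags=None, receiver_tags=None, sender_caps=()):
    """Constructed packet description (not a real frame). TCP flag characteristics exist only for TCP."""
    chars = {"ipauth"} if ipauth else set()
    if ipprotocol == "tcp":
        chars |= {f for f, on in (("tcp_syn", syn), ("tcp_ack", ack)) if on}
    return {"ethertype": ethertype, "chr": chars, "ipprotocol": ipprotocol, "dport": dport,
            "sender_tags": sender_tags or {}, "receiver_tags": receiver_tags or {},
            "sender_caps": set(sender_caps)}

BASE, CAPS = parse(RULES)

def verdict(**kw):
    """(decision, where it was decided) for a constructed packet run against the posted flow."""
    return filter_packet(BASE, CAPS, packet(**kw))

if __name__ == "__main__":
    cases = {
        "non-ZT address, TCP 22":          dict(ipauth=False, ipprotocol="tcp", dport=22, ack=True),
        "SYN to 22, no tag, no cap":       dict(ipprotocol="tcp", dport=22, syn=True),
        "SYN to 22, holds superuser":      dict(ipprotocol="tcp", dport=22, syn=True, sender_caps=["superuser"]),
        "ACK to 22, neither is a server":  dict(ipprotocol="tcp", dport=22, ack=True),
        "ACK to 22, receiver is a server": dict(ipprotocol="tcp", dport=22, ack=True, receiver_tags={"server": 1}),
        "UDP to 80, receiver is a server": dict(ipprotocol="udp", dport=80, receiver_tags={"server": 1}),
    }
    for label, kw in cases.items():
        print(f"{label:32} -> {verdict(**kw)}")
```

To try a change to the flow, edit `RULES` and add a `verdict(...)` case for the traffic you care about; the second element of the result says which rule set decided the packet, which is the "log" the post asks for, minus the real controller's view of which member actually holds the tag or capability.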