Skip to content

Instantly share code, notes, and snippets.

@adamierymenko
Last active December 5, 2024 05:09
Show Gist options
  • Save adamierymenko/7bcc66b5f7627699236cda8ac13f923b to your computer and use it in GitHub Desktop.
Save adamierymenko/7bcc66b5f7627699236cda8ac13f923b to your computer and use it in GitHub Desktop.
An example of what an advanced ZeroTier network rule set might look like
# This is an example from a work in progress, so final versions might
# be slightly different. Don't use as a guide after release!
# Define rule set macros
# Whitelist a TCP destination port on the network. Use this as a template to
# make your own rule sets for more advanced criteria like tag matches, etc.
# This works for both IPv4 and IPv6. Add an ethertype match to restrict it to
# one or the other.
macro tcp_whitelist_dest_port($port)
# Accept SYN from any port to this destination port
accept
ipprotocol 6
chr tcp_syn
not chr tcp_ack
dport $port $port # ports are ranges, in this case it's a range of size 1
;
# Accept SYN+ACK from this destination port back to any source port
accept
ipprotocol 6
chr tcp_syn
chr tcp_ack
sport $port $port
;
;
# To whitelist TCP we end by permitting all non-SYN TCP packets. SYNs that
# don't match will fall through and either be dropped at the end or will
# get picked up by a capability.
macro tcp_whitelist_end
accept
ipprotocol 6
not chr tcp_syn
;
;
# Create a "superuser" capability that we can assign to a few members that
# should be allowed to do anything. This could be useful for e.g. an active
# vulnerability scanner.
cap superuser
id 10000 # capabilities must have unique IDs, range 0 to UINT32_MAX
accept; # accept with no match criteria = always accept
;
# A tag we might use to group devices together as e.g. members of the same
# company department.
tag department
id 1000 # Tags have arbitrary 32-bit IDs like capabilities
enum 100 accounting
enum 200 sales
enum 300 finance
enum 400 legal
enum 500 engineering
;
# Rules for this network
# Allow only IPv4 (and ARP) and IPv6. Drop other traffic.
drop
not ethertype 0x0800 # ... and ...
not ethertype 0x0806 # ... and ...
not ethertype 0x86dd # (multiple matches in an action are ANDed together!)
;
# Watch all TCP connections in real time. We use two security monitoring
# destinations. One will get all TCP SYN, RST, or FIN packets from the
# inbound side of each sender-receiver pair. Another will get them from
# the outbound side. This lets us detect hosts that are not complying
# with rules by looking for differences in reported TCP traffic as well
# as preventing dupes at each observer.
tee 128 deadbeef00
ipprotocol 6
chr inbound # receiver side
chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
;
tee 128 deadbeef01
ipprotocol 6
not chr inbound # sender side
chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
;
# Allow only HTTP and HTTPS TCP traffic on this network
include tcp_whitelist_dest_port(80)
include tcp_whitelist_dest_port(443)
# A variant on a normal TCP whitelist to allow ssh only between
# members tagged as part of the same department. Could also make
# this a macro but we only need it once here.
accept
tdiff department 0 # no difference
ipprotocol 6
chr tcp_syn
not chr tcp_ack
dport 22 22 # ports are ranges, in this case it's a range of size 1
;
# Accept SYN+ACK from this destination port back to any source port
accept
tdiff department 0 # no difference
ipprotocol 6
chr tcp_syn
chr tcp_ack
sport 22 22
;
# End of TCP whitelists
include tcp_whitelist_end
# Allow all UDP, ICMP, and IGMP
accept ipprotocol 17;
accept ipprotocol 1;
accept ipprotocol 2;
@cryptmin
Copy link

cryptmin commented May 2, 2018

Thank you, very useful.

@AlexisTM
Copy link

AlexisTM commented Aug 9, 2018

Thank you very much ;)

@memanga1
Copy link

Unrecognized match type "$port".
1

@filipeandre
Copy link

filipeandre commented Dec 11, 2018

Hi @adamierymenko. I want to have a node that can start connection and connect to all other nodes but I dont want other nodes to see anyone. It's possible?

@filipeandre
Copy link

filipeandre commented Dec 11, 2018

I have made it like this:

# Drop not wanted stuff
drop
	not ethertype ipv4      # frame is not ipv4
	and not ethertype arp   # AND is not ARP
	and not ethertype ipv6  # AND is not ipv6
	or not chr ipauth       # OR IP addresses are not authenticated
;

# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
break                     # break can be overridden by a capability
  chr tcp_syn             # TCP SYN (TCP flags will never match non-TCP packets)
  and not chr tcp_ack     # AND not TCP ACK
;

# Create a capability called "superuser" that lets its holders override all but the initial "drop"
cap superuser
  id 1000 # arbitrary, but must be unique
  accept; # allow with no match conditions means allow anything and everything
;

# Accept other packets
accept;

@Mercurial
Copy link

can anyone help me? I just wan't to redirect all traffic to my vpn server via traffic forwading

@amolvishwakarma
Copy link

Public ip dependency can anyone help when i am working from home my public ip is different and the server is not accessible.

@ZenitH-AT
Copy link

@filipeandre is there any way to have superuser be a tag enum value instead of a capability?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment