Skip to content

Instantly share code, notes, and snippets.

@adamierymenko adamierymenko/zerotier_rules_example.ztrd
Last active Jun 28, 2019

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
An example of what an advanced ZeroTier network rule set might look like
Raw
zerotier_rules_example.ztrd
# This is an example from a work in progress, so final versions might
# be slightly different. Don't use as a guide after release!
# Define rule set macros
# Whitelist a TCP destination port on the network. Use this as a template to
# make your own rule sets for more advanced criteria like tag matches, etc.
# This works for both IPv4 and IPv6. Add an ethertype match to restrict it to
# one or the other.
macro tcp_whitelist_dest_port($port)
# Accept SYN from any port to this destination port
accept
ipprotocol 6
chr tcp_syn
not chr tcp_ack
dport $port $port # ports are ranges, in this case it's a range of size 1
;
# Accept SYN+ACK from this destination port back to any source port
accept
ipprotocol 6
chr tcp_syn
chr tcp_ack
sport $port $port
;
;
# To whitelist TCP we end by permitting all non-SYN TCP packets. SYNs that
# don't match will fall through and either be dropped at the end or will
# get picked up by a capability.
macro tcp_whitelist_end
accept
ipprotocol 6
not chr tcp_syn
;
;
# Create a "superuser" capability that we can assign to a few members that
# should be allowed to do anything. This could be useful for e.g. an active
# vulnerability scanner.
cap superuser
id 10000 # capabilities must have unique IDs, range 0 to UINT32_MAX
accept; # accept with no match criteria = always accept
;
# A tag we might use to group devices together as e.g. members of the same
# company department.
tag department
id 1000 # Tags have arbitrary 32-bit IDs like capabilities
enum 100 accounting
enum 200 sales
enum 300 finance
enum 400 legal
enum 500 engineering
;
# Rules for this network
# Allow only IPv4 (and ARP) and IPv6. Drop other traffic.
drop
not ethertype 0x0800 # ... and ...
not ethertype 0x0806 # ... and ...
not ethertype 0x86dd # (multiple matches in an action are ANDed together!)
;
# Watch all TCP connections in real time. We use two security monitoring
# destinations. One will get all TCP SYN, RST, or FIN packets from the
# inbound side of each sender-receiver pair. Another will get them from
# the outbound side. This lets us detect hosts that are not complying
# with rules by looking for differences in reported TCP traffic as well
# as preventing dupes at each observer.
tee 128 deadbeef00
ipprotocol 6
chr inbound # receiver side
chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
;
tee 128 deadbeef01
ipprotocol 6
not chr inbound # sender side
chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
;
# Allow only HTTP and HTTPS TCP traffic on this network
include tcp_whitelist_dest_port(80)
include tcp_whitelist_dest_port(443)
# A variant on a normal TCP whitelist to allow ssh only between
# members tagged as part of the same department. Could also make
# this a macro but we only need it once here.
accept
tdiff department 0 # no difference
ipprotocol 6
chr tcp_syn
not chr tcp_ack
dport 22 22 # ports are ranges, in this case it's a range of size 1
;
# Accept SYN+ACK from this destination port back to any source port
accept
tdiff department 0 # no difference
ipprotocol 6
chr tcp_syn
chr tcp_ack
sport 22 22
;
# End of TCP whitelists
include tcp_whitelist_end
# Allow all UDP, ICMP, and IGMP
accept ipprotocol 17;
accept ipprotocol 1;
accept ipprotocol 2;
@cryptmin

This comment has been minimized.

Sign in to view
Copy link

commented May 2, 2018

Thank you, very useful.
@AlexisTM

This comment has been minimized.

Sign in to view
Copy link

commented Aug 9, 2018

Thank you very much ;)
@memanga1

This comment has been minimized.

Sign in to view
Copy link

commented Oct 23, 2018

Unrecognized match type "$port".
1
@filipeandre

This comment has been minimized.

Sign in to view
Copy link

commented Dec 11, 2018
edited

Hi @adamierymenko. I want to have a node that can start connection and connect to all other nodes but I dont want other nodes to see anyone. It's possible?
@filipeandre

This comment has been minimized.

Sign in to view
Copy link

commented Dec 11, 2018
edited

I have made it like this:

# Drop not wanted stuff
drop
	not ethertype ipv4      # frame is not ipv4
	and not ethertype arp   # AND is not ARP
	and not ethertype ipv6  # AND is not ipv6
	or not chr ipauth       # OR IP addresses are not authenticated
;

# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
break                     # break can be overridden by a capability
  chr tcp_syn             # TCP SYN (TCP flags will never match non-TCP packets)
  and not chr tcp_ack     # AND not TCP ACK
;

# Create a capability called "superuser" that lets its holders override all but the initial "drop"
cap superuser
  id 1000 # arbitrary, but must be unique
  accept; # allow with no match conditions means allow anything and everything
;

# Accept other packets
accept;
@Mercurial

This comment has been minimized.

Sign in to view
Copy link

commented Jan 14, 2019

can anyone help me? I just wan't to redirect all traffic to my vpn server via traffic forwading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.