An example of what an advanced ZeroTier network rule set might look like

zerotier_rules_example.ztrd

# This is an example from a work in progress, so final versions might
# be slightly different. Don't use as a guide after release!

# Define rule set macros

# Whitelist a TCP destination port on the network. Use this as a template to
# make your own rule sets for more advanced criteria like tag matches, etc.
# This works for both IPv4 and IPv6. Add an ethertype match to restrict it to
# one or the other.
macro tcp_whitelist_dest_port($port)
	# Accept SYN from any port to this destination port
	accept
		ipprotocol 6
		chr tcp_syn
		not chr tcp_ack
		dport $port $port # ports are ranges, in this case it's a range of size 1
	;
	# Accept SYN+ACK from this destination port back to any source port
	accept
		ipprotocol 6
		chr tcp_syn
		chr tcp_ack
		sport $port $port
	;
;

# To whitelist TCP we end by permitting all non-SYN TCP packets. SYNs that
# don't match will fall through and either be dropped at the end or will
# get picked up by a capability.
macro tcp_whitelist_end
	accept
		ipprotocol 6
		not chr tcp_syn
	;
;

# Create a "superuser" capability that we can assign to a few members that
# should be allowed to do anything. This could be useful for e.g. an active
# vulnerability scanner.
cap superuser
	id 10000 # capabilities must have unique IDs, range 0 to UINT32_MAX
	accept; # accept with no match criteria = always accept
;

# A tag we might use to group devices together as e.g. members of the same
# company department.
tag department
	id 1000 # Tags have arbitrary 32-bit IDs like capabilities
	enum 100 accounting
	enum 200 sales
	enum 300 finance
	enum 400 legal
	enum 500 engineering
;

# Rules for this network

# Allow only IPv4 (and ARP) and IPv6. Drop other traffic.
drop
	not ethertype 0x0800 # ... and ...
	not ethertype 0x0806 # ... and ...
	not ethertype 0x86dd # (multiple matches in an action are ANDed together!)
;

# Watch all TCP connections in real time. We use two security monitoring
# destinations. One will get all TCP SYN, RST, or FIN packets from the
# inbound side of each sender-receiver pair. Another will get them from
# the outbound side. This lets us detect hosts that are not complying
# with rules by looking for differences in reported TCP traffic as well
# as preventing dupes at each observer.
tee 128 deadbeef00
	ipprotocol 6
	chr inbound # receiver side
	chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
;
tee 128 deadbeef01
	ipprotocol 6
	not chr inbound # sender side
	chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
;

# Allow only HTTP and HTTPS TCP traffic on this network
include tcp_whitelist_dest_port(80)
include tcp_whitelist_dest_port(443)

# A variant on a normal TCP whitelist to allow ssh only between
# members tagged as part of the same department. Could also make
# this a macro but we only need it once here.
accept
	tdiff department 0 # no difference
	ipprotocol 6
	chr tcp_syn
	not chr tcp_ack
	dport 22 22 # ports are ranges, in this case it's a range of size 1
;
# Accept SYN+ACK from this destination port back to any source port
accept
	tdiff department 0 # no difference
	ipprotocol 6
	chr tcp_syn
	chr tcp_ack
	sport 22 22
;

# End of TCP whitelists
include tcp_whitelist_end

# Allow all UDP, ICMP, and IGMP
accept ipprotocol 17;
accept ipprotocol 1;
accept ipprotocol 2;

Thank you, very useful.

Thank you very much ;)

Unrecognized match type "$port".

Hi @adamierymenko. I want to have a node that can start connection and connect to all other nodes but I dont want other nodes to see anyone. It's possible?

I have made it like this:

# Drop not wanted stuff
drop
	not ethertype ipv4      # frame is not ipv4
	and not ethertype arp   # AND is not ARP
	and not ethertype ipv6  # AND is not ipv6
	or not chr ipauth       # OR IP addresses are not authenticated
;

# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
break                     # break can be overridden by a capability
  chr tcp_syn             # TCP SYN (TCP flags will never match non-TCP packets)
  and not chr tcp_ack     # AND not TCP ACK
;

# Create a capability called "superuser" that lets its holders override all but the initial "drop"
cap superuser
  id 1000 # arbitrary, but must be unique
  accept; # allow with no match conditions means allow anything and everything
;

# Accept other packets
accept;

can anyone help me? I just wan't to redirect all traffic to my vpn server via traffic forwading