An example of what an advanced ZeroTier network rule set might look like
# This is an example from a work in progress, so final versions might
# be slightly different. Don't use as a guide after release!
# Define rule set macros
# Whitelist a TCP destination port on the network. Use this as a template to
# make your own rule sets for more advanced criteria like tag matches, etc.
# This works for both IPv4 and IPv6. Add an ethertype match to restrict it to
# one or the other.
#
# NOTE(review): these rules match on header fields only (IP protocol, TCP
# flags, ports); no connection state is tracked. The first rule admits any
# pure SYN to $port, the second admits any SYN+ACK *from* $port, whether or
# not a corresponding SYN was ever seen. Everything after the handshake is
# handled by tcp_whitelist_end, which accepts non-SYN TCP on any port.
macro tcp_whitelist_dest_port($port)
# Accept SYN from any port to this destination port
accept
ipprotocol 6 # TCP
chr tcp_syn # SYN set ...
not chr tcp_ack # ... and ACK clear: the opening segment of a handshake
dport $port $port # ports are ranges, in this case it's a range of size 1
;
# Accept SYN+ACK from this destination port back to any source port.
# There is deliberately no dport match: the reply must reach whatever
# ephemeral port the client chose.
accept
ipprotocol 6
chr tcp_syn
chr tcp_ack
sport $port $port
;
;
# To whitelist TCP we end by permitting all non-SYN TCP packets. SYNs that
# don't match will fall through and either be dropped at the end or will
# get picked up by a capability.
#
# NOTE(review): this rule has no port or direction match, so every TCP
# segment without SYN (ACK, data, FIN, RST) is accepted on *any* port in
# either direction. Only the handshake is whitelisted; discarding stray
# non-SYN segments aimed at closed or non-whitelisted ports is left to the
# receiving host's TCP stack. A member that crafts segments without SYN can
# therefore still put bytes on the wire toward a port that was never
# whitelisted — relevant if anything on the receiver reads raw packets.
macro tcp_whitelist_end
accept
ipprotocol 6
not chr tcp_syn # matches whenever the SYN bit is clear, whatever else is set
;
;
# Create a "superuser" capability that we can assign to a few members that
# should be allowed to do anything. This could be useful for e.g. an active
# vulnerability scanner.
#
# NOTE(review): the accept below carries no match criteria, so a member
# holding this capability is exempt from the TCP port whitelist and the
# same-department SSH restriction in the base rules. Treat assignment as a
# privileged operation and periodically audit which members hold it.
cap superuser
id 10000 # capabilities must have unique IDs, range 0 to UINT32_MAX
accept; # accept with no match criteria = always accept
;
# A tag we might use to group devices together as e.g. members of the same
# company department.
#
# NOTE(review): the SSH rules below compare this tag with "tdiff department
# 0", i.e. both endpoints must carry the same value. Confirm how tdiff
# behaves when one or both members have no department value assigned before
# relying on it as an access-control boundary.
tag department
id 1000 # Tags have arbitrary 32-bit IDs like capabilities
enum 100 accounting
enum 200 sales
enum 300 finance
enum 400 legal
enum 500 engineering
;
# Rules for this network
#
# NOTE(review): rules are evaluated top to bottom, and a packet that reaches
# the end without being accepted is dropped (see the tcp_whitelist_end note
# above). Order therefore matters: the ethertype drop stays first, the tee
# rules precede every accept, and the SSH rules precede tcp_whitelist_end.
# Allow only IPv4 (and ARP) and IPv6. Drop other traffic.
drop
not ethertype 0x0800 # IPv4 ... and ...
not ethertype 0x0806 # ARP ... and ...
not ethertype 0x86dd # IPv6 (multiple matches in an action are ANDed together!)
;
# Watch all TCP connections in real time. We use two security monitoring
# destinations. One will get all TCP SYN, RST, or FIN packets from the
# inbound side of each sender-receiver pair. Another will get them from
# the outbound side. This lets us detect hosts that are not complying
# with rules by looking for differences in reported TCP traffic as well
# as preventing dupes at each observer.
#
# NOTE(review): 128 is presumably the number of leading bytes of each
# matching packet copied to the observer — confirm against the tee syntax.
# deadbeef00 / deadbeef01 look like placeholder node addresses and must be
# replaced with the real observer node IDs before this is deployed. The tee
# rules sit ahead of every accept so a copy is taken before evaluation can
# terminate on an accept.
tee 128 deadbeef00
ipprotocol 6
chr inbound # receiver side
chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
;
tee 128 deadbeef01
ipprotocol 6
not chr inbound # sender side
chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
;
# Allow only HTTP and HTTPS TCP traffic on this network
include tcp_whitelist_dest_port(80)
include tcp_whitelist_dest_port(443)
# A variant on a normal TCP whitelist to allow ssh only between
# members tagged as part of the same department. Could also make
# this a macro but we only need it once here.
#
# NOTE(review): these two rules must stay above tcp_whitelist_end. An SSH
# SYN between members whose department tags differ matches nothing here,
# is not accepted by tcp_whitelist_end (non-SYN only), and so falls off the
# end and is dropped unless the sender holds a capability such as superuser.
accept
tdiff department 0 # no difference
ipprotocol 6
chr tcp_syn
not chr tcp_ack
dport 22 22 # ports are ranges, in this case it's a range of size 1
;
# Accept SYN+ACK from this destination port back to any source port
accept
tdiff department 0 # no difference
ipprotocol 6
chr tcp_syn
chr tcp_ack
sport 22 22
;
# End of TCP whitelists
include tcp_whitelist_end
# Allow all UDP, ICMP, and IGMP
#
# NOTE(review): these three accepts have no port or type match, so the
# whitelist above constrains TCP only. Every UDP service on every port is
# reachable member-to-member, as is every ICMP/IGMP type. Consider a UDP
# dport whitelist modeled on the TCP macro if the network carries UDP
# services that should not be openly reachable. ipprotocol 1 is ICMPv4;
# ICMPv6 (IP protocol 58, which carries neighbor discovery and PMTU) matches
# nothing here and would be dropped at the end — confirm whether that is
# intended given IPv6 is permitted by the ethertype rule. Any other IP
# protocol (e.g. GRE, ESP) likewise matches nothing and is dropped.
accept ipprotocol 17; # UDP
accept ipprotocol 1; # ICMP (v4)
accept ipprotocol 2; # IGMP
Thank you very much ;)
Hi @adamierymenko. I want to have one node that can initiate connections to all other nodes, but I don't want the other nodes to be able to see anyone. Is that possible?
I have made it like this:
Can anyone help me? I just want to redirect all traffic to my VPN server via traffic forwarding.
Public IP dependency: can anyone help? When I am working from home my public IP is different and the server is not accessible.
Thank you, very useful.