ufw rules to get zscaler working on linux

zscaler_ufw.txt

sudo ufw allow in on zcctun0 proto any from 10.0.0.0/8    to 100.64.0.1 port 9000
sudo ufw allow in on zcctun0 proto any from 100.64.0.0/16 to 100.64.0.1 port 9000
sudo ufw allow in on zcctun0 proto any from 100.64.0.0/16 to 100.64.0.1 port 9010
sudo ufw allow in on zcctun0 proto udp from 100.64.0.0/16 to 100.64.0.1

Was seeing stuff like:

[UFW BLOCK] IN=tun0 OUT= MAC= SRC=100.64.0.6 DST=100.64.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50264 DF PROTO=TCP SPT=35296 DPT=9000 WINDOW=64240 RES=0x00 SYN URGP=0 

the udp rule is for dns queries, otherwise the first dns query times out after 5 seconds (second query with your usual dns servers works). This is because when you enable zscaler it prepends a dns server to your usual list and that one gets blocked by ufw. You can see your dns config with

cat /etc/resolv.conf

ip route | grep tun0
10.0.0.0/8 via 100.64.0.1 dev tun0 scope link 
100.64.0.0/16 via 100.64.0.1 dev tun0 scope link 
100.64.0.0/16 dev tun0 proto kernel scope link src 100.64.0.1 

ok trying to access stuff behind zscaler I see I might be missing other rules 😭

ok so was trying to connect to a server in 10.0.0.0/8 and it wasn't working, so added another rule:

sudo ufw allow in on tun0 proto tcp from 10.0.0.0/8 to 100.64.0.1 port 9000

Was having issues updating zscaler, saw that apparmor was blocking zscaler, found https://help.zscaler.com/client-connector/resolving-auto-update-issues-zscaler-client-connector-linux-1.2

Had to uppate the ufw rules as the interface name is now zcctun0, used to be tun0.

This solved the Endpoint FW/AV Error issue I was having on Manjaro with ZScaler 1.4.1.41, thanks!

Works perfectly on Ubuntu 22.04 with ZScaler 1.5.0.37. Thank you!