fcenobi/zerotier_rules_example.ztrd

## zerotier_rules_example.ztrd
# This is an example from a work in progress, so final versions might
# be slightly different. Don't use as a guide after release!

# Define rule set macros

# Whitelist a TCP destination port on the network. Use this as a template to
# make your own rule sets for more advanced criteria like tag matches, etc.
# This works for both IPv4 and IPv6. Add an ethertype match to restrict it to
# one or the other.
macro tcp_whitelist_dest_port($port)
	# Accept SYN from any port to this destination port
	accept
		ipprotocol 6
		chr tcp_syn
		not chr tcp_ack
		dport $port $port # ports are ranges, in this case it's a range of size 1
	;
	# Accept SYN+ACK from this destination port back to any source port
	accept
		ipprotocol 6
		chr tcp_syn
		chr tcp_ack
		sport $port $port
	;
;

# To whitelist TCP we end by permitting all non-SYN TCP packets. SYNs that
# don't match will fall through and either be dropped at the end or will
# get picked up by a capability.
macro tcp_whitelist_end
	accept
		ipprotocol 6
		not chr tcp_syn
	;
;

# Create a "superuser" capability that we can assign to a few members that
# should be allowed to do anything. This could be useful for e.g. an active
# vulnerability scanner.
cap superuser
	id 10000 # capabilities must have unique IDs, range 0 to UINT32_MAX
	accept; # accept with no match criteria = always accept
;

# A tag we might use to group devices together as e.g. members of the same
# company department.
tag department
	id 1000 # Tags have arbitrary 32-bit IDs like capabilities
	enum 100 accounting
	enum 200 sales
	enum 300 finance
	enum 400 legal
	enum 500 engineering
;

# Rules for this network

# Allow only IPv4 (and ARP) and IPv6. Drop other traffic.
drop
	not ethertype 0x0800 # ... and ...
	not ethertype 0x0806 # ... and ...
	not ethertype 0x86dd # (multiple matches in an action are ANDed together!)
;

# Watch all TCP connections in real time. We use two security monitoring
# destinations. One will get all TCP SYN, RST, or FIN packets from the
# inbound side of each sender-receiver pair. Another will get them from
# the outbound side. This lets us detect hosts that are not complying
# with rules by looking for differences in reported TCP traffic as well
# as preventing dupes at each observer.
tee 128 deadbeef00
	ipprotocol 6
	chr inbound # receiver side
	chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
;
tee 128 deadbeef01
	ipprotocol 6
	not chr inbound # sender side
	chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
;

# Allow only HTTP and HTTPS TCP traffic on this network
include tcp_whitelist_dest_port(80)
include tcp_whitelist_dest_port(443)

# A variant on a normal TCP whitelist to allow ssh only between
# members tagged as part of the same department. Could also make
# this a macro but we only need it once here.
accept
	tdiff department 0 # no difference
	ipprotocol 6
	chr tcp_syn
	not chr tcp_ack
	dport 22 22 # ports are ranges, in this case it's a range of size 1
;
# Accept SYN+ACK from this destination port back to any source port
accept
	tdiff department 0 # no difference
	ipprotocol 6
	chr tcp_syn
	chr tcp_ack
	sport 22 22
;

# End of TCP whitelists
include tcp_whitelist_end

# Allow all UDP, ICMP, and IGMP
accept ipprotocol 17;
accept ipprotocol 1;
accept ipprotocol 2;
	# This is an example from a work in progress, so final versions might
	# be slightly different. Don't use as a guide after release!

	# Define rule set macros

	# Whitelist a TCP destination port on the network. Use this as a template to
	# make your own rule sets for more advanced criteria like tag matches, etc.
	# This works for both IPv4 and IPv6. Add an ethertype match to restrict it to
	# one or the other.
	macro tcp_whitelist_dest_port($port)
	# Accept SYN from any port to this destination port
	accept
	ipprotocol 6
	chr tcp_syn
	not chr tcp_ack
	dport $port $port # ports are ranges, in this case it's a range of size 1
	;
	# Accept SYN+ACK from this destination port back to any source port
	accept
	ipprotocol 6
	chr tcp_syn
	chr tcp_ack
	sport $port $port
	;
	;

	# To whitelist TCP we end by permitting all non-SYN TCP packets. SYNs that
	# don't match will fall through and either be dropped at the end or will
	# get picked up by a capability.
	macro tcp_whitelist_end
	accept
	ipprotocol 6
	not chr tcp_syn
	;
	;

	# Create a "superuser" capability that we can assign to a few members that
	# should be allowed to do anything. This could be useful for e.g. an active
	# vulnerability scanner.
	cap superuser
	id 10000 # capabilities must have unique IDs, range 0 to UINT32_MAX
	accept; # accept with no match criteria = always accept
	;

	# A tag we might use to group devices together as e.g. members of the same
	# company department.
	tag department
	id 1000 # Tags have arbitrary 32-bit IDs like capabilities
	enum 100 accounting
	enum 200 sales
	enum 300 finance
	enum 400 legal
	enum 500 engineering
	;

	# Rules for this network

	# Allow only IPv4 (and ARP) and IPv6. Drop other traffic.
	drop
	not ethertype 0x0800 # ... and ...
	not ethertype 0x0806 # ... and ...
	not ethertype 0x86dd # (multiple matches in an action are ANDed together!)
	;

	# Watch all TCP connections in real time. We use two security monitoring
	# destinations. One will get all TCP SYN, RST, or FIN packets from the
	# inbound side of each sender-receiver pair. Another will get them from
	# the outbound side. This lets us detect hosts that are not complying
	# with rules by looking for differences in reported TCP traffic as well
	# as preventing dupes at each observer.
	tee 128 deadbeef00
	ipprotocol 6
	chr inbound # receiver side
	chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
	;
	tee 128 deadbeef01
	ipprotocol 6
	not chr inbound # sender side
	chr tcp_syn,tcp_rst,tcp_fin # multiple characteristics in the same match rule are ORed (any bit set will match)
	;

	# Allow only HTTP and HTTPS TCP traffic on this network
	include tcp_whitelist_dest_port(80)
	include tcp_whitelist_dest_port(443)

	# A variant on a normal TCP whitelist to allow ssh only between
	# members tagged as part of the same department. Could also make
	# this a macro but we only need it once here.
	accept
	tdiff department 0 # no difference
	ipprotocol 6
	chr tcp_syn
	not chr tcp_ack
	dport 22 22 # ports are ranges, in this case it's a range of size 1
	;
	# Accept SYN+ACK from this destination port back to any source port
	accept
	tdiff department 0 # no difference
	ipprotocol 6
	chr tcp_syn
	chr tcp_ack
	sport 22 22
	;

	# End of TCP whitelists
	include tcp_whitelist_end

	# Allow all UDP, ICMP, and IGMP
	accept ipprotocol 17;
	accept ipprotocol 1;
	accept ipprotocol 2;