krisek/zero_rule_hub_and_spoke

## zero_rule_hub_and_spoke
# Create a tag for which department someone is in
tag department
  id 10                 # arbitrary, but must be unique
  enum 100 spoke          # has no meaning to filter, but used in UI to offer a selection
  enum 200 hub
  enum 300 super
;

# Whitelist only IPv4 (/ARP) and IPv6 traffic and allow only ZeroTier-assigned IP addresses
drop                      # drop cannot be overridden by capabilities
  not ethertype ipv4      # frame is not ipv4
  and not ethertype arp   # AND is not ARP
  and not ethertype ipv6  # AND is not ipv6
  or not chr ipauth       # OR IP addresses are not authenticated (1.2.0+ only!)
;

# Drop communications between spokes
drop
  tseq department 100
	and treq department 100
	and not ethertype arp
;


# Allow HTTP(S) by allowing all TCP packets (including SYN/!ACK) to these ports from spokes
accept
  ipprotocol tcp
  and tseq department 300
;


# Allow HTTP(S) by allowing all TCP packets (including SYN/!ACK) to these ports from spokes
accept
  ipprotocol tcp
  and dport 443 or dport 80 or dport 25 or dport 22000
	and tseq department 100
;

# Allow HTTP(S) by allowing all TCP packets (including SYN/!ACK) to these ports from spokes
accept
  ipprotocol udp
  and dport 21027 or dport 22000
	and tseq department 100
;

# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
break                     # break can be overridden by a capability
  chr tcp_syn             # TCP SYN (TCP flags will never match non-TCP packets)
  and not chr tcp_ack     # AND not TCP ACK
;

# Create a capability called "superuser" that lets its holders override all but the initial "drop"
cap superuser
  id 1000 # arbitrary, but must be unique
  accept; # allow with no match conditions means allow anything and everything
;

# Accept other packets
accept;
	# Create a tag for which department someone is in
	tag department
	id 10 # arbitrary, but must be unique
	enum 100 spoke # has no meaning to filter, but used in UI to offer a selection
	enum 200 hub
	enum 300 super
	;

	# Whitelist only IPv4 (/ARP) and IPv6 traffic and allow only ZeroTier-assigned IP addresses
	drop # drop cannot be overridden by capabilities
	not ethertype ipv4 # frame is not ipv4
	and not ethertype arp # AND is not ARP
	and not ethertype ipv6 # AND is not ipv6
	or not chr ipauth # OR IP addresses are not authenticated (1.2.0+ only!)
	;

	# Drop communications between spokes
	drop
	tseq department 100
	and treq department 100
	and not ethertype arp
	;


	# Allow HTTP(S) by allowing all TCP packets (including SYN/!ACK) to these ports from spokes
	accept
	ipprotocol tcp
	and tseq department 300
	;


	# Allow HTTP(S) by allowing all TCP packets (including SYN/!ACK) to these ports from spokes
	accept
	ipprotocol tcp
	and dport 443 or dport 80 or dport 25 or dport 22000
	and tseq department 100
	;

	# Allow HTTP(S) by allowing all TCP packets (including SYN/!ACK) to these ports from spokes
	accept
	ipprotocol udp
	and dport 21027 or dport 22000
	and tseq department 100
	;

	# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
	break # break can be overridden by a capability
	chr tcp_syn # TCP SYN (TCP flags will never match non-TCP packets)
	and not chr tcp_ack # AND not TCP ACK
	;

	# Create a capability called "superuser" that lets its holders override all but the initial "drop"
	cap superuser
	id 1000 # arbitrary, but must be unique
	accept; # allow with no match conditions means allow anything and everything
	;

	# Accept other packets
	accept;