Last active January 18, 2024 19:05
ufw rules to get zscaler working on linux
sudo ufw allow in on zcctun0 proto any from 10.0.0.0/8 to 100.64.0.1 port 9000
sudo ufw allow in on zcctun0 proto any from 100.64.0.0/16 to 100.64.0.1 port 9000
sudo ufw allow in on zcctun0 proto any from 100.64.0.0/16 to 100.64.0.1 port 9010
sudo ufw allow in on zcctun0 proto udp from 100.64.0.0/16 to 100.64.0.1
ip route | grep tun0
10.0.0.0/8 via 100.64.0.1 dev tun0 scope link
100.64.0.0/16 via 100.64.0.1 dev tun0 scope link
100.64.0.0/16 dev tun0 proto kernel scope link src 100.64.0.1
ok, trying to access stuff behind zscaler, I see I might be missing other rules 😭
ok so I was trying to connect to a server in 10.0.0.0/8 and it wasn't working, so I added another rule:
sudo ufw allow in on tun0 proto tcp from 10.0.0.0/8 to 100.64.0.1 port 9000
Was having issues updating zscaler, saw that apparmor was blocking zscaler, found https://help.zscaler.com/client-connector/resolving-auto-update-issues-zscaler-client-connector-linux-1.2
Had to update the ufw rules as the interface name is now zcctun0, used to be tun0.
This solved the Endpoint FW/AV Error issue I was having on Manjaro with ZScaler 1.4.1.41, thanks!
Works perfectly on Ubuntu 22.04 with ZScaler 1.5.0.37. Thank you!
The udp rule is for dns queries, otherwise the first dns query times out after 5 seconds (second query with your usual dns servers works). This is because when you enable zscaler it prepends a dns server to your usual list and that one gets blocked by ufw. You can see your dns config with
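The rules above hard-code the interface name, which the thread shows changed from tun0 to zcctun0 between Client Connector releases. As an added example (not the gist author's or Zscaler's code), the POSIX shell script below reads the tunnel interface out of `ip route` output, refuses to emit rules when the tunnel is not up, and prints the four ufw rules from the gist for whatever name it finds. The gateway 100.64.0.1 and ports 9000/9010 are the gist's values; the route table it ships with is constructed sample input.

```shell
#!/bin/sh
# Added example, not the gist author's script. Finds the Zscaler tunnel
# interface in "ip route" output (tun0 in older releases, zcctun0 in newer
# ones, per the comments) and prints the gist's ufw rules for that name.
# The route table below is constructed sample input.

SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 100.64.0.1 dev zcctun0 scope link
100.64.0.0/16 via 100.64.0.1 dev zcctun0 scope link
100.64.0.0/16 dev zcctun0 proto kernel scope link src 100.64.0.1'

# Print the interface that carries the 100.64.0.0/16 route (the Zscaler
# tunnel). Prints nothing when the tunnel route is absent.
zscaler_iface() {
  printf '%s\n' "$1" | awk '
    $1 == "100.64.0.0/16" {
      for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Emit the four ufw rules from the gist for the given interface. The tunnel
# gateway 100.64.0.1 and ports 9000/9010 are the values the gist uses.
# Fails (return 1) on an empty name so no rule is ever built with an
# empty "on" clause, which would otherwise match every interface.
zscaler_ufw_rules() {
  iface="$1"
  gw="100.64.0.1"
  [ -n "$iface" ] || { echo "zscaler tunnel interface not found" >&2; return 1; }
  printf 'ufw allow in on %s proto any from 10.0.0.0/8 to %s port 9000\n' "$iface" "$gw"
  printf 'ufw allow in on %s proto any from 100.64.0.0/16 to %s port 9000\n' "$iface" "$gw"
  printf 'ufw allow in on %s proto any from 100.64.0.0/16 to %s port 9010\n' "$iface" "$gw"
  # UDP rule: Zscaler prepends its own DNS resolver, which ufw otherwise
  # blocks, so the first lookup times out (see the comment thread).
  printf 'ufw allow in on %s proto udp from 100.64.0.0/16 to %s\n' "$iface" "$gw"
}

# With "--live", read the real route table; otherwise use the sample above.
if [ "${1:-}" = "--live" ]; then
  routes="$(ip route)"
else
  routes="$SAMPLE_ROUTES"
fi
zscaler_ufw_rules "$(zscaler_iface "$routes")"
```

Run with `--live` to print the commands for the current route table; pipe them through `sudo sh` only after reading them.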