Created
December 20, 2022 07:13
ZeroTier basic Hub and Spoke
# ZeroTier flow rules for a basic hub-and-spoke network.
#
# Members are tagged as "hub" or "spoke" via the `department` tag. Spokes may
# only exchange IP traffic with non-spokes, and new TCP connections are limited
# to the listed ports unless the sender holds the "superuser" capability.
#
# Rules are evaluated top to bottom; the first matching `accept` or `drop`
# ends evaluation, and `break` hands the packet to the sender's capabilities.
# Inside a rule, match conditions are combined left to right with no operator
# precedence (AND and OR are applied in the order written).

# Create a tag for which department someone is in.
# `tseq`/`treq` below test the sender's / receiver's value of this tag.
# NOTE(review): no default value is declared, so a member that has not been
# assigned this tag is neither hub nor spoke: it is not covered by the
# spoke-to-spoke drop below and is only limited by the TCP `break` rule.
# Consider giving the tag a default value if untagged members should be
# treated as spokes.
tag department
id 1000 # arbitrary, but must be unique
enum 100 spoke # has no meaning to filter, but used in UI to offer a selection
enum 200 hub
;

# Whitelist only IPv4 (/ARP) and IPv6 traffic and allow only ZeroTier-assigned IP addresses.
# Everything that is not IPv4, ARP or IPv6 is dropped, as is any IP frame whose
# address was not assigned by ZeroTier (`ipauth`). `drop` is terminal.
drop # drop cannot be overridden by capabilities
not ethertype ipv4 # frame is not ipv4
and not ethertype arp # AND is not ARP
and not ethertype ipv6 # AND is not ipv6
or not chr ipauth # OR IP addresses are not authenticated (1.2.0+ only!)
;

# Drop communications between spokes: sender tag == spoke AND receiver tag == spoke.
# ARP is exempted, presumably so spokes can still resolve addresses on the
# segment; it also means spokes can see each other's ARP traffic — TODO confirm
# that is intended.
drop
tseq department 100
and treq department 100
and not ethertype arp
;

# Allow SSH, HTTPS by allowing all TCP packets (including SYN/!ACK) to these ports from spokes.
# With left-to-right evaluation this reads as
# ((tcp AND dport 48022) OR dport 443) AND sender is a spoke, so `dport 443`
# is not restricted to TCP on its own (UDP/443 from a spoke also matches).
# That is harmless here only because the final `accept;` admits non-TCP traffic
# anyway; add `and ipprotocol tcp` after `dport 443` if the ruleset is tightened.
# There is no receiver condition: spoke-to-spoke IP traffic is already dropped
# above, so this effectively accepts spoke -> hub (or untagged member).
accept
ipprotocol tcp
and dport 48022 or dport 443
and tseq department 100
;

# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above.
# No tag condition here, so this applies to every sender, hubs included: a hub
# cannot open a TCP connection to a spoke unless it holds the superuser
# capability. A packet that hits `break` is dropped unless one of the sender's
# capabilities accepts it.
break # break can be overridden by a capability
chr tcp_syn # TCP SYN (TCP flags will never match non-TCP packets)
and not chr tcp_ack # AND not TCP ACK
;

# Create a capability called "superuser" that lets its holders override all but the initial "drop".
# The capability's unconditional accept only takes effect after `break`; the
# two `drop` rules above are terminal and are never re-evaluated. Which members
# hold it is assigned on the controller, not in this file.
cap superuser
id 1000 # arbitrary, but must be unique
accept; # allow with no match conditions means allow anything and everything
;

# Accept other packets: ARP, UDP, ICMP and established TCP (ACK set), plus any
# IPv4/IPv6 frame that reached this point without matching a rule above.
accept;