-
Notifications
You must be signed in to change notification settings - Fork 1
/
ztrules
83 lines (69 loc) · 2.56 KB
/
ztrules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# Format for the rules are taken from the zerotier flow rules on the my.zertotier.com which displayes
# flow rules in json format.
# The syntax here is something I created for my own purposes to make it easy to parse and create rules.
# These are limited to how I normally use it for my own networks.
# If you want to allow all traffic based on the default zerotier configuration then uncommment the lines below
# It allows arp so hosts can find each other, IPv4 Protocols and IPv6.
### accept:arp
### accept:ipv4
### accept:ipv6
### end:main:protocols
### default:accept
# If you want to drop a specific protoocl then use:
# Remember to put allow rules above these
# drop:tcp
# drop:udp
# for example
## Lines beginning with # are ignored.
### Current rules supported are:
### Allow/Deny a protocl and port
### accept:tcp:dport:443
### drop:tcp:dport:443
###
### Allow/deny port to an IP and only from a specific IP or network
### accept:tcp:dport:22:srcip:192.168.69.40/32:destip:192.168.69.217/32
### deny:tcp:dport:22:srcip:192.168.69.40/32:destip:192.168.69.217/32
###
### # Action:protocol:direction:
### # Allow ssh but not to 192.168.69.217
### accept:tcp:dport:22:destip:not 192.168.69.217/32
###
### #Allow ssh to 192.168.69.217 but only from 192.168.69.40
### accept:tcp:dport:22:srcip:192.168.69.40/32:destip:192.168.69.217/32
###
### Allow port to a specific IP
### accept:udp:dport:53:destip:192.168.69.53/32
###
### Allow specific port from an IP and to a specific host or network
### This example assumes the default is to deny a protocol.
### The example below allows the DNS to return DNS queries back to
### hosts on the LAN
### It is related to the example above that allows all hosts on the LAN
### to connect to the DNS server on port 53
### accept:udp:sport:53:srcip:192.168.69.53/32:destip:192.168.69.0/24
# Allow default protocols
accept:arp
accept:ipv4
accept:ipv6
end:main:protocols
# Allow HTTP to all
accept:tcp:dport:80
# Allow HTTPS to all
accept:tcp:dport:443
# Allow portmap to specific IP running nfs server
accept:udp:dport:111:destip:192.168.69.111/32
# Allow SSH to all hosts on LAN
accept:tcp:dport:22
# Allow SMTP to all
accept:tcp:dport:25
# Allow udp 53 to 192.168.69.53
accept:udp:dport:53:destip:192.168.69.53/32
# Allow udp from 192.168.69.53 with source port 53 to 192.168.69.0/24
# Allows returning dns traffic since default is to drop UDP
accept:udp:sport:53:srcip:192.168.69.53/32:destip:192.168.69.0/24
# Drop all UDP except rules above
drop:udp
# Drop TCP except rules above
drop:tcp
# Allow all other traffic
default:accept