zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

tags behave erroneously in myzerotier.com #578

Closed whulshof closed 7 years ago

whulshof commented 7 years ago

I've defined four tags next to "superuser" (which is a capability). The UI only shows two tags in a column behind the device. If I try to manage the value of the tags in the device, by pressing the pencil, they all show, but if I fill out the second one, the third and fourth also change to "custom" or another wrong value. Effectively I can therefore only use two tags.

laduke commented 7 years ago

Can you post the rules?

whulshof commented 7 years ago

```
#
# This is a default rule set that allows IPv4 and IPv6 traffic but otherwise
# behaves like a standard Ethernet switch.
#
# Please keep in mind that ZeroTier versions prior to 1.2.0 do NOT support advanced
# network rules.
#
# Since both senders and receivers enforce rules, you will get the following
# behavior in a network with both old and new versions:
#
# (old: 1.1.14 and older, new: 1.2.0 and newer)
#
# old <--> old: No rules are honored.
# old <--> new: Rules work but are only enforced by new side. Tags will NOT work, and
#               capabilities will only work if assigned to the new side.
# new <--> new: Full rules engine support including tags and capabilities.
#
# We recommend upgrading all your devices to 1.2.0 as soon as convenient. Version
# 1.2.0 also includes a significantly improved software update mechanism that is
# turned on by default on Mac and Windows. (Linux and mobile are typically kept up
# to date using package/app management.)
#

#
# Allow only IPv4, IPv4 ARP, and IPv6 Ethernet frames.
#
# drop not ethertype ipv4 and not ethertype arp and not ethertype ipv6 ;
#
# Uncomment to drop non-ZeroTier issued and managed IP addresses.
#
# This prevents IP spoofing but also blocks manual IP management at the OS level and
# bridging unless special rules to exempt certain hosts or traffic are added before
# this rule.
#
drop
  not chr ipauth
;

# Allow SSH, HTTP, and HTTPS by allowing all TCP packets (including SYN/!ACK) to these ports
accept
  ipprotocol tcp
  and dport 22 or dport 80 or dport 443 or dport 8069 or dport 5432
;

# Create a tag for which scenario someone is in
tag odoo
  id 1000 # arbitrary, but must be unique
  enum 100 chocque # has no meaning to filter, but used in UI to offer a selection
  enum 200 nsm
  enum 300 magnus
  enum 400 bdu
;
tag odoo2
  id 2000 # arbitrary, but must be unique
  enum 100 chocque # has no meaning to filter, but used in UI to offer a selection
  enum 200 nsm
  enum 300 magnus
  enum 400 bdu
;
tag odoo3
  id 2000 # arbitrary, but must be unique
  enum 100 chocque # has no meaning to filter, but used in UI to offer a selection
  enum 200 nsm
  enum 300 magnus
  enum 400 bdu
;

# Create a tag to discriminate between users and services; users can connect to a service, but not to each other
tag starconfig
  id 2000
  enum 10 users
  enum 20 service
;

drop
  ipprotocol tcp
  and teq odooscenario 100
  and not dport 22 or not dport 80 or not dport 443 or not dport 8069
;

# Allow SSH, HTTP, and HTTPS by allowing all TCP packets (including SYN/!ACK) to these ports
# between computers in the same scenario using a tag, and drop TCP packets when users try
# connecting to users or services to services. Exception for superuser cap.
accept
  ipprotocol tcp
  and tdiff odoo 0 or tdiff odoo2 0 or tdiff odoo3 0 # difference between odooscenario tags is 0, meaning they match
  and not tdiff starconfig 0 # difference between users tags is 0, meaning they match
  and dport 22 or dport 80 or dport 443 or dport 8069
;

# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
break # break can be overridden by a capability
  chr tcp_syn # TCP SYN (TCP flags will never match non-TCP packets)
  and not chr tcp_ack # AND not TCP ACK
;

# Create a capability called "superuser" that lets its holders override all but the initial "drop"
cap superuser
  id 1000 # arbitrary, but must be unique
  accept; # allow with no match conditions means allow anything and everything
;

# Accept anything else. This is required since default is 'drop'.
accept;
```



> From: Travis LaDuke notifications@github.com
> Reply-To: zerotier/ZeroTierOne reply@reply.github.com
> Date: Wednesday, 6 September 2017 18:43
> To: zerotier/ZeroTierOne ZeroTierOne@noreply.github.com
> CC: Willem Hulshof w.hulshof@magnus.nl, Author author@noreply.github.com
> Subject: Re: [zerotier/ZeroTierOne] tags do behave erroneous in myzerotier.com (#578)
>
> Can you post the rules?


whulshof commented 7 years ago

I already see the problem. I copied the tag paragraphs and I did not change the ids. My mistake. Sorry.
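The root cause in the last comment, tag blocks copied without changing their ids, is the kind of mistake a quick check over the rules text catches before the rule set is pushed to the controller. The script below is an added example written for this page; it is not part of ZeroTier and not the poster's code. It strips `#` comments, splits the rules language on `;`, collects every `tag NAME id N` and `cap NAME id N` declaration, and reports an id declared twice within the same kind (tags and capabilities are treated as separate id spaces, as ZeroTier's own default rule set uses id 1000 for both a tag and a capability). It also flags a tag-matching condition that names a tag no `tag` block declares: the posted rules contain `teq odooscenario 100` while the declared tags are odoo, odoo2, odoo3 and starconfig, and the thread does not say whether the controller rejects that. The set of tag-matching keywords and the abridged sample rules are assumptions constructed for the example.

```python
from collections import defaultdict

# Rules-language match conditions whose first argument is a tag name.
# Assumed list for this example; extend it if your rule set uses others.
TAG_MATCHERS = {"teq", "tand", "tor", "txor", "tdiff", "tseq", "tsend"}

# Constructed, abridged copy of the rule set posted in the thread (not the full file).
SAMPLE_RULES = """
tag odoo
  id 1000 # arbitrary, but must be unique
  enum 100 chocque
  enum 200 nsm
;
tag odoo2
  id 2000 # block copied from the first tag; id was not changed
  enum 100 chocque
  enum 200 nsm
;
tag odoo3
  id 2000
  enum 100 chocque
  enum 200 nsm
;
tag starconfig
  id 2000
  enum 10 users
  enum 20 service
;
drop
  ipprotocol tcp
  and teq odooscenario 100
  and not dport 22
;
accept
  ipprotocol tcp
  and tdiff odoo 0 or tdiff odoo2 0 or tdiff odoo3 0
  and not tdiff starconfig 0
  and dport 22
;
cap superuser
  id 1000 # cap ids are a separate space from tag ids, so this does not collide with tag odoo
  accept;
;
accept;
"""

# The same rules with each tag given its own id: the only remaining finding
# is the reference to the undeclared tag name.
FIXED_RULES = (
    SAMPLE_RULES.replace("tag odoo2\n  id 2000", "tag odoo2\n  id 2001")
    .replace("tag odoo3\n  id 2000", "tag odoo3\n  id 2002")
    .replace("tag starconfig\n  id 2000", "tag starconfig\n  id 3000")
)


def tokenize(rules):
    """Drop '#' comments, split on ';' statement terminators, return token lists."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in rules.splitlines())
    return [stmt.split() for stmt in no_comments.split(";") if stmt.split()]


def lint_rules(rules):
    """Return a list of human-readable findings for a ZeroTier rules text."""
    ids_by_kind = {"tag": defaultdict(list), "cap": defaultdict(list)}  # kind -> id -> names
    declared_tags = set()
    references = []  # (matcher keyword, tag name) pairs seen in any statement

    for tokens in tokenize(rules):
        kind = tokens[0]
        if kind in ids_by_kind and len(tokens) >= 4 and tokens[2] == "id":
            name, ident = tokens[1], tokens[3]
            ids_by_kind[kind][ident].append(name)
            if kind == "tag":
                declared_tags.add(name)
        # Matchers can appear in accept/drop/break bodies and inside cap bodies.
        for i, tok in enumerate(tokens):
            if tok in TAG_MATCHERS and i + 1 < len(tokens):
                references.append((tok, tokens[i + 1]))

    findings = []
    for kind, by_id in ids_by_kind.items():
        for ident, names in by_id.items():
            if len(names) > 1:
                findings.append(f"duplicate {kind} id {ident}: {', '.join(names)}")
    for matcher, name in references:
        if name not in declared_tags:
            findings.append(f"{matcher} references undefined tag '{name}'")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Run it against the full rules file before pasting the file into the controller UI; a duplicated id shows up as one line naming every tag that shares it, which is the situation in this thread, and the second check catches a `teq`/`tdiff` condition left pointing at a tag name that was renamed or never declared.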