Rules FAQ
Check the manual for theory about how rules work.



Do you have a couple of server or admin nodes, but you don't want members to be able to talk to each other?

```
accept ethertype arp;

tag server
  id 2
  enum 0 No
  enum 1 Yes
  default No
;

# if neither member is a "server", break
break not tor server 1;

# This is required because the default action is 'drop'.
accept;
```

See the "Tags Matrix" in the section below after saving the rules. Set your servers to "Yes".




Add the following to the beginning of your rules code:

```
drop;
```


This will only block traffic on the ZeroTier overlay network, not your physical network.



A network that can only be used for remote desktop.

Check the manual for more information.

```
accept ethertype arp;                         # so nodes can find each other
drop not ipprotocol tcp;
accept dport 3389;                            # Destination is RDP
drop chr tcp_syn and not chr tcp_ack;         # No new TCP connections (except RDP)
accept;                                       # Accept what's left, returning RDP traffic
```


This is a common request, but we're not sure this is the best pattern for rules. See the manual and the other examples in the wiki.

In particular, this has the disadvantage of blocking RDP's UDP mode.

Locking down UDP



A network that gives limited access to Authorized members.

More access can be gradually granted with the rules engine.

This could be used on a public or a private network.

```
tag admin # employee workstations
  id 1
  flag 0 yes
  default 0
;

# authorized members can't do anything but be ssh'd into
# use ssh to login to the member device, get its serial number, name, etc. to find out what kind of access it should have

# arp and ping only work if at least one node is "admin"
accept ethertype arp and tor admin 1;
accept ipprotocol icmp4 and tor admin 1;

# allow return traffic for established tcp connections
accept chr tcp_ack;

# ssh initiated from admins is allowed
accept dport 22 and ipprotocol tcp and tseq admin 1;

# once approved, member is allowed to participate in network as normal
cap approved
  id 1
  accept;
;

break;

# Grant the capability to a member through the ZeroTier Central API:
# N=
# M=
# TOKEN=
# CAP_ID=1
# curl -X POST https://my.zerotier.com/api/network/$N/member/$M --header "Authorization: token $TOKEN" -d "{\"config\": { \"capabilities\": [$CAP_ID] }}"
```
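To check what the two tag-based rule sets on this page (the "server" tag example and the "limited access" admin/capability example) actually let through before saving them, here is an added Python model written for this page; it is not ZeroTier's own code. It encodes the rule semantics as read from the manual: rules run in order, accept/drop decide, a break in the base rules falls through to the capabilities the sender holds, undecided traffic is dropped, and a member without a tag is treated as having that tag's default (0 for both tags here). The Member and Packet classes and the condition builders (tor, tseq, ethertype, ipprotocol, dport, chr_) are this model's own names.

```python
# Added illustration, not ZeroTier code: models the rule semantics as read from the manual
# (rules in order; accept/drop decide; "break" in the base rules falls through to the
# capabilities the sender holds; undecided traffic is dropped; missing tags read as default 0).
from dataclasses import dataclass, field

@dataclass
class Member:
    name: str
    tags: dict = field(default_factory=dict)  # tag name -> enum value or flag bits
    caps: set = field(default_factory=set)    # capability names granted via the API

@dataclass
class Packet:
    ethertype: str = "ipv4"                   # "arp" for ARP frames
    ipprotocol: str = ""                      # "tcp", "udp", "icmp4", ...
    dport: int = 0
    chr: set = field(default_factory=set)     # TCP characteristics, e.g. {"tcp_syn", "tcp_ack"}

# Condition builders named after the rule-language keywords; each yields f(pkt, sender, receiver)
tor = lambda tag, v: lambda p, s, r: (s.tags.get(tag, 0) | r.tags.get(tag, 0)) == v  # sender|receiver
tseq = lambda tag, v: lambda p, s, r: s.tags.get(tag, 0) == v                        # sender's tag only
ethertype = lambda v: lambda p, s, r: p.ethertype == v
ipprotocol = lambda v: lambda p, s, r: p.ipprotocol == v
dport = lambda v: lambda p, s, r: p.dport == v
chr_ = lambda v: lambda p, s, r: v in p.chr
not_ = lambda c: lambda p, s, r: not c(p, s, r)
and_ = lambda *cs: lambda p, s, r: all(c(p, s, r) for c in cs)
always = lambda p, s, r: True

def run_rules(rules, pkt, s, r):
    """One rule list in order: 'accept'/'drop' on first match, None on 'break' or no match."""
    for action, cond in rules:
        if cond(pkt, s, r):
            return None if action == "break" else action
    return None

def evaluate(base, caps, pkt, s, r):
    """Base rules first; if undecided, each capability the sender holds; otherwise drop."""
    verdict = run_rules(base, pkt, s, r)
    for name in sorted(s.caps):
        if verdict is None:
            verdict = run_rules(caps.get(name, []), pkt, s, r)
    return verdict or "drop"

# The two rule sets from this page, transcribed into the model
SERVER_BASE = [("accept", ethertype("arp")), ("break", not_(tor("server", 1))), ("accept", always)]
ADMIN_BASE = [("accept", and_(ethertype("arp"), tor("admin", 1))),
              ("accept", and_(ipprotocol("icmp4"), tor("admin", 1))),
              ("accept", chr_("tcp_ack")),                                        # established TCP
              ("accept", and_(dport(22), ipprotocol("tcp"), tseq("admin", 1))),  # SSH from admins
              ("break", always)]                                                 # defer to capabilities
ADMIN_CAPS = {"approved": [("accept", always)]}
```

For instance, evaluate(SERVER_BASE, {}, Packet(ipprotocol="tcp"), member, server) returns "accept" while the same packet between two non-server members returns "drop", and under ADMIN_BASE an SSH SYN is accepted from a member tagged admin but dropped in the other direction unless the sender holds the "approved" capability.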

Updated on: 12/07/2024
