Need help on ziti firewall

ss_vinoth22 · October 23, 2024, 6:43pm

ip r
default via 192.168.1.1 dev enp1s0 proto dhcp src 192.168.xx.xx metric 100
100.64.0.0/10 dev ziti0 scope link
100.64.0.2 dev ziti0 scope link
100.64.0.3 dev ziti0 scope link
100.64.0.4 dev ziti0 scope link
100.64.0.5 dev ziti0 scope link
100.64.0.6 dev ziti0 scope link
192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.xxx
192.168.0.0/24 via 192.168.0.1 dev enp3s0 proto static
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.xx.xx metric 100
192.168.1.1 dev enp1s0 proto dhcp scope link src 192.168.xx.xx metric 100

sudo zfw -L
INGRESS FILTERS:
type   service id            	proto	origin              	destination                     mapping:                	interface list
------ ----------------------	-----	-----------------	------------------		-------------------------------------------------------	-----------------
deny   0000000000000000000000	tcp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
accept 21wXRWsPgUCHUUEgnq2T62	tcp	0.0.0.0/0           	100.64.0.5/32                   dpts=1514:1514   	TUNMODE redirect:ziti0          []
accept 25PKCSIMbIHYqUbw6evT8K	tcp	0.0.0.0/0           	100.64.0.4/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 4OcvMNhXglb0bDxTCUZ4f1	tcp	0.0.0.0/0           	100.64.0.3/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 1MWGDlo11hNhtKDhjPwfMl	tcp	0.0.0.0/0           	100.64.0.6/32                   dpts=55000:55000 	TUNMODE redirect:ziti0          []
accept 1MWGDlo11hNhtKDhjPwfMl	tcp	0.0.0.0/0           	100.64.0.6/32                   dpts=1515:1515   	TUNMODE redirect:ziti0          []
accept 0000000000000000000000	udp	0.0.0.0/0           	100.64.0.2/32                   dpts=53:53       	TUNMODE redirect:ziti0          []
deny   0000000000000000000000	udp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
Rule Count: 8 / 250000
prefix_tuple_count: 7 / 100000

sudo zfw -L -z egress
EGRESS FILTERS:
type   service id            	proto	origin              	destination                     mapping:                	interface list
------ ----------------------	-----	-----------------	------------------		-------------------------------------------------------	-----------------
deny   0000000000000000000000	udp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
accept 0000000000000000000000	tcp	0.0.0.0/0           	35.xxx.xx.xx/32                  dpts=443:443     	PASSTHRU to 35.xxx.xx.xx/32      [enp1s0]
accept 0000000000000000000000	udp	0.0.0.0/0           	1.1.1.1/32                      dpts=53:53       	PASSTHRU to 1.1.1.1/32          [enp1s0]
deny   0000000000000000000000	tcp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
Rule Count: 4 / 250000
prefix_tuple_count: 4 / 100000

telnet ziti-controller.xxxx.xxxx 443
Trying 35.xxx.xx.xx...
Connected to ziti-controller.xxxx.xxxx.
Escape character is '^]'.

It is not resolving ziti dns part

telnet keycloak.xxxx.xxxx 443
Trying 100.64.0.6...
telnet: Unable to connect to remote host: Connection refused

ss_vinoth22 · October 23, 2024, 7:30pm

Sorry my bad it is working. ignore my previous message

ss_vinoth22 · October 23, 2024, 8:50pm

Is it possible to set by default any request on this device should go only to Ziti DNS first then to 1.1.1.1 so that first will try to go through only ziti?

dariuszSki · October 24, 2024, 2:19am

You should set up ziti resolver as the first stub resolver in the list on Ubuntu. Then queries will go to it first.

dariuszSki · October 24, 2024, 2:29am

In our own ubuntu images we drop this file in the systemd directory.

cat /lib/systemd/resolved.conf.d/01-ziti.conf
#Ziti Added file
[Resolve]
DNS=10.1.0.6

then the global view would look like this.

resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 10.1.0.6
       DNS Servers: 10.1.0.6

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 168.63.129.16
       DNS Servers: 168.63.129.16

ss_vinoth22 · October 24, 2024, 2:33am

Ok let me try it. Can you change the DNS IP range instead of 100.64.0.2? How to do that?
Let me try adding to netplan so that it can resolve in order

en0:
      #dhcp4: true
      addresses:
      # if they have any DNS to resolve, enable this and update the DNS IP accordingly
      nameservers:
         addresses:
           - 100.64.0.2
           - 1.1.1.1

dariuszSki · October 24, 2024, 2:36am

my ip is just an example, you can use 100.64.0.2

Topic		Replies	Views
Ziti basic architecture help Ziti Overlay	5	728	June 13, 2023
Open firewall (UFW) on Linux host only for traffic from ziti tunnel Ziti Tunnel	4	170	August 16, 2023
Openziti as VPN	6	901	August 27, 2023
Configuring LAN Gateway on Oracle Linux Ziti Overlay	9	309	September 4, 2022
Ziti Routing Question General Questions	15	447	September 29, 2023

Need help on ziti firewall

Related topics