Need help on ziti firewall

ip r
default via 192.168.1.1 dev enp1s0 proto dhcp src 192.168.xx.xx metric 100
100.64.0.0/10 dev ziti0 scope link
100.64.0.2 dev ziti0 scope link
100.64.0.3 dev ziti0 scope link
100.64.0.4 dev ziti0 scope link
100.64.0.5 dev ziti0 scope link
100.64.0.6 dev ziti0 scope link
192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.xxx
192.168.0.0/24 via 192.168.0.1 dev enp3s0 proto static
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.xx.xx metric 100
192.168.1.1 dev enp1s0 proto dhcp scope link src 192.168.xx.xx metric 100
sudo zfw -L
INGRESS FILTERS:
type   service id            	proto	origin              	destination                     mapping:                	interface list
------ ----------------------	-----	-----------------	------------------		-------------------------------------------------------	-----------------
deny   0000000000000000000000	tcp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
accept 21wXRWsPgUCHUUEgnq2T62	tcp	0.0.0.0/0           	100.64.0.5/32                   dpts=1514:1514   	TUNMODE redirect:ziti0          []
accept 25PKCSIMbIHYqUbw6evT8K	tcp	0.0.0.0/0           	100.64.0.4/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 4OcvMNhXglb0bDxTCUZ4f1	tcp	0.0.0.0/0           	100.64.0.3/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 1MWGDlo11hNhtKDhjPwfMl	tcp	0.0.0.0/0           	100.64.0.6/32                   dpts=55000:55000 	TUNMODE redirect:ziti0          []
accept 1MWGDlo11hNhtKDhjPwfMl	tcp	0.0.0.0/0           	100.64.0.6/32                   dpts=1515:1515   	TUNMODE redirect:ziti0          []
accept 0000000000000000000000	udp	0.0.0.0/0           	100.64.0.2/32                   dpts=53:53       	TUNMODE redirect:ziti0          []
deny   0000000000000000000000	udp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
Rule Count: 8 / 250000
prefix_tuple_count: 7 / 100000
sudo zfw -L -z egress
EGRESS FILTERS:
type   service id            	proto	origin              	destination                     mapping:                	interface list
------ ----------------------	-----	-----------------	------------------		-------------------------------------------------------	-----------------
deny   0000000000000000000000	udp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
accept 0000000000000000000000	tcp	0.0.0.0/0           	35.xxx.xx.xx/32                  dpts=443:443     	PASSTHRU to 35.xxx.xx.xx/32      [enp1s0]
accept 0000000000000000000000	udp	0.0.0.0/0           	1.1.1.1/32                      dpts=53:53       	PASSTHRU to 1.1.1.1/32          [enp1s0]
deny   0000000000000000000000	tcp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
Rule Count: 4 / 250000
prefix_tuple_count: 4 / 100000
telnet ziti-controller.xxxx.xxxx 443
Trying 35.xxx.xx.xx...
Connected to ziti-controller.xxxx.xxxx.
Escape character is '^]'.

It is not resolving the Ziti DNS part.

telnet keycloak.xxxx.xxxx 443
Trying 100.64.0.6...
telnet: Unable to connect to remote host: Connection refused

Sorry, my bad, it is working. Ignore my previous message.

Is it possible to set by default that any request on this device goes only to the Ziti DNS first and then to 1.1.1.1, so that it first tries to go through Ziti only?

You should set up the Ziti resolver as the first stub resolver in the list on Ubuntu. Then queries will go to it first.

In our own Ubuntu images we drop this file in the systemd directory.

cat /lib/systemd/resolved.conf.d/01-ziti.conf
#Ziti Added file
[Resolve]
DNS=10.1.0.6

Then the global view would look like this.

resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 10.1.0.6
       DNS Servers: 10.1.0.6

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 168.63.129.16
       DNS Servers: 168.63.129.16
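As an added example that is not part of the reply above or of the OpenZiti tooling: a small POSIX shell check that parses resolvectl output and confirms the Ziti resolver is the first global DNS server, which is the condition the reply's resolved.conf.d drop-in is meant to produce. The sample resolvectl output embedded below is constructed for an offline run, and the ZITI_DNS address is an assumption (10.1.0.6 as in the reply; 100.64.0.2 on the host in this thread). One caveat worth knowing when relying on order: systemd-resolved keeps using the current server and only fails over to the next one on error or timeout, so the first entry has to be a resolver that also forwards non-Ziti names upstream, which the Ziti tunneler resolver does.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the Ziti resolver is the
# first global DNS server reported by `resolvectl`.
# ZITI_DNS is an assumption; set it to the address your ziti0 resolver uses.
ZITI_DNS="${ZITI_DNS:-10.1.0.6}"

# Constructed sample of `resolvectl` output so the check can run offline.
SAMPLE_RESOLVECTL='Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 10.1.0.6
       DNS Servers: 10.1.0.6 1.1.1.1

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 168.63.129.16
       DNS Servers: 168.63.129.16'

# first_global_dns: read resolvectl output on stdin and print the first
# address on the "DNS Servers:" line of the Global section only
# (per-link sections such as "Link 2 (eth0)" are ignored).
first_global_dns() {
    awk '
        /^Link [0-9]+/ { in_global = 0 }
        /^Global/      { in_global = 1 }
        in_global && $1 == "DNS" && $2 == "Servers:" { print $3; exit }
    '
}

# ziti_dns_first: exit 0 when the first global server is the Ziti resolver,
# exit 1 otherwise. Reads resolvectl output on stdin.
ziti_dns_first() {
    first="$(first_global_dns)"
    [ "$first" = "$ZITI_DNS" ]
}

# Live usage on a host:
#   resolvectl | ziti_dns_first && echo "ziti resolver is first" || echo "fix resolver order"
```

Run it against the real output with `resolvectl | ziti_dns_first`; a non-zero exit means the drop-in did not take effect (for example because resolved was not restarted) or another global DNS server is listed ahead of it.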

OK, let me try it. Can you change the DNS IP range instead of 100.64.0.2? How do I do that?
Let me try adding it to netplan so that it can resolve in order.

network:
  version: 2
  ethernets:
    en0:
      # either enable DHCP or give the interface a static address list
      #dhcp4: true
      #addresses: []
      # if they have any DNS to resolve, enable this and update the DNS IP accordingly
      nameservers:
        addresses:
          - 100.64.0.2
          - 1.1.1.1

My IP is just an example; you can use 100.64.0.2.
