Here is my updated rule set that I use on my personal ZT network. # Whitelist only IPv4 (/ARP) and IPv6 traffic and allow only ZeroTier-assigned IP addresses drop # drop cannot be overridden by capabilities not ethertype ipv4 # frame is not ipv4 and not ethertype arp # AND is not ARP and not ethertype ipv6 # AND is not ipv6 # or not chr ipauth # OR IP addresses are not authenticated (1.2.0+ only!) ; # Allow SSH, SMTP, HTTP, HTTPS, and Cockpit by allowing all TCP packets (including SYN/!ACK) to these ports accept ipprotocol tcp and dport 22 or dport 25 or dport 80 or dport 443 or dport 9090 ; # Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above break # break can be overridden by a capability chr tcp_syn # TCP SYN (TCP flags will never match non-TCP packets) and not chr tcp_ack # AND not TCP ACK ; # Accept other packets accept;