Allow connections only from tailnet
Create a new zone for the tailscale0 interface.

sudo firewall-cmd --permanent --new-zone=tailnet
sudo firewall-cmd --permanent --zone=tailnet --add-interface=tailscale0
sudo firewall-cmd --reload

Add services and ports to the tailnet zone.

sudo firewall-cmd --permanent --zone=tailnet --add-service={http,https,ssh}
sudo firewall-cmd --permanent --zone=tailnet --add-port=9100/tcp
sudo firewall-cmd --reload

Ensure the public zone does not have any interfaces or sources.

sudo firewall-cmd --permanent --zone=public --remove-interface=eth0
sudo firewall-cmd --reload

The firewall should now only allow traffic coming from the tailnet interface.
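
To check the result, the following added example (not part of the original page) audits `firewall-cmd --list-all-zones` output. It flags any zone other than tailnet that still has interfaces or sources, and it also flags services or ports left in the default zone, because firewalld applies the default zone to any interface that is not bound to a zone. The function name `audit_zones` and the sample output are constructed for illustration, assuming public is the default zone.

```shell
#!/bin/sh
# Added example (not from the original page): audit firewalld zones.
# On a live host:
#   firewall-cmd --list-all-zones | audit_zones "$(firewall-cmd --get-default-zone)"
# Findings (one per line, exit status 1 if there are any):
#   BOUND         a zone other than tailnet still has interfaces or sources
#   DEFAULT-OPEN  the default zone, which also handles interfaces bound to
#                 no zone, still allows services or ports
audit_zones() {
    awk -v def="$1" -v allowed="tailnet" '
        /^[^ \t]/ { zone = $1; next }   # zone header, e.g. "public (active)"
        {
            key = $1; sub(/:$/, "", key)
            val = $0
            sub(/^[ \t]*[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (zone == "" || zone == allowed || val == "") next
            if (key == "interfaces" || key == "sources") {
                printf "BOUND %s %s=%s\n", zone, key, val; bad = 1
            } else if (zone == def && (key == "services" || key == "ports")) {
                printf "DEFAULT-OPEN %s %s=%s\n", zone, key, val; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: abridged --list-all-zones output after the steps above,
# on a host where public is the default zone (assumption).
sample_zones() {
    cat <<'EOF'
public
  target: default
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:

tailnet (active)
  target: default
  interfaces: tailscale0
  sources:
  services: http https ssh
  ports: 9100/tcp
EOF
}

# Run the audit on the sample; public is passed as the default zone.
sample_zones | audit_zones public || echo "review the findings above"
```

A DEFAULT-OPEN finding means eth0, now unbound, is still served by the default zone's services; removing those services or switching the default zone to a restrictive one such as drop clears it.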