Hacker News
by ngcc_hk 1464 days ago
That is not a feature; it is a bug and a big hole.

The firewall is the system. Just like Apple bypasses its own firewall and just sends packets back home. Or the Chinese way.

Of course, as said by one of the authors, the key is to control port 22 or the rule for SSH. That is not a total loss. Still, one that is ok … you are breaking the system by promoting a way to bypass it. Or just 1 rule. It is so hard to remember.

2 comments

No, it's not. Network access control is the whole point of Tailscale; it is the network filtering layer. It serves literally the same function that a Checkpoint Firewall-1 installation would have in 1997, and that's why people buy it. This is basic stuff from the Tailscale website; it doesn't even qualify as analysis. You really ought to understand how these things work before you describe things as "big holes".

Because that's what we all want. Yet another place to look for ACL rules...

If you're deploying Tailscale? Yeah, that's about right.

Considering how simple it is to use Tailscale ACL rules with node auto-tagging, yes I absolutely want it.

Anyway there's a loophole on your network. Tailscale is just a way to use it.