As I mentioned in another thread, I have a remote system that I want to be able to log data to a MariaDB database on my NS8 system. It doesn’t otherwise need to be part of the cluster, so rather than go that route, I’ve joined both my NS8 system and the remote one to a Tailscale network. I’d like to open the MariaDB port (20012 on my system) to only the tailscale0 interface.
The documentation page for the firewall describes opening a port, but (as far as I understand it) that opens it on every interface. Is there a way to open it to only a specified interface, network, or address?
That sounds like the conclusion I was reaching as well: assign tailscale0 (or the Tailscale networks) to a zone, and allow port 20012 from that zone. I haven't yet found whether it's possible to assign that interface to an existing zone (like the trusted zone to which the wireguard network already belongs), but this seems like it would work.
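The zone-based approach described in the last post, as an added example (not from the thread or the NS8 documentation). It assumes the NS8 host uses firewalld, that the zone name `tailscale` is our own choice, and that `DRY_RUN=1` (or a host without `firewall-cmd`) prints the commands instead of executing them:

```sh
#!/bin/sh
# Added example; not the thread's or NS8's own code.
# Assumptions: firewalld on the host, a zone named "tailscale" of our choosing,
# and DRY_RUN=1 (or no firewall-cmd binary) to print instead of execute.

ZONE="${ZONE:-tailscale}"
IFACE="${IFACE:-tailscale0}"
PORT="${PORT:-20012/tcp}"

# Run firewall-cmd, or print the command line when dry-running.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Bind the interface to a dedicated zone and open the port there only.
# A freshly created zone uses the "default" target, so anything not listed
# in it is rejected, and the port is never added to the public zone.
# Note: --new-zone fails if the zone already exists; re-runs must skip it.
restrict_port_to_iface() {
    fw --permanent --new-zone="$ZONE"
    fw --permanent --zone="$ZONE" --change-interface="$IFACE"
    fw --permanent --zone="$ZONE" --add-port="$PORT"
    fw --reload
}

# Post-check on a live firewalld: the port must be present in our zone and
# absent from the default zone. --query-port exits 0 for "yes", 1 for "no".
# Returns 2 when there is no firewall-cmd to ask.
verify_exposure() {
    command -v firewall-cmd >/dev/null 2>&1 || return 2
    firewall-cmd --zone="$ZONE" --query-port="$PORT" >/dev/null || return 1
    if firewall-cmd --zone="$(firewall-cmd --get-default-zone)" \
            --query-port="$PORT" >/dev/null; then
        echo "port $PORT is also open in the default zone" >&2
        return 1
    fi
    return 0
}

# Usage: sh restrict-mariadb.sh apply   (DRY_RUN=1 sh restrict-mariadb.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    restrict_port_to_iface && verify_exposure
fi
```

Putting the interface into the existing `trusted` zone instead (`firewall-cmd --permanent --zone=trusted --change-interface=tailscale0`) also works mechanically, but `trusted` accepts all incoming traffic, so every Tailscale peer would then reach every service on the host, not just port 20012; a dedicated zone keeps the exposure to the one port. Binding is by interface name, so it is reapplied when tailscaled recreates `tailscale0`; `firewall-cmd --get-active-zones` shows whether the binding took effect. Because the rule matches the interface rather than a peer address, every device on the tailnet can reach the port; narrowing that to the single remote host is a job for Tailscale's ACLs.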