#+title: Firewalld
#+setupfile: ../org-templates/page.org

** Allow connections only from tailnet

Create a new zone for the ~tailscale0~ interface and bind the interface to it. Changes made with ~--permanent~ only take effect after a reload.

#+BEGIN_SRC shell
sudo firewall-cmd --permanent --new-zone=tailnet
sudo firewall-cmd --permanent --zone=tailnet --add-interface=tailscale0
sudo firewall-cmd --reload
#+END_SRC

Add the services and ports that should be reachable over the tailnet to the ~tailnet~ zone. Anything not listed here is rejected, because a newly created zone has the target ~default~.

#+BEGIN_SRC shell
sudo firewall-cmd --permanent --zone=tailnet --add-service={http,https,ssh}
sudo firewall-cmd --permanent --zone=tailnet --add-port=9100/tcp
sudo firewall-cmd --reload
#+END_SRC

Make sure the physical interface (~eth0~ here) is not in the ~public~ zone, which allows ~ssh~ by default. Removing the interface from ~public~ is not enough on its own: an interface that is not bound to any zone falls into the default zone, and on most distributions the default zone is ~public~, so the interface stays exposed. Bind the interface to the built-in ~drop~ zone and make ~drop~ the default zone, so that any interface that appears later is silent as well.

#+BEGIN_SRC shell
sudo firewall-cmd --permanent --zone=public --remove-interface=eth0
sudo firewall-cmd --permanent --zone=drop --add-interface=eth0
sudo firewall-cmd --set-default-zone=drop
sudo firewall-cmd --reload
#+END_SRC

If ~eth0~ is managed by NetworkManager, the zone binding is stored in the connection profile and is set with ~nmcli connection modify <connection> connection.zone drop~; otherwise NetworkManager may move the interface back into its previous zone when the connection comes up.

Verify with ~firewall-cmd --get-default-zone~ and ~firewall-cmd --get-active-zones~: ~eth0~ must be listed under ~drop~ and ~tailscale0~ under ~tailnet~. The firewall then only accepts traffic arriving on the tailnet interface, ~tailscale0~. tailscaled itself keeps working, since it initiates outbound UDP and firewalld accepts the replies belonging to those connections.
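The script below is an added example, not part of the original page or of firewalld itself. It applies the steps above in one go and, more importantly, audits the result the way a practitioner would before trusting it: it parses the output of ~firewall-cmd --get-active-zones~ and fails if the WAN interface sits in any zone other than ~drop~ or ~block~, or if the default zone (where unbound interfaces land) is permissive. The WAN interface name ~eth0~ is an assumption (override with ~WAN=<iface>~); the two sample outputs are constructed, not captured from a real host, so the ~demo~ mode runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the page): apply and audit a tailnet-only firewalld policy.
# Zone name "tailnet" and interface "tailscale0" follow the page; the WAN interface
# name is an assumption and can be overridden: WAN=enp1s0 ./tailnet-fw.sh check
set -u
WAN=${WAN:-eth0}

# Bind tailscale0 to the tailnet zone, bind the WAN interface to the built-in drop
# zone and make drop the default, so unbound interfaces are silent too.
# Only runs when invoked as: ./tailnet-fw.sh apply
apply_tailnet_only() {
    sudo firewall-cmd --permanent --new-zone=tailnet 2>/dev/null || true   # idempotent
    sudo firewall-cmd --permanent --zone=tailnet --add-interface=tailscale0
    sudo firewall-cmd --permanent --zone=tailnet --add-service={http,https,ssh}
    sudo firewall-cmd --permanent --zone=tailnet --add-port=9100/tcp
    sudo firewall-cmd --permanent --zone=public --remove-interface="$WAN" 2>/dev/null || true
    sudo firewall-cmd --permanent --zone=drop --add-interface="$WAN"
    sudo firewall-cmd --set-default-zone=drop
    sudo firewall-cmd --reload
}

# Turn `firewall-cmd --get-active-zones` output, e.g.
#   public
#     interfaces: eth0
#   tailnet
#     interfaces: tailscale0
# into one "zone interface" pair per line (source-based bindings are ignored).
zone_interface_pairs() {
    awk '
        /^[^[:space:]]/            { zone = $1; next }
        /^[[:space:]]+interfaces:/ { for (i = 2; i <= NF; i++) print zone, $i }
    '
}

# audit_exposure DEFAULT_ZONE ACTIVE_ZONES_TEXT
# Returns 0 only when the WAN interface is in drop/block (or unbound with a drop/block
# default zone) and tailscale0 is bound to tailnet. The default-zone check matters
# because --remove-interface leaves the interface unbound, and unbound interfaces
# are handled by the default zone, which is usually public.
audit_exposure() {
    local default_zone=$1 active=$2 rc=0 zone
    case "$default_zone" in
        drop|block) ;;
        *) echo "WARN: default zone is '$default_zone'; unbound interfaces are exposed"; rc=1 ;;
    esac
    zone=$(printf '%s\n' "$active" | zone_interface_pairs | awk -v w="$WAN" '$2 == w { print $1 }')
    case "$zone" in
        ""|drop|block) ;;
        *) echo "WARN: $WAN is bound to permissive zone '$zone'"; rc=1 ;;
    esac
    if ! printf '%s\n' "$active" | zone_interface_pairs | grep -q '^tailnet tailscale0$'; then
        echo "WARN: tailscale0 is not bound to the tailnet zone"; rc=1
    fi
    return $rc
}

# Constructed sample outputs (not captured from a real host), used by the demo mode.
# What the page's original third step leaves behind: eth0 unbound, default zone public.
SAMPLE_PAGE_RESULT='public
  interfaces: eth0
tailnet
  interfaces: tailscale0'
# After binding eth0 to drop and setting the default zone to drop.
SAMPLE_FIXED='drop
  interfaces: eth0
tailnet
  interfaces: tailscale0'

case "${1:-}" in
    apply) apply_tailnet_only ;;
    check) audit_exposure "$(firewall-cmd --get-default-zone)" "$(firewall-cmd --get-active-zones)" ;;
    demo)
        echo "== page's original result =="
        audit_exposure public "$SAMPLE_PAGE_RESULT" || echo "exposed"
        echo "== with drop zone and drop default =="
        audit_exposure drop "$SAMPLE_FIXED" && echo "OK: only tailscale0 accepts traffic" ;;
esac
```

Run ~./tailnet-fw.sh demo~ to see the audit reject the page's original end state (eth0 falls into the ~public~ default zone) and accept the corrected one; ~./tailnet-fw.sh check~ runs the same audit against the live firewalld configuration, and ~apply~ performs the change.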