Well I’ve been trying this for a few hours now, and haven’t got it to work, so I thought I’d see if smarter people than me can tell me where I’ve got this wrong.
Here is the default “every one access everything” ACL, which is working.
    {
      // Declare static groups of users beyond those in the identity service.
      "groups": {
        "group:admins": ["me@domain.org", "him@domain.org"],
      },
      // Tags let you set policy on groups of things.
      "tagOwners": {
        "tag:server": ["group:admins"],
        "tag:user": ["group:admins"],
      },
      // Declare convenient hostname aliases to use in place of IP addresses.
      "hosts": {
        "webserver": "100.12.15.123",
      },
      // Access control lists.
      "acls": [
        // 1. Match absolutely everything.
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
        // 2. admins group can access webserver on all ports
        // { "action": "accept", "src": ["group:admins"], "dst": ["webserver:*"] },
      ],
    }
With rule 1 in place, everything is accessible, as you might expect. If I comment out rule 1 and uncomment rule 2, then I can access exactly nothing.
If I look in the editor “Preview Rules” section it tells me that I, as a member of the admin group, can access webserver. But when I try, I can’t access anything. In fact I can’t ‘tailscale ping’ it either, by its hostname or by its IP. And tailscale status returns nothing, just my own local node.
Furthermore, I’ve replaced dst with 100.12.15.123:*, with tags:server:*, and with : and none of these let me access the server, ping it, or see it on tailscale status. When I roll back to rule 1, everything is fine.
So have I misunderstood something here? As someone who’s wrestled with firewalls for 20 years or so, I’ve usually managed to figure things out, but this one has me scratching my head.
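A small offline policy evaluator for the ACL above, added here as an example and not part of the original post or of Tailscale's own code. It models one rule that the admin console preview does not make obvious: a node that carries a tag (such as tag:user from the tagOwners block) is identified by its tags, not by its user, so a src of group:admins matches the same laptop only while it is untagged. The device records and the trimmed policy copy are constructed inputs; group, host-alias and tag expansion are simplified.

```python
import json
import re

# Constructed copy of the policy from the post with rule 1 commented out and rule 2 active.
POLICY_HUJSON = """{
  // Declare static groups of users beyond those in the identity service.
  "groups": { "group:admins": ["me@domain.org", "him@domain.org"], },
  "tagOwners": { "tag:server": ["group:admins"], "tag:user": ["group:admins"], },
  "hosts": { "webserver": "100.12.15.123", },
  "acls": [
    // {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    { "action": "accept", "src": ["group:admins"], "dst": ["webserver:*"] },
  ],
}"""

def load_hujson(text):
    """Strip // comments and trailing commas so json.loads accepts the HuJSON policy."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return json.loads(text)

def src_identities(dev):
    """A tagged node is identified by its tags only; an untagged node by its user."""
    return set(dev["tags"]) if dev["tags"] else {dev["user"]}

def src_rule_matches(policy, entry, src_ids):
    if entry == "*":
        return True
    members = set(policy["groups"].get(entry, [entry]))  # a group expands to its users
    return bool(members & src_ids)

def dst_rule_matches(policy, entry, dst_dev, port):
    host, _, dport = entry.rpartition(":")       # e.g. "webserver:*" or "tag:server:22"
    host = policy["hosts"].get(host, host)       # resolve hostname aliases to IPs
    host_ok = host == "*" or host == dst_dev["ip"] or host in dst_dev["tags"]
    return host_ok and (dport == "*" or dport == str(port))

def allowed(policy, src_dev, dst_dev, port):
    """True if any accept rule permits src_dev -> dst_dev:port; otherwise default-deny."""
    src_ids = src_identities(src_dev)
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if any(src_rule_matches(policy, s, src_ids) for s in rule["src"]) and \
           any(dst_rule_matches(policy, d, dst_dev, port) for d in rule["dst"]):
            return True
    return False

POLICY = load_hujson(POLICY_HUJSON)
# Constructed devices: the same laptop untagged vs. tagged, and the tagged webserver.
LAPTOP = {"ip": "100.1.1.1", "user": "me@domain.org", "tags": []}
LAPTOP_TAGGED = {"ip": "100.1.1.1", "user": "me@domain.org", "tags": ["tag:user"]}
WEBSERVER = {"ip": "100.12.15.123", "user": None, "tags": ["tag:server"]}
```

Running allowed(POLICY, LAPTOP, WEBSERVER, 443) returns True while allowed(POLICY, LAPTOP_TAGGED, WEBSERVER, 443) returns False, which is the check worth making before reaching for the dst rule again.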