In the policy editor, I have commented out the default accept rule.
There are no accept rules at all, yet ping/ssh still work?
Here is the entire JSON file:
{
// Declare convenient hostname aliases to use in place of IP addresses.
"Hosts":
{
"en08": "xxx.xxx.xxx.xxx",
"pi4": "xxx.xxx.xxx.xxx",
"server02": "xxx.xxx.xxx.xxx"
}
// Access control lists.
// "ACLs":
// [ // Match absolutely everything. Comment out this section if you want to define specific ACL restrictions.
// { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] }
// ]
}
And as a new user I cannot post more than one image.
The image I wanted to post shows the service for the pi4, and if I click the circle, I get a pop-up:
“Who can access this service?
This service is not accessible to any users in your network.”
And I really am surprised that there is not a simple web GUI to hide the complex and somewhat scary JSON,
and to have a way to auto-create those test rules.
Can you please email all these details, with all the images you wanted to share, to support@tailscale.com?
Usually, if you own that node you will be allowed to access those without any permission unless you tag those nodes and give explicit access permissions.
Regular ACLs are applied to Users and whether that User is allowed to connect. Default deny means that a User is not allowed to connect to anything owned by other Users unless there is an ACL allowing it.
Normally, if there is some syntax problem, I get this with the line/col of the issue: Error: line 1 col 2: invalid character 'd' looking for beginning of object key string
From that link you shared, I copied and pasted the example, and I also pasted the text below.
In both cases I get: Error: parser: json: cannot unmarshal string into Go value of type policy.Policy
Please advise?
It’s default deny with the exception of you not defining ACLs at all. If the “ACLs” key is not defined in the JSON, then everything is permitted.
Hmm, there’s some confusing stuff above. I think we should remove whatever feature causes default-allow when the ACLs section is missing. That’s not a common thing to do, but it’s still risky to have it fall back in this way. Filed https://github.com/tailscale/tailscale/issues/2799 for this.
Also, someone suggested above that connections between two of a user’s own devices are not affected by ACLs. That’s not true. ACLs affect all connections incoming over Tailscale.
If you try to reach the Tailscale IP of same device you’re on, without traversing the Tailscale network, you might not be restricted by ACLs.
Anyway, once you have an empty set of ACL rules, you could write rules referring to specific IP addresses (not recommended) or using ACL Tags (the recommended approach). So you could have tag:api-client and tag:api-server, and write rules that allow any device tagged as tag:api-client to initiate connections to tag:api-server, but not vice versa.
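As an added example (not from this thread or from Tailscale's own docs), here is a complete policy in the page's own syntax that follows the advice above: it keeps the Hosts aliases from the original post, uses the tag:api-client / tag:api-server names, and has the "ACLs" key defined so that anything not matched by a rule is denied. The Tailscale IPs and the owner address are constructed placeholders.

```json
{
  // Hostname aliases; the addresses are constructed placeholders.
  "Hosts": {
    "pi4": "100.64.0.10",
    "server02": "100.64.0.20"
  },
  // Who is allowed to apply each tag to a device (placeholder owner).
  "TagOwners": {
    "tag:api-client": ["admin@example.com"],
    "tag:api-server": ["admin@example.com"]
  },
  // Because "ACLs" is present, the default is deny: only the rules below are allowed.
  "ACLs": [
    // pi4 may open SSH to server02; there is no rule for the reverse direction.
    { "Action": "accept", "Users": ["pi4"], "Ports": ["server02:22"] },
    // Any tag:api-client device may connect to any tag:api-server device on any port.
    // Servers get no rule back, so they cannot initiate connections to clients.
    { "Action": "accept", "Users": ["tag:api-client"], "Ports": ["tag:api-server:*"] }
  ]
}
```

Replacing the "ACLs" array with an empty one (`"ACLs": []`) denies every incoming connection over Tailscale, whereas deleting the key entirely falls back to allow-all, which is the behaviour discussed above.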
I am glad the default-allow issue will get fixed.
FWIW, I always test using the simplest config possible and build up from that.
I could not find a complete policy example, on the Tailscale website or on the internet,
to allow one node to SSH into another node.
Please, can you share an example?
To all, this is an example of node-to-node rules.
Once again, the mistake I made is with basic JSON syntax, super unfriendly for end users.
Really surprised Tailscale does not have a simple webpage to hide the JSON file.
And the different syntax for Hosts and ACLs only makes it more confusing.
Glad you got it working. I think the confusion here is that, from a networking/firewall POV, you’d do your allow rules first and then deny all last. I’ve not needed to use ACLs yet, but good to know for the future!
That first example where the node cannot ssh isn’t valid JSON. The object in the array is delineated by the curly brace on line two and completed on line 5, and in between you duplicate definitions for the Action, Users, and Ports properties of the object. My guess is that their huJSON parser must be using the second definitions to overwrite the first, thus no access.
The second example is correct because the individual ACL objects are defined independently.
This is easier to understand and easier to modify and replicate without adding redundancy. The way you’ve written it, if you need to access 10 hosts, you would add 10 lines, instead of just declaring those hosts in the same rule.