I tried to reproduce this, but am able to ssh to the macOS machine’s tailscale address.
“Connection closed by remote host” implies a TCP RST was sent to close the connection. Tailscale never sends an RST, even if an ACL blocks access it just times out. Is there possibly other software on the Mac which is blocking anything that doesn’t look like the LAN?
I was still able to ssh to the Mac with the macOS firewall turned on, it doesn’t appear to have a function which distinguishes LAN access.