Block incoming connections
This feature is available on Windows, Mac, and Linux for Tailscale v0.98.197 and up. If you don’t see this option, you may need to update your client.
You may want to block devices on your Tailscale network from connecting to you. Let’s say you have a development computer and several webservers on Tailscale. You want to SSH from your computer into a webserver, but you don’t want to allow your webserver to SSH back to you.
To block incoming connections, open the device you’d like to protect and uncheck “Allow incoming connections.” When unchecked, your device will still be visible and allowed to send traffic, but won’t accept any connections over Tailscale, including pings.
This toggle is intended for individual users. For network admins who need to set rules for many devices, we recommend using our Access Control Lists (ACLs) feature. ACLs allow setting granular rules for your whole network in one place.
By default Linux clients accept all incoming connections. To disable incoming
tailscale up with the following flag:
sudo tailscale up --shields-up
From the system tray, right click on the Tailscale icon and check/uncheck “Allow incoming connections.”
From the menu bar, click on Tailscale and check/uncheck “Allow incoming connections.”
iOS doesn’t allow exposing external services, so there’s no need to block incoming traffic on iOS devices.