I've just added a port forwarding rule to forward UDP port 41641 to my linux server which runs Tailscale to allow me to access plex, jellyfin, immich etc when away from home. Without port forwarding I was being DERP relayed which isn't great for plex etc as the bandwidth is pretty low. With a direct connection I get better performance out of my synchronous gigabit connection.
However I would also like to limit what can connect to this port so I first created a host alias for the two new Tailscale FQDNs 'login.tailscale.com' and 'controlplane.tailscale.com' and then the IPv4 and IPv6 rules below to effectively only allow connections from these hosts.
This is working, as in I can still connect to my server when remote, but I would appreciate any comments on whether this will achieve what I'm trying to do in terms of blocking anything else, or whether it isn't effective, etc. In the rules below, "BRSK" is my WAN interface. 192.168.1.9/32 is the IPv4 address of my server and I have obfuscated the IPv6 address. I get a static /48 from my ISP and therefore my LAN gets a static /64 delegated.