From 763e76797e2f6d05f007032734eaf8332cba5530 Mon Sep 17 00:00:00 2001
From: Craig Jennings <c@cjennings.net>
Date: Sun, 31 May 2026 14:21:05 -0500
Subject: docs: note that Tailscale traffic traverses ufw on ratio

---
 CLAUDE.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CLAUDE.md b/CLAUDE.md
index 093cb78..9b90e25 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -119,6 +119,7 @@ Full palette reference: `assets/color-themes/dupre/dupre-palette.org`
 ## Notes
 - Desktop file overrides go in `dotfiles/hyprland/.local/share/applications/`
 - MPD is configured but mpv handles audio file associations
+- Firewall is ufw (configured in `archsetup`, default-deny incoming, explicit allow list). Tailscale traffic **does** traverse ufw on ratio — a probe from a tailnet IP is still blocked unless a rule covers the port. Don't assume tailnet-only services bypass the firewall; they need an explicit ufw rule like any other.
 - This machine is **ratio**; **velox** is a laptop. Both run Hyprland (Wayland). archsetup still supports dwm/X11, but no current machine uses it.
 - Remote repository on cjennings.net
 - .ai/ is gitignored; living project context is in .ai/notes.org
-- 
cgit v1.2.3