ZeroTier open TCP ports listening (in addition to UDP?)

On these docs:

It says ZeroTier listens on 3 UDP ports, but when I looked at my Linux laptop with netstat I see the zerotier-one service listening on TCP ports in addition to UDP ports. Has there been a change since the documentation was written? I’d like to update my firewall rules, but do I need to allow the TCP ports in addition to the UDP ports?

The TCP port is what listens for commands from zerotier-cli and the desktop UI.

Thanks! So I can block those since I only connect using the zerotier-cli locally (can communicate via loopback instead)?

Yes, it should be fine to block port 9993/TCP. (Not UDP though.)

There are also some high random TCP ports associated with zerotier-one in addition to 9993. Are those also related to the GUI and CLI?

Had to go look up some stuff and ask a few questions. ZeroTier’s TCP control port listens on all the same ports as UDP, so that’s why you’re seeing that.
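
An added example, not part of the thread or of ZeroTier's own tooling: a small audit that parses `ss -H -tulnp` output and, for each zerotier-one port, reports whether UDP and TCP are both bound and which TCP binds are reachable beyond loopback, so firewall rules can be checked against what the service actually opens. The sample lines are constructed; port 41234 and the PIDs are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
# Port 9993 comes from the thread; port 41234 and the PIDs are made up.
SAMPLE_SS = """\
udp UNCONN 0 0 0.0.0.0:9993 0.0.0.0:* users:(("zerotier-one",pid=812,fd=9))
udp UNCONN 0 0 0.0.0.0:41234 0.0.0.0:* users:(("zerotier-one",pid=812,fd=11))
udp UNCONN 0 0 [::]:9993 [::]:* users:(("zerotier-one",pid=812,fd=10))
tcp LISTEN 0 4096 0.0.0.0:9993 0.0.0.0:* users:(("zerotier-one",pid=812,fd=7))
tcp LISTEN 0 4096 0.0.0.0:41234 0.0.0.0:* users:(("zerotier-one",pid=812,fd=12))
tcp LISTEN 0 4096 [::1]:9993 [::]:* users:(("zerotier-one",pid=812,fd=8))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
"""

def is_loopback(addr):
    """True only for a literal loopback bind such as 127.0.0.1 or [::1]."""
    host = addr.split("%", 1)[0].strip("[]")  # drop %iface scope and brackets
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "*" or unparsable: treat as exposed

def audit(ss_output, process="zerotier-one"):
    """Map each port owned by `process` to its UDP/TCP listening state."""
    ports = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or f'"{process}"' not in line:
            continue
        proto = fields[0]
        # Local address is column 5; split on the last ':' so IPv6 survives.
        addr, _, port = fields[4].rpartition(":")
        if proto in ("tcp", "udp") and port.isdigit():
            ports[int(port)][proto].add(addr)
    report = {}
    for port, binds in sorted(ports.items()):
        report[port] = {
            "udp": bool(binds["udp"]),
            "tcp": bool(binds["tcp"]),
            # TCP binds an inbound firewall rule would actually affect.
            "tcp_non_loopback": sorted(a for a in binds["tcp"] if not is_loopback(a)),
        }
    return report

if __name__ == "__main__":
    for port, info in audit(SAMPLE_SS).items():
        print(port, info)
```

On a real host, pass the text of `ss -H -tulnp` (run as root so process names are shown) to `audit()` instead of `SAMPLE_SS`.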