diff --git a/ipn/local.go b/ipn/local.go
index abf8d62f5..d20d771c9 100644
--- a/ipn/local.go
+++ b/ipn/local.go
@@ -16,6 +16,7 @@ import (
 	"github.com/tailscale/wireguard-go/wgcfg"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/ipn/policy"
 	"tailscale.com/portlist"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/empty"
@@ -377,27 +378,14 @@ func (b *LocalBackend) runPoller() {
 		}
 		sl := []tailcfg.Service{}
 		for _, p := range ports {
-			var proto tailcfg.ServiceProto
-			if p.Proto == "tcp" {
-				proto = tailcfg.TCP
-			} else if p.Proto == "udp" {
-				proto = tailcfg.UDP
-			}
-			if p.Port == 53 || p.Port == 68 ||
-				p.Port == 5353 || p.Port == 5355 {
-				// uninteresting system services
-				continue
-			}
-			if p.Proto == "udp" && strings.EqualFold(p.Process, "tailscaled") {
-				//  Skip our own.
-				continue
-			}
 			s := tailcfg.Service{
-				Proto:       proto,
+				Proto:       tailcfg.ServiceProto(p.Proto),
 				Port:        p.Port,
 				Description: p.Process,
 			}
-			sl = append(sl, s)
+			if policy.IsInterestingService(s, version.OS()) {
+				sl = append(sl, s)
+			}
 		}
 
 		b.mu.Lock()
diff --git a/ipn/policy/policy.go b/ipn/policy/policy.go
new file mode 100644
index 000000000..02232f2f7
--- /dev/null
+++ b/ipn/policy/policy.go
@@ -0,0 +1,42 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package policy contains various policy decisions that need to be
+// shared between the node client & control server.
+package policy
+
+import "tailscale.com/tailcfg"
+
+// IsInterestingService reports whether service s on the given operating
+// system (a version.OS value) is an interesting enough port to report
+// to our peer nodes for discovery purposes.
+func IsInterestingService(s tailcfg.Service, os string) bool {
+	if s.Proto != tailcfg.TCP {
+		return false
+	}
+	if os != "windows" {
+		// For non-Windows machines, assume all TCP listeners
+		// are interesting enough. We don't see listener spam
+		// there.
+		return true
+	}
+	// Windows has tons of TCP listeners. We need to move to a blacklist
+	// model later, but for now we just whitelist some common ones:
+	switch s.Port {
+	case 22, // ssh
+		80,    // http
+		443,   // https (but no hostname, so little useless)
+		3389,  // rdp
+		5900,  // vnc
+		32400, // plex
+
+		// And now some arbitary HTTP dev server ports:
+		// Eventually we'll remove this and make all ports
+		// work, once we nicely filter away noisy system
+		// ports.
+		8000, 8080, 8443, 8888:
+		return true
+	}
+	return false
+}