Experiences with Little Snitch

The following is just for knowledge’s sake. No problem here. Syncthing is working admirably.


Hello,

I’ve activated the global discovery for the first time. Curious about what would happen, I watched what Little Snitch had to say about this.
Sure enough, there were communications with the global discovery servers over port 22067 with IPv4 and IPv6. That was expected.

After that Little Snitch asked me if I wanted to allow communications with a myriad of other connections, all over port 22067, like

  • 62-197-114-74.teledisnet.be
  • anthonykremor.com
  • li299-15.members.linode.com
  • saliva.soft.vub.ac.be

and so forth.

It looks as if every client that uses the central distribution servers would like to connect. Most likely to find out if my client is one they are linked with.

So the logical rule to implement would be to allow all incoming connection requests to Syncthing on port 22067. Correct?

What I cannot explain is why https connections are requested. Isn’t that only the WebGUI? I’d assumed that this connection would be requested only if I connected with a browser. The requested addresses were not mine, though.

Does somebody have an idea what the latter is necessary for and whether a permanent rule makes sense?

Thanks in advance.

Those “Myriad of other connections” look like the relay servers. Those aren’t other Syncthing clients: those are community-contributed relay servers which will be used if two of your devices can’t make a direct connection (but can’t decrypt your data), see http://docs.syncthing.net/users/relaying.html.


Ah! Thanks a lot!

Read thru the docs and you’ll discover a lot of flexibility with Syncthing.

Although those “myriad” relay connections can’t see your data, they are potentially able to capture high level metadata. If that troubles you, St provides the option to turn OFF relay connections. And IF you need relay to get around a corporate firewall, you can install your own private relay server.

Also, you can install your own discovery server and point your devices to it exclusively. Another way to reduce metadata leakage.

The relay servers use port 443 if that’s possible (it’s easier to get through corporate firewalls if you pretend to be https) or 22067 if not. The discovery servers use 443 for the same reason.

See http://docs.syncthing.net/users/firewall.html for which ports to allow.

As an addition to what’s explained above (which is correct), the reason you see connection attempts to a whole bunch of random boxes (the relay servers) is that it measures the roundtrip time to them. It then picks the best of the bunch and maintains a connection to that one only.

Thank you all for the excellent answers and support! :heart_decoration:

I've checked the docs and the forum before, but much of the info above is missing there. I haven't looked into relay servers, though.

And yes, I got that "myriad" seems to mean something different than what my translator (bing.com) thinks it does. Maybe "a lot" or "multiple" would fit better.

One of my SyncThing nodes just got a request

2016-03-30 12:57:40: Device CAPESOO-…-M3T5YA5 (178.79.161.15:22067) wants to connect. Add new device?

and that IP address resolves to li299-15.members.linode.com

I don’t mind relay servers doing relays… but why would one try to connect to my device?

That’s my machine. It’s running Syncthing, but it isn’t configured to connect to your device.

What are the first few characters of your device ID?

ICXYWNH-…

I’ll just edit your full device ID out of that post now that I know it’s not a bad guy doing some kind of weird SyncThing-based phishing attack =)

That’s the default relay server port. I guess we report the address of the relay here if the incoming connection is via relay. So the “blame” is probably not on @canton7 and his relay.

Edit: We of course don’t know the real IP of the other device if it comes via relay, so the relay address is the only thing we can report. Potentially we should just skip saying anything at all about the source address as it can be misleading and adds no value…

Oops, I got halfway through editing that post, then got distracted.

That’s not my Syncthing device ID after all, and it’s from the relay’s port. The relay reports that its ID is YDBB5PU-3K6TDEV-3AZGV2X-4JRZYHJ-CC4F6NJ-JGYYXG5-OTA4SAG-OJ6LJA3, which doesn’t match what you posted…

I’ve found the device. Sorry! It was one of mine that I’d forgotten about, and which only connected to a few others, so it didn’t show up in the first few configs I’d checked. I only posted here because I was checking the IP address and there was a match on the name in this thread.

At least now I know that the IP address on a connection request is that of the relay, and not the end device =)
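As an added example (not Syncthing's own code, and not posted by anyone in this thread), here is a small Python parser for the "Device … wants to connect" line quoted above. It assumes the line format shown in the thread, treats port 22067 as the default relay port named earlier, and checks the device ID format only (8 dash-separated groups of 7 base32 characters), not Syncthing's built-in check characters. The sample log lines are constructed; the IPv4 address is the relay address quoted in the thread, the device IDs are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default relay server port, as named in the thread (constant name is ours).
DEFAULT_RELAY_PORT = 22067

# Dashed Syncthing device ID: 8 groups of 7 base32 characters (A-Z, 2-7).
# Format check only; the check characters inside the ID are not verified.
DEVICE_ID_RE = re.compile(r"^(?:[A-Z2-7]{7}-){7}[A-Z2-7]{7}$")

# Shape of the log line quoted in the thread; the "Add new device?" tail is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"Device (?P<device>\S+) \((?P<hostport>[^)]+)\) wants to connect\."
)


@dataclass
class ConnectRequest:
    timestamp: str
    device_id: str
    address: str
    port: Optional[int]
    via_relay_port: bool      # True when the reported port is the relay port
    valid_id_format: bool     # False for truncated or malformed IDs


def split_host_port(hostport: str):
    """Split 'host:port' or '[v6addr]:port' into (host, port or None)."""
    host, _, port = hostport.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        return host, int(port)
    except ValueError:
        return hostport, None


def parse_connect_request(line: str) -> Optional[ConnectRequest]:
    """Return a ConnectRequest for a 'wants to connect' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, port = split_host_port(m.group("hostport"))
    return ConnectRequest(
        timestamp=m.group("ts"),
        device_id=m.group("device"),
        address=host,
        port=port,
        via_relay_port=(port == DEFAULT_RELAY_PORT),
        valid_id_format=bool(DEVICE_ID_RE.match(m.group("device"))),
    )


def describe(req: ConnectRequest) -> str:
    """Explain what the source address in the message actually tells you."""
    if req.via_relay_port:
        where = (f"{req.address}:{req.port} is on the default relay port, so this is "
                 "most likely the relay's address, not the requesting device's")
    else:
        where = f"{req.address}:{req.port} looks like a direct connection"
    idnote = "" if req.valid_id_format else " (device ID truncated or malformed)"
    return f"{req.timestamp} {req.device_id}: {where}{idnote}"


def triage(lines: List[str]) -> List[ConnectRequest]:
    """Parse a log excerpt and return only the connection requests in it."""
    found = [parse_connect_request(l) for l in lines]
    return [r for r in found if r is not None]


# Constructed sample log; the IPv4 address is the relay quoted in the thread,
# the device IDs are placeholders with the correct shape.
SAMPLE_LOG = [
    "2016-03-30 12:57:40: Device EXAMPLE-DEVICEA-IDAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA "
    "(178.79.161.15:22067) wants to connect. Add new device?",
    "2016-03-30 12:58:00: Device EXAMPLE-DEVICEB-IDBBBBB-BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB "
    "([2001:db8::1]:22000) wants to connect. Add new device?",
    "2016-03-30 12:59:00: Device CAPESOO-…-M3T5YA5 (178.79.161.15:22067) wants to connect. Add new device?",
    "2016-03-30 12:59:30: INFO: unrelated line that the parser must ignore",
]

if __name__ == "__main__":
    for req in triage(SAMPLE_LOG):
        print(describe(req))
```

The point for an operator reading the prompt: when the port is 22067 the address identifies which relay forwarded the request, not who sent it, so deciding whether to accept the device should rest on the device ID alone.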

Cool, that makes sense :smile:. The source address in the “Device wants to connect” message is a bit confusing though…