GUI at 0.0.0.0:8384 without password

I’m confused about the following paragraph in the documentation

Note that specifying your computer’s LAN address (e.g. 192.168.0.123:8384 ) will NOT restrict access to only devices on your local network! Connections with that address as destination will then be accepted, regardless of their origin. Proper network configuration and security (especially a firewall) is required to enforce such filtering, as it cannot be done reliably by Syncthing itself.

If the GUI is at 0.0.0.0:8384 and the firewall at the Syncthing computer doesn’t allow incoming 8384, there is no issue. Like, in most common use cases where people install Syncthing on their PCs, the incoming traffic is blocked by default. So a password is not needed on local machines.

If the GUI is set at the LAN address 192.168.0.123:8384, and port 8384 is open at the Syncthing computer, then LAN devices can access the GUI. WAN devices cannot access it, unless port 8384 is forwarded from the router to the Syncthing computer, and that port is open at the Syncthing computer as well (which I don’t know why anyone would do). If the Syncthing computer is a laptop, has port 8384 open, and moves to a different LAN, obviously the GUI might be accessible in the new network too.

I assume Syncthing doesn’t change firewall settings (automatically opening ports for the GUI address, 22000 or 21027).

Can someone verify that my understanding is correct?

Yes, syncthing itself doesn’t touch your firewall settings (it’s mostly OS-agnostic software that wouldn’t even know how), but third party (Windows) installers might touch Windows Firewall settings - I don’t know (but it’s not that uncommon).

As to the “open ports”: whether a port is open or not depends on your network perspective. All syncthing does is bind sockets to those ports. However, if your system does not employ a (restrictive) firewall that implies that the port is open from a LAN perspective. Whether a port is open or not is always dependent on various network setup/configuration switches and thus not really something that syncthing can tell you on its own.

Port forwardings for routers also imply the presence of a NAT and/or firewall, which, although highly common in consumer IPv4 ISPs, isn’t necessarily present in all setups. Consider, for example, a user with a router without an integrated firewall but with IPv6 support: in such a case, a port forward on the router is not necessary for WAN devices to reach syncthing, if not blocked by the local machine.

Also, port forwards can be implicitly created via hole punching for example, so there’s never a full guarantee that WAN devices can’t reach you just because there’s no manual port forward set. As such, the manual advises users that access restrictions from LAN/WAN are the firewall’s responsibility - either on a capable router or the device itself (or both).

Additionally, because you also mentioned the sync port 22000: For that port specifically, syncthing by default will attempt to create a port forward on your router via UPnP, if supported. This is not done for the GUI port or the LAN discovery port.

Not necessarily, Windows Firewall settings are easily weakened. It typically asks once if you want to allow an app and if you click yes, it will allow both outgoing and incoming connections. On Linux it highly depends on your distro defaults, but generally it’s open for all. So I would disagree here: I think it’s common to not block anything.


You might already be aware that 0.0.0.0 is generally interpreted by operating systems to mean “all”.

If Syncthing’s GUI is configured to listen on 0.0.0.0:8384, Syncthing is going to bind to all available network interfaces, whether it’s one for a standard UTP wired interface, Wi-Fi, a virtual interface for a VPN connection, a mobile data link, a USB network link, Bluetooth, etc. One or more of those links might not be firewalled (or even possible in the case of a USB network link).

And even if all available network interfaces are protected by a host firewall, there are side-channel attacks such as this: “0.0.0.0 Day: Exploiting Localhost APIs From the Browser” (August 7, 2024)

So, as the saying goes, better to err on the side of caution.

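One way to check what a given GUI address setting does and does not protect, as an added example that is not part of this thread or of Syncthing’s own code: it parses the `<gui>` element of a Syncthing config.xml (the two configs below are constructed; the 192.168.0.123 LAN address is the one from the question) and reports the bind scope, whether a GUI password is set, and the findings the replies above describe.

```python
# Added example, not from the thread or from the Syncthing project: audit the
# <gui> element of a Syncthing config.xml. Both config samples are constructed.
import ipaddress
import xml.etree.ElementTree as ET

WILDCARD_CONFIG = """<configuration version="37">
  <gui enabled="true" tls="false">
    <address>0.0.0.0:8384</address>
    <apikey>PLACEHOLDER-API-KEY</apikey>
  </gui>
</configuration>"""

LAN_CONFIG = """<configuration version="37">
  <gui enabled="true" tls="true">
    <address>192.168.0.123:8384</address>
    <user>admin</user>
    <password>$2a$10$PLACEHOLDER-BCRYPT-HASH</password>
  </gui>
</configuration>"""

def split_host_port(addr):
    """Split 'host:port' or '[v6]:port'; an empty host means the wildcard address."""
    addr = addr.strip()
    if addr.startswith("["):
        host, _, port = addr[1:].partition("]:")
        return host, port
    host, _, port = addr.rpartition(":")
    return host, port

def classify_bind(host):
    """Return 'loopback', 'wildcard' or 'interface' for a GUI bind host."""
    if host == "localhost":
        return "loopback"
    if host == "":
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "interface"

def audit_gui(config_xml):
    """Return (bind_kind, has_password, findings) for the config's <gui> element."""
    gui = ET.fromstring(config_xml).find("gui")
    host, _port = split_host_port(gui.findtext("address", "127.0.0.1:8384"))
    kind = classify_bind(host)
    has_password = bool(gui.findtext("user")) and bool(gui.findtext("password"))
    findings = []
    if kind == "wildcard":
        findings.append("binds every interface (VPN, USB, Bluetooth, ...), not just the LAN")
    elif kind == "interface":
        findings.append("bound to one address, but any origin that can reach it is accepted")
    if kind != "loopback":
        findings.append("LAN/WAN filtering must come from a host or router firewall")
        if not has_password:
            findings.append("reachable beyond loopback with no GUI user/password set")
    return kind, has_password, findings
```

Running `audit_gui(WILDCARD_CONFIG)` reports the wildcard bind plus the missing password, while the LAN config is flagged only for the two points the documentation paragraph makes: the address alone is not a source filter, and the firewall has to do that job.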

Thanks for mentioning Bluetooth and other hidden ways.

To be sure, I do ssh port forwarding to localhost.
