Sync Protocol Listen Address needs to listen from anywhere?

I have a Raspberry Pi server running Syncthing. I disabled NAT Traversal, Local/Global Discovery, and Relaying because they are not necessary.

Anyway, regarding firewall rules, I have a default deny policy for incoming connections, as one should.

ufw allow from <client IP address> to any app my-syncthing

does not allow my client host machine and the Raspberry Pi to see each other, but

ufw allow from my-syncthing does.

The difference between the two is that the latter listens from anywhere, while the former only listens from that IP address on the same network (which is fine, it’s my desktop machine). Shouldn’t the latter work? Is it necessary to have an open port to the open internet on the Raspberry Pi?

I confirmed the IP address is correct–I have a similar rule for ssh’ing from my desktop to the Pi and it works. Any ideas?

Sounds more like a firewall question than a syncthing question.

Syncthing either needs to dial out, or get an incoming connection, in order to connect. This requirement doesn’t change based on your firewall configuration, so it feels like you should seek help in your distribution forums as to how you should configure your firewall.

I assume you have the addresses hardcoded given all forms of discovery are disabled.

I have no idea what those commands do under the hood to advise, but I’d try to reproduce the same issue with netcat to better understand it.

Yes, the IP address is hardcoded. When not using NAT Traversal, Local/Global Discovery, and Relaying, the port for the protocol listen address (default port 22000) is the only port necessary, right? Just want to confirm, that’s the my-syncthing rule in my example.

Just leaving additional context: sudo ufw status verbose (first is the former case of allowing a specific IP, where Syncthing does not work; second is the latter case of allowing from anywhere, where Syncthing does work):

To                         Action      From
--                         ------      ----
22/tcp (my-openssh)        LIMIT IN    <my IP address>
22005 (my-syncthing)       ALLOW IN    <my IP address>

To                         Action      From
--                         ------      ----
22/tcp (my-openssh)        LIMIT IN    <my IP address>
22005 (my-syncthing)       ALLOW IN    Anywhere

I don’t know a lot about ufw, but other firewalls usually require that you open the reverse connection too.

In the output of the ufw status verbose command above, the header should have said what the default policy for ingress and egress is. If it says “Default … allow (outgoing)”, you have some other problem (perhaps another firewall somewhere) but if it says “deny (outgoing)” you will need to open it up explicitly.

Disclaimer: I didn’t know ufw existed until today, I’m just basing this on my understanding of firewalls in general, which might be wrong in this case.
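As an added example (not from this thread, and not Syncthing's or ufw's own code), here is a POSIX shell script that reads the output of `sudo ufw status verbose` and reports what the reply above says to look for: the "Default:" header line with the incoming and outgoing policies, and the rule (if any) that applies to the Syncthing listen port for a given peer address. The status text, the port 22000 and the peer addresses 192.0.2.10 / 198.51.100.7 are constructed sample data, not values taken from the original posts; replace the sample with live output to use it on a real host.

```shell
#!/bin/sh
# Added example: inspect `ufw status verbose` output for a Syncthing listen port.
# The two samples below are constructed to mirror the shape of real ufw output;
# the addresses and port are assumptions, not values from the thread.
# Live use: STATUS=$(sudo ufw status verbose); check_syncthing_reachability "$STATUS" 22000 <peer-ip>

SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (my-openssh)        LIMIT IN    192.0.2.10
22000 (my-syncthing)       ALLOW IN    192.0.2.10'

# Same host, but the port opened to Anywhere and egress denied by default.
SAMPLE_STATUS_OPEN='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22000 (my-syncthing)       ALLOW IN    Anywhere'

# ufw_default_policy STATUS DIRECTION -> prints allow|deny|reject|disabled
# DIRECTION is incoming, outgoing or routed, as named on the header line
#   "Default: deny (incoming), allow (outgoing), disabled (routed)"
ufw_default_policy() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        /^Default:/ {
            # drop the "Default: " prefix, then split the comma-separated policies
            n = split(substr($0, 10), f, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", f[i])
                if (f[i] ~ "\\(" dir "\\)") { sub(/ .*/, "", f[i]); print f[i]; exit }
            }
        }'
}

# ufw_rule_for STATUS PORT SRC -> prints e.g. "ALLOW IN from 192.0.2.10", or NONE
# Matches inbound rules whose To port equals PORT and whose From is SRC or
# "Anywhere". Caveat: From is compared as an exact string, so a CIDR source
# such as 192.0.2.0/24 is not evaluated against SRC and reports NONE.
ufw_rule_for() {
    printf '%s\n' "$1" | awk -v port="$2" -v src="$3" '
        {
            # locate the Action column: an ALLOW/DENY/REJECT/LIMIT word followed by IN/OUT/FWD
            act = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(ALLOW|DENY|REJECT|LIMIT)$/ && $(i+1) ~ /^(IN|OUT|FWD)$/) { act = i; break }
            if (!act) next
            # To is "22000", "22/tcp" or "22000/tcp"; compare only the port number
            split($1, to, "/")
            if (to[1] != port) next
            if ($(act+1) != "IN") next
            from = $(act+2)
            if (from == "Anywhere" || from == src) {
                print $act " " $(act+1) " from " from
                found = 1
                exit
            }
        }
        END { if (!found) print "NONE" }'
}

# check_syncthing_reachability STATUS PORT PEER
# Prints a verdict and returns 0 only if an inbound rule admits PEER to PORT
# and the default outgoing policy is allow (Syncthing also dials out to peers).
check_syncthing_reachability() {
    in_pol=$(ufw_default_policy "$1" incoming)
    out_pol=$(ufw_default_policy "$1" outgoing)
    rule=$(ufw_rule_for "$1" "$2" "$3")
    ok=0
    if [ "$rule" = "NONE" ]; then
        printf 'port %s from %s: no matching rule, falls to default %s (incoming)\n' "$2" "$3" "$in_pol"
        ok=1
    else
        printf 'port %s from %s: %s\n' "$2" "$3" "$rule"
    fi
    if [ "$out_pol" != "allow" ]; then
        printf 'default outgoing is %s: add an explicit outbound rule for port %s\n' "$out_pol" "$2"
        ok=1
    fi
    return $ok
}

check_syncthing_reachability "$SAMPLE_STATUS" 22000 192.0.2.10
check_syncthing_reachability "$SAMPLE_STATUS" 22000 198.51.100.7 || true
check_syncthing_reachability "$SAMPLE_STATUS_OPEN" 22000 198.51.100.7 || true
```

The script only parses the rule table; it does not reproduce the connection itself. For that, the netcat test suggested earlier (listen on the Pi with `nc -l` on the Syncthing port and connect from the desktop) is the direct check that a rule actually admits traffic.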