UFW blocks tcp-connection

Hi!

I started using syncthing just a few days ago. I have two linux computers with UFW blocking anything but my VPN connections. I allowed syncthing and also ports 22000 and 21027 (just to make sure) for UFW. I have also forwarded the port 22000 from my router and VPN settings. Syncthing still doesn’t connect to tcp-server, but only to relay-server. Did I forget something? It also doesn’t connect to my android device at all. When UFW is turned off everything works just fine. In the web interface the discovery is 3/8.

You probably need to allow the ports both ways, as you are probably allowing outbound traffic and not inbound.

Allowing syncthing allows inbound, but not outbound.

To                         Action      From
--                         ------      ----
22000/tcp (syncthing)      ALLOW IN    Anywhere
21027/udp (syncthing)      ALLOW IN    Anywhere

This is from daemon output. I tried allowing 239.255.255.250 from UFW, but no change.

[NLJ33] 13:35:57 INFO: write udp4 0.0.0.0:52006->239.255.255.250:1900: sendto: operation not permitted
[NLJ33] 13:35:57 INFO: write udp4 0.0.0.0:53971->239.255.255.250:1900: sendto: operation not permitted
[NLJ33] 13:35:57 INFO: write udp4 0.0.0.0:54367->239.255.255.250:1900: sendto: operation not permitted
[NLJ33] 13:35:57 INFO: write udp4 0.0.0.0:53714->239.255.255.250:1900: sendto: operation not permitted

Have you verified that when you allow, the firewall actually allows, and not just says it does?

Yes, with

ufw status verbose

Is there another way to check it?

You can try using a different networked application on the same port.

Seems to be open:

sudo netstat -anp | grep 21027
udp        0      0 0.0.0.0:21027           0.0.0.0:*                           618/syncthing       
udp6       0      0 :::21027                :::*                                618/syncthing 

and

sudo netstat -anp | grep 22000
tcp6       0      0 :::22000                :::*                    LISTEN      618/syncthing

This doesn’t mean much, it just shows that it’s listening, but that doesn’t mean the kernel lets the traffic through. Best if you do some sort of netcat test.

Thanks, I’m quite new on these internet-things. But I got it solved. Apparently allow syncthing won’t allow outbound connections. So allowing outbound connections for the ports manually made it work. Thank you for getting me on the right track!
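The fix above (UFW allowing Syncthing inbound but not outbound) is easy to miss in a long rule list. The following script is an added example, not from the thread or the Syncthing project: it reads the text of `sudo ufw status`, and prints every Syncthing rule that is missing in either direction. The required ports are Syncthing's defaults (22000/tcp sync, 21027/udp local discovery); the outbound SSDP rule to 239.255.255.250:1900 is an assumption derived from the "sendto: operation not permitted" log lines, which come from UPnP port-mapping attempts.

```shell
#!/bin/sh
# check_ufw_syncthing.sh (added example, not part of the original thread)
# Usage: missing_rules "$(sudo ufw status)"
# Prints one "PORT/PROTO DIRECTION" line for every required ALLOW rule
# that is absent; prints nothing when both directions are covered.

# Required "port proto direction" triples (Syncthing defaults, assumed).
REQUIRED_RULES="22000 tcp IN
22000 tcp OUT
21027 udp IN
21027 udp OUT"

# has_rule PORT PROTO DIR STATUS_TEXT
# Succeeds if STATUS_TEXT contains a line such as
#   "22000/tcp (syncthing)      ALLOW IN    Anywhere"
# for the given port/proto and direction. "[^A-Z]*" skips the optional
# "(appname)" suffix without letting "ALLOW IN" match "ALLOW OUT".
has_rule() {
    port="$1"; proto="$2"; dir="$3"; status="$4"
    printf '%s\n' "$status" \
        | grep -E "^${port}/${proto}[^A-Z]*ALLOW ${dir}( |$)" >/dev/null
}

# missing_rules STATUS_TEXT
# Checks each required triple plus the outbound multicast SSDP rule that
# UPnP discovery needs (destination 239.255.255.250, port 1900/udp).
missing_rules() {
    status="$1"
    printf '%s\n' "$REQUIRED_RULES" | while read -r port proto dir; do
        has_rule "$port" "$proto" "$dir" "$status" \
            || printf '%s/%s %s\n' "$port" "$proto" "$dir"
    done
    printf '%s\n' "$status" \
        | grep -E '^239\.255\.255\.250 1900/udp[^A-Z]*ALLOW OUT( |$)' >/dev/null \
        || printf '239.255.255.250 1900/udp OUT\n'
}
```

Each reported line maps to one UFW command, e.g. `sudo ufw allow out 22000/tcp`, `sudo ufw allow out 21027/udp` and `sudo ufw allow out to 239.255.255.250 port 1900 proto udp`. Re-run the check afterwards and confirm it prints nothing before testing the connection again.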
