Hi, I am using Manjaro XFCE. I want to activate ufw to give me a safe feeling. May I know what rules to set in ufw to allow Syncthing to work?
Thanks
What ports Syncthing uses is described in the docs. What rules that translates to in ufw, I don’t know, but I suspect someone must have written it up somewhere on the internet, so Google might help you.
I use Syncthing on Ubuntu and installed via the syncthing.net apt repository. ufw app rules were added automatically via the ufw app verb. See “Application integration” in the ufw man page for more info.
Rules were added automatically? Is that good for a firewall? Just pondering: is there a way to see live firewall logs, or something that lets me see the incoming and outgoing connections of the firewall?
Thanks
There’s both a section about ufw in the docs (https://docs.syncthing.net/users/firewall.html#uncomplicated-firewall-ufw) and then even shipped ufw rules with a readme (https://github.com/syncthing/syncthing/tree/main/etc/firewall-ufw).
Yes, I saw it:
$ sudo ufw app info syncthing
Profile: syncthing
Title: Syncthing
Description: Syncthing file synchronisation
Ports:
22000/tcp
21027/udp
thx
I wonder why there are duplicates of ports (although they didn’t have the app name listed alongside):
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                             Action      From
--                             ------      ----
1716/tcp                       DENY IN     Anywhere
1714:1764/udp                  DENY IN     Anywhere
22000/tcp (syncthing)          ALLOW IN    Anywhere
21027/udp (syncthing)          ALLOW IN    Anywhere
8384/tcp (syncthing-gui)       ALLOW IN    Anywhere
1716/tcp (v6)                  DENY IN     Anywhere (v6)
1714:1764/udp (v6)             DENY IN     Anywhere (v6)
22000/tcp (syncthing (v6))     ALLOW IN    Anywhere (v6)
21027/udp (syncthing (v6))     ALLOW IN    Anywhere (v6)
8384/tcp (syncthing-gui (v6))  ALLOW IN    Anywhere (v6)
Since “sudo ufw allow syncthing-gui” is to allow access to the web GUI from anywhere (not just from localhost), and I don’t need that function right now, I have set these 2 rules to “deny”.
Can anybody tell me if the ufw setup is correct? Does anything need to be changed?
Thanks
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                             Action      From
--                             ------      ----
1716/tcp                       DENY IN     Anywhere
1714:1764/udp                  DENY IN     Anywhere
22000/tcp (syncthing)          ALLOW IN    Anywhere
21027/udp (syncthing)          ALLOW IN    Anywhere
8384/tcp (syncthing-gui)       DENY IN     Anywhere
1716/tcp (v6)                  DENY IN     Anywhere (v6)
1714:1764/udp (v6)             DENY IN     Anywhere (v6)
22000/tcp (syncthing (v6))     ALLOW IN    Anywhere (v6)
21027/udp (syncthing (v6))     ALLOW IN    Anywhere (v6)
8384/tcp (syncthing-gui (v6))  DENY IN     Anywhere (v6)
There are separate rules for IPv4 and IPv6 traffic, hence two rules each.
The rules you’ve listed that are marked as syncthing look fine.
However I do see a possible minor bug in the application profile: the port for local discovery 21027 doesn’t need to be included since ufw allows local traffic by default. It ought not to be left open to the WAN for the purposes of completeness. The v6 rule for 21027 is in itself superfluous as that’s for v4 traffic only, I believe.
Would someone else confirm this? I should be able to fix it myself if it does need fixing.
Were you referring to this UDP port because ufw automatically had these rules made?
Are any v6 rules extra?
May I know how you tell which rule is default in ufw? As you have said, “the port for local discovery 21027 doesn’t need to be included since ufw allows local traffic by default.” How do you tell or know which traffic is default? Is it that anything on 127.0.0.* is considered default? Not right, right?
$ sudo ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 1716/tcp                   DENY IN     Anywhere
[ 2] 1714:1764/udp              DENY IN     Anywhere
[ 3] syncthing                  ALLOW IN    Anywhere
[ 4] syncthing-gui              DENY IN     Anywhere
[ 5] 1716/tcp (v6)              DENY IN     Anywhere (v6)
[ 6] 1714:1764/udp (v6)         DENY IN     Anywhere (v6)
[ 7] syncthing (v6)             ALLOW IN    Anywhere (v6)
[ 8] syncthing-gui (v6)         DENY IN     Anywhere (v6)
Local discovery happens via v4 and v6, and I think on the same port.
22000 and 22000 v6 both need to be open in ufw. 21027 does not - it is used to discover local devices on IPv4 networks.
v4 and v6 have their own rules, so yes, v6 are extra.
man ufw states that local traffic is allowed by default. Same goes for 127.0.0.0/::1. Since port 20127 is used by syncthing only to receive local announcements it does not need to be included in ufw - I think.
I don’t know ufw but make sure “local traffic” means what you think. “From 127.0.0.1” and “from anyone on the local subnet(s)” are quite different.
Hi,
You said port 22000 and 22000 v6 need to be open in ufw; my Syncthing is currently working without issue. I only want it to sync locally and keep the “local discovery” feature on. The rest I want to block. Please help me look through my ufw rules: which of them can be set to denied for better security, and why? Note, I am not particularly familiar with the way UFW makes its verbose list. I know these for sure need to be allowed on the firewall:
22000/tcp (syncthing)
21027/udp (syncthing) *I use local discovery of Syncthing
I am guessing these can be denied:
22000/tcp (syncthing (v6)) *I can live without v6, right?
How about these:
8384/tcp (syncthing-gui)
8384/tcp (syncthing-gui (v6))
I use a web browser for the Syncthing GUI, so I guess these should be allowed as well? Or can I deny them, because the web browser GUI that I use to control Syncthing belongs to “self loop” and not “local traffic”?
What is 1716/tcp? Does that belong to Syncthing as well?
Also, this I am not clear about: all these below, are they referring to local traffic? Or “self loop” should be local traffic, right? If self loop, then it can’t access other local devices. Also, because they don’t have an IP address attached to them, it looks to me like local traffic. **Even though local traffic can also have an IP attached to it…* confused
1716/tcp
1714:1764/udp
Thanks
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                             Action      From
--                             ------      ----
1716/tcp                       DENY IN     Anywhere
1714:1764/udp                  DENY IN     Anywhere
22000/tcp (syncthing)          ALLOW IN    Anywhere
21027/udp (syncthing)          ALLOW IN    Anywhere
8384/tcp (syncthing-gui)       DENY IN     Anywhere
1716/tcp (v6)                  DENY IN     Anywhere (v6)
1714:1764/udp (v6)             DENY IN     Anywhere (v6)
22000/tcp (syncthing (v6))     ALLOW IN    Anywhere (v6)
21027/udp (syncthing (v6))     ALLOW IN    Anywhere (v6)
8384/tcp (syncthing-gui (v6))  DENY IN     Anywhere (v6)
Yes, you are right, it is called “self loop”, not local traffic. Quoting calmh (post 16): “‘local traffic’ means what you think. ‘From 127.0.0.1’ and ‘from anyone on the local subnet(s)’ are quite different.”
Open 22000/tcp and 21027/udp for Syncthing. IPv4 and IPv6, there is no security consideration between them. Open 8384/tcp if you need to access the GUI from somewhere else and don’t use something like SSH forwarding.
The other ports mentioned are not related to Syncthing.
We’ve documented this quite clearly: https://docs.syncthing.net/users/firewall.html
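As an added example (not code from the thread or from the Syncthing project): a small Python script that parses the "ufw status verbose" table posted above and checks it against the advice in the last answer, namely that 22000/tcp and 21027/udp are allowed inbound on both IPv4 and IPv6 and that 8384/tcp is not allowed from Anywhere. The sample table is a constructed copy of the poster's output; the profile names and the REQUIRED/GUI port sets are taken from the thread.

```python
import re
from collections import namedtuple

# Constructed sample: the "ufw status verbose" table posted in the thread,
# after the poster denied the syncthing-gui profile (header lines kept on purpose).
SAMPLE_STATUS = """\
To                            Action      From
--                            ------      ----
1716/tcp                      DENY IN     Anywhere
1714:1764/udp                 DENY IN     Anywhere
22000/tcp (syncthing)         ALLOW IN    Anywhere
21027/udp (syncthing)         ALLOW IN    Anywhere
8384/tcp (syncthing-gui)      DENY IN     Anywhere
1716/tcp (v6)                 DENY IN     Anywhere (v6)
1714:1764/udp (v6)            DENY IN     Anywhere (v6)
22000/tcp (syncthing (v6))    ALLOW IN    Anywhere (v6)
21027/udp (syncthing (v6))    ALLOW IN    Anywhere (v6)
8384/tcp (syncthing-gui (v6)) DENY IN     Anywhere (v6)
"""
# One rule line: "<port/proto> [(profile)] <ACTION> <DIR> <source>"; ufw prints
# a separate IPv6 copy of every rule and marks it "(v6)", hence the duplicates.
RULE_RE = re.compile(
    r"^(?P<to>\S+)\s+(?:\((?P<app>.*)\)\s+)?"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<dir>IN|OUT|FWD)\s+(?P<src>.+?)\s*$")
Rule = namedtuple("Rule", "to app action direction src v6")  # app == "" if added by port

def parse_status(text):
    """Parse the rule table of `ufw status verbose`; header/separator lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            app = re.sub(r"\(?v6\)?$", "", m["app"] or "").strip()   # "syncthing (v6)" -> "syncthing"
            src = m["src"].replace("(v6)", "").strip()
            rules.append(Rule(m["to"], app, m["action"], m["dir"], src, "(v6)" in line))
    return rules

REQUIRED = {"22000/tcp", "21027/udp"}   # sync protocol and local discovery
GUI = "8384/tcp"                        # web GUI: optional, and sensitive if exposed

def audit(rules):
    """Return findings versus the thread's advice; an empty list means the rules match."""
    findings = []
    for v6 in (False, True):
        fam = "IPv6" if v6 else "IPv4"
        allowed = {r.to for r in rules if r.v6 == v6 and r.action == "ALLOW" and r.direction == "IN"}
        findings += [f"{p} not allowed inbound on {fam}" for p in sorted(REQUIRED - allowed)]
        if any(r.v6 == v6 and r.to == GUI and r.action == "ALLOW" and r.src == "Anywhere" for r in rules):
            findings.append(f"{GUI} (web GUI) allowed from Anywhere on {fam}; restrict it to a subnet or use SSH forwarding")
    return findings
```

Feed it the output of "sudo ufw status verbose" on your own machine to see whether the GUI port is exposed or a required port is missing for one address family.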
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.