ufw rules for syncthing

Hi, I am using Manjaro XFCE. I want to activate ufw to give me a safe feeling. May I know what rule to set in ufw to allow Syncthing to work?

thanks

What ports syncthing uses is described in the docs. What rules that translates into ufw, I don’t know, but I suspect someone must have written it up somewhere on the internet, so Google might help you.

I use Syncthing on Ubuntu and installed via the syncthing.net apt repository. ufw app rules were added automatically via the ufw app verb. See “Application integration” in the ufw man page for more info.

Rules were added automatically? Is that good for a firewall? Just pondering: is there a way to see live firewall logs, or something that lets me see the incoming and outgoing connections of the firewall?

thx

There’s both a section about ufw in the docs (https://docs.syncthing.net/users/firewall.html#uncomplicated-firewall-ufw) and then even shipped ufw rules with a readme (https://github.com/syncthing/syncthing/tree/main/etc/firewall-ufw).


Yeah, I saw it:

$ sudo ufw app info syncthing
Profile: syncthing
Title: Syncthing
Description: Syncthing file synchronisation

Ports:
  22000/tcp
  21027/udp

thx

I wonder why there are duplicates of the ports (although they don’t have the app name listed alongside).

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
1716/tcp                   DENY IN     Anywhere                  
1714:1764/udp              DENY IN     Anywhere                  
22000/tcp (syncthing)      ALLOW IN    Anywhere                  
21027/udp (syncthing)      ALLOW IN    Anywhere                  
8384/tcp (syncthing-gui)   ALLOW IN    Anywhere                  
1716/tcp (v6)              DENY IN     Anywhere (v6)             
1714:1764/udp (v6)         DENY IN     Anywhere (v6)             
22000/tcp (syncthing (v6)) ALLOW IN    Anywhere (v6)             
21027/udp (syncthing (v6)) ALLOW IN    Anywhere (v6)             
8384/tcp (syncthing-gui (v6)) ALLOW IN    Anywhere (v6)

Since `sudo ufw allow syncthing-gui` allows access to the web GUI from anywhere (not just from localhost), and I don’t need that function right now, I have set these two rules to “deny”.

Can anybody tell me if the ufw rules are correct? Does anything need to be changed?

thx

    $ sudo ufw status verbose
        Status: active
        Logging: on (low)
        Default: deny (incoming), allow (outgoing), disabled (routed)
        New profiles: skip

        To                         Action      From
        --                         ------      ----
        1716/tcp                   DENY IN     Anywhere                  
        1714:1764/udp              DENY IN     Anywhere                  
        22000/tcp (syncthing)      ALLOW IN    Anywhere                  
        21027/udp (syncthing)      ALLOW IN    Anywhere                  
        8384/tcp (syncthing-gui)   DENY IN     Anywhere                  
        1716/tcp (v6)              DENY IN     Anywhere (v6)             
        1714:1764/udp (v6)         DENY IN     Anywhere (v6)             
        22000/tcp (syncthing (v6)) ALLOW IN    Anywhere (v6)             
        21027/udp (syncthing (v6)) ALLOW IN    Anywhere (v6)             
        8384/tcp (syncthing-gui (v6)) DENY IN     Anywhere (v6)

There are separate rules for IPv4 and IPv6 traffic, hence two rules each.

The rules you’ve listed that are marked as syncthing look fine.

However, I do see a possible minor bug in the application profile: the port for local discovery, 21027, doesn’t need to be included since ufw allows local traffic by default. It ought not to be left open to the WAN for the purposes of completeness. The v6 rule for 21027 is in itself superfluous as that’s for v4 traffic only, I believe.

Would someone else confirm this? I should be able to fix it myself if it does need fixing.

Were you referring to this UDP port because ufw automatically created these rules? (see below)

Are any of the v6 rules extra?

May I know how you tell which rules are default in ufw, as you said “the port for local discovery 21027 doesn’t need to be included since ufw allows local traffic by default”? How do you tell or know which traffic is default? Is anything on 127.0.0.* considered default? That’s not right, right?

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 1716/tcp                   DENY IN     Anywhere                  
[ 2] 1714:1764/udp              DENY IN     Anywhere                  
[ 3] syncthing                  ALLOW IN    Anywhere                  
[ 4] syncthing-gui              DENY IN     Anywhere                  
[ 5] 1716/tcp (v6)              DENY IN     Anywhere (v6)             
[ 6] 1714:1764/udp (v6)         DENY IN     Anywhere (v6)             
[ 7] syncthing (v6)             ALLOW IN    Anywhere (v6)             
[ 8] syncthing-gui (v6)         DENY IN     Anywhere (v6)

Local discovery happens via v4 and v6, and I think on the same port.


22000 and 22000 v6 both need to be open in ufw. 21027 does not - it is used to discover local devices on IPv4 networks.

v4 and v6 have their own rules, so yes, v6 are extra.

man ufw states that local traffic is allowed by default. Same goes for 127.0.0.0/::1. Since port 20127 is used by Syncthing only to receive local announcements, it does not need to be included in ufw - I think :)

I don’t know ufw but make sure “local traffic” means what you think. “From 127.0.0.1” and “from anyone on the local subnet(s)” are quite different.

Hi,

You said port 22000 and 22000 v6 need to be open in ufw; my Syncthing is currently working without issue. I only want it to sync locally and leave the “local discovery” feature on; the rest I want to block. Please help me look through my ufw rules: which of them can be set to denied for better security, and why? Note, I am not particularly familiar with the way UFW makes its verbose list. I know these for sure need to be allowed on the firewall:

22000/tcp (syncthing)
21027/udp (syncthing)  *I use Syncthing’s local discovery

I am guessing these can be denied:

22000/tcp (syncthing (v6)) *I can live without v6, right?

How about these:

8384/tcp (syncthing-gui) 
8384/tcp (syncthing-gui (v6))

I use a web browser for the Syncthing GUI, so I guess these should be allowed as well? Or can I deny them, because the web browser GUI that I use to control Syncthing belongs to the “self loop”, not “local traffic”?

What is 1716/tcp? Does that belong to Syncthing as well?

Also, this I am not clear on: all these below, are they referring to local traffic? Or should “self loop” be local traffic? If self loop, then it can’t access other local devices. Also, because they don’t have an IP address attached, it looks to me like local traffic. **Even though local traffic can also have an IP attached to it...* confused

1716/tcp                                     
1714:1764/udp  

thx

ufw status verbose

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
1716/tcp                   DENY IN     Anywhere                  
1714:1764/udp              DENY IN     Anywhere                  
22000/tcp (syncthing)      ALLOW IN    Anywhere                  
21027/udp (syncthing)      ALLOW IN    Anywhere                  
8384/tcp (syncthing-gui)   DENY IN     Anywhere                  
1716/tcp (v6)              DENY IN     Anywhere (v6)             
1714:1764/udp (v6)         DENY IN     Anywhere (v6)             
22000/tcp (syncthing (v6)) ALLOW IN    Anywhere (v6)             
21027/udp (syncthing (v6)) ALLOW IN    Anywhere (v6)             
8384/tcp (syncthing-gui (v6)) DENY IN     Anywhere (v6)

Yeah, you are right, it is called “self loop”, not local traffic.

Quoting calmh (post 16): local traffic” means what you think. “From 127.0.0.1” and “from anyone on the local subnet(s)” are quite different.

Open 22000/tcp and 21027/udp for Syncthing. IPv4 and IPv6, there is no security consideration between them. Open 8384/tcp if you need to access the GUI from somewhere else and don’t use something like SSH forwarding.

The other ports mentioned are not related to Syncthing.

We’ve documented this quite clearly: https://docs.syncthing.net/users/firewall.html
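As an added example (not from the thread or the Syncthing project), a small Python audit that parses the `ufw status verbose` table posted above and reports the two things raised in this thread: GUI port 8384 allowed in from Anywhere, and ports whose IPv4/IPv6 rule pairs disagree or are missing one family. The column layout and the `(v6)` markers follow the output as posted; the sample table itself is constructed.

```python
"""Audit a `ufw status verbose` listing for Syncthing exposure. Added example,
not from the Syncthing project or the thread; flags the GUI port allowed from
Anywhere and ports whose IPv4 and IPv6 rules disagree."""
import re

# Constructed sample: the poster's table before they set the GUI rules to DENY.
SAMPLE = """\
To                         Action      From
--                         ------      ----
1716/tcp                   DENY IN     Anywhere
22000/tcp (syncthing)      ALLOW IN    Anywhere
21027/udp (syncthing)      ALLOW IN    Anywhere
8384/tcp (syncthing-gui)   ALLOW IN    Anywhere
22000/tcp (syncthing (v6)) ALLOW IN    Anywhere (v6)
21027/udp (syncthing (v6)) ALLOW IN    Anywhere (v6)
8384/tcp (syncthing-gui (v6)) ALLOW IN    Anywhere (v6)
"""

# One rule row: "<port>/<proto> [(app [(v6)])]  ACTION DIR  source"
RULE_RE = re.compile(
    r"^(?P<port>\d+(?::\d+)?)/(?P<proto>tcp|udp)"
    r"(?:\s+\((?P<app>[^()]*(?:\([^()]*\))?)\))?"
    r"\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<dir>IN|OUT)\s+(?P<src>.+?)\s*$")
GUI_PORT = "8384"  # web GUI; 22000/tcp = sync transport, 21027/udp = local discovery

def parse_rules(listing):
    """Return one dict per rule row; header, status and separator lines do not match."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            r = m.groupdict()
            r["ipv6"] = "(v6)" in line  # ufw marks v6 rules in both columns
            rules.append(r)
    return rules

def gui_exposed(rules):
    """Rule rows that let the GUI (8384) in from Anywhere, v4 or v6."""
    return [r for r in rules if r["port"] == GUI_PORT and r["dir"] == "IN"
            and r["action"] == "ALLOW" and r["src"].startswith("Anywhere")]

def family_mismatch(rules):
    """Ports where the v4 and v6 rows disagree or one family is missing: Syncthing
    speaks both, so a lone rule silently drops peers on the other family."""
    by_port = {}
    for r in rules:
        by_port.setdefault(f"{r['port']}/{r['proto']}", {})[r["ipv6"]] = r["action"]
    return sorted(p for p, fam in by_port.items()
                  if len(fam) != 2 or len(set(fam.values())) != 1)
```

Run it against the real output with `parse_rules(subprocess.check_output(["sudo", "ufw", "status", "verbose"], text=True))`; an empty `gui_exposed` result is what the last reply recommends unless the GUI really must be reachable from other hosts.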
