Syncthing firewall rules (allow syncthing only)

tr0ttel · December 8, 2024, 6:07pm

Hello QOS community,

my situation:
VM with Syncthing → synchronizing with devices which are online via mobile internet (not only local).
I want to get the Qube more “isolated” - and allow only Syncthing app to go online - and nothing else (otherwise no internet connection for this vm necessary).

Via firewall rules - allow all outgoing traffic → syncthing detects my devices and synchronization takes place (but only via WAN IP - local detection not working - but still ok for me).

I tried:

enter local IP of devices
allow TCP 22000 / UDP 22000 / UDP 21027
With this rules - syncthing does not detect the devices.

Does someone have more tips to get syncthing detect the local devices + (more important) to detect and connect in general to my devices (not only local) but at same time allow only Syncthing to go online?

On my preceding Debian 12 system - i used in the same network (same Notebook) the ufw firewall.
Via “sudo ufw allow syncthing” everything was solved. But with Qubes i cant get this to work properly.

Best regards

solene · December 9, 2024, 7:40am

syncthing uses a collection of online relays, so it uses extra ports for both discovery and relay.

Discovery servers runs on tcp/8443 by default while relay are on tcp/22067

tr0ttel · December 9, 2024, 6:30pm

added the additional rules - without success

solene · December 9, 2024, 7:24pm

you can check the logs of the qube’s netvm, the blocked traffic should be logged IIRC

tr0ttel · December 9, 2024, 7:29pm

ok, it was a rare training for me to look for linux logs (debian user since 2018 - moved from Windows). Which logfile should i look for to see network traffic related things in Qubes?

solene · December 9, 2024, 7:49pm

hmm, I thought logging was enabled by default in the firewall on Qubes OS, but it’s not the case.

Instead, I’d recommend using tcpdump if you are familiar with it.

tr0ttel · December 9, 2024, 7:53pm

will check tomorrow - you gave me the direction. Even if i never checked via tcpdump - i will check other sources to find how to check and use and give feedback. Thank you.

solene · December 9, 2024, 7:58pm

install tcpdump
run tcpdump -i eth0 -nn and check which ports are used

you may have see a lot of traffic though

you can remove ports you identified one by one using sudo tcpdump -i eth0 -nn not tcp port 22000 and not udp port 22000 and not tcp port ....

muntedcrocodile · March 2, 2025, 11:41am

I ran into the same problem. I believe it is caused by syncthing using relays that are accessed via port 443. I tried adding a rule to allow 443 but that also didn’t work. If i disable outgoing firewall for my qube then syncthing works perfectly. if anyone has any updates on what the rules should be to resolve this that would be great.

solene · March 2, 2025, 12:31pm

you may need TCP ports 22067 and 8443

tr0ttel · April 30, 2025, 5:30am

So - all my Syncthing issues solved.
I have following setup:

Qubes OS Notebook with Syncthing in a “Syncthing AppVM”
Graphene OS Smartphone with Rethink DNS (Firewall and DNS FIlter)
need only direct local connection, no need to synchronize when in other LAN or mobile

Setup:
Smartphone:

in Graphene OS adjustment: VPN only connection allowed, VPN always active
RethinkDNS: configuration → Apps → Syncthing: bypass DNS & Firewall activated (option Bypass app from all proxies enabled too).
Syncthing Fork: assigned a static IP (from my network of the QubesOS Notebook)

Notebook (QubesOS):

AppVM with syncthing → firewall-rules: allow only connection to the static ip of Smartphone
assigned static ip of the Smarthone device

Solution is based on the information from this thread:

Everything works fine. Full speed (27MB/s) synchronisation speed). Connects immediately. No need for mobile synchronisation.

Hope this will help some people.
I have a standard QubesOS setup: AppVM → sys-firewall → sys-net → network → GrapheneOS smartphone.
Adjustments only done in AppVM - and on smartphone.