Syncthing firewall rules (allow syncthing only)

Hello QOS community,

my situation:
VM with Syncthing → synchronizing with devices which are online via mobile internet (not only local).
I want to get the qube more “isolated” and allow only the Syncthing app to go online, nothing else (otherwise no internet connection is necessary for this VM).

Via firewall rules, allowing all outgoing traffic → Syncthing detects my devices and synchronization takes place (but only via WAN IP; local detection is not working, but that is still OK for me).

I tried:

  • entering the local IPs of the devices
  • allowing TCP 22000 / UDP 22000 / UDP 21027
    With these rules, Syncthing does not detect the devices.

Does someone have more tips on getting Syncthing to detect the local devices and, more importantly, to detect and connect to my devices in general (not only local), while at the same time allowing only Syncthing to go online?

On my previous Debian 12 system, I used the ufw firewall in the same network (same notebook).
With “sudo ufw allow syncthing” everything was solved, but with Qubes I can't get this to work properly.

Best regards

Syncthing uses a collection of online relays, so it uses extra ports for both discovery and relays.

Discovery servers run on tcp/8443 by default, while relays are on tcp/22067.

Added the additional rules, without success :frowning:

You can check the logs of the qube's netvm; the blocked traffic should be logged, IIRC.

OK, looking for Linux logs is rare training for me (Debian user since 2018, moved from Windows). Which logfile should I look at to see network-traffic-related things in Qubes?

Hmm, I thought logging was enabled by default in the firewall on Qubes OS, but that's not the case.

Instead, I’d recommend using tcpdump if you are familiar with it.


Will check tomorrow; you gave me the direction. Even if I have never checked via tcpdump, I will look at other sources to find out how to use it, and give feedback. Thank you.

  • install tcpdump
  • run tcpdump -i eth0 -nn and check which ports are used

You may see a lot of traffic though :sweat_smile:

You can remove ports you identified one by one using sudo tcpdump -i eth0 -nn not tcp port 22000 and not udp port 22000 and not tcp port ....
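The two steps discussed in this thread, finding the extra discovery/relay destinations Syncthing uses and turning the tcpdump output into Qubes firewall rules, can be glued together in a short script. The following is an added example written for this page; it is not code from any poster, from Syncthing or from Qubes OS. It assumes a qube named syncthing-vm with eth0 address 10.137.0.20, a constructed sample of what `sudo tcpdump -i eth0 -nn` prints inside the qube (documentation addresses, not real peers), and the `qvm-firewall VM add accept dsthost=... proto=... dstports=...` / `specialtarget=dns` / `add drop` syntax of dom0's qvm-firewall; check `qvm-firewall --help` on your release before running the printed commands.

```shell
#!/bin/sh
# Added example (not from the thread): summarize the qube's outbound
# connections from `tcpdump -i eth0 -nn` output and print the dom0
# qvm-firewall commands that allow exactly those destinations.
# Assumptions: qube "syncthing-vm", qube IP 10.137.0.20, and the
# qvm-firewall key=value rule syntax; all of these are placeholders.

# Constructed sample of tcpdump -nn output as seen inside the qube
# (IPv4 only; 192.0.2.x / 198.51.100.x are documentation ranges).
# Line 1 is a DNS lookup, which tcpdump decodes instead of printing "UDP,".
SAMPLE_TCPDUMP='12:00:00.000001 IP 10.137.0.20.40001 > 10.139.1.1.53: 4711+ A? discovery.syncthing.net. (41)
12:00:00.000002 IP 10.137.0.20.43122 > 192.0.2.10.22000: Flags [S], seq 1, win 64240, length 0
12:00:00.000003 IP 10.137.0.20.43122 > 192.0.2.10.22000: Flags [.], ack 1, win 502, length 0
12:00:00.000004 IP 10.137.0.20.21027 > 10.137.0.255.21027: UDP, length 100
12:00:00.000005 IP 10.137.0.20.51000 > 198.51.100.7.22067: Flags [S], seq 2, win 64240, length 0
12:00:00.000006 IP 192.0.2.10.22000 > 10.137.0.20.43122: Flags [S.], seq 3, ack 2, win 65160, length 0'

# summarize_tcpdump LOCAL_IP
# Reads tcpdump -nn lines on stdin and prints "proto dsthost dstport count"
# for every outbound flow (source address == LOCAL_IP). Inbound, IPv6 and
# port-less lines (ICMP, ARP) are skipped on purpose: only the qube's own
# outbound destinations need accept rules.
summarize_tcpdump() {
    awk -v local_ip="$1" '
    $2 == "IP" && $4 == ">" {
        n = split($3, s, "[.]")                 # src is host.port
        if (n != 5) next
        shost = s[1] "." s[2] "." s[3] "." s[4]
        if (shost != local_ip) next             # keep outbound only
        dst = $5; sub(/:$/, "", dst)            # dst is host.port:
        n = split(dst, d, "[.]")
        if (n != 5) next
        dhost = d[1] "." d[2] "." d[3] "." d[4]
        # tcpdump prints "Flags [...]" only for TCP; UDP lines show either
        # "UDP, length N" or a decoded payload (DNS), so treat both as udp.
        proto = ($6 == "Flags") ? "tcp" : "udp"
        count[proto " " dhost " " d[5]]++
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# rules_from_summary VMNAME
# Turns the summary into one qvm-firewall command per destination, maps the
# DNS flows to Qubes'"'"' specialtarget=dns, and appends a final drop so
# nothing else leaves the qube.
rules_from_summary() {
    awk -v vm="$1" '
    $1 == "udp" && $3 == "53" {
        if (!dns_done) print "qvm-firewall " vm " add accept specialtarget=dns"
        dns_done = 1
        next
    }
    $1 == "tcp" || $1 == "udp" {
        print "qvm-firewall " vm " add accept dsthost=" $2 " proto=" $1 " dstports=" $3
    }
    END { print "qvm-firewall " vm " add drop" }
    '
}

# Dry run on the constructed sample: prints the dom0 commands, runs nothing.
syncthing_rules() {
    printf '%s\n' "$SAMPLE_TCPDUMP" | summarize_tcpdump 10.137.0.20 | rules_from_summary syncthing-vm
}

syncthing_rules
```

In practice you would run the tcpdump inside the qube while Syncthing tries to connect, feed the captured lines to summarize_tcpdump instead of the sample, review the list (a peer's WAN address, the relay and discovery servers, DNS), and only then paste the printed commands into dom0. Afterwards confirm with `qvm-firewall syncthing-vm list` that the accept rules sit before any catch-all accept rule, since rules are matched in order (`add --before` and `del --rule-no` exist for reordering). Two caveats: the 10.137.0.255 line is a broadcast on the qube's own virtual subnet, and Qubes NATs qubes behind sys-net, so that local-discovery broadcast never reaches the physical LAN, which matches the "local detection not working" observation above; and the public discovery and relay servers are reached by hostname from a rotating pool, so captured IPs can change and you may prefer hostnames in dsthost= where your release supports them.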