Syncthing firewall rules (allow syncthing only)

Hello QOS community,

my situation:
VM with Syncthing → synchronizing with devices which are online via mobile internet (not only local).
I want to get the Qube more “isolated” - and allow only Syncthing app to go online - and nothing else (otherwise no internet connection for this vm necessary).

Via firewall rules - allow all outgoing traffic → syncthing detects my devices and synchronization takes place (but only via WAN IP - local detection not working - but still ok for me).

I tried:

  • enter local IP of devices
  • allow TCP 22000 / UDP 22000 / UDP 21027
    With these rules, syncthing does not detect the devices.

Does someone have more tips to get syncthing to detect the local devices + (more important) to detect and connect in general to my devices (not only local), but at the same time allow only Syncthing to go online?

On my preceding Debian 12 system I used the ufw firewall in the same network (same Notebook).
Via “sudo ufw allow syncthing” everything was solved. But with Qubes I can't get this to work properly.

Best regards

Syncthing uses a collection of online relays, so it uses extra ports for both discovery and relay.

Discovery servers run on tcp/8443 by default while relays are on tcp/22067.

added the additional rules - without success :frowning:

you can check the logs of the qube’s netvm, the blocked traffic should be logged IIRC

ok, it was a rare training for me to look for linux logs (debian user since 2018 - moved from Windows). Which logfile should I look for to see network traffic related things in Qubes?

hmm, I thought logging was enabled by default in the firewall on Qubes OS, but it’s not the case.

Instead, I’d recommend using tcpdump if you are familiar with it.


will check tomorrow - you gave me the direction. Even if I never checked via tcpdump - I will check other sources to find out how to check and use it and give feedback. Thank you.

  • install tcpdump
  • run tcpdump -i eth0 -nn and check which ports are used

you may see a lot of traffic though :sweat_smile:

you can remove ports you identified one by one using sudo tcpdump -i eth0 -nn not tcp port 22000 and not udp port 22000 and not tcp port ....

I ran into the same problem. I believe it is caused by syncthing using relays that are accessed via port 443. I tried adding a rule to allow 443 but that also didn’t work. If I disable the outgoing firewall for my qube then syncthing works perfectly. If anyone has any updates on what the rules should be to resolve this that would be great.

you may need TCP ports 22067 and 8443
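The two steps suggested above, running tcpdump -i eth0 -nn to see which ports the qube talks to and then excluding the Syncthing ports one by one until nothing unexplained is left, can be automated over a saved capture. The following is an added example (not code from the thread or from the Syncthing or Qubes projects): it parses the one-line IPv4 output format of tcpdump -nn, counts outbound flows by protocol and destination port, reports which flows the port list from this thread (22000 tcp/udp, 21027 udp, 8443 tcp, 22067 tcp, plus 443 and DNS) does not explain, and emits the matching qvm-firewall commands for dom0. The qube IP 10.137.0.20, the VM name syncthing-vm, the peer address 192.168.1.50 and all capture lines are constructed sample values.

```python
import re
from collections import Counter

# Port roles as discussed in this thread (constructed mapping, not Syncthing's own config).
SYNCTHING_PORTS = {
    ("tcp", 22000): "sync (TCP)",
    ("udp", 22000): "sync (QUIC)",
    ("udp", 21027): "local discovery broadcast",
    ("tcp", 8443): "global discovery server",
    ("tcp", 22067): "relay server",
    ("tcp", 443): "HTTPS (relay pool / discovery fallback)",
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
}

# One line of `tcpdump -i eth0 -nn` for IPv4 TCP/UDP: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>".
# ICMP lines carry no port and are deliberately left unmatched.
_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed capture, as seen from the Syncthing AppVM (10.137.0.20).
SAMPLE = """\
10:00:01.000001 IP 10.137.0.20.41234 > 10.139.1.1.53: 12345+ A? discovery.syncthing.net. (44)
10:00:01.000500 IP 10.139.1.1.53 > 10.137.0.20.41234: 12345 1/0/0 A 203.0.113.5 (60)
10:00:01.001000 IP 10.137.0.20.52000 > 203.0.113.5.8443: Flags [S], seq 1, win 64240, length 0
10:00:01.002000 IP 10.137.0.20.21027 > 10.137.0.255.21027: UDP, length 120
10:00:01.003000 IP 10.137.0.20.52001 > 198.51.100.7.22000: Flags [S], seq 2, win 64240, length 0
10:00:01.004000 IP 10.137.0.20.52002 > 198.51.100.8.22067: Flags [S], seq 3, win 64240, length 0
10:00:01.005000 IP 10.137.0.20.52003 > 192.0.2.9.443: Flags [S], seq 4, win 64240, length 0
10:00:01.006000 IP 10.137.0.20.52004 > 192.0.2.10.80: Flags [S], seq 5, win 64240, length 0
10:00:02.000000 IP 10.137.0.20 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
"""


def parse_line(line):
    """Return {src, dst, proto, dport} for a TCP/UDP line, or None for anything else."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    # tcpdump prints TCP segments as "Flags [...]"; UDP shows "UDP, length N" or a decoded DNS query.
    proto = "tcp" if m.group("rest").startswith("Flags [") else "udp"
    return {"src": m.group("src"), "dst": m.group("dst"),
            "proto": proto, "dport": int(m.group("dport"))}


def summarize(lines, qube_ip):
    """Count outbound flows (source is the qube itself) per (proto, destination port)."""
    counts = Counter()
    for flow in map(parse_line, lines):
        if flow and flow["src"] == qube_ip:
            counts[(flow["proto"], flow["dport"])] += 1
    return counts


def unexplained_flows(lines, qube_ip, allowed):
    """Outbound flows not covered by `allowed`: what the manual 'not tcp port ...' filter would leave."""
    return [f for f in map(parse_line, lines)
            if f and f["src"] == qube_ip and (f["proto"], f["dport"]) not in allowed]


def qvm_firewall_rules(vm, ports, dsthost=None):
    """Emit dom0 `qvm-firewall` commands for a (proto, port) set; dsthost pins rules to one peer,
    as the static-IP setup later in this thread does. The default catch-all accept rule has to be
    removed separately (qvm-firewall VM del --rule-no N) so the implicit final drop applies."""
    host = f" dsthost={dsthost}" if dsthost else ""
    cmds = [f"qvm-firewall {vm} add accept specialtarget=dns"]  # discovery servers are resolved by name
    for proto, port in sorted(ports):
        cmds.append(f"qvm-firewall {vm} add accept{host} proto={proto} dstports={port}")
    return cmds


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for (proto, port), n in sorted(summarize(lines, "10.137.0.20").items()):
        print(f"{proto}/{port:<5} {n:3d}  {SYNCTHING_PORTS.get((proto, port), 'UNEXPLAINED')}")
    for f in unexplained_flows(lines, "10.137.0.20", set(SYNCTHING_PORTS)):
        print("not covered by the Syncthing rule set:", f)
    print("\n".join(qvm_firewall_rules("syncthing-vm",
                                       {p for p in SYNCTHING_PORTS if p[1] != 53})))
```

Run it against a real capture with `sudo tcpdump -i eth0 -nn > capture.txt` in the qube and feed `open("capture.txt")` instead of SAMPLE; whatever remains in the unexplained list is either traffic from another program in the qube or a port the rule set still lacks, which is exactly the distinction the firewall question in this thread hinges on.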

So - all my Syncthing issues are solved.
I have the following setup:

  • Qubes OS Notebook with Syncthing in a “Syncthing AppVM”
  • Graphene OS Smartphone with Rethink DNS (Firewall and DNS Filter)
  • need only direct local connection, no need to synchronize when in other LAN or mobile

Setup:
Smartphone:

  • in Graphene OS adjustment: VPN only connection allowed, VPN always active
  • RethinkDNS: configuration → Apps → Syncthing: bypass DNS & Firewall activated (option Bypass app from all proxies enabled too).
  • Syncthing Fork: assigned a static IP (from my network of the QubesOS Notebook)

Notebook (QubesOS):

  • AppVM with syncthing → firewall-rules: allow only connection to the static ip of Smartphone
  • assigned static IP of the Smartphone device

Solution is based on the information from this thread:

Everything works fine. Full synchronisation speed (27MB/s). Connects immediately. No need for mobile synchronisation.

Hope this will help some people.
I have a standard QubesOS setup: AppVM → sys-firewall → sys-net → network → GrapheneOS smartphone.
Adjustments only done in AppVM - and on smartphone.