# Update #11 - Syncthing UFW DDNS Cron Recovery & Long-Term Rule Persistence #### **Date:** May 11, 2025 **Category:** Security / Automation **Backlink:** [Update #10 – Fail2Ban IP Geolocation Lookup Script with Auto-Filtering](https://docs.natenetworks.com/books/02-project-notes/page/update-10-fail2ban-ip-geolocation-lookup-script-with-auto-filtering) ### Overview This update builds upon our existing Syncthing and UFW/DDNS configuration and addresses the issue of persistent firewall rules disappearing after system events such as upgrades or restarts. It introduces mechanisms to automatically recover and persist UFW rules linked to DDNS-resolved IPs, as well as implement log rotation for our custom scripts. ### Problem Summary - UFW rules allowing DDNS-bound access to Syncthing ports (8384, 22000, 21027) were occasionally disappearing. - There was no persistent re-application of these rules on reboot or after package upgrades. - A need existed to reduce log file size growth from regular UFW rule updates. ### Key Changes Implemented #### 1. **Syncthing DDNS-based UFW Script Improvements** - Script Path: `/usr/local/bin/update-syncthing-ufw.sh` - Now includes: - Cleanup of old rules - Re-application of DDNS-resolved IP - IPv6 exception handling - Console output when run manually - Logged output when run via cron ```bash #!/bin/bash DDNS_HOST="your-ddns.example.com" PORTS=(8384/tcp 22000/tcp 21027/udp) LOG_TAG="Syncthing DDNS Access" # Resolve IP IP=$(dig +short "$DDNS_HOST" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n1) if [[ -z "$IP" ]]; then echo "❌ Failed to resolve IP for $DDNS_HOST" exit 1 fi # Clean up existing rules for this tag for port in "${PORTS[@]}"; do ufw status numbered | grep "$LOG_TAG" | grep "$port" | awk -F'[][]' '{print $2}' | tac | while read -r num; do ufw --force delete "$num" done done # Add new rules for port in "${PORTS[@]}"; do ufw allow from "$IP" to any port "${port%/*}" proto "${port##*/}" comment "$LOG_TAG" done echo "✅ Cleaned and updated UFW rules for Syncthing from $IP" ``` #### 2. **Cron Automation for Rule Recovery** - **Location:** `sudo crontab -e` - **Jobs Added:** ```cron # Run daily at 3:00 AM 0 3 * * * /usr/local/bin/update-syncthing-ufw.sh # Run every 10 minutes, prevents overlapping runs */10 * * * * flock -n /tmp/ufw-ddns.lock /usr/local/bin/update-syncthing-ufw.sh >> /var/log/update-syncthing-ufw.log 2>&1 # Run on reboot @reboot /usr/local/bin/update-syncthing-ufw.sh >> /var/log/update-syncthing-ufw.log 2>&1 ``` --- #### 3. **Logrotate Setup for UFW Update Logs** - **File:** `/etc/logrotate.d/update-syncthing-ufw` - **Content:** ```text /var/log/update-syncthing-ufw.log { su root root daily rotate 7 compress missingok notifempty create 644 root root } ``` ### Additional Files and Paths
ScriptPath
Syncthing DDNS UFW Script`/usr/local/bin/update-syncthing-ufw.sh`
Cron Log File`/var/log/update-syncthing-ufw.log`
Logrotate Config`/etc/logrotate.d/update-syncthing-ufw`
### Testing - Verified successful rule refresh via `sudo ufw status` - Confirmed script logs rotation using `logrotate --debug` - Confirmed cron execution via `grep update-syncthing-ufw /var/log/syslog` - Script executes correctly manually and via cron. ### Conclusion This update ensures that DDNS-based access to Syncthing is consistently maintained with automatic recovery and no risk of bloat from excessive log growth. The solution is now reliable through reboots, daily updates, and in the event of system changes like package upgrades