Update #11 - Syncthing UFW DDNS Cron Recovery & Long-Term Rule Persistence

Date: May 11, 2025 Category: Security / Automation Backlink: Update #10 – Fail2Ban IP Geolocation Lookup Script with Auto-Filtering 

 Overview 

 This update builds upon our existing Syncthing and UFW/DDNS configuration and addresses the issue of persistent firewall rules disappearing after system events such as upgrades or restarts. It introduces mechanisms to automatically recover and persist UFW rules linked to DDNS-resolved IPs, as well as implement log rotation for our custom scripts. 

 Problem Summary 

 

 

 UFW rules allowing DDNS-bound access to Syncthing ports (8384, 22000, 21027) were occasionally disappearing. 

 

 

 There was no persistent re-application of these rules on reboot or after package upgrades. 

 

 

 A need existed to reduce log file size growth from regular UFW rule updates. 

 

 

 Key Changes Implemented 

 1. Syncthing DDNS-based UFW Script Improvements 

 

 

 Script Path: /usr/local/bin/update-syncthing-ufw.sh 

 

 

 Now includes: 

 

 

 Cleanup of old rules 

 

 

 Re-application of DDNS-resolved IP 

 

 

 IPv6 exception handling 

 

 

 Console output when run manually 

 

 

 Logged output when run via cron 

 

 

 

 

 #!/bin/bash

DDNS_HOST="your-ddns.example.com"

PORTS=(8384/tcp 22000/tcp 21027/udp)

LOG_TAG="Syncthing DDNS Access"

# Resolve IP

IP=$(dig +short "$DDNS_HOST" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n1)

if [[ -z "$IP" ]]; then

 echo "❌ Failed to resolve IP for $DDNS_HOST"

 exit 1

fi

# Clean up existing rules for this tag

for port in "${PORTS[@]}"; do

 ufw status numbered | grep "$LOG_TAG" | grep "$port" | awk -F'[][]' '{print $2}' | tac | while read -r num; do

 ufw --force delete "$num"

 done

done

# Add new rules

for port in "${PORTS[@]}"; do

 ufw allow from "$IP" to any port "${port%/*}" proto "${port##*/}" comment "$LOG_TAG"

done

echo "✅ Cleaned and updated UFW rules for Syncthing from $IP"

 

 2. Cron Automation for Rule Recovery 

 

 

 Location: sudo crontab -e 

 

 

 Jobs Added: 

 

 

 # Run daily at 3:00 AM

0 3 * * * /usr/local/bin/update-syncthing-ufw.sh

# Run every 10 minutes, prevents overlapping runs

*/10 * * * * flock -n /tmp/ufw-ddns.lock /usr/local/bin/update-syncthing-ufw.sh >> /var/log/update-syncthing-ufw.log 2>&1

# Run on reboot

@reboot /usr/local/bin/update-syncthing-ufw.sh >> /var/log/update-syncthing-ufw.log 2>&1

 

 

 3. Logrotate Setup for UFW Update Logs 

 

 

 File: /etc/logrotate.d/update-syncthing-ufw 

 

 

 Content: 

 

 

 /var/log/update-syncthing-ufw.log {

 su root root

 daily

 rotate 7

 compress

 missingok

 notifempty

 create 644 root root

}

 

 Additional Files and Paths 

 

 

 

 Script 

 Path 

 

 

 

 

 Syncthing DDNS UFW Script 

 /usr/local/bin/update-syncthing-ufw.sh 

 

 

 Cron Log File 

 /var/log/update-syncthing-ufw.log 

 

 

 Logrotate Config 

 /etc/logrotate.d/update-syncthing-ufw 

 

 

 

 Testing 

 

 

 Verified successful rule refresh via sudo ufw status 

 

 

 Confirmed script logs rotation using logrotate --debug 

 

 

 Confirmed cron execution via grep update-syncthing-ufw /var/log/syslog 

 

 

 Script executes correctly manually and via cron. 

 

 

 Conclusion 

 This update ensures that DDNS-based access to Syncthing is consistently maintained with automatic recovery and no risk of bloat from excessive log growth. The solution is now reliable through reboots, daily updates, and in the event of system changes like package upgrades