Firewall settings for the "Signal" encrypted communication app

Signal is a WhatsApp open-source alternative with end-to-end encryption. I am having problems allowing the app to work behind the IPFire firewall. The recommendations from the developers are the following:

Allow *, *, TCP port 443, and UDP traffic. If you have a transparent or reverse proxy it needs to support WebSockets. Signal uses a non-standard TCP port to catch filtering issues at the signaling step and also utilizes a random UDP port. All UDP ports will need to be opened. The underlying IPs are constantly changing, so it’d be hard to define accurate firewall rules.

Is it possible to use just the WUI, or do I need to play with the firewall.local settings? Unfortunately I still have problems understanding the logic behind the firewall settings. How do I say to the firewall “accept all the UDP ports”? I do not have any reverse proxy or transparent proxy.

The Linux kernel doesn’t support FQDNs in firewall rules. Special wildcards are not possible.

But with IPFire default settings this is allowed. I think you have added a rule to block https (port 443) or set the default forward policy to blocked.

Of course, I was blocking port 443! I feel really stupid now. Now it works. Thanks Arne.

I ran into a strange situation today.
Several iPhones in my internal network were so far fine with using Signal, sending/receiving text as well as picture/video messages.
One of these iPhones suddenly failed sending any media, while text messages still were fine.
I never paid much attention to the rules explicitly for Signal, as it always “just worked”.

Now searching for firewall rules for Signal, I found this thread, and also the Signal KB entry quoted in the entry post.

Now I (for test) set up a rule to “allow all UDP ports green->red” and suddenly the one failing iPhone was back working fine, queued outgoing pictures sent out immediately.

Now I of course do not really like this general rule to be so wide open, but on the other hand I don’t know a way to set up some limiting factor in this rule with only these two wildcard DNS names as targets.

I understand this is not possible. Is there any better way than to allow all UDP ports the way I did it?
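As an added example (not from any poster in this thread and not IPFire's own code), the script below shows the blanket "allow all UDP green->red" rule next to a narrower set of rules written in the layout of IPFire's /etc/sysconfig/firewall.local, which is hooked into the ruleset through the CUSTOMFORWARD chain. Since the destination addresses cannot be pinned down, the limiting factors it uses are the source hosts, the connection state (only flows the phone itself opens) and a rate-limited log line per new UDP flow. The interface names green0/red0, the host addresses and the assumption that IPFire accepts ESTABLISHED/RELATED traffic ahead of CUSTOMFORWARD are all assumptions for the example; replace them with what your installation uses.

```shell
#!/bin/sh
# Added example (not from the thread, not IPFire's own code): a narrower
# alternative to a blanket "allow all UDP green->red" rule, in the layout of
# IPFire's /etc/sysconfig/firewall.local (start/stop/reload, CUSTOMFORWARD chain).
# Interface names and host addresses below are assumptions / constructed values.

GREEN_IF="${GREEN_IF:-green0}"   # assumed green interface name
RED_IF="${RED_IF:-red0}"         # assumed red interface name
SIGNAL_HOSTS="${SIGNAL_HOSTS:-192.168.10.21 192.168.10.22}"  # constructed: the phones running Signal
IPT="${IPT:-iptables}"           # set IPT=echo to dry-run without touching the kernel

# The blanket rule from the post, kept only for comparison: any green host,
# any UDP port, no logging. It is never applied by this script.
wide_open_rule() {
    echo "$IPT -A CUSTOMFORWARD -i $GREEN_IF -o $RED_IF -p udp -j ACCEPT"
}

# Narrower rules. Destinations cannot be pinned because Signal's IPs change,
# so the limits are: only the listed source hosts, only flows the phone
# initiates (conntrack NEW; replies are assumed to ride on the ESTABLISHED
# accept that IPFire places ahead of CUSTOMFORWARD), TCP 443 plus UDP, and a
# rate-limited log line for each new UDP flow so unexpected traffic is visible.
# "$1" is -A to add the rules or -D to remove them.
signal_rules() {
    action="$1"
    for host in $SIGNAL_HOSTS; do
        echo "$IPT $action CUSTOMFORWARD -i $GREEN_IF -o $RED_IF -s $host -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
        echo "$IPT $action CUSTOMFORWARD -i $GREEN_IF -o $RED_IF -s $host -p udp -m conntrack --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix \"signal-udp: \""
        echo "$IPT $action CUSTOMFORWARD -i $GREEN_IF -o $RED_IF -s $host -p udp -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Execute the generated commands line by line.
apply_rules() {
    signal_rules "$1" | sh
}

case "$1" in
    start)  apply_rules -A ;;
    stop)   apply_rules -D ;;
    reload) apply_rules -D; apply_rules -A ;;
esac
```

Run it with `IPT=echo sh firewall.local start` first to see the exact iptables commands it would issue; the "signal-udp:" log prefix lets you pick the new UDP flows out of the firewall log and confirm that only the listed phones are using the rule.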