anacrolix / torrent

Full-featured BitTorrent client package and utilities
Mozilla Public License 2.0

Recommended firewall rules break anacrolix requests #826

Closed AskAlexSharov closed 1 year ago

AskAlexSharov commented 1 year ago

We recommend the following list of firewall rules (with references to RFCs): https://github.com/ledgerwatch/erigon#hetzner-expecting-strict-firewall-rules But it seems to break some anacrolix/torrent requests. The following error appears in the logs:

error sending packet: write udp4 0.0.0.0:42069->172.248.195.186:42069: sendto: operation not permitted 

I'm not a network hero, so I don't really understand the source of the problem. Maybe it's sending packets to the wrong subnet, or maybe I've misconfigured something (for example, maybe I need to apply NAT ExternalIP resolution to all peer connections).

Do you have any advice?

Other comments on this topic: https://github.com/ledgerwatch/erigon/issues/6034#issuecomment-1506735329

anacrolix commented 1 year ago

I would guess that you have a peer that has an address of 172.248.195.186, and you've blocked them with the rule -A OUTPUT -p udp -d 172.0.0.0/8 -j DROP. The rule that Hetzner provide, 172.16.0.0/12, would not block that address. The peer address likely comes from a tracker or DHT query. Try relaxing the firewall rule to 172.16.0.0/12.
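To make the CIDR point above concrete, here is a small Go check (added as an example for this thread; it is not code from anacrolix/torrent or from erigon). It takes the peer address from the logged error and reports which destination ranges of an iptables-style `-A OUTPUT -p udp -d <cidr> -j DROP` list would match it, contrasting the overbroad `172.0.0.0/8` rule with the RFC 1918 block `172.16.0.0/12` (172.16.0.0 through 172.31.255.255). The `rfc1918Ranges` list and the function names are this example's own; an OUTPUT-chain DROP on a locally generated UDP packet is what surfaces as `sendto: operation not permitted` (EPERM) in the client.

```go
package main

import (
	"fmt"
	"net"
)

// rfc1918Ranges are the private IPv4 blocks defined by RFC 1918. A firewall
// that intends to block "private" destinations should use exactly these,
// not a wider prefix such as 172.0.0.0/8.
var rfc1918Ranges = []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}

// blockedBy returns the subset of cidrs (each the -d argument of a DROP rule)
// that contain addr, i.e. the rules that would cause sendto() to fail with
// EPERM for a packet to that peer. An invalid address or CIDR is an error.
func blockedBy(addr string, cidrs []string) ([]string, error) {
	ip := net.ParseIP(addr)
	if ip == nil {
		return nil, fmt.Errorf("invalid IP address %q", addr)
	}
	hits := []string{}
	for _, c := range cidrs {
		_, network, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		if network.Contains(ip) {
			hits = append(hits, c)
		}
	}
	return hits, nil
}

// isRFC1918 reports whether addr falls inside any RFC 1918 private range.
// A tracker or DHT should only ever hand out public peer addresses, so a
// false result means the peer is legitimate to contact from the public side.
func isRFC1918(addr string) (bool, error) {
	hits, err := blockedBy(addr, rfc1918Ranges)
	if err != nil {
		return false, err
	}
	return len(hits) > 0, nil
}

func main() {
	// Peer address taken from the error line in the issue.
	peer := "172.248.195.186"

	// Hypothetical overbroad rule set, as guessed in the reply above.
	overbroad := []string{"10.0.0.0/8", "172.0.0.0/8", "192.168.0.0/16"}

	for _, rules := range [][]string{overbroad, rfc1918Ranges} {
		hits, err := blockedBy(peer, rules)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("rules %v block %s: %v\n", rules, peer, hits)
	}

	private, _ := isRFC1918(peer)
	fmt.Printf("%s is RFC 1918 private: %v\n", peer, private)
}
```

Run it against any peer address from the client log: if the only hit comes from a prefix wider than the RFC 1918 blocks, that rule is the one to tighten, as the reply suggests.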