From 50379dc02c813d5ecfd51533c25b1ec30e56c653 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hern=C3=A2ni=20Marques?= Date: Wed, 8 Jul 2026 16:20:21 +0200 Subject: [PATCH] firewalld: drop obsolete 443 and 8082 (ACME via Caddy :9000) --- configs/firewalld/public-ports.md | 33 +++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/configs/firewalld/public-ports.md b/configs/firewalld/public-ports.md index bb31c9c..ac874c0 100644 --- a/configs/firewalld/public-ports.md +++ b/configs/firewalld/public-ports.md @@ -1,3 +1,32 @@ -# firewalld +# firewalld zone public (eno1) -Open 9000/9001/80. Drop 443/8082 next. +## Current (2026-07-09) + +``` +firewall-cmd --list-ports +# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp +``` + +| Port | Purpose | +|------|---------| +| 80/tcp | `http-proxy.socket` → Caddy 9000 (needed for **IPv6** WAN HTTP/ACME) | +| **443/tcp** | `https-proxy.socket` → Caddy 9001 (**required for IPv6** AAAA `:15d6`) | +| 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) | +| 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) | +| 8080/tcp | Tor OR | +| 23235/tcp | SSH (VeciGate maps public 23235) | +| dhcpv6-client, ssh | services | + +### Why 443 is required again + +IPv4 public HTTPS is DNAT’d to **9001**, so opening only 9001 was enough. +IPv6 has **no DNAT**: clients hit `2a02:168:53a8:0:d584:9e34:13cf:15d6:443` +directly. Without 443/tcp in firewalld, AAAA looked like `ERR_ADDRESS_UNREACHABLE` +/ connect timeout while IPv4 still worked. + +## History + +| Port | Note | +|------|------| +| 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 | +| 8082/tcp removed | old Podman ACME |