firewalld: drop obsolete 443 and 8082 (ACME via Caddy :9000)

This commit is contained in:
Hernâni Marques 2026-07-08 16:20:21 +02:00
parent 5c0101f24b
commit 50379dc02c
No known key found for this signature in database

View file

@ -1,3 +1,32 @@
# firewalld # firewalld zone public (eno1)
Open 9000/9001/80. Drop 443/8082 next. ## Current (2026-07-09)
```
firewall-cmd --list-ports
# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp
```
| Port | Purpose |
|------|---------|
| 80/tcp | `http-proxy.socket` → Caddy 9000 (needed for **IPv6** WAN HTTP/ACME) |
| **443/tcp** | `https-proxy.socket` → Caddy 9001 (**required for IPv6** AAAA `:15d6`) |
| 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) |
| 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) |
| 8080/tcp | Tor OR |
| 23235/tcp | SSH (VeciGate maps public 23235) |
| dhcpv6-client, ssh | services |
### Why 443 is required again
IPv4 public HTTPS is DNATd to **9001**, so opening only 9001 was enough.
IPv6 has **no DNAT**: clients hit `2a02:168:53a8:0:d584:9e34:13cf:15d6:443`
directly. Without 443/tcp in firewalld, AAAA looked like `ERR_ADDRESS_UNREACHABLE`
/ connect timeout while IPv4 still worked.
## History
| Port | Note |
|------|------|
| 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 |
| 8082/tcp removed | old Podman ACME |