firewalld: drop obsolete 443 and 8082 (ACME via Caddy :9000)
This commit is contained in:
parent
5c0101f24b
commit
50379dc02c
1 changed files with 31 additions and 2 deletions
|
|
@ -1,3 +1,32 @@
|
||||||
# firewalld
|
# firewalld zone public (eno1)
|
||||||
|
|
||||||
Open 9000/9001/80. Drop 443/8082 next.
|
## Current (2026-07-09)
|
||||||
|
|
||||||
|
```
|
||||||
|
firewall-cmd --list-ports
|
||||||
|
# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp
|
||||||
|
```
|
||||||
|
|
||||||
|
| Port | Purpose |
|
||||||
|
|------|---------|
|
||||||
|
| 80/tcp | `http-proxy.socket` → Caddy 9000 (needed for **IPv6** WAN HTTP/ACME) |
|
||||||
|
| **443/tcp** | `https-proxy.socket` → Caddy 9001 (**required for IPv6** AAAA `:15d6`) |
|
||||||
|
| 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) |
|
||||||
|
| 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) |
|
||||||
|
| 8080/tcp | Tor OR |
|
||||||
|
| 23235/tcp | SSH (VeciGate maps public 23235) |
|
||||||
|
| dhcpv6-client, ssh | services |
|
||||||
|
|
||||||
|
### Why 443 is required again
|
||||||
|
|
||||||
|
IPv4 public HTTPS is DNAT’d to **9001**, so opening only 9001 was enough.
|
||||||
|
IPv6 has **no DNAT**: clients hit `2a02:168:53a8:0:d584:9e34:13cf:15d6:443`
|
||||||
|
directly. Without 443/tcp in firewalld, AAAA looked like `ERR_ADDRESS_UNREACHABLE`
|
||||||
|
/ connect timeout while IPv4 still worked.
|
||||||
|
|
||||||
|
## History
|
||||||
|
|
||||||
|
| Port | Note |
|
||||||
|
|------|------|
|
||||||
|
| 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 |
|
||||||
|
| 8082/tcp removed | old Podman ACME |
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue