docs: verify firewalld 9200 for Forgejo git-SSH
This commit is contained in:
parent
0c7d96b584
commit
e194c16774
3 changed files with 52 additions and 41 deletions
|
|
@ -68,7 +68,7 @@ sudo systemctl reload caddy
|
||||||
|-------|------|
|
|-------|------|
|
||||||
| **VeciGate IPv4** | WAN **9200** → `192.168.100.95:9200`; hairpin LAN/LAN2 → public A:9200 |
|
| **VeciGate IPv4** | WAN **9200** → `192.168.100.95:9200`; hairpin LAN/LAN2 → public A:9200 |
|
||||||
| **VeciGate IPv6** | WAN→LAN forward **tcp/9200** |
|
| **VeciGate IPv6** | WAN→LAN forward **tcp/9200** |
|
||||||
| **koopa firewalld** | `public` **9200/tcp** |
|
| **koopa firewalld** | `public` **9200/tcp** (verified 2026-07-10: LAN + hairpin + `ssh -T`) |
|
||||||
|
|
||||||
Docs: `../vecigate-admin-log` (`ip/firewall/nat/`, `ipv6/firewall/filter/`, `docs/CHANGELOG.md`);
|
Docs: `../vecigate-admin-log` (`ip/firewall/nat/`, `ipv6/firewall/filter/`, `docs/CHANGELOG.md`);
|
||||||
host ports: `configs/firewalld/public-ports.md`.
|
host ports: `configs/firewalld/public-ports.md`.
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,7 @@
|
||||||
→ topic: `2026-07-10--bonfire-federate.md`; secrets: `koopa-admin-secrets/…/koopa-bonfire/`
|
→ topic: `2026-07-10--bonfire-federate.md`; secrets: `koopa-admin-secrets/…/koopa-bonfire/`
|
||||||
- **Forgejo rootless** on `git.hacktivism.ch` (HTTP **9024**, git-SSH **9200**); no free registration; admin `hernani`
|
- **Forgejo rootless** on `git.hacktivism.ch` (HTTP **9024**, git-SSH **9200**); no free registration; admin `hernani`
|
||||||
→ topic: `2026-07-10--forgejo-rootless.md`; secrets: `koopa-admin-secrets/…/koopa-forgejo/`
|
→ topic: `2026-07-10--forgejo-rootless.md`; secrets: `koopa-admin-secrets/…/koopa-forgejo/`
|
||||||
- **git-SSH :9200** exposed: VeciGate DNAT/hairpin + IPv6 forward; koopa firewalld **9200/tcp**
|
- **git-SSH :9200** exposed + **verified**: VeciGate DNAT/hairpin + IPv6; firewalld **9200/tcp** (LAN/hairpin/`ssh -T` OK)
|
||||||
→ vecigate-admin-log CHANGELOG 2026-07-10; `configs/firewalld/public-ports.md`
|
→ vecigate-admin-log CHANGELOG 2026-07-10; `configs/firewalld/public-ports.md`
|
||||||
- **admin-log origin** → Forgejo `hernani/koopa-admin-log` on git.hacktivism.ch (public; SSH :9200)
|
- **admin-log origin** → Forgejo `hernani/koopa-admin-log` on git.hacktivism.ch (public; SSH :9200)
|
||||||
→ topic: `2026-07-10--admin-log-origin-forgejo.md`
|
→ topic: `2026-07-10--admin-log-origin-forgejo.md`
|
||||||
|
|
|
||||||
|
|
@ -1,50 +1,61 @@
|
||||||
# firewalld zone public (eno1)
|
# firewalld zone public (eno1)
|
||||||
|
|
||||||
## Current (2026-07-10)
|
## Current (2026-07-10, verified)
|
||||||
|
|
||||||
|
Expected open ports after Forgejo git-SSH:
|
||||||
|
|
||||||
```
|
```
|
||||||
firewall-cmd --list-ports
|
|
||||||
# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp 9200/tcp
|
|
||||||
```
|
|
||||||
|
|
||||||
| Port | Purpose |
|
|
||||||
|------|---------|
|
|
||||||
| 80/tcp | `http-proxy.socket` → Caddy 9000 (needed for **IPv6** WAN HTTP/ACME) |
|
|
||||||
| **443/tcp** | `https-proxy.socket` → Caddy 9001 (**required for IPv6** AAAA `:15d6`) |
|
|
||||||
| 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) |
|
|
||||||
| 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) |
|
|
||||||
| 8080/tcp | Tor OR |
|
|
||||||
| 23235/tcp | SSH (VeciGate maps public 23235 → host 22) |
|
|
||||||
| **9200/tcp** | **Forgejo git-SSH** (VeciGate WAN/hairpin/IPv6 → host 9200 → container 2222) |
|
|
||||||
| dhcpv6-client, ssh | services |
|
|
||||||
|
|
||||||
### Add / verify 9200
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo firewall-cmd --permanent --add-port=9200/tcp
|
|
||||||
sudo firewall-cmd --reload
|
|
||||||
sudo firewall-cmd --list-ports
|
sudo firewall-cmd --list-ports
|
||||||
ss -lntp | grep 9200
|
# … 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp 9200/tcp
|
||||||
```
|
```
|
||||||
|
|
||||||
### Why 443 is required again
|
| Port | Purpose | LAN probe (2026-07-10) |
|
||||||
|
|------|---------|------------------------|
|
||||||
|
| 80/tcp | `http-proxy` → Caddy 9000 (IPv6 HTTP/ACME) | via Caddy path |
|
||||||
|
| **443/tcp** | `https-proxy` → Caddy 9001 (IPv6 HTTPS) | via Caddy path |
|
||||||
|
| 9000/tcp | Caddy HTTP (WAN:80 → 9000) | **OK** |
|
||||||
|
| 9001/tcp | Caddy HTTPS (WAN:443 → 9001) | **OK** |
|
||||||
|
| 8080/tcp | Tor OR | — |
|
||||||
|
| 23235/tcp | (legacy list; host SSH is :22, WAN via VeciGate 23235→22) | — |
|
||||||
|
| **9200/tcp** | **Forgejo git-SSH** (podman rootlessport) | **OK** after add+reload |
|
||||||
|
|
||||||
IPv4 public HTTPS is DNAT’d to **9001**, so opening only 9001 was enough.
|
### Not opened on purpose
|
||||||
IPv6 has **no DNAT**: clients hit `2a02:168:53a8:0:d584:9e34:13cf:15d6:443`
|
|
||||||
directly. Without 443/tcp in firewalld, AAAA looked like `ERR_ADDRESS_UNREACHABLE`
|
|
||||||
/ connect timeout while IPv4 still worked.
|
|
||||||
|
|
||||||
### Why 9200
|
|
||||||
|
|
||||||
Forgejo advertises `SSH_PORT=9200`. Rootless podman publishes `0.0.0.0:9200→2222`.
|
|
||||||
VeciGate DNATs WAN:9200 and hairpins public A:9200; IPv6 forwards :9200 to koopa.
|
|
||||||
Without firewalld **9200/tcp**, external/LAN clients see **connection refused** even
|
|
||||||
though `ss` shows LISTEN on the host (local-only path still works).
|
|
||||||
|
|
||||||
## History
|
|
||||||
|
|
||||||
| Port | Note |
|
| Port | Note |
|
||||||
|------|------|
|
|------|------|
|
||||||
| 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 |
|
| 9020–9024 | rootless apps; public HTTP only via Caddy → `127.0.0.1:90xx` |
|
||||||
| 8082/tcp removed | old Podman ACME |
|
| 9024 | Forgejo HTTP internal to Caddy only |
|
||||||
| **9200/tcp added** | 2026-07-10 Forgejo git-SSH |
|
|
||||||
|
LAN `nc` to 9021/9024 → **connection refused** is expected without firewalld open (and not required).
|
||||||
|
|
||||||
|
### Commands
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo firewall-cmd --permanent --add-port=9200/tcp
|
||||||
|
sudo firewall-cmd --reload # or systemctl restart firewalld
|
||||||
|
sudo firewall-cmd --list-ports
|
||||||
|
```
|
||||||
|
|
||||||
|
### Verify (from another host on LAN / WAN)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nc -vz 192.168.100.95 9200
|
||||||
|
nc -vz 212.51.151.254 9200 # hairpin / public A
|
||||||
|
ssh -p 9200 -T git@git.hacktivism.ch
|
||||||
|
# expect: Hi there, … authenticated … Forgejo does not provide shell access.
|
||||||
|
```
|
||||||
|
|
||||||
|
### Why 443
|
||||||
|
|
||||||
|
IPv4 HTTPS is DNAT’d to **9001**. IPv6 has **no DNAT** — clients hit host **:443** directly.
|
||||||
|
|
||||||
|
### Why 9200
|
||||||
|
|
||||||
|
Forgejo advertises `SSH_PORT=9200`. Traffic hits **host:9200** (not Caddy). Without firewalld **9200/tcp**, clients get **connection refused** even while `ss` shows LISTEN and localhost works.
|
||||||
|
|
||||||
|
## History
|
||||||
|
|
||||||
|
| When | Change |
|
||||||
|
|------|--------|
|
||||||
|
| 2026-07-09 | 443/tcp re-added for IPv6 |
|
||||||
|
| 2026-07-10 | **9200/tcp** for Forgejo git-SSH (verified LAN + hairpin + SSH auth) |
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue