# firewalld zone public (eno1) ## Current (2026-07-10, verified) Expected open ports after Forgejo git-SSH: ``` sudo firewall-cmd --list-ports # … 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp 9200/tcp ``` | Port | Purpose | LAN probe (2026-07-10) | |------|---------|------------------------| | 80/tcp | `http-proxy` → Caddy 9000 (IPv6 HTTP/ACME) | via Caddy path | | **443/tcp** | `https-proxy` → Caddy 9001 (IPv6 HTTPS) | via Caddy path | | 9000/tcp | Caddy HTTP (WAN:80 → 9000) | **OK** | | 9001/tcp | Caddy HTTPS (WAN:443 → 9001) | **OK** | | 8080/tcp | Tor OR | — | | 23235/tcp | (legacy list; host SSH is :22, WAN via VeciGate 23235→22) | — | | **9200/tcp** | **Forgejo git-SSH** (podman rootlessport) | **OK** after add+reload | ### Not opened on purpose | Port | Note | |------|------| | 9020–9024 | rootless apps; public HTTP only via Caddy → `127.0.0.1:90xx` | | 9024 | Forgejo HTTP internal to Caddy only | LAN `nc` to 9021/9024 → **connection refused** is expected without firewalld open (and not required). ### Commands ```bash sudo firewall-cmd --permanent --add-port=9200/tcp sudo firewall-cmd --reload # or systemctl restart firewalld sudo firewall-cmd --list-ports ``` ### Verify (from another host on LAN / WAN) ```bash nc -vz 192.168.100.95 9200 nc -vz 212.51.151.254 9200 # hairpin / public A ssh -p 9200 -T git@git.hacktivism.ch # expect: Hi there, … authenticated … Forgejo does not provide shell access. ``` ### Why 443 IPv4 HTTPS is DNAT’d to **9001**. IPv6 has **no DNAT** — clients hit host **:443** directly. ### Why 9200 Forgejo advertises `SSH_PORT=9200`. Traffic hits **host:9200** (not Caddy). Without firewalld **9200/tcp**, clients get **connection refused** even while `ss` shows LISTEN and localhost works. ## History | When | Change | |------|--------| | 2026-07-09 | 443/tcp re-added for IPv6 | | 2026-07-10 | **9200/tcp** for Forgejo git-SSH (verified LAN + hairpin + SSH auth) |