# firewalld zone public (eno1) ## Current (2026-07-09) ``` firewall-cmd --list-ports # 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp ``` | Port | Purpose | |------|---------| | 80/tcp | `http-proxy.socket` → Caddy 9000 (needed for **IPv6** WAN HTTP/ACME) | | **443/tcp** | `https-proxy.socket` → Caddy 9001 (**required for IPv6** AAAA `:15d6`) | | 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) | | 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) | | 8080/tcp | Tor OR | | 23235/tcp | SSH (VeciGate maps public 23235) | | dhcpv6-client, ssh | services | ### Why 443 is required again IPv4 public HTTPS is DNAT’d to **9001**, so opening only 9001 was enough. IPv6 has **no DNAT**: clients hit `2a02:168:53a8:0:d584:9e34:13cf:15d6:443` directly. Without 443/tcp in firewalld, AAAA looked like `ERR_ADDRESS_UNREACHABLE` / connect timeout while IPv4 still worked. ## History | Port | Note | |------|------| | 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 | | 8082/tcp removed | old Podman ACME |