koopa-admin-log/configs/firewalld/public-ports.md
2026-07-10 14:45:56 +02:00

1.9 KiB
Raw Permalink Blame History

firewalld zone public (eno1)

Current (2026-07-10, verified)

Expected open ports after Forgejo git-SSH:

sudo firewall-cmd --list-ports
# … 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp 9200/tcp
Port Purpose LAN probe (2026-07-10)
80/tcp http-proxy → Caddy 9000 (IPv6 HTTP/ACME) via Caddy path
443/tcp https-proxy → Caddy 9001 (IPv6 HTTPS) via Caddy path
9000/tcp Caddy HTTP (WAN:80 → 9000) OK
9001/tcp Caddy HTTPS (WAN:443 → 9001) OK
8080/tcp Tor OR
23235/tcp (legacy list; host SSH is :22, WAN via VeciGate 23235→22)
9200/tcp Forgejo git-SSH (podman rootlessport) OK after add+reload

Not opened on purpose

Port Note
90209024 rootless apps; public HTTP only via Caddy → 127.0.0.1:90xx
9024 Forgejo HTTP internal to Caddy only

LAN nc to 9021/9024 → connection refused is expected without firewalld open (and not required).

Commands

sudo firewall-cmd --permanent --add-port=9200/tcp
sudo firewall-cmd --reload   # or systemctl restart firewalld
sudo firewall-cmd --list-ports

Verify (from another host on LAN / WAN)

nc -vz 192.168.100.95 9200
nc -vz 212.51.151.254 9200          # hairpin / public A
ssh -p 9200 -T git@git.hacktivism.ch
# expect: Hi there, … authenticated … Forgejo does not provide shell access.

Why 443

IPv4 HTTPS is DNATd to 9001. IPv6 has no DNAT — clients hit host :443 directly.

Why 9200

Forgejo advertises SSH_PORT=9200. Traffic hits host:9200 (not Caddy). Without firewalld 9200/tcp, clients get connection refused even while ss shows LISTEN and localhost works.

History

When Change
2026-07-09 443/tcp re-added for IPv6
2026-07-10 9200/tcp for Forgejo git-SSH (verified LAN + hairpin + SSH auth)