koopa-admin-log/configs/firewalld/public-ports.md

1.7 KiB
Raw Blame History

firewalld zone public (eno1)

Current (2026-07-10)

firewall-cmd --list-ports
# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp 9200/tcp
Port Purpose
80/tcp http-proxy.socket → Caddy 9000 (needed for IPv6 WAN HTTP/ACME)
443/tcp https-proxy.socket → Caddy 9001 (required for IPv6 AAAA :15d6)
9000/tcp Caddy HTTP (VeciGate IPv4 WAN:80 → 9000)
9001/tcp Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001)
8080/tcp Tor OR
23235/tcp SSH (VeciGate maps public 23235 → host 22)
9200/tcp Forgejo git-SSH (VeciGate WAN/hairpin/IPv6 → host 9200 → container 2222)
dhcpv6-client, ssh services

Add / verify 9200

sudo firewall-cmd --permanent --add-port=9200/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
ss -lntp | grep 9200

Why 443 is required again

IPv4 public HTTPS is DNATd to 9001, so opening only 9001 was enough. IPv6 has no DNAT: clients hit 2a02:168:53a8:0:d584:9e34:13cf:15d6:443 directly. Without 443/tcp in firewalld, AAAA looked like ERR_ADDRESS_UNREACHABLE / connect timeout while IPv4 still worked.

Why 9200

Forgejo advertises SSH_PORT=9200. Rootless podman publishes 0.0.0.0:9200→2222. VeciGate DNATs WAN:9200 and hairpins public A:9200; IPv6 forwards :9200 to koopa. Without firewalld 9200/tcp, external/LAN clients see connection refused even though ss shows LISTEN on the host (local-only path still works).

History

Port Note
443 removed earlier “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6
8082/tcp removed old Podman ACME
9200/tcp added 2026-07-10 Forgejo git-SSH