koopa-admin-log/configs/firewalld/public-ports.md

50 lines
1.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# firewalld zone public (eno1)
## Current (2026-07-10)
```
firewall-cmd --list-ports
# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp 9200/tcp
```
| Port | Purpose |
|------|---------|
| 80/tcp | `http-proxy.socket` → Caddy 9000 (needed for **IPv6** WAN HTTP/ACME) |
| **443/tcp** | `https-proxy.socket` → Caddy 9001 (**required for IPv6** AAAA `:15d6`) |
| 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) |
| 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) |
| 8080/tcp | Tor OR |
| 23235/tcp | SSH (VeciGate maps public 23235 → host 22) |
| **9200/tcp** | **Forgejo git-SSH** (VeciGate WAN/hairpin/IPv6 → host 9200 → container 2222) |
| dhcpv6-client, ssh | services |
### Add / verify 9200
```bash
sudo firewall-cmd --permanent --add-port=9200/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
ss -lntp | grep 9200
```
### Why 443 is required again
IPv4 public HTTPS is DNATd to **9001**, so opening only 9001 was enough.
IPv6 has **no DNAT**: clients hit `2a02:168:53a8:0:d584:9e34:13cf:15d6:443`
directly. Without 443/tcp in firewalld, AAAA looked like `ERR_ADDRESS_UNREACHABLE`
/ connect timeout while IPv4 still worked.
### Why 9200
Forgejo advertises `SSH_PORT=9200`. Rootless podman publishes `0.0.0.0:9200→2222`.
VeciGate DNATs WAN:9200 and hairpins public A:9200; IPv6 forwards :9200 to koopa.
Without firewalld **9200/tcp**, external/LAN clients see **connection refused** even
though `ss` shows LISTEN on the host (local-only path still works).
## History
| Port | Note |
|------|------|
| 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 |
| 8082/tcp removed | old Podman ACME |
| **9200/tcp added** | 2026-07-10 Forgejo git-SSH |