50 lines
1.7 KiB
Markdown
50 lines
1.7 KiB
Markdown
# firewalld zone public (eno1)
|
||
|
||
## Current (2026-07-10)
|
||
|
||
```
|
||
firewall-cmd --list-ports
|
||
# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp 9200/tcp
|
||
```
|
||
|
||
| Port | Purpose |
|
||
|------|---------|
|
||
| 80/tcp | `http-proxy.socket` → Caddy 9000 (needed for **IPv6** WAN HTTP/ACME) |
|
||
| **443/tcp** | `https-proxy.socket` → Caddy 9001 (**required for IPv6** AAAA `:15d6`) |
|
||
| 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) |
|
||
| 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) |
|
||
| 8080/tcp | Tor OR |
|
||
| 23235/tcp | SSH (VeciGate maps public 23235 → host 22) |
|
||
| **9200/tcp** | **Forgejo git-SSH** (VeciGate WAN/hairpin/IPv6 → host 9200 → container 2222) |
|
||
| dhcpv6-client, ssh | services |
|
||
|
||
### Add / verify 9200
|
||
|
||
```bash
|
||
sudo firewall-cmd --permanent --add-port=9200/tcp
|
||
sudo firewall-cmd --reload
|
||
sudo firewall-cmd --list-ports
|
||
ss -lntp | grep 9200
|
||
```
|
||
|
||
### Why 443 is required again
|
||
|
||
IPv4 public HTTPS is DNAT’d to **9001**, so opening only 9001 was enough.
|
||
IPv6 has **no DNAT**: clients hit `2a02:168:53a8:0:d584:9e34:13cf:15d6:443`
|
||
directly. Without 443/tcp in firewalld, AAAA looked like `ERR_ADDRESS_UNREACHABLE`
|
||
/ connect timeout while IPv4 still worked.
|
||
|
||
### Why 9200
|
||
|
||
Forgejo advertises `SSH_PORT=9200`. Rootless podman publishes `0.0.0.0:9200→2222`.
|
||
VeciGate DNATs WAN:9200 and hairpins public A:9200; IPv6 forwards :9200 to koopa.
|
||
Without firewalld **9200/tcp**, external/LAN clients see **connection refused** even
|
||
though `ss` shows LISTEN on the host (local-only path still works).
|
||
|
||
## History
|
||
|
||
| Port | Note |
|
||
|------|------|
|
||
| 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 |
|
||
| 8082/tcp removed | old Podman ACME |
|
||
| **9200/tcp added** | 2026-07-10 Forgejo git-SSH |
|