koopa-admin-log/configs/firewalld/public-ports.md

32 lines
1.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# firewalld zone public (eno1)
## Current (2026-07-09)
```
firewall-cmd --list-ports
# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp
```
| Port | Purpose |
|------|---------|
| 80/tcp | `http-proxy.socket` → Caddy 9000 (needed for **IPv6** WAN HTTP/ACME) |
| **443/tcp** | `https-proxy.socket` → Caddy 9001 (**required for IPv6** AAAA `:15d6`) |
| 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) |
| 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) |
| 8080/tcp | Tor OR |
| 23235/tcp | SSH (VeciGate maps public 23235) |
| dhcpv6-client, ssh | services |
### Why 443 is required again
IPv4 public HTTPS is DNATd to **9001**, so opening only 9001 was enough.
IPv6 has **no DNAT**: clients hit `2a02:168:53a8:0:d584:9e34:13cf:15d6:443`
directly. Without 443/tcp in firewalld, AAAA looked like `ERR_ADDRESS_UNREACHABLE`
/ connect timeout while IPv4 still worked.
## History
| Port | Note |
|------|------|
| 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 |
| 8082/tcp removed | old Podman ACME |