1.1 KiB
1.1 KiB
firewalld zone public (eno1)
Current (2026-07-09)
firewall-cmd --list-ports
# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp
| Port | Purpose |
|---|---|
| 80/tcp | http-proxy.socket → Caddy 9000 (needed for IPv6 WAN HTTP/ACME) |
| 443/tcp | https-proxy.socket → Caddy 9001 (required for IPv6 AAAA :15d6) |
| 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) |
| 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) |
| 8080/tcp | Tor OR |
| 23235/tcp | SSH (VeciGate maps public 23235) |
| dhcpv6-client, ssh | services |
Why 443 is required again
IPv4 public HTTPS is DNAT’d to 9001, so opening only 9001 was enough.
IPv6 has no DNAT: clients hit 2a02:168:53a8:0:d584:9e34:13cf:15d6:443
directly. Without 443/tcp in firewalld, AAAA looked like ERR_ADDRESS_UNREACHABLE
/ connect timeout while IPv4 still worked.
History
| Port | Note |
|---|---|
| 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 |
| 8082/tcp removed | old Podman ACME |