koopa-admin-log/configs/firewalld/public-ports.md

1.1 KiB
Raw Blame History

firewalld zone public (eno1)

Current (2026-07-09)

firewall-cmd --list-ports
# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp
Port Purpose
80/tcp http-proxy.socket → Caddy 9000 (needed for IPv6 WAN HTTP/ACME)
443/tcp https-proxy.socket → Caddy 9001 (required for IPv6 AAAA :15d6)
9000/tcp Caddy HTTP (VeciGate IPv4 WAN:80 → 9000)
9001/tcp Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001)
8080/tcp Tor OR
23235/tcp SSH (VeciGate maps public 23235)
dhcpv6-client, ssh services

Why 443 is required again

IPv4 public HTTPS is DNATd to 9001, so opening only 9001 was enough. IPv6 has no DNAT: clients hit 2a02:168:53a8:0:d584:9e34:13cf:15d6:443 directly. Without 443/tcp in firewalld, AAAA looked like ERR_ADDRESS_UNREACHABLE / connect timeout while IPv4 still worked.

History

Port Note
443 removed earlier “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6
8082/tcp removed old Podman ACME