32 lines
1.1 KiB
Markdown
32 lines
1.1 KiB
Markdown
# firewalld zone public (eno1)
|
||
|
||
## Current (2026-07-09)
|
||
|
||
```
|
||
firewall-cmd --list-ports
|
||
# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp
|
||
```
|
||
|
||
| Port | Purpose |
|
||
|------|---------|
|
||
| 80/tcp | `http-proxy.socket` → Caddy 9000 (needed for **IPv6** WAN HTTP/ACME) |
|
||
| **443/tcp** | `https-proxy.socket` → Caddy 9001 (**required for IPv6** AAAA `:15d6`) |
|
||
| 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) |
|
||
| 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) |
|
||
| 8080/tcp | Tor OR |
|
||
| 23235/tcp | SSH (VeciGate maps public 23235) |
|
||
| dhcpv6-client, ssh | services |
|
||
|
||
### Why 443 is required again
|
||
|
||
IPv4 public HTTPS is DNAT’d to **9001**, so opening only 9001 was enough.
|
||
IPv6 has **no DNAT**: clients hit `2a02:168:53a8:0:d584:9e34:13cf:15d6:443`
|
||
directly. Without 443/tcp in firewalld, AAAA looked like `ERR_ADDRESS_UNREACHABLE`
|
||
/ connect timeout while IPv4 still worked.
|
||
|
||
## History
|
||
|
||
| Port | Note |
|
||
|------|------|
|
||
| 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 |
|
||
| 8082/tcp removed | old Podman ACME |
|