1.9 KiB
1.9 KiB
firewalld zone public (eno1)
Current (2026-07-10, verified)
Expected open ports after Forgejo git-SSH:
sudo firewall-cmd --list-ports
# … 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp 9200/tcp
| Port | Purpose | LAN probe (2026-07-10) |
|---|---|---|
| 80/tcp | http-proxy → Caddy 9000 (IPv6 HTTP/ACME) |
via Caddy path |
| 443/tcp | https-proxy → Caddy 9001 (IPv6 HTTPS) |
via Caddy path |
| 9000/tcp | Caddy HTTP (WAN:80 → 9000) | OK |
| 9001/tcp | Caddy HTTPS (WAN:443 → 9001) | OK |
| 8080/tcp | Tor OR | — |
| 23235/tcp | (legacy list; host SSH is :22, WAN via VeciGate 23235→22) | — |
| 9200/tcp | Forgejo git-SSH (podman rootlessport) | OK after add+reload |
Not opened on purpose
| Port | Note |
|---|---|
| 9020–9024 | rootless apps; public HTTP only via Caddy → 127.0.0.1:90xx |
| 9024 | Forgejo HTTP internal to Caddy only |
LAN nc to 9021/9024 → connection refused is expected without firewalld open (and not required).
Commands
sudo firewall-cmd --permanent --add-port=9200/tcp
sudo firewall-cmd --reload # or systemctl restart firewalld
sudo firewall-cmd --list-ports
Verify (from another host on LAN / WAN)
nc -vz 192.168.100.95 9200
nc -vz 212.51.151.254 9200 # hairpin / public A
ssh -p 9200 -T git@git.hacktivism.ch
# expect: Hi there, … authenticated … Forgejo does not provide shell access.
Why 443
IPv4 HTTPS is DNAT’d to 9001. IPv6 has no DNAT — clients hit host :443 directly.
Why 9200
Forgejo advertises SSH_PORT=9200. Traffic hits host:9200 (not Caddy). Without firewalld 9200/tcp, clients get connection refused even while ss shows LISTEN and localhost works.
History
| When | Change |
|---|---|
| 2026-07-09 | 443/tcp re-added for IPv6 |
| 2026-07-10 | 9200/tcp for Forgejo git-SSH (verified LAN + hairpin + SSH auth) |