

It seems that I’d still need to modify net.ipv4.ip_unprivileged_port_start=80 in sysctl, which I don’t want to do. If I do it, the socket isn’t even strictly necessary.


Just a couple of friends use it. But I’d like to use this as a learning opportunity and do it the proper way. It seems that if I turn off masquerade in general, and use firewalld fine-grained rules to enable it when I actually need it, I might be able to achieve what I want. I’ll post an update to the original post if I can get it to work.


This is interesting. I need to figure out how it works for podman and it’ll be the perfect setup.


I think it’s the masquerade that’s causing problems for me. I have to keep it enabled since I’m running a tailscale exit node. But maybe I can selectively disable it here.
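Added example, not from the thread or from its author: one way to do the "selectively disable masquerade" idea from the two comments above with firewalld policy objects (firewalld 1.0 or newer). Zone-level masquerade on the WAN zone is removed, and a policy masquerades only traffic that enters from the zone holding tailscale0 and leaves through the WAN zone, which is the exit-node path. The zone names `trusted` and `public` and the policy name `tsExitNat` are assumptions; adjust them to the real setup. By default the script only prints the commands (`DRY_RUN=1`); run it with `DRY_RUN=0` as root to apply them.

```bash
#!/usr/bin/env bash
# Added example (not the thread author's config): masquerade only the
# tailscale exit-node path instead of the whole WAN zone.
# Assumptions (hypothetical): tailscale0 is in zone "trusted", the WAN
# interface is in zone "public", and the policy is called "tsExitNat".
# Needs firewalld >= 1.0 for policy objects. DRY_RUN=1 prints the commands,
# DRY_RUN=0 executes them (requires root).
set -u

TS_ZONE="${TS_ZONE:-trusted}"
WAN_ZONE="${WAN_ZONE:-public}"
POLICY="${POLICY:-tsExitNat}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Replace the blanket zone masquerade with a policy that NATs only packets
# coming in from the tailscale zone and going out via the WAN zone.
# --set-target ACCEPT lets the forwarded packets through the policy;
# without it they fall back to the zones' forwarding rules.
selective_masquerade() {
  run firewall-cmd --permanent --zone="$WAN_ZONE" --remove-masquerade
  run firewall-cmd --permanent --new-policy "$POLICY"
  run firewall-cmd --permanent --policy "$POLICY" --add-ingress-zone "$TS_ZONE"
  run firewall-cmd --permanent --policy "$POLICY" --add-egress-zone "$WAN_ZONE"
  run firewall-cmd --permanent --policy "$POLICY" --set-target ACCEPT
  run firewall-cmd --permanent --policy "$POLICY" --add-masquerade
  run firewall-cmd --reload
}

# Check the result: the zone should answer "no", the policy "yes".
verify_masquerade() {
  run firewall-cmd --zone="$WAN_ZONE" --query-masquerade
  run firewall-cmd --policy "$POLICY" --query-masquerade
}

selective_masquerade
verify_masquerade
```

`--new-policy` fails if a policy with that name already exists, so delete it first with `firewall-cmd --permanent --delete-policy tsExitNat` when re-running. Traffic from other zones, including the containers, is no longer masqueraded by the WAN zone after this; anything else that still needs NAT gets its own policy in the same way.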


But that just makes most ports unprivileged. That is a solution, but less preferred than my current one.


I mentioned in the post that it seems to make the client IP opaque to caddy.
I’m confused. What do you even mean?