Ports
Every well-known port in the system, in one table. The short version: nothing you run at home listens on the network. The gateway and CLI only dial out (WSS to a relay), the gateway's console binds loopback only, and the only component that opens public ports is a relay — the system relay fleet, or an edge you host yourself.
| Port | Component | Bind | Purpose |
|---|---|---|---|
| 443/tcp | Relay (system + edge) | public | The WSS carrier endpoints everything dials: gateways (/ws/gateway + /ws/gateway/signal), clients (/ws/client), and the relay's own links up to the console. On an edge this is the tls_listen listener, default :443, settable or off for a LAN-only edge. With the nginx front installed, nginx owns :443 and passes through. |
| 443/udp (QUIC) | Relay (system + edge) | public, optional | The QUIC transport on the system relay fleet. On an edge, QUIC has no default — it is off unless quic_addr is set in ~/.burrowee/edge/config (or --quic-addr), and it binds exactly the address you give; nginx does not front it. |
| 16518/tcp | Gateway | 127.0.0.1 only | The local console — the gateway's web UI + JSON API. Never reachable from the network; disable with --console off. |
| 8448/tcp | Edge | LAN interfaces | The nginx LAN TLS front (nginx --listen-lan, default 8448). Terminates the pinned LAN cert and proxies to the edge's loopback listener below. This is the port advertised in LAN endpoints. |
| 9448/tcp | Edge | 127.0.0.1 only | The edge's plain-WS LAN listener (lan_listen, default 127.0.0.1:9448) — only ever reached through the nginx front on 8448. |
| 9100/tcp | Console (server-side) | 127.0.0.1 only | The burrowee-console control-plane upstream (--addr, default 127.0.0.1:9100), fronted by nginx in production. Listed for completeness — it runs on Burrowee's servers, not on anything you install. |
| ephemeral | CLI | 127.0.0.1:0 | The local forward listener connect/ssh opens for each tunnel (--local to pin one). ssh always uses an ephemeral loopback port. |
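
An added example (not part of Burrowee's own tooling or documentation): a check over `ss -H -ltn` output that flags any listener on the default loopback-only ports from the table above (16518 gateway console, 9448 edge lan_listen) that is bound to a non-loopback address. The sample `ss` lines are constructed and the function names are hypothetical.

```python
import ipaddress

# Default ports the table documents as bound to 127.0.0.1 only.
LOOPBACK_ONLY = {16518: "gateway console", 9448: "edge lan_listen"}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:16518 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9448 0.0.0.0:*
LISTEN 0 511 *:8448 *:*
LISTEN 0 4096 [::1]:16518 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return [(address, port)] for every LISTEN row of `ss -H -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Drop an interface/zone suffix first, then IPv6 brackets.
        host = host.split("%")[0].strip("[]")
        listeners.append((host, int(port)))
    return listeners

def is_loopback(host):
    """True only for loopback literals; wildcards such as * or 0.0.0.0 are not."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "*" or anything unparsable is treated as exposed

def audit(ss_output):
    """Return (port, component, address) for loopback-only ports bound elsewhere."""
    return [(port, LOOPBACK_ONLY[port], host)
            for host, port in parse_listeners(ss_output)
            if port in LOOPBACK_ONLY and not is_loopback(host)]

if __name__ == "__main__":
    for port, component, host in audit(SAMPLE_SS):
        print(f"{component}: port {port} is bound to {host}, expected loopback")
```

If lan_listen or the console port has been changed from its default, adjust `LOOPBACK_ONLY` to match before running the check.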
Unix sockets (not TCP, listed for completeness)
| Socket | Component | Purpose |
|---|---|---|
| ~/.burrowee/cli/sockets/transport.sock | CLI daemon | Transport IPC — stream consumers and relays use/priority/pair/probe (not relays list, which reads config.json) |
| ~/.burrowee/gateway/sockets/register.sock | Gateway | burrowee-register registers local services |
Each lives under its component home (~/.burrowee/<cli|gateway>/sockets/). On a pathologically long home path the transport socket overflows to $XDG_RUNTIME_DIR/burrowee/transport.sock (OS temp dir when XDG_RUNTIME_DIR is unset) and the register socket to the fixed path /usr/local/var/burrowee/gateway/sockets/register.sock. Paths and overrides: Config homes & files.
What dials what
Outbound-only summary — useful for firewall rules:
| From | To | Protocol |
|---|---|---|
| CLI | relay :443 (and QUIC if configured); LAN-published edge origins first when present | WSS / QUIC |
| Gateway | every configured relay :443 | WSS (carrier + signal) |
| Edge | the Burrowee console (compiled-in host) | WSS (carrier + signal) + HTTPS |
| Gateway → local service | e.g. 127.0.0.1:22 on the gateway host | plain TCP (the target you exposed) |