Install and Configure Firewalld on Debian 10/11

In this tutorial, we will look at how to install and configure Firewalld on Debian 10 / Debian 11. Firewalld is a Linux firewall management tool with support for IPv4, IPv6, Ethernet bridges and ipset-based rules.

Firewalld acts as a front-end to the Linux kernel's netfilter framework (using nftables as its backend on current releases, iptables on older ones). It is the default firewall management tool on RHEL 7+ and its derivatives, but it can be used on Debian-family distributions just as well.

The firewalld package is available in the official Debian apt repositories. Install it by running the commands below as root or as a user with sudo privileges.

sudo apt update

sudo apt -y install firewalld

This installs firewalld on Debian 11/10, starts the service and enables it at boot. Check the installed version with:

$ apt policy firewalld
firewalld:
  Installed: 0.9.3-2
  Candidate: 0.9.3-2
  Version table:
 *** 0.9.3-2 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status

Confirm that the service is running:

$ sudo firewall-cmd --state
running

debian@debian-bullseye-01:~$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-08-19 19:18:49 UTC; 39s ago
       Docs: man:firewalld(1)
   Main PID: 3317 (firewalld)
      Tasks: 2 (limit: 2340)
     Memory: 29.3M
        CPU: 868ms
     CGroup: /system.slice/firewalld.service
             └─3317 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Aug 19 19:18:48 debian-bullseye-01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 19 19:18:49 debian-bullseye-01 systemd[1]: Started firewalld - dynamic firewall daemon.

If ufw is enabled, disable it before relying on firewalld. Two firewall managers writing to the same netfilter tables overwrite each other's rules, and the resulting rule set is unpredictable:

sudo ufw disable

Now that the package is installed and the firewalld service is running, let's look at a few usage examples for securing a server or workstation.

To list the rules of the default zone (public on a fresh install), including the interfaces bound to it, use:

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The ssh and dhcpv6-client services are allowed in the public zone out of the box, so starting firewalld on a remote machine does not lock you out of SSH. Anything not listed here is rejected by the zone's default target.

To get the full list of predefined services (each one is an XML definition under /usr/lib/firewalld/services/, with local overrides in /etc/firewalld/services/), use the following command.

sudo firewall-cmd --get-services

To allow a service on the firewall, the command syntax is:

sudo firewall-cmd --add-service="servicename" --permanent

--permanent writes the change only to the saved configuration under /etc/firewalld/; the running firewall does not change until you reload (or reboot). Without --permanent the change takes effect immediately but is lost at the next reload. The example below enables the http service and then reloads to apply it.

$ sudo firewall-cmd --add-service="http" --permanent
success

$ sudo firewall-cmd --reload

To allow several services in one invocation, repeat the option. firewall-cmd does not take a comma-separated list: it would look for a service literally named "http,https,smtp,imap" and fail with an INVALID_SERVICE error.

sudo firewall-cmd --add-service=http --add-service=https --add-service=smtp --add-service=imap --permanent --zone=public
sudo firewall-cmd --reload

The syntax for opening a TCP port is:

sudo firewall-cmd --add-port=<port>/tcp --permanent
sudo firewall-cmd --reload

Here is how to open ports 8080 and 8443 in the public zone. As with services, each port gets its own --add-port (a contiguous range is written as <first>-<last>/tcp):

sudo firewall-cmd --zone=public --add-port=8080/tcp --add-port=8443/tcp --permanent
sudo firewall-cmd --reload

For UDP ports, replace /tcp with /udp. Prefer the named service when one exists: a service entry documents intent, and it can carry the helper modules and destination restrictions that a bare port cannot.
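The two points above (one value per --add-* option, and --permanent not touching the running firewall) are easy to get wrong in scripts. The following shell script is an added example, not code from the original article: it opens services or ports on a zone by changing the runtime configuration first, querying each entry back, and only then copying the runtime set to the permanent configuration with --runtime-to-permanent, so a typo is undone by a reload instead of surviving a reboot. It assumes firewall-cmd from the firewalld package is installed; the FW_DRY_RUN variable is the script's own convention for printing the commands instead of executing them.

```sh
#!/bin/sh
# Added example (not from the article): open services/ports on a zone with a
# runtime-first, verify, then commit workflow. Assumes firewall-cmd from the
# firewalld package; FW_DRY_RUN=1 prints the commands instead of running them.
set -eu

# Run firewall-cmd, or echo the would-be command line when FW_DRY_RUN=1.
fwcmd() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# fw_add <service|port> <zone> <item>...
# Builds one firewall-cmd call with one --add-* flag per item: firewall-cmd
# takes a single value per option, so "http,https" or "8080,8443/tcp" would be
# rejected as an unknown service / invalid port. Ports must be N/tcp, N/udp
# or a range N-M/tcp.
fw_add() {
    kind=$1; zone=$2; shift 2
    [ $# -gt 0 ] || { echo "fw_add: nothing to add" >&2; return 2; }
    args=""
    for item in "$@"; do
        case "$kind" in
            service) args="$args --add-service=$item" ;;
            port)
                num=${item%/*}; proto=${item##*/}
                case "$proto" in
                    tcp|udp) ;;
                    *) echo "fw_add: '$item' must end in /tcp or /udp" >&2; return 2 ;;
                esac
                case "$num" in
                    ''|*[!0-9-]*) echo "fw_add: bad port '$num' in '$item'" >&2; return 2 ;;
                esac
                args="$args --add-port=$item" ;;
            *) echo "fw_add: kind must be service or port" >&2; return 2 ;;
        esac
    done
    # $args is split on purpose: it holds several flags.
    fwcmd --zone="$zone" $args
}

# fw_change_and_commit <service|port> <zone> <item>...
# Runtime first (no --permanent), so a mistake is undone by --reload or a
# reboot; --query-* exits non-zero if an entry is missing, which aborts the
# script (set -e) before anything is written to /etc/firewalld/.
fw_change_and_commit() {
    kind=$1; zone=$2; shift 2
    fw_add "$kind" "$zone" "$@"
    for item in "$@"; do
        fwcmd --zone="$zone" --query-"$kind"="$item"
    done
    fwcmd --runtime-to-permanent
}

# Demo run in dry-run mode so the script is safe to execute anywhere.
FW_DRY_RUN=1 fw_change_and_commit port public 8080/tcp 8443/tcp
```

Run it without FW_DRY_RUN as root (or via sudo) to apply the change for real; the final --runtime-to-permanent saves the entire runtime set, so any other runtime-only changes made earlier in the session are committed along with it.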

To create a new firewall zone, use the command below. Zones can only be created in the permanent configuration, so --permanent is required here, and a reload makes the new zone available at runtime:

$ sudo firewall-cmd --new-zone=zonename --permanent

#E.g
$ sudo firewall-cmd --new-zone=private --permanent
$ sudo firewall-cmd --reload

A new zone starts empty with target default, so nothing is allowed into it until you add services, ports or rich rules.

To enable a service or port in a specific zone, the syntax is:

sudo firewall-cmd --zone=<zone> --add-port=<port>/tcp --permanent
sudo firewall-cmd --zone=<zone> --add-port=<port>/udp --permanent
sudo firewall-cmd --zone=<zone> --add-service=<service> --permanent
sudo firewall-cmd --zone=<zone> --add-service=<service1> --add-service=<service2> --add-service=<service3> --permanent

Without --zone, the command acts on the default zone (public, unless changed with --set-default-zone).

For systems with more than one interface, you can bind each interface to a zone, e.g. the interface facing backend web servers to the private zone and the interface facing frontend applications to the public zone. Check which zone an interface is in, then bind it (use --change-interface instead of --add-interface if it is already bound to a different zone). On hosts managed by NetworkManager, set the zone on the connection profile instead, because NetworkManager reapplies its own binding:

sudo firewall-cmd --get-zone-of-interface=eth1 --permanent
sudo firewall-cmd --zone=<zone> --add-interface=eth1 --permanent

Access to a service or port can be restricted to a specific source address or subnet with rich rules. The two rules below accept ssh from a single host and from a subnet respectively; they apply to the default zone, since no --zone is given.

$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="192.168.0.12/32" accept' --permanent

$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="10.1.1.0/24" accept' --permanent

An accept rich rule adds an allowance; it does not take one away. As long as ssh is still listed under the zone's services (it is by default), ssh stays open to every source and these rules change nothing. To actually restrict it, first remove the service from the zone (--remove-service=ssh --permanent), then add the rich rule and reload, and make sure the subnet you keep includes the address you are connecting from, or the reload will cut off your own session.

List the rich rules of the default zone with:

sudo firewall-cmd --list-rich-rules
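The following shell script is an added example, not code from the original article, of restricting ssh to an admin subnet the way the caveat above requires: it removes the plain ssh service from the zone, adds the accept rich rule for the subnet, and refuses to proceed when the session running it (read from the SSH_CONNECTION variable that sshd sets) is outside that subnet. It assumes firewall-cmd is installed; the zone name, the 10.1.1.0/24 subnet and the SSH_CONNECTION value in the demo are illustrative, and FW_DRY_RUN is the script's own switch for printing the commands instead of executing them. The CIDR check is written in plain POSIX sh arithmetic so the script has no dependencies beyond firewalld.

```sh
#!/bin/sh
# Added example (not from the article): limit ssh to an admin subnet with a
# rich rule, refusing to apply the change when it would cut off the current
# session. Assumes firewall-cmd; FW_DRY_RUN=1 prints instead of running.
set -eu

# Run firewall-cmd, or echo the would-be command line when FW_DRY_RUN=1.
fwcmd() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# ip2int 10.1.1.7 -> 167837959 (dotted quad to integer).
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# cidr_contains <network/prefix | address> <address>: exit 0 when inside.
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    [ "$bits" != "$1" ] || bits=32          # bare address means /32
    size=1; hostbits=$((32 - bits))         # size = 2^(32 - prefix)
    while [ "$hostbits" -gt 0 ]; do size=$((size * 2)); hostbits=$((hostbits - 1)); done
    n=$(ip2int "$net"); a=$(ip2int "$2")
    n=$((n - n % size))                     # align to the network boundary
    [ "$a" -ge "$n" ] && [ "$a" -lt $((n + size)) ]
}

# lock_ssh_to <zone> <admin-cidr>
lock_ssh_to() {
    zone=$1; admin=$2
    # Lock-out guard: SSH_CONNECTION begins with the client address of the
    # session running this script; it must stay inside the admin subnet.
    if [ -n "${SSH_CONNECTION:-}" ]; then
        client=${SSH_CONNECTION%% *}
        if ! cidr_contains "$admin" "$client"; then
            echo "refusing: this session comes from $client, outside $admin" >&2
            return 1
        fi
    fi
    # The plain service entry must go first: while "ssh" is in the zone's
    # services list the zone accepts ssh from everyone and the rich rule
    # restricts nothing. Once it is gone, sources not matched by the rich
    # rule fall through to the zone target (reject, for public).
    fwcmd --permanent --zone="$zone" --remove-service=ssh
    fwcmd --permanent --zone="$zone" \
        --add-rich-rule="rule family=\"ipv4\" source address=\"$admin\" service name=\"ssh\" accept"
    fwcmd --reload
    fwcmd --zone="$zone" --list-rich-rules
}

# Demo: dry run with a constructed SSH_CONNECTION value.
SSH_CONNECTION="10.1.1.7 51022 10.1.1.20 22" FW_DRY_RUN=1 lock_ssh_to public 10.1.1.0/24
```

A second, non-matching source is simply rejected by the zone target here; a reject rich rule is not needed. If you do add one (for example to log refused attempts), note that rich rules at the default priority are ordered log, deny, allow, so a deny rule would shadow the accept rule unless you give it a positive priority attribute (supported from firewalld 0.7, i.e. on Debian 11 but not Debian 10).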

A few more examples: masquerading and port forwarding. Forwarding to another host (toaddr) relies on masquerade being enabled on the zone, so that the forwarded packets leave with this host's address and the replies come back through it; also check that kernel IP forwarding is on (net.ipv4.ip_forward must be 1). A forward-port only matches traffic arriving on the zone's interfaces; connections made from the host itself are not redirected. Each command below still needs a --reload to take effect.

# Enable masquerading
sudo firewall-cmd --add-masquerade --permanent

# Port forward to a different port within same server ( 22 > 2022)
sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022 --permanent

# Port forward to same port on a different server (local:22 > 192.168.2.10:22)
sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.168.2.10 --permanent

# Port forward to different port on a different server (local:7071 > 10.50.142.37:9071)
sudo firewall-cmd --add-forward-port=port=7071:proto=tcp:toport=9071:toaddr=10.50.142.37 --permanent
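The following shell script is an added example, not code from the original article: it publishes a backend host's service through this machine with a forward-port, building the port=...:proto=...:toport=...:toaddr=... value from its parts, enabling masquerade on the zone, querying the forward back, and warning when the kernel has IP forwarding switched off. It assumes firewall-cmd is installed; the zone, addresses and ports are illustrative, and FW_DRY_RUN is the script's own switch for printing the commands instead of executing them.

```sh
#!/bin/sh
# Added example (not from the article): forward a port to a backend host with
# the prerequisites a plain --add-forward-port does not check for you.
# Assumes firewall-cmd; FW_DRY_RUN=1 prints the commands instead of running.
set -eu

# Run firewall-cmd, or echo the would-be command line when FW_DRY_RUN=1.
fwcmd() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# forward_spec <port> <proto> <toport> <toaddr>
# Builds the value for --add-forward-port. Pass "" for toport to keep the
# same port on the target, or "" for toaddr to redirect on this host; at
# least one of the two must be given or there is nothing to forward to.
forward_spec() {
    port=$1; proto=$2; toport=$3; toaddr=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_spec: proto must be tcp or udp" >&2; return 2 ;;
    esac
    [ -n "$toport" ] || [ -n "$toaddr" ] || {
        echo "forward_spec: need toport and/or toaddr" >&2; return 2; }
    spec="port=$port:proto=$proto"
    [ -z "$toport" ] || spec="$spec:toport=$toport"
    [ -z "$toaddr" ] || spec="$spec:toaddr=$toaddr"
    printf '%s\n' "$spec"
}

# ip_forwarding_on: exit 0 if the kernel routes packets between interfaces.
ip_forwarding_on() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = 1 ]
}

# forward_to_backend <zone> <port> <proto> <backend-addr> [<backend-port>]
forward_to_backend() {
    zone=$1; port=$2; proto=$3; toaddr=$4; toport=${5:-}
    spec=$(forward_spec "$port" "$proto" "$toport" "$toaddr")
    # DNAT to another host needs masquerade on the zone so the backend's
    # replies return through this box; re-adding it when it is already on
    # only produces an ALREADY_ENABLED warning.
    fwcmd --zone="$zone" --add-masquerade
    fwcmd --zone="$zone" --add-forward-port="$spec"
    # --query-forward-port exits non-zero if the entry is missing, which
    # aborts (set -e) before the runtime set is committed.
    fwcmd --zone="$zone" --query-forward-port="$spec"
    # The forward only matches traffic entering the zone's interfaces, and the
    # kernel must be willing to route it onward: verify rather than assume.
    if [ "${FW_DRY_RUN:-0}" != 1 ] && ! ip_forwarding_on; then
        echo "warning: net.ipv4.ip_forward is 0; forwarded packets will not be routed" >&2
    fi
    fwcmd --runtime-to-permanent
}

# Demo: dry run of local:7071 -> 10.50.142.37:9071 on the public zone.
FW_DRY_RUN=1 forward_to_backend public 7071 tcp 10.50.142.37 9071
```

Because the forward is applied to the runtime set before --runtime-to-permanent, a failed query leaves nothing behind in /etc/firewalld/; a --reload (or reboot) returns the host to its saved configuration.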

To remove a port, service, rich rule or forward, replace --add with --remove in the command used to add it, keeping --permanent and following it with a --reload, exactly as when adding.

Enjoy using Firewalld on Debian 10 / Debian 11 Linux. For further reading, check the Firewalld documentation.

https://www.computingpost.com/install-and-configure-firewalld-on-debian-10-11/?feed_id=18298&_unique_id=636cef2500cda


ComputingPost — Linux Howtos, Tutorials, Guides, News, Tips and Tricks.