firewalld
Firewalld acts as a front-end to the Linux kernel's netfilter framework. It is the default firewall management tool for the RHEL 7+ family of Linux distributions, but it can also be used on the Debian family of distros.
Install Firewalld on Debian 11 / Debian 10
The firewalld package is available in the official Debian apt repositories. Installation is as quick as running the commands below in a terminal as root or as a user with sudo privileges.
sudo apt update
sudo apt -y install firewalld
This installs firewalld on Debian 11/10 and enables the service to start at boot. Pull package details with:
$ apt policy firewalld
firewalld:
Installed: 0.9.3-2
Candidate: 0.9.3-2
Version table:
*** 0.9.3-2 500
500 http://deb.debian.org/debian bullseye/main amd64 Packages
100 /var/lib/dpkg/status
Confirm that the service is running.
$ sudo firewall-cmd --state
running
debian@debian-bullseye-01:~$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-08-19 19:18:49 UTC; 39s ago
Docs: man:firewalld(1)
Main PID: 3317 (firewalld)
Tasks: 2 (limit: 2340)
Memory: 29.3M
CPU: 868ms
CGroup: /system.slice/firewalld.service
└─3317 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
Aug 19 19:18:48 debian-bullseye-01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 19 19:18:49 debian-bullseye-01 systemd[1]: Started firewalld - dynamic firewall daemon.
If you have ufw enabled, disable it so that firewalld becomes your only active firewall front-end:
sudo ufw disable
Using Firewalld on Debian 10 / Debian 11
Now that the package is installed and the firewalld service is running, let's look at a few usage examples showing how it can be used to secure your server or workstation.
1. List all firewall rules configured
To list the current rules, use the command:
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
The ssh and dhcpv6-client services are allowed by default when you start the firewalld service.
2. List services that can be enabled/disabled
To get a full list of services which can be enabled or disabled, use the following command.
sudo firewall-cmd --get-services
3. Enable a service / a list of services
To allow a service through the firewall, the command syntax is:
sudo firewall-cmd --add-service="servicename" --permanent
The example below enables the http service and reloads the firewall so the permanent rule takes effect.
$ sudo firewall-cmd --add-service="http" --permanent
success
$ sudo firewall-cmd --reload
To allow several services at once, separate them with commas.
sudo firewall-cmd --add-service={http,https,smtp,imap} --permanent --zone=public
sudo firewall-cmd --reload
4. Enable TCP port
The syntax for enabling a TCP port is:
sudo firewall-cmd --add-port=port/tcp --permanent
sudo firewall-cmd --reload
Here is how to enable ports 8080 and 8443 (the first command adds only 8080, the second adds both in one go).
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port={8080,8443}/tcp --permanent
sudo firewall-cmd --reload
For UDP ports, replace /tcp with /udp.
5. Create a new zone
To create a new firewall zone, use the command:
$ sudo firewall-cmd --new-zone=zonename --permanent
# E.g.
$ sudo firewall-cmd --new-zone=private --permanent
$ sudo firewall-cmd --reload
6. Enable service/port on a specific zone
To enable a service or port in a specific zone, the syntax is:
sudo firewall-cmd --zone=<zone> --add-port=<port>/tcp --permanent
sudo firewall-cmd --zone=<zone> --add-port=<port>/udp --permanent
sudo firewall-cmd --zone=<zone> --add-service=<service> --permanent
sudo firewall-cmd --zone=<zone> --add-service={service1,service2,service3} --permanent
7. Add an interface to a zone
For systems with more than one interface, you can assign each interface to a zone, e.g. backend web servers to the private zone and frontend applications to the public zone. First check which zone an interface currently belongs to, then move it:
sudo firewall-cmd --get-zone-of-interface=eth1 --permanent
sudo firewall-cmd --zone=<zone> --add-interface=eth1 --permanent
8. Allow access to a port from specific subnet/IP
Access to a service or port can be restricted to a specific IP address or subnet with the use of rich rules.
$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="192.168.0.12/32" accept' --permanent
$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="10.1.1.0/24" accept' --permanent
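As an added example that is not part of the original post, the POSIX shell script below wraps the section 8 rich rules into one step that also removes the zone's generic ssh service, because a rich rule that accepts from one subnet does not by itself stop the zone's default ssh service from accepting every other source. It assumes the public zone (override with ZONE) and prints the commands instead of running them when DRY_RUN is set; include the address you are connecting from in the list, or you will lock yourself out.

```shell
#!/bin/sh
# Added example, not from the original post: restrict the ssh service in a
# firewalld zone to a list of IPv4 sources. Assumes zone "public" unless ZONE
# is set. With DRY_RUN set, the firewall-cmd calls are printed, not executed.

ZONE="${ZONE:-public}"
DRY_RUN="${DRY_RUN:-}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so no
# unexpected text can be spliced into the rule string.
valid_cidr() {
    o='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($o\\.){3}$o(/([12]?[0-9]|3[0-2]))?\$"
}

# Rich rule text in the same form as the two rules shown in section 8.
ssh_rich_rule() {
    printf 'rule family="ipv4" service name="ssh" source address="%s" accept' "$1"
}

# Run firewall-cmd, or print a copy-pasteable command line when DRY_RUN is set.
fw() {
    if [ -n "$DRY_RUN" ]; then
        printf 'firewall-cmd'; printf " '%s'" "$@"; printf '\n'
    else
        firewall-cmd "$@"
    fi
}

# Usage: restrict_ssh CIDR [CIDR ...]
restrict_ssh() {
    [ "$#" -gt 0 ] || { echo "need at least one source CIDR" >&2; return 2; }
    for src in "$@"; do
        valid_cidr "$src" || { echo "rejected source: $src" >&2; return 2; }
    done
    # The zone's plain "ssh" service accepts from every source; the per-source
    # rich rules only become a restriction once that service is removed.
    fw --permanent --zone="$ZONE" --remove-service=ssh
    for src in "$@"; do
        fw --permanent --zone="$ZONE" --add-rich-rule="$(ssh_rich_rule "$src")"
    done
    fw --reload
}

# Only act when sources are given on the command line.
[ "$#" -eq 0 ] || restrict_ssh "$@"
```

Preview with `DRY_RUN=1 sh restrict-ssh.sh 192.168.0.12/32 10.1.1.0/24`, then run it as root and confirm the result with `sudo firewall-cmd --list-rich-rules`.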
9. List rich rules
List rich rules by using the following command:
sudo firewall-cmd --list-rich-rules
10. Configure Port forwarding
See the examples below. Forwarding to another host requires masquerading to be enabled on the zone first.
# Enable masquerading
sudo firewall-cmd --add-masquerade --permanent
# Port forward to a different port within the same server (22 > 2022)
sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022 --permanent
# Port forward to same port on a different server (local:22 > 192.168.2.10:22)
sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.168.2.10 --permanent
# Port forward to different port on a different server (local:7071 > 10.50.142.37:9071)
sudo firewall-cmd --add-forward-port=port=7071:proto=tcp:toport=9071:toaddr=10.50.142.37 --permanent
11. Removing a port or service
To remove a port or service from the firewall, replace --add with --remove in each of the commands used to enable it, then reload.