Firewalld Configuration on Debian

Overview of Firewalld configuration on Debian

Firewalld serves as a front-end to the Linux kernel’s netfilter framework, providing a dynamic interface for managing firewall functionalities. It is the default firewall management tool for RHEL 7 and newer distributions and is also compatible with Debian-based systems. This guide covers everything you need to know about Firewalld Configuration on Debian to secure your network effectively.


Installation

To install Firewalld on Debian systems, execute the following commands with root or sudo privileges:

sudo apt update
sudo apt -y install firewalld

This will install Firewalld and configure it to start automatically at boot. You can verify the installation with:

$ apt policy firewalld
firewalld:
  Installed: 0.9.3-2
  Candidate: 0.9.3-2
  Version table:
 *** 0.9.3-2 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status

To ensure the service is active and running:

$ sudo firewall-cmd --state
 running

debian@debian-bullseye-01:~$ systemctl status firewalld
 firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-08-19 19:18:49 UTC; 39s ago
       Docs: man:firewalld(1)
   Main PID: 3317 (firewalld)
      Tasks: 2 (limit: 2340)
     Memory: 29.3M
        CPU: 868ms
     CGroup: /system.slice/firewalld.service
             └─3317 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Aug 19 19:18:48 debian-bullseye-01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 19 19:18:49 debian-bullseye-01 systemd[1]: Started firewalld - dynamic firewall daemon.

If you have UFW enabled, disable it to make Firewalld your default firewall:

sudo ufw disable

Usage

With Firewalld installed and running, here are some common commands to manage your firewall as part of your Firewalld Configuration on Debian:


1. Listing All Rules

To display the current configuration:

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

By default, services like ssh and dhcpv6-client are allowed.


2. Listing Available Services

To view all predefined services that can be managed:

sudo firewall-cmd --get-services

3. Allowing a Service

To permit a specific service through the firewall:

sudo firewall-cmd --add-service="servicename" --permanent

The example below enables the http service and reloads the firewall so the permanent rule takes effect.

$ sudo firewall-cmd --add-service="http" --permanent
success

$ sudo firewall-cmd --reload

For multiple services:

sudo firewall-cmd --add-service={http,https,smtp,imap} --permanent --zone=public
sudo firewall-cmd --reload

4. Opening a Port

To open a specific port:

sudo firewall-cmd --add-port=port/tcp --permanent
sudo firewall-cmd --reload

For multiple ports:

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port={8080,8443}/tcp --permanent
sudo firewall-cmd --reload

Replace /tcp with /udp for UDP ports.


5. Creating a New Zone

To define a new zone:

$ sudo firewall-cmd --new-zone=zonename --permanent

# E.g.
$ sudo firewall-cmd --new-zone=private --permanent
$ sudo firewall-cmd --reload

6. Assigning Services or Ports to a Zone

To enable a service or port in a specific zone, the syntax is:

sudo firewall-cmd --zone=<zone> --add-port=<port>/tcp --permanent
sudo firewall-cmd --zone=<zone> --add-port=<port>/udp --permanent
sudo firewall-cmd --zone=<zone> --add-service=<service> --permanent
sudo firewall-cmd --zone=<zone> --add-service={service1,service2,service3} --permanent

7. Add an interface to a zone

For systems with more than one interface, you can add an interface to a zone, e.g. the interface facing backend web servers to the private zone and the interface facing frontend applications to the public zone. The first command shows which zone the interface is currently in.

sudo firewall-cmd --get-zone-of-interface=eth1 --permanent
sudo firewall-cmd --zone=<zone> --add-interface=eth1 --permanent

8. Allow access to a port from specific subnet/IP

Access to a service or port can be restricted to a specific IP address or subnet with the use of rich rules:

$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="192.168.0.12/32" accept' --permanent

$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="10.1.1.0/24" accept' --permanent

9. List rich rules

List rich rules by using the following command:

sudo firewall-cmd --list-rich-rules

10. Configure Port forwarding

See examples below.

# Enable masquerading
sudo firewall-cmd --add-masquerade --permanent

# Port forward to a different port within same server ( 22 > 2022)
sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022 --permanent

# Port forward to same port on a different server (local:22 > 192.168.2.10:22)
sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.168.2.10 --permanent

# Port forward to different port on a different server (local:7071 > 10.50.142.37:9071)
sudo firewall-cmd --add-forward-port=port=7071:proto=tcp:toport=9071:toaddr=10.50.142.37 --permanent

11. Removing a port or service

To remove a port or service from the firewall, replace --add with --remove in each command used to enable the service or port, then reload.
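The script below is an added example, not part of the original guide: it audits a saved firewall-cmd --list-all dump offline and flags the pitfall behind steps 8 and 10. Zone services are accepted from every source, so an accept rich rule for ssh only narrows access once ssh is also removed from the zone's services list; masquerade and forward-ports are reported because they change what the host exposes. Both zone dumps are constructed, abridged samples.

```sh
#!/bin/sh
# Offline audit of a saved `firewall-cmd --list-all` zone dump.
# Both dumps below are constructed, abridged samples, not output from the page.

# Zone after steps 3, 4, 8 and 10 of the guide: ssh is still in "services".
ZONE_BEFORE='public (active)
  target: default
  interfaces: ens33
  sources:
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2022:toaddr=
  rich rules:
        rule family="ipv4" source address="10.1.1.0/24" service name="ssh" accept'

# Same zone with ssh removed from "services", so only the rich rule admits it.
ZONE_AFTER=$(printf '%s\n' "$ZONE_BEFORE" | sed 's/^\(  services:.*\) ssh$/\1/')

# zone_field DUMP KEY: print the value of the "  KEY: value" line in a dump.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# audit_zone DUMP: print one finding per line (nothing for a clean zone).
audit_zone() {
    services=$(zone_field "$1" services)
    case " $services " in
    *" ssh "*)
        # Zone services are accepted from any source; an accept rich rule
        # for the same service cannot narrow that, it only adds to it.
        if printf '%s\n' "$1" | grep -q 'service name="ssh"'; then
            echo 'ssh: rich rule limits the source, but ssh is also in services, so it is reachable from anywhere'
        else
            echo 'ssh: reachable from any source in this zone'
        fi ;;
    esac
    [ "$(zone_field "$1" masquerade)" = yes ] && echo 'masquerade: NAT is enabled for this zone'
    fwd=$(zone_field "$1" forward-ports)
    [ -n "$fwd" ] && echo "forward-ports: $fwd"
    return 0
}

# finding_count DUMP: number of findings; handy as a CI gate.
finding_count() {
    audit_zone "$1" | grep -c '' || true
}

audit_zone "$ZONE_BEFORE"
```

On a live host, feed it real output with `audit_zone "$(sudo firewall-cmd --zone=public --list-all)"`.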


Learn More About Firewalld configuration on Debian

For comprehensive information and advanced configurations, refer to the official Firewalld documentation. This resource provides detailed explanations and examples to enhance your Firewalld Configuration on Debian.

By implementing these configurations, you can effectively manage and secure your system’s network traffic using Firewalld.

For a visual guide on configuring Firewalld, consider watching this tutorial: How to Configure Firewall in Linux | Firewalld Tutorial.

For more Linux administration guides, visit our Uncover Infinite in IT section. Additionally, learn about related topics like UFW Firewall Configuration on the official Ubuntu website.
