In this tutorial, we will look at how to install and configure Firewalld on Debian 10 (Buster). Firewalld is Linux firewall management tool with support for IPv4, IPv6, Ethernet bridges and ipset firewall settings.

Firewalld acts as a front-end to Linux kernel’s netfilter framework. It is a default firewall management software for RHEL 7+ family of Linux distributions but can be used on Debian family of Linux distros.

Install Firewalld on Debian 10 (Buster)

The firewalld package is available on the official Debian 10 apt repositories. Installation is as quick as firing below commands in the terminal as root user or user with sudo privileges.

sudo apt update
sudo apt -y install firewalld

This will install firewalld on Debian 10 and set the service to start at boot. Pull package details with:

$ apt policy firewalld
firewalld:
  Installed: 0.6.3-5
  Candidate: 0.6.3-5
  Version table:
 *** 0.6.3-5 500
        500 http://deb.debian.org/debian buster/main amd64 Packages
        100 /var/lib/dpkg/status

Confirm that the service is in running state.

$ sudo firewall-cmd --state
 running

$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset
   Active: active (running) since Sun 2019-07-07 06:35:14 EDT; 1min 33s ago
     Docs: man:firewalld(1)
 Main PID: 7955 (firewalld)
    Tasks: 2 (limit: 2319)
   Memory: 24.5M
   CGroup: /system.slice/firewalld.service
           └─7955 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

If you have ufw enabled, disable it to make firewalld your default firewall

sudo ufw disable

Using Firewalld on Debian 10 (Buster)

Now that the package has been installed and firewalld service started, let’ look at few usage examples on how it can be used to secure your server/workstation.

1 – List all firewall rules configured

To list the current rules, use the command:

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

ssh and dhcpv6-client services are allowed by default when you start firewalld service.

2 – List services that can be enabled/disabled

To get a full list of services which can be enabled or disabled, use the following command.

sudo firewall-cmd --get-services

3 – Enable service / List of services

To allow a service on the firewall, the command syntax is:

$ sudo firewall-cmd --add-service="servicename" --permanent

The example below will enable http service.

$ sudo firewall-cmd --add-service="http" --permanent
success
$ sudo firewall-cmd --reload

For a list of services, separate them with comma.

$ sudo firewall-cmd --add-service={http,https,smtp,imap} --permanent --zone=public
$ sudo firewall-cmd --reload

4 – Enable TCP port

The syntax for enabling a TCP port is:

$ sudo firewall-cmd --add-port=port/tcp --permanent
$ sudo firewall-cmd --reload

Here is how to enable port 8080 and 8443.

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port={8080,8443}/tcp --permanent
sudo firewall-cmd --reload

For UDP ports, replace /tcp with /udp.

5 – Create a new zone

To create a new firewall zone, use the command:

$ sudo firewall-cmd --new-zone=zonename --permanent

E.g

$ sudo firewall-cmd --new-zone=private --permanent
$ sudo firewall-cmd --reload

6 – Enable service/port on a specific zone

To enable a service/port in a specific zone, syntax is:

sudo firewall-cmd --zone=<zone> --add-port=<port>/tcp --permanent
sudo firewall-cmd --zone=<zone> --add-port=<port>/udp --permanent
sudo firewall-cmd --zone=<zone> --add-service=<service> --permanent
sudo firewall-cmd --zone=<zone> --add-service={service1,service2,service3} --permanent

7 – Add an interface to a zone

For systems with more than one interface, you can add an interface to a zone. E.g Backend web servers to private zone, and fronted applications to public zone.

sudo firewall-cmd --get-zone-of-interface=eth1 --permanent
sudo firewall-cmd --zone=<zone> --add-interface=eth1 --permanent

8 – Allow access to a port from specific subnet/IP

Access to a service or port can be restricted to be from specific IP address or subnet. with the use of rich rules.

$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="192.168.0.12/32" accept' --permanent
$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="10.1.1.0/24" accept' --permanent

9 – List rich rules

sudo firewall-cmd --list-rich-rules

10 – Configure Port forwarding

See examples below.

# Enable masquerading
$ sudo firewall-cmd --add-masquerade --permanent

# Port forward to a different port within same server ( 22 > 2022)
$ sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022 --permanent

# Port forward to same port on a different server (local:22 > 192.168.2.10:22)
$ sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.168.2.10 --permanent

# Port forward to different port on a different server (local:7071 > 10.50.142.37:9071)
$ sudo firewall-cmd --add-forward-port=port=7071:proto=tcp:toport=9071:toaddr=10.50.142.37 --permanent

11 – Removing a port or service

To remove a port or service from the firewall, replace --add with –-remove in each command used in enabling service.

Enjoy using Firewalld on Debian 10 (Buster) Linux. For further reading, check Firewalld Documentation

Best LPIC-1 and LPIC-2 certification study books

Best Linux Books for Beginners & Experts