Install and Use FirewallD on Debian 11

By the end of this article, you will have learned how to install and use FirewallD on Debian 11. FirewallD is a Linux firewall front end whose distinguishing feature is zones: each zone carries a trust level and a set of rules, and traffic entering the system is handled according to the zone that its interface or source address belongs to. Firewalld is managed through the firewall-cmd client, which adds and removes the firewall rules.

Assuming you have Debian 11 up and running with root (or sudo) privileges, continue with the article to install and use FirewallD on Debian 11.

Install and Use FirewallD on Debian 11

If you already have UFW installed, disable it.

sudo ufw disable

Next, update system packages:

sudo apt update

Now install firewalld from the apt repository:

sudo apt -y install firewalld

Confirm that firewalld has been installed by checking the version:

sudo firewall-cmd --version

Check the firewall status:

$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor pre>
     Active: active (running) since Fri 2022-07-15 17:50:18 EAT; 1min 44s ago
       Docs: man:firewalld(1)
   Main PID: 3531 (firewalld)
      Tasks: 2 (limit: 3498)
     Memory: 25.6M
        CPU: 2.270s
     CGroup: /system.slice/firewalld.service
             └─3531 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Jul 15 17:50:01 itnixpro systemd[1]: Starting firewalld - dynamic firewall daem>
Jul 15 17:50:18 itnixpro systemd[1]: Started firewalld - dynamic firewall daemo>

Enable firewalld service

If you want firewalld to run at system boot, enable this using the command:

sudo systemctl enable firewalld

Using Firewalld on Debian 11

With firewalld installed, let’s look at the usage using various examples.

List all zones

Check all the available zones with the command:

sudo firewall-cmd --list-all-zones

Opening a port

To permanently open a port, use the syntax sudo firewall-cmd --zone=<zone> --add-port=<port>/<protocol> --permanent (without --zone the rule goes into the default zone).

For instance, open TCP port 26267 in the public zone:

sudo firewall-cmd --zone=public --add-port=26267/tcp --permanent

To open several ports at once, list them in a shell brace expansion; the shell turns {8080,8081,8082}/tcp into one --add-port option per port. For example, to open ports 8080, 8081 and 8082:

sudo firewall-cmd --zone=public --add-port={8080,8081,8082}/tcp --permanent

Reload firewalld for the permanent changes to take effect:

sudo firewall-cmd --reload

For a UDP port, replace tcp with udp in the port specification.

Display all open ports

Use the firewall-cmd --list-ports command to output the open ports:

sudo firewall-cmd --list-ports
8080/tcp 8081/tcp 8082/tcp 26267/tcp

List rules configured

Display all the rules configured in the firewall's default zone:

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 26267/tcp 8080/tcp 8081/tcp 8082/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
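The dump above is the natural input for a quick review of what a zone exposes. The following shell script is an added example, not part of the article: it parses a zone dump in the same layout, pulls out the services, ports, sources, masquerade flag and rich rules, and lists the settings that deserve a second look on an internet-facing zone (a management service such as ssh accepted from every source, ports opened as raw numbers rather than named services, masquerading enabled). SAMPLE_ZONE is a constructed dump, not output captured from a real host; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): parse a `firewall-cmd --list-all`
# zone dump and report settings worth a second look. SAMPLE_ZONE is a
# constructed dump in the same layout as firewalld prints.

SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 26267/tcp 8080/tcp 8081/tcp 8082/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# zone_field FIELD DUMP: value of the "  FIELD: value" line, empty if unset.
zone_field() {
    printf '%s\n' "$2" | sed -n "s/^  $1: *//p"
}

# zone_ports DUMP: open port/protocol pairs, one per line.
zone_ports() {
    zone_field ports "$1" | tr ' ' '\n' | sed '/^$/d'
}

# zone_rich_rules DUMP: rich rules, which firewalld prints indented on
# their own lines below "rich rules:".
zone_rich_rules() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(rule .*\)$/\1/p'
}

# zone_has_service DUMP NAME: succeeds when NAME is in the services line.
zone_has_service() {
    for s in $(zone_field services "$1"); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# zone_findings DUMP: one line per setting to review on an exposed zone.
zone_findings() {
    dump=$1
    # A management service accepted from any source in the zone.
    if zone_has_service "$dump" ssh \
       && [ -z "$(zone_field sources "$dump")" ] \
       && [ -z "$(zone_rich_rules "$dump")" ]; then
        echo "ssh accepted from any source; scope it with a rich rule source address"
    fi
    # Raw port numbers say nothing about the service behind them.
    for p in $(zone_ports "$dump"); do
        echo "port $p opened directly rather than as a named service"
    done
    # Masquerading turns the host into a NAT router for the zone.
    if [ "$(zone_field masquerade "$dump")" = "yes" ]; then
        echo "masquerade enabled"
    fi
}

# zone_finding_count DUMP: number of findings, as a plain integer.
zone_finding_count() {
    zone_findings "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample; on a real host replace the argument
# with "$(firewall-cmd --list-all)".
if [ "${1:-}" = "--demo" ]; then
    zone_findings "$SAMPLE_ZONE"
fi
```

Run it with `sh audit-zone.sh --demo` to see the findings for the sample; for the sample dump it reports five lines (ssh open zone-wide plus the four raw ports). The checks are deliberately simple string matches on the dump so the script has no dependency beyond sed, tr and wc.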

List services that can be enabled/disabled

Show full list of services that can be enabled or disabled:

sudo firewall-cmd --get-services

Enable service

Use the command syntax below to allow a service on the firewall:

sudo firewall-cmd --add-service="servicename" --permanent

For example, enable the https service:

sudo firewall-cmd --add-service="https" --permanent

Then reload firewalld:

sudo firewall-cmd --reload

To add multiple services at once, list them in a shell brace expansion, e.g.

sudo firewall-cmd --add-service={http,https,smtp,imap} --permanent --zone=public

Create a new zone

Create a new firewall zone using the command:

sudo firewall-cmd --new-zone=zonename --permanent

Create a zone called itnixpro then reload the firewall.

sudo firewall-cmd --new-zone=itnixpro --permanent
sudo firewall-cmd --reload

Enable service/port on a specific zone

Replace the zone, service, protocol and port in the commands below.

sudo firewall-cmd --zone=<zone> --add-port=<port>/<protocol> --permanent
sudo firewall-cmd --zone=<zone> --add-service=<service> --permanent

Do the same to enable multiple services at once:

sudo firewall-cmd --zone=<zone> --add-service={service1,service2,service3} --permanent

Add an interface to a zone

If your system has more than one interface, you can bind each interface to a zone, e.g. back-end web servers on the private zone and front-end applications on the public zone. Check which zone an interface currently belongs to, then add it to the chosen zone:

sudo firewall-cmd --get-zone-of-interface=eth3 --permanent
sudo firewall-cmd --zone=<zone> --add-interface=eth3 --permanent

Allow access to a port from specific subnet/IP

You can allow or deny access from a specific IP address or subnet with rich rules. For example, to accept SSH from the 192.168.8.0/24 network (the /24 makes the address match the whole network; use /32 for a single host):

sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.8.10/24" \
service name="ssh" accept' --permanent

List rich rules

Show the rich rules with the command:

sudo firewall-cmd --list-rich-rules

Configure Port forwarding

Enable masquerading first; firewalld needs it to forward traffic on to another host:

sudo firewall-cmd --add-masquerade --permanent

Forward a port to a different port on the same server (22 > 2022):

sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022 --permanent

Forward a port to the same port on a different server (local:22 > 192.168.8.10:22). toaddr takes a bare address; the destination port, if it differs, goes in toport:

sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.168.8.10 --permanent

Forward a port to a different port on a different server (local:7071 > 192.168.8.50:9071):

sudo firewall-cmd --add-forward-port=port=7071:proto=tcp:toport=9071:toaddr=192.168.8.50 --permanent
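The forward-port, rich-rule and --add-port syntaxes above are easy to get subtly wrong (a port in toaddr, a port above 65535, a bad prefix length), and firewall-cmd only tells you at apply time. The script below is an added example, not part of the article or of firewalld: it builds the argument strings for the "Opening a port", "Allow access to a port from specific subnet/IP" and "Configure Port forwarding" sections from validated input, and prints the resulting firewall-cmd invocation as a dry run, executing it only when FW_APPLY=1 is set. Function names, the FW_APPLY variable and the sample values in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): build validated firewall-cmd
# arguments for ports, source-scoped rich rules and port forwarding.
# Nothing is applied unless FW_APPLY=1 is set in the environment.

# valid_port N: digits only, 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_proto P: the protocols the article uses.
valid_proto() {
    case "$1" in tcp|udp) return 0 ;; *) return 1 ;; esac
}

# valid_ipv4 A: four dotted octets, each 0..255.
valid_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# port_args ZONE PROTO PORTS: one --add-port per comma-separated entry,
# which is what the article's {a,b,c}/tcp brace expansion produces.
port_args() {
    zone=$1; proto=$2
    valid_proto "$proto" || { echo "bad protocol: $proto" >&2; return 1; }
    out="--zone=$zone"
    oldifs=$IFS; IFS=,
    set -- $3
    IFS=$oldifs
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
        out="$out --add-port=$p/$proto"
    done
    echo "$out --permanent"
}

# rich_source_rule SERVICE CIDR: rich rule accepting SERVICE from CIDR;
# a bare address is treated as a single host (/32).
rich_source_rule() {
    svc=$1; addr=${2%/*}; prefix=${2#*/}
    [ "$2" != "$addr" ] || prefix=32
    valid_ipv4 "$addr" || return 1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    echo "rule family=\"ipv4\" source address=\"$addr/$prefix\" service name=\"$svc\" accept"
}

# forward_args PORT PROTO TOPORT TOADDR: --add-forward-port spec. TOADDR is
# a bare address; the destination port always goes in toport=. Pass '' to
# omit either of the two, but at least one must be given.
forward_args() {
    port=$1; proto=$2; toport=$3; toaddr=$4
    valid_port "$port" && valid_proto "$proto" || return 1
    spec="port=$port:proto=$proto"
    if [ -n "$toport" ]; then valid_port "$toport" || return 1; spec="$spec:toport=$toport"; fi
    if [ -n "$toaddr" ]; then valid_ipv4 "$toaddr" || return 1; spec="$spec:toaddr=$toaddr"; fi
    [ -n "$toport$toaddr" ] || return 1
    echo "--add-forward-port=$spec --permanent"
}

# run_fw ARGS...: print the command; execute it only when FW_APPLY=1.
run_fw() {
    echo "firewall-cmd $*"
    if [ "${FW_APPLY:-0}" = "1" ]; then firewall-cmd "$@"; fi
}

# Dry-run demonstration with the article's values.
if [ "${1:-}" = "--demo" ]; then
    run_fw $(port_args public tcp 8080,8081,8082)
    run_fw --add-rich-rule "$(rich_source_rule ssh 192.168.8.0/24)" --permanent
    run_fw $(forward_args 22 tcp '' 192.168.8.10)
    run_fw $(forward_args 7071 tcp 9071 192.168.8.50)
fi
```

The rich rule is one argument containing spaces, so it is passed quoted, while the port and forward strings are intentionally unquoted so the shell splits them into separate options. A typo such as toaddr=192.168.8.10:22 is rejected by valid_ipv4 before anything reaches firewall-cmd.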

Removing a port or service

Replace --add with --remove in any of the commands above to remove a specific port or service (then reload firewalld, as with additions).

Conclusion

Congrats! That is the end of the article. You have installed FirewallD on Debian 11 and learned how to use it.

Find more information on the firewalld official website.
