How to Use firewalld for Enhanced Security in Debian 12 Bookworm

Learn how to use firewalld for enhanced security on a Debian 12 system.

Introduction

With increasing cybersecurity threats, implementing a robust firewall is crucial for securing Linux servers and workstations. Debian 12 Bookworm provides multiple firewall solutions, and among them, firewalld stands out due to its flexibility and ease of use. Originally designed for Fedora and RHEL-based systems, firewalld is now widely adopted in Debian-based distributions as well.

In this guide, we will cover the installation, configuration, and advanced usage of firewalld to enhance security on a Debian 12 system.

Understanding firewalld

firewalld is a dynamic firewall management tool that provides more granular control over firewall rules using zones and services. It works with iptables in the backend but offers a simplified and more user-friendly interface.

Key Features of firewalld

  • Supports both IPv4 and IPv6.
  • Uses zones to manage different trust levels for networks.
  • Can dynamically update firewall rules without disrupting active connections.
  • Provides an easy-to-use interface for managing firewall rules and services.

Installing firewalld on Debian 12

By default, Debian 12 does not include firewalld, but it can be easily installed from the official repositories.

Step 1: Update Your System

Before installing any package, update your package lists:

sudo apt update && sudo apt upgrade -y

Step 2: Install firewalld

Run the following command to install firewalld:

sudo apt install firewalld -y

Step 3: Enable and Start firewalld

Once installed, start the firewalld service and enable it to start on boot:

sudo systemctl start firewalld
sudo systemctl enable firewalld

To verify that firewalld is running, use:

sudo systemctl status firewalld

Understanding firewalld Zones

firewalld organizes network traffic into predefined zones, each with its own set of rules. The most commonly used zones include:

  • drop: All incoming connections are dropped without any notification.
  • block: Similar to drop, but the system sends a reject response.
  • public: Suitable for use in untrusted networks.
  • external: For use with NAT and external-facing networks.
  • dmz: Used for demilitarized zones where only selected services are exposed.
  • work: Trusted environment suitable for office or company networks.
  • home: Designed for home use where the network is trusted.
  • trusted: All incoming connections are allowed.

To check the default zone, run:

firewall-cmd --get-default-zone

To see active zones and their interfaces:

firewall-cmd --get-active-zones

To set a different default zone:

sudo firewall-cmd --set-default-zone=home

Configuring Firewall Rules

Allowing and Denying Services

To allow a service, such as SSH, run:

sudo firewall-cmd --zone=public --add-service=ssh --permanent

To remove a service:

sudo firewall-cmd --zone=public --remove-service=ssh --permanent

To apply changes, reload firewalld:

sudo firewall-cmd --reload

Allowing and Blocking Specific Ports

To allow a specific port, such as 8080 for a web application:

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent

To block a port:

sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent

Managing IP Address Rules

To allow traffic from a specific IP address:

sudo firewall-cmd --zone=public --add-source=192.168.1.100 --permanent

To block an IP address:

sudo firewall-cmd --zone=public --remove-source=192.168.1.100 --permanent

Advanced firewalld Configurations

Using Rich Rules

Rich rules provide more granular control. For example, to allow SSH traffic only from a specific subnet:

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
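The source rules in "Managing IP Address Rules" and the rich rule above are normally combined into a repeatable script rather than typed one at a time. The following is an added example written for this guide, not firewalld's own tooling or code from the original article: it restricts SSH to an admin subnet with a rich rule, and it shows how to actively block a source, which is different from removing it from a zone (a removed source simply matches the default zone again, whereas a source bound to the built-in drop zone is silently discarded). The FWCMD variable is a hypothetical hook that lets you dry-run with FWCMD=echo and review the exact firewall-cmd invocations before running them on a live host; the public zone is assumed to carry the default ssh service, as it does out of the box.

```shell
#!/bin/sh
# Added example for this guide (not firewalld's own tooling): apply "SSH only
# from the admin subnet" with a rich rule, and actively block a source.
# FWCMD is a hypothetical hook: FWCMD=echo prints the commands instead of
# running them, so the result can be reviewed before it touches a live host.
FWCMD="${FWCMD:-sudo firewall-cmd}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix and
# octets in range, so a typo cannot turn into a broken or over-wide rule.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(printf '%s\n' "${1%%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Allow SSH only from ADMIN_NET in ZONE: add an accepting rich rule for that
# subnet, then remove the unrestricted ssh service so every other source falls
# back to the zone's default (reject, in public). Changes are written with
# --permanent and activated with --reload, the same pattern the guide uses.
allow_ssh_from() {
    zone="$1"; admin_net="$2"
    valid_ipv4_cidr "$admin_net" || { echo "bad CIDR: $admin_net" >&2; return 1; }
    $FWCMD --permanent --zone="$zone" \
        --add-rich-rule="rule family=\"ipv4\" source address=\"$admin_net\" service name=\"ssh\" accept" &&
    $FWCMD --permanent --zone="$zone" --remove-service=ssh &&
    $FWCMD --reload
}

# Actively block a source. --remove-source only detaches the address from a
# zone (it then matches the default zone again); binding it to the built-in
# drop zone silently discards everything it sends.
drop_source() {
    src="$1"
    valid_ipv4_cidr "$src" || { echo "bad address: $src" >&2; return 1; }
    $FWCMD --permanent --zone=drop --add-source="$src" &&
    $FWCMD --reload
}

# Dry run first, then apply for real:
#   FWCMD=echo allow_ssh_from public 192.168.1.0/24
#   allow_ssh_from public 192.168.1.0/24
#   drop_source 203.0.113.7
```

Because the second command in allow_ssh_from removes unrestricted SSH, keep the session you are working from open and confirm that a fresh SSH login from the admin subnet succeeds before logging out. If you prefer to try rules live first, apply them without --permanent and, once verified, promote the running configuration with firewall-cmd --runtime-to-permanent.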

Configuring Masquerading for NAT

If your system acts as a router, enable masquerading:

sudo firewall-cmd --zone=external --add-masquerade --permanent

Setting Up Port Forwarding

To forward port 8080 to an internal service on port 80:

sudo firewall-cmd --permanent --zone=public --add-forward-port=port=8080:proto=tcp:toport=80

Logging and Monitoring with firewalld

To enable logging for dropped packets:

sudo firewall-cmd --set-log-denied=all

To check firewall logs, use:

tail -f /var/log/firewalld
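Once --set-log-denied is active, the denied-packet records themselves are emitted by the kernel's netfilter LOG target, so on a systemd host they appear in the kernel log (journalctl -k or dmesg) as one line per packet with KEY=VALUE fields such as SRC=, DST=, PROTO= and DPT=, after a prefix like FINAL_REJECT: or filter_IN_public_REJECT:. Reading those lines one by one is tedious; the script below, an added example written for this guide and not part of firewalld or the original article, aggregates them by source and destination port and picks out the source that probed the most ports. The sample log is constructed here (addresses are from the documentation ranges) and only its format is modelled on real output.

```shell
#!/bin/sh
# Added example (not part of the original guide): summarise denied-packet log
# lines produced once --set-log-denied is active. The lines come from the
# kernel's netfilter LOG target (journalctl -k / dmesg), not from firewalld's
# own daemon log, and consist of a prefix followed by KEY=VALUE fields.
#
# Constructed sample input modelled on that format; the addresses are from the
# documentation ranges and are not real hosts.
SAMPLE_LOG='Mar 03 10:01:02 srv kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 03 10:01:03 srv kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Mar 03 10:01:04 srv kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40003 DPT=23 SYN URGP=0
Mar 03 10:01:05 srv kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40004 DPT=3389 SYN URGP=0
Mar 03 10:01:06 srv kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=48 PROTO=UDP SPT=5353 DPT=53
Mar 03 10:01:07 srv kernel: filter_IN_public_REJECT: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar 03 10:01:08 srv kernel: filter_IN_public_REJECT: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51001 DPT=8080 SYN URGP=0'

# Read log lines on stdin; print "count SRC PROTO/DPT", most frequent first.
# Lines without both SRC= and DPT= (daemon messages, ICMP) are skipped.
summarize_denied() {
    awk '
        /SRC=/ && /DPT=/ {
            src = ""; dpt = ""; proto = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "" && dpt != "") count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Source that was denied on the most distinct proto/port pairs: one source
# touching many ports is the classic scan signal and a candidate for the
# drop zone rather than for a case-by-case rule.
top_scanner() {
    summarize_denied |
        awk '{ ports[$2]++ } END { for (s in ports) print ports[s], s }' |
        sort -k1,1nr -k2 | head -n 1 | awk '{ print $2 }'
}

# Demonstration on the constructed sample. On a live host replace the printf
# with:  journalctl -k --since "1 hour ago" | summarize_denied
printf '%s\n' "$SAMPLE_LOG" | summarize_denied
```

The first column is the hit count, so a tail of single hits across many ports from one source is the pattern to look for; the summary also makes it obvious when a "denied" entry is really a service you forgot to open for a legitimate client.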

For a more detailed firewall status, run:

sudo firewall-cmd --list-all

Disabling firewalld (If Necessary)

If you need to disable firewalld temporarily or permanently:

Stop firewalld Temporarily

sudo systemctl stop firewalld

Disable firewalld Permanently

sudo systemctl disable firewalld
sudo apt remove --purge firewalld

Conclusion

Implementing firewalld on Debian 12 Bookworm significantly enhances system security by providing dynamic, flexible firewall management. By properly configuring zones, services, and rich rules, administrators can fine-tune network security to match their specific needs. Regular monitoring and maintenance of firewall rules ensure that security policies remain effective against emerging threats. For any production server, using firewalld is a best practice that helps mitigate unauthorized access and potential security breaches.

With the steps outlined in this guide, you can confidently use firewalld to secure your Debian 12 system effectively.