DropVPS Team
Writer: Cooper Reagan
How to Install and Configure FirewallD on Debian 12

Table of Contents
What you will read
- 1 Install FirewallD
- 2 Enable and Start the Service
- 3 Check Zones and Default Zone
- 4 Allow SSH to Prevent Lockout
- 5 Open Web and Custom Ports
- 6 Apply Permanent Configuration
- 7 Bind Interfaces and Set Default Zone
- 8 Use Rich Rules for Granular Control
- 9 Enable Masquerading and Port Forwarding (NAT)
- 10 Inspect, Log, and Test
- 11 Backup and Restore Configuration
- 12 Troubleshoot Common Conflicts
FirewallD on Debian 12 delivers dynamic, zone-based firewalling over nftables. Proper configuration hardens your server while keeping required services reachable. The steps below install FirewallD, enable it at boot, set zones, allow SSH and web traffic, apply rich rules, add NAT and port forwarding, enable logging, and safely persist changes.
Install FirewallD
Install the firewall daemon and confirm the version. Debian 12 packages use the nftables backend by default.
sudo apt update
sudo apt install -y firewalld
firewall-cmd --version
Enable and Start the Service
Start FirewallD now and ensure it loads at boot. Verify the service is healthy.
sudo systemctl enable --now firewalld
sudo systemctl status firewalld --no-pager
● firewalld.service - firewalld - dynamic firewall daemon
Active: active (running)
Check Zones and Default Zone
Zones group rules by trust level. Identify available zones, your default zone, and active rules.
firewall-cmd --get-zones
firewall-cmd --get-default-zone
firewall-cmd --list-all
Allow SSH to Prevent Lockout
Add SSH to the runtime rules first to keep the current session safe, then make it persistent.
sudo firewall-cmd --add-service=ssh
sudo firewall-cmd --permanent --add-service=ssh
firewall-cmd --list-services
Open Web and Custom Ports
Permit HTTP/HTTPS and any custom TCP/UDP ports needed by your apps.
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
# Custom ports
sudo firewall-cmd --add-port=8080/tcp
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --permanent --add-port=5353/udp
Apply Permanent Configuration
Reload to apply permanent changes (a reload also discards any runtime-only rules), or save the current runtime state as permanent.
sudo firewall-cmd --reload
# Alternatively, capture runtime into permanent
sudo firewall-cmd --runtime-to-permanent
Bind Interfaces and Set Default Zone
Attach network interfaces to zones and change the default zone when needed.
ip -o link show
firewall-cmd --get-active-zones
# Example: bind interface ens3 to public zone
sudo firewall-cmd --zone=public --add-interface=ens3
sudo firewall-cmd --permanent --zone=public --add-interface=ens3
# Change default zone
sudo firewall-cmd --set-default-zone=public
firewall-cmd --get-default-zone
Use Rich Rules for Granular Control
Rich rules allow source-based policies, drops, logging, and rate limits.
# Allow SSH only from a trusted IP
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=203.0.113.10/32 service name=ssh accept'
# Drop all traffic from an abusive IP (the rule has no service filter, so it is not limited to SSH)
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=198.51.100.55 drop'
# Allow TCP/5432 from a subnet
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.10.0.0/16 port port=5432 protocol=tcp accept'
# Rate-limit SSH accepts (example: 30 per minute)
# Note: this rule has no source filter, so it accepts SSH from any address and would
# reopen what the trusted-IP rule above restricted; use one approach or the other
sudo firewall-cmd --permanent --add-rich-rule='rule service name=ssh limit value=30/m accept'
sudo firewall-cmd --reload
firewall-cmd --list-rich-rules
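The two SSH sections above share one failure mode: a reload applies only the permanent configuration, so a missing SSH allow rule locks you out, and a source-restricted rich rule is silently bypassed while the plain ssh service entry is still present. The following script is an added example, not part of the original guide or of firewalld itself. It audits the text of firewall-cmd --list-all for both problems and adds a timed rollback helper; the function names, the sample zone listing and the 180-second default are assumptions made here.

```sh
#!/bin/sh
# Added example (not from the original guide): audit a zone's rule listing for
# two SSH mistakes before reloading, and schedule an automatic rollback.
# The audit functions take the text of `firewall-cmd --list-all` as their
# first argument, so they can be exercised offline against a constructed sample.

# Value of one field, e.g. zone_field "$text" services -> "http https ssh".
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Rich rules: the indented "rule ..." lines following "rich rules:".
zone_rich_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*rich rules:/ { in_rules = 1; next }
        in_rules && /^[ \t]*rule / { sub(/^[ \t]+/, ""); print }'
}

# True (exit 0) when the ssh service, port 22/tcp, or an accepting ssh rich
# rule is present, i.e. a reload will not cut off administrative access.
ssh_reachable() {
    for s in $(zone_field "$1" services); do
        [ "$s" = ssh ] && return 0
    done
    for p in $(zone_field "$1" ports); do
        [ "$p" = 22/tcp ] && return 0
    done
    zone_rich_rules "$1" | grep -q 'service name="ssh".* accept' && return 0
    return 1
}

# True (exit 0) when a source-restricted ssh rich rule coexists with the plain
# ssh service entry. The service entry accepts from any address, so the
# source restriction in the rich rule is not enforced.
ssh_restriction_bypassed() {
    zone_rich_rules "$1" | grep -q 'source address=.*service name="ssh".* accept' || return 1
    for s in $(zone_field "$1" services); do
        [ "$s" = ssh ] && return 0
    done
    return 1
}

# Print findings for a zone listing; exit status 1 when anything needs fixing.
audit_zone() {
    rc=0
    if ssh_reachable "$1"; then
        echo "ok: at least one rule admits SSH"
    else
        echo "WARNING: nothing admits SSH; reloading would lock you out"
        rc=1
    fi
    if ssh_restriction_bypassed "$1"; then
        echo "WARNING: ssh service still enabled; the source-restricted rich rule is bypassed"
        rc=1
    fi
    return $rc
}

# For live use (not run here): runtime-only changes vanish on reload, so start
# a timed reload before testing a risky runtime change, then kill the returned
# PID once a fresh SSH session has been confirmed to work.
schedule_rollback() {
    ( sleep "${1:-180}" && firewall-cmd --reload ) >/dev/null 2>&1 &
    echo "$!"
}

# Constructed sample listings in the shape of `firewall-cmd --list-all` output.
# SAMPLE_GOOD is the zone after `--permanent --remove-service=ssh` plus the
# guide's restricted rule; SAMPLE_BAD is the same zone with ssh still listed.
SAMPLE_GOOD='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: dhcpv6-client http https
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="203.0.113.10/32" service name="ssh" accept'
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/^  services: .*/& ssh/')

# Live usage would be: audit_zone "$(firewall-cmd --list-all)"
audit_zone "$SAMPLE_BAD" || echo "fix the zone before reloading"
```

Run it as root against the live listing with audit_zone "$(firewall-cmd --permanent --list-all)" before every --reload; the permanent view is the one that matters, because that is what the reload installs. The rollback helper relies only on the documented behaviour that --reload drops runtime-only changes.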
Enable Masquerading and Port Forwarding (NAT)
Enable NAT for egress and forward ports to local or internal services.
# Enable NAT (masquerade) on public zone
sudo firewall-cmd --permanent --zone=public --add-masquerade
# Forward external :80 to local :8080
sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080
# Forward external :8443 to backend 10.0.0.10:443
sudo firewall-cmd --permanent --add-forward-port=port=8443:proto=tcp:toaddr=10.0.0.10:toport=443
sudo firewall-cmd --reload
firewall-cmd --zone=public --list-all
Inspect, Log, and Test
Turn on deny logging, inspect active rules, and test connectivity from a client.
# Log denied packets to journal
sudo firewall-cmd --set-log-denied=all
firewall-cmd --get-log-denied
# Show listeners and firewall state
ss -tulpen
firewall-cmd --state
firewall-cmd --list-all
firewall-cmd --list-rich-rules
# View raw nftables for debugging
sudo nft list ruleset | less
# FirewallD daemon logs (packets logged by --set-log-denied go to the kernel log, not here)
journalctl -u firewalld -b --no-pager
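Once --set-log-denied=all is on, the denied packets show up as netfilter lines in the kernel log (journalctl -k), not in the firewalld unit log. The script below is an added example, not part of the original guide or of firewalld, that turns those lines into a short summary: top sources, top destination ports, and sources touching many distinct ports. The sample log lines are constructed here in the shape of firewalld's nftables log output using documentation addresses; the functions key on the SRC=, PROTO= and DPT= fields rather than on the exact log prefix, which varies with the zone target.

```sh
#!/bin/sh
# Added example (not from the original guide): summarise the packets that
# --set-log-denied sends to the kernel log. Each function reads log lines on
# stdin and prints "count key" lines, most frequent first, so the live form is
#   journalctl -k -b --no-pager | top_sources

# Count denied packets per source address.
top_sources() {
    awk '
        /kernel: .*(REJECT|DROP): .*SRC=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Count denied packets per destination protocol/port (lines without DPT=,
# such as ICMP, are skipped).
top_ports() {
    awk '
        /kernel: .*(REJECT|DROP): .*SRC=/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (dpt != "") n[proto "/" dpt]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Sources that were denied on at least N distinct destination ports
# (default 3), a simple indicator of port scanning.
scanners() {
    awk -v min="${1:-3}" '
        /kernel: .*(REJECT|DROP): .*SRC=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print ports[s], s }' | sort -k1,1nr -k2,2
}

# Constructed sample lines in the shape of firewalld nftables log output
# (documentation address ranges; "srv" is a placeholder hostname).
SAMPLE_LOG='Jan 10 09:12:01 srv kernel: filter_IN_public_REJECT: IN=ens3 OUT= SRC=198.51.100.55 DST=203.0.113.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 09:12:02 srv kernel: filter_IN_public_REJECT: IN=ens3 OUT= SRC=198.51.100.55 DST=203.0.113.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 09:12:03 srv kernel: filter_IN_public_REJECT: IN=ens3 OUT= SRC=198.51.100.55 DST=203.0.113.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4713 DF PROTO=TCP SPT=44323 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 09:12:04 srv kernel: filter_IN_public_REJECT: IN=ens3 OUT= SRC=192.0.2.77 DST=203.0.113.20 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 09:12:05 srv kernel: filter_IN_public_REJECT: IN=ens3 OUT= SRC=192.0.2.9 DST=203.0.113.20 LEN=72 TOS=0x00 PREC=0x00 TTL=60 ID=13 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
Jan 10 09:12:06 srv kernel: FINAL_REJECT: IN=ens3 OUT= SRC=192.0.2.9 DST=203.0.113.20 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=14 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1'

# Demo on the constructed sample; replace with journalctl -k -b --no-pager for live data.
printf '%s\n' "$SAMPLE_LOG" | top_sources
printf '%s\n' "$SAMPLE_LOG" | top_ports
printf '%s\n' "$SAMPLE_LOG" | scanners 3
```

On a busy host the summary is more useful over a bounded window, for example journalctl -k --since "-1h" --no-pager | scanners 5; a source that appears in the scanners output is a candidate for the drop rich rule shown in the rich rules section.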
Backup and Restore Configuration
Archive FirewallD configuration files so you can restore quickly on failures or migrations.
sudo tar czf /root/firewalld-backup-$(date +%F).tar.gz /etc/firewalld
# Restore example
sudo tar xzf /root/firewalld-backup-YYYY-MM-DD.tar.gz -C /
sudo firewall-cmd --reload
Troubleshoot Common Conflicts
Ensure only one firewall manager runs. Disable UFW if present before using FirewallD.
sudo systemctl disable --now ufw
sudo systemctl restart firewalld
firewall-cmd --list-all
Strong, zone-based rules on Debian 12 keep services reachable and threats out. For more guides, support, and to buy servers, visit dropvps.com