How to Install Firewalld on Debian 12, 11 or 10 - LinuxCapable (2024)

Firewalld stands out with its dynamic approach to firewall management. It offers real-time adaptability, a feature that distinguishes it from traditional tools like iptables and ufw. This real-time flexibility positions Firewalld as a preferred choice for users who value security and ease of use.

Key Advantages of Firewalld:

  • Zone-Based Management: Firewalld employs a zone-based system, focusing on user-centric connection management, a departure from iptables’ per-packet operations.
  • Instant Updates: With Firewalld, changes take effect immediately without needing restarts, unlike iptables, which often necessitate service reloads, potentially disrupting active connections.
  • User-Friendly Commands: Firewalld’s command structure is more intuitive than ufw, making it incredibly user-friendly for those new to firewall configurations.
  • Comprehensive Documentation: Firewalld is backed by thorough documentation and an active user community, ensuring users have ample support and resources.
  • Seamless Integration with Debian: Combining Firewalld’s dynamic features with Debian’s renowned stability offers an unparalleled experience for both desktop users and server administrators.

With the foundational knowledge, this guide will walk you through seamlessly integrating Firewalld into your Debian system.

Install Firewalld via Terminal Commands

Update Debian Before Firewalld Installation

Before embarking on any new software installation, updating the Debian system package database is crucial with the following command:

sudo apt update

This command instructs the system to fetch the latest package data from all configured repositories.

Proceed with Installation of Firewalld via APT Command

With the system’s updated package information, you can now install Firewalld. The Debian package manager, also known as APT, simplifies this task. To initiate the installation, run the following command:

sudo apt install firewalld

This command tells the package manager to download and install the Firewalld software package.

Confirm Firewalld Installation

Once you install Firewalld, check to ensure you installed it correctly and set it up to run appropriately. To view the Firewalld version on your system, use:

firewall-cmd --version

This command shows the Firewalld version number, confirming its installation.

Now, start Firewalld and set it to run when the system boots. Use this command:

sudo systemctl enable --now firewalld

Understanding Firewalld Zones

In firewalld “zones,” network traffic rules are dictated based on the trustworthiness of the connected network, ranging from public untrusted settings to private home networks.

Let’s go over some of these and what they mean in detail:

The Role of Zones in Firewalld:

  • Firewalld operates using the concept of “zones.”
  • A “zone” in Firewalld is essentially a predefined set of rules. These rules dictate the type of network traffic that is permitted or denied based on the trustworthiness of the network the computer is on.

Examples of How Zones Work:

  • Public Zone: This zone is designed for networks in public locations, such as cafes or airports. You can’t trust most other devices in these settings, so the rules are more restrictive to protect your system.
  • Home Zone: This zone assumes a safer environment, like your home. Here, you’re likely familiar with all the devices, so the rules are less stringent, allowing for more communication between devices.

List of Some Common Predefined Zones in Firewalld:

  • Drop: Drops all incoming packets without any response. Most restrictive.
  • Block: Similar to ‘Drop’, but will send a reject response to the source.
  • Public: For public, untrusted networks.
  • External: Used when your system acts as a gateway or firewall.
  • DMZ (Demilitarized Zone): For computers in your DMZ, offer limited access to an isolated computer from the internet.
  • Work: For work environments where you trust many users but still need protective measures.
  • Home: Relaxed rules for home environments.
  • Internal: For internal sections of a public or private network.
  • Trusted: All network connections are accepted. Least restrictive.

Common Firewalld Commands

In this section, we delve into the most frequently used Firewalld commands. These commands are pivotal for managing and configuring your Firewalld setup, enabling you to secure your Debian environment effectively.

Firewalld Command Syntax and Options

The general syntax of Firewalld commands is relatively straightforward. Below, we will discuss the syntax and options so you better understand what they are.

First, the syntax for firewalld commands is as follows:

firewall-cmd [options] command

Here is a brief explanation of the syntax components:

  • firewall-cmd: This is the main command used for Firewalld operations.
  • options: These modify the behavior of the command. They are optional and can be omitted.
  • command: This specifies what operation you want to perform.

When it comes to options, Firewalld offers a variety. A few commonly used ones include:

  • --zone=zone: Specifies the zone to operate on. If no zone is specified, the default zone is used.
  • --add-service=service: Adds the specified service to the zone. The change is effective immediately but not persistent across reboots unless --permanent is added.
  • --get-active-zones: Lists all currently active zones along with their associated interfaces.
  • --get-services: Lists all available services known to Firewalld.
  • --reload: Reloads the Firewalld configuration, implementing any changes made with --permanent without requiring a system reboot.

For more detailed information, you can always consult the Firewalld man page by running man firewall-cmd in your terminal.

Listing all Active Firewalld Zones

Understanding which zones are active on your Firewalld installation provides a solid foundation for managing your firewall configurations. You can retrieve this information with the following command:

sudo firewall-cmd --get-active-zones

This command prompts Firewalld to list all active zones, each accompanied by its associated network interfaces.

Displaying Default Zone

To view the default zone configured in your Firewalld, execute the following command:

sudo firewall-cmd --get-default-zone

The output from this command specifies the default zone, which is crucial for understanding the default security policies and services applied to incoming network connections.

Changing the Default Zone

To change the default zone, use the following command:

sudo firewall-cmd --set-default-zone=your_zone_name

By replacing your_zone_name with the actual zone name, you alter the default zone of your Firewalld installation.

Listing Services in a Zone

You often need to know which services a specific zone permits. You can achieve this using:

sudo firewall-cmd --zone=your_zone_name --list-services

Just replace your_zone_name with the name of the zone for which you want to list the allowed services.

Adding a Service to a Zone

To add a new service to a zone, use the following command:

sudo firewall-cmd --zone=your_zone_name --add-service=your_service_name

With this command, your_service_name is added to your_zone_name. Be sure to replace these placeholders with your actual service and zone names.

Advanced Firewalld Commands and Scenarios

Firewalld offers a comprehensive suite of advanced commands and features that provide granular control over your firewall settings. Let’s delve into these commands, equipping you with the necessary knowledge to handle complex scenarios that may arise in your network management tasks.

Advanced Firewall Management with Firewalld

Defining a New Service

If you run a custom application on a specific port not listed in the predefined services, you can define that service yourself.

Use the following command to do this:

sudo firewall-cmd --permanent --new-service=myservice

Subsequently, you can add settings for your custom service. For instance, to set a short and descriptive name for the service:

sudo firewall-cmd --permanent --service=myservice --set-short="My Custom Service"

Adjusting Default Zone

When an incoming connection doesn’t have a specific zone defined, the system uses the default zone. You can modify the default zone to meet your needs.

sudo firewall-cmd --set-default-zone=home

This command sets the default zone to ‘home’. Ensure to replace ‘home’ with the desired zone based on your network environment and security requirements.

Creating a Custom Zone

If the predefined zones don’t meet your needs, you can create a custom zone:

sudo firewall-cmd --permanent --new-zone=customzone

After creating the zone, you can modify it by adding or removing services, ports, etc., to match your specifications.

Enabling Masquerading

You commonly use masquerading when your system serves as a gateway or router for other systems in your network. To enable masquerading in a specific zone, use:

sudo firewall-cmd --zone=public --add-masquerade

Remember, replace ‘public’ with the zone you want to enable masquerading.

Forwarding Ports

Firewalld also allows you to forward a specific port to another. This can be beneficial in numerous scenarios, such as when running services on non-standard ports:

sudo firewall-cmd --zone=public --add-forward-port=port=5000:proto=tcp:toport=80

This command forwards all incoming TCP connections from port 5000 to port 80 in the ‘public’ zone.

These examples represent only a tiny subset of Firewalld’s advanced capabilities. Many more commands and options are available depending on your specific networking and security needs. For more information, refer to Firewalld’s official documentation or use the ‘man’ command.

Troubleshooting Firewalld Issues

Managing firewalls can sometimes be complex, and you might encounter issues. However, Firewalld provides a comprehensive set of troubleshooting tools and techniques to help resolve such challenges. This section will guide you in diagnosing and fixing common firewall issues.

Investigating Firewalld Issues

Checking Firewalld Status

To diagnose any Firewalld issue, first check the service status with the following command:

sudo systemctl status firewalld

This command provides information about the Firewalld service status, whether it’s active, and if it encountered any errors during startup.

Reviewing Firewalld Logs

You can find invaluable information in the Firewalld logs when you troubleshoot issues. By default, Firewalld logs events to the system journal, which you can access using:

sudo journalctl -u firewalld

This command will output the Firewalld-related logs, helping you pinpoint errors or unusual behavior.

Verifying Configuration

Firewalld maintains its configuration files in the /etc/firewalld/ directory. If you encounter issues, it’s a good practice to verify these configuration files for any errors or discrepancies:

sudo less /etc/firewalld/firewalld.conf

This command allows you to view the main Firewalld configuration file.

Resolving Common Firewalld Issues

Issue: Firewalld not Responding to Commands

Sometimes, Firewalld might not react to your commands. An excellent initial action is to reload Firewalld. You can do this with the following command:

sudo firewall-cmd --reload

This command reloads the Firewalld configuration from the disk and discards all unsaved temporary changes. However, it doesn’t remove all the firewall rules.

Issue: Need to Reset Firewalld to Defaults

If you want to reset all the settings to default and remove all the custom rules, you should use the --complete-reload option. Please note that using this option will remove all runtime and permanent configurations and replace them with the default set of rules.

sudo firewall-cmd --complete-reload

Issue: Need to Remove a Specific Rule

To remove a specific rule, you need to use the --remove command. For instance, if you want to remove the HTTP service from the public zone in the permanent configuration, the command would be:

sudo firewall-cmd --permanent --zone=public --remove-service=http

Issue: The firewall Rule is Not Working

If a firewall rule doesn’t appear to function, often the reason is that someone didn’t set the rule to be permanent. A non-permanent rule works only for the current session. Once someone reboots the system, the rule disappears. To ensure the rule stays, include the --permanent flag when you create the rule.

Issue: Zone Configuration Not Working as Expected

Understanding zones and how they interact with interfaces and services is crucial when working with Firewalld. Here are a few scenarios that might occur and how to address them.

Scenario: You Didn’t Assign the Interface to the Correct Zone

Imagine you create a new zone called ‘internal’ for your internal network and set up specific rules and services for it. But the system isn’t applying these rules. A likely reason might be that you didn’t assign the intended interface to the ‘internal’ zone.

To see which interfaces are associated with a zone, use this command:

sudo firewall-cmd --zone=internal --list-interfaces

If the output doesn’t include your intended interface, you can assign it using the command:

sudo firewall-cmd --zone=internal --add-interface=eth1

This command adds the ‘eth1’ interface to the ‘internal’ zone.

Scenario: The Zone Doesn’t Enable the Service

Imagine you have a ‘dmz’ zone and want to permit HTTP traffic. But, the traffic isn’t passing. This might happen if you haven’t enabled the HTTP service in the ‘dmz’ zone.

To see if a zone has a service enabled, enter:

sudo firewall-cmd --zone=dmz --query-service=http

If the service isn’t active, activate it with:

sudo firewall-cmd --zone=dmz --add-service=http

This command turns on the HTTP service in the ‘dmz’ zone.

Include the –permanent flag in the commands to make these modifications last after restarting. Always link your interfaces with the proper zones and activate the necessary services.


In this comprehensive guide, we’ve walked you through the installation of Firewalld on Debian, including versions 12, 11, and 10. We’ve explored the fundamentals of Firewalld, its zone and service configurations, and provided you with basic and advanced command examples. Moreover, we’ve addressed some common troubleshooting scenarios you might encounter while working with Firewalld. Following this guide, you should be well-equipped to utilize Firewalld to manage and secure your server’s firewall settings effectively. We encourage you to continually experiment and refine your knowledge, as mastering Firewalld will provide you with a robust set of tools to maintain a secure and well-organized network environment.

Useful Links

Here are some valuable links related to using Firewalld on a Debian system:

  • Firewalld Official Website: Visit the official Firewalld website for information about the dynamic firewall manager, its features, and download options.
  • Firewalld Documentation: Access comprehensive documentation for detailed guides on installing, configuring, and using Firewalld.
  • Firewalld Community: Join the Firewalld community to connect with other users, participate in discussions, and get support.
  • Firewalld GitHub Repository: Explore the Firewalld GitHub repository to view the source code, report issues, and contribute to the development.

These links provide additional information and resources to help you effectively use Firewalld on your Debian system.

Share This Post:

FacebookXRedditLinkedInTumblrEmailTelegramWhatsAppPinterestHacker NewsMastodonPocketVKFlipboardCopy

You may also like:

  1. How to Install Memcached on Debian 12, 11 or 10
  2. How to Install Redis on Debian 12, 11 or 10
  3. How to Install Jellyfin Media Server on Debian 12, 11 or 10
  4. How to Install Fail2ban on Debian 12, 11 or 10
  5. How to Install WordPress with LAMP on Debian 12, 11 or 10
  6. How to Install Docker CE on Debian 12, 11, or 10
  7. How to Install PostgreSQL 15 on Debian 12, 11 or 10
  8. How to Install MySQL 8.0 on Debian
  9. How to Install Apache on Debian 12, 11 or 10
  10. How to Set Timezone on Debian 12, 11 or 10
How to Install Firewalld on Debian 12, 11 or 10 - LinuxCapable (2024)


How to install firewalld in Debian 11? ›

Install and Configure Firewalld on Debian 10/11
  1. Install Firewalld on Debian 11 / Debian 10. ...
  2. 1 — List all firewall rules configured. ...
  3. 2 — List services that can be enabled/disabled. ...
  4. 3 — Enable service / List of services. ...
  5. 4 — Enable TCP port. ...
  6. 5 — Create a new zone. ...
  7. 6 — Enable service/port on a specific zone.
Nov 10, 2022

How to install firewall on Debian 12? ›

You can install it by running the following command:
  1. sudo apt update sudo apt install ufw. Enabling UFW. ...
  2. sudo ufw default deny incoming sudo ufw default allow outgoing. Allowing Specific Ports. ...
  3. sudo ufw allow 80/tcp. Denying and Deleting Rules. ...
  4. sudo ufw delete allow [port_number] Advanced Configuration.
Jan 16, 2024

What is the default firewall in Debian 12? ›

nftables is the default and recommended firewalling framework in Debian, and it replaces the old iptables (and related) tools. What is nftables?

How to install firewalld in Linux? ›

Getting Started
  1. Enable Firewalld to start upon boot: sudo systemctl enable firewalld.
  2. Ensure Firewalld is running: sudo firewall-cmd --state.
  3. If UFW is installed, disable it to make Firewalld your primary firewall: ...
  4. Open the https service: ...
  5. Reload Firewalld to apply your changes: ...
  6. Ensure your changes were applied:
Mar 21, 2024

How to enable firewall in Debian 11? ›

This tutorial will show you how to set up a firewall with UFW on Debian 11.
  1. Prerequisites.
  2. Step 1 – Installing UFW.
  3. Step 2 — Using IPv6 with UFW (Optional)
  4. Step 3 — Setting Up Default Policies.
  5. Step 4 — Allowing SSH Connections.
  6. Step 5 — Enabling UFW.
  7. Step 6 — Allowing Other Connections.
  8. Step 7 — Denying Connections.
Sep 30, 2022

How to configure firewall in Linux step by step? ›

Configuration Steps (Web-based Interface)
  1. Navigate to Firewall → Rules → LAN (or whichever interface you wish to set a rule for).
  2. Click the + sign to add a new rule.
  3. Fill out the details, such as source, destination, ports, and action (Allow/Deny).
  4. Click Save and then Apply Changes.
Jun 24, 2024

Does Debian 12 come with firewalls? ›

The Debian installation comes with a default firewall, iptables, configured to allow all traffic.

Does Debian 10 have a firewall? ›

WARNING: nftables is the default firewall framework since Debian 10 Buster.

How do I know if my firewall is enabled in Debian? ›

At any time, you can check the status of UFW with this command: sudo ufw status verbose.

Which is better, firewalld or ufw? ›

For simple rules, I prefer UFW since it's much simpler but it's true that it quickly becomes hard to read and write, at least for me. Firewalld is also much better documented so it's easy to figure it out in case you don't use it often or need something specific.

Why is Linux firewall disabled by default? ›

There is generally no reason to enable a firewall on a default Linux install. Unlike Windows which has many running services listening for incoming connections that cannot be stopped, Linux has very few - I can think of one: avahi-daemon which is a network discovery name service.

What is the default shell in Debian 11? ›

Debian uses Bash as the default interactive shell for normal user accounts (those with a UID ⩾ 1000).

Which command is used to configure firewalld? ›

Firewalld is the daemon's name that maintains the firewall policies. Use the firewall-cmd command to interact with the firewalld configuration.

How to check firewalld in Linux? ›

This operates separately from stop / inactive status above.
  1. Check Firewalld status: systemctl status firewalld. ...
  2. Disable Firewalld from starting at boot: systemctl disable firewalld.
  3. Confirm Firewalld is disabled: systemctl status firewalld.
  4. Enable Firewalld once desired: systemctl enable firewalld.
Dec 1, 2023

Which is better, firewalld or iptables? ›

Iptables is a little more complicate to use, but UFW simplifies it. Firewalld is easy to use for basic rules but can be complicated if we need to manage some advanced rules. The major difference between then is the notion of zone, firewalld work with zone. By default, All rules are applied in the default zone.

How to install programs in Debian 11? ›

The recommended way to install new software on Debian, is to use Package Management tools to install packages from the official repositories. These repositories should contain most of the software you will want to install, allowing you not to rely on external sources.

How to install Apache in Debian 11? ›

Steps to Install Apache Web Server in Linux
  1. Step 1: Update Your System. sudo apt update && sudo apt upgrade. ...
  2. Step 2: Install Apache Web Server. sudo apt install apache2 -y. ...
  3. Step 3: Enable the Services. sudo systemctl enable apache2. ...
  4. Step 4: Test the Server by Hosting Simple Website. ...
  5. Step 5: Enable the site.
Jun 12, 2024

How to install on Debian 11? ›

How to Install Debian 11
  1. Step 1: Download Debian 11 ISO file.
  2. Step 2: Create a bootable USB.
  3. Step 3: Boot settings.
  4. Step 4: Install Debian 11.
  5. Step 5: Start the installation.
  6. Step 6: After installation is complete, login and desktop screen.
Oct 8, 2022

How to install Eclipse on Debian 11? ›

Method 1: Install Eclipse IDE using the Installer Package.
  1. Step 1: Downloading installer package. Go to Eclipse's official website and download the installer package for Linux.
  2. Step 2: Extract installer package. After download finishes. ...
  3. Step 3: Install Eclipse using installer. ...
  4. Step 4: Launching Eclipse.
Jun 5, 2024

Top Articles
Latest Posts
Article information

Author: Neely Ledner

Last Updated:

Views: 5640

Rating: 4.1 / 5 (62 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Neely Ledner

Birthday: 1998-06-09

Address: 443 Barrows Terrace, New Jodyberg, CO 57462-5329

Phone: +2433516856029

Job: Central Legal Facilitator

Hobby: Backpacking, Jogging, Magic, Driving, Macrame, Embroidery, Foraging

Introduction: My name is Neely Ledner, I am a bright, determined, beautiful, adventurous, adventurous, spotless, calm person who loves writing and wants to share my knowledge and understanding with you.