
How to Set Up a Firewall with UFW on Debian?

Debian, commonly known as Debian GNU/Linux, is one of the oldest Linux-based operating systems. It is developed by the community-supported Debian Project, which was founded by Ian Murdock in 1993. Many other distributions, including Ubuntu, are based on Debian. Debian releases a new stable branch roughly every two years. Each release is supported by the Debian security team for around three years, including updates for major security and usability issues, and the Long Term Support effort extends security support to a total of five years per release.

For access control, Debian includes the Netfilter packet filtering framework built into the Linux kernel, together with iptables, the userspace tool used to configure it. When a packet arrives at the server, the Netfilter hooks in the kernel accept, manipulate, or reject it according to the rules loaded from userspace with iptables. On Debian 10 and later the iptables command is the iptables-nft variant, which stores its rules in the nftables backend; this does not affect ufw, which drives the iptables command line.

'iptables' is a highly configurable and adaptable firewall solution. Learning its concepts well enough to become an iptables expert, on the other hand, may be cumbersome. Because configuring an iptables firewall is difficult for an average user, many iptables frontend applications have been developed.

The Uncomplicated Firewall (ufw) is an iptables frontend application that includes a framework for managing netfilter and a command-line interface (CLI) for interacting with the firewall. It is particularly useful for host-based firewalls. ufw not only provides an easy-to-use interface for those unfamiliar with firewall concepts, but it also simplifies complex iptables instructions to assist an experienced system administrator.

To defend Debian servers from cyber threats, it is common to configure 'ufw' as a host-based firewall. The Debian server can also be configured as a firewalling and routing platform for networks, especially small business (SMB) and home networks, with the help of 'ufw'.

In this article, we'll explain how to install The Uncomplicated Firewall (ufw) on a Debian 10/11 server and use the 'Zenarmor' to enable next-generation firewall features like content and application filtering.

What are the Requirements to Install a Firewall on Debian 10/11 with UFW?

To follow the Uncomplicated Firewall (ufw) configuration tutorial you will need:

  • A Debian 10 Buster or Debian 11 Bullseye Server and
  • Privileged access to your Debian system as root or via the sudo command. The best practice is to run administrative commands as a sudo user.
danger

All given commands are to be executed with root privileges either directly as a root user or by use of the sudo command.

What are the Steps to Install a Firewall with UFW on Debian 10/11?

You can easily set up a host-based firewall by configuring the UFW on your Debian server. UFW installation and configuration steps are given below:

1. UFW Installation

Unlike Ubuntu, a standard Debian installation does not include ufw, so you will usually have to install the package yourself. If ufw is not already present on your system, install it by following the instructions below:

  1. Update your local package index (and, optionally, upgrade the installed packages) by running the next command:
sudo apt update && sudo apt upgrade -y
  2. Install the ufw package by running the following command:
sudo apt install ufw -y

The output should look something like this:

Reading package lists... Done

Building dependency tree

Reading state information... Done

The following NEW packages will be installed:

ufw

0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Need to get 0 B/164 kB of archives.

After this operation, 852 kB of additional disk space will be used.

Preconfiguring packages ...

Selecting previously unselected package ufw.

(Reading database ... 158348 files and directories currently installed.)

Preparing to unpack .../archives/ufw_0.36-1_all.deb ...

Unpacking ufw (0.36-1) ...

Setting up ufw (0.36-1) ...
Creating config file /etc/ufw/before.rules with new version
Creating config file /etc/ufw/before6.rules with new version
Creating config file /etc/ufw/after.rules with new version
Creating config file /etc/ufw/after6.rules with new version
Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service → /lib/systemd/system/ufw.service.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for rsyslog (8.1901.0-1) ...
Processing triggers for systemd (241-7~deb10u8) ...

2. UFW Uninstallation

You can uninstall the ufw package from your Debian server by running the following command:

sudo apt autoremove ufw --purge -y

The output should look something like this:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:

ufw*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 852 kB disk space will be freed.
(Reading database ... 158456 files and directories currently installed.)
Removing ufw (0.36-1) ...
Skip stopping firewall: ufw (not enabled)
Processing triggers for man-db (2.8.5-2) ...
(Reading database ... 158363 files and directories currently installed.)
Purging configuration files for ufw (0.36-1) ...
Processing triggers for systemd (241-7~deb10u8) ...
Processing triggers for rsyslog (8.1901.0-1) ...
caution

It is not recommended to remove the UFW from a server that is accessible from the Internet if you don't know how to use iptables or have a reasonable alternative.

3. Enable UFW

By default, ufw is disabled on Debian 10/11 server.

tip

ufw allows you to add rules before enabling the firewall. Therefore, if you are remotely connected to your server using ssh, you should run the following:

sudo ufw allow proto tcp from any to any port 22

The output should look something like this:

Rule added
Rule added (v6)

The ssh port will be open after the firewall is enabled.

To enable the ufw, run the following command below:

sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

After running the above command, the firewall is active and will also be started at boot. By default, all incoming traffic is blocked and all outgoing traffic is permitted once the firewall is operational, so nobody can reach the server remotely except on the ports you have explicitly allowed.

caution

Please beware that to be able to log in to your server you must explicitly allow incoming SSH connections before enabling the UFW firewall.

You may verify the status of UFW to make sure it is active without any error by running the next command:

sudo ufw status

This will display the output similar to given below:

Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)

4. Checking the Status and Rules of the UFW

To check the firewall status and ufw rules, you may run the following command:

sudo ufw status verbose

To view the ufw rules with their sequence numbers, you may run the next command:

sudo ufw status numbered

The output should look something like this:

Status: active

To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 22/tcp (v6) ALLOW IN Anywhere (v6)

5. Configuring UFW Default Policies

By default, UFW blocks all incoming network packets while allowing all outgoing packets. As a result, unless you explicitly open a service port, no one can connect to your server, whereas all applications running on your server will be able to communicate with the outside world.

The default policies are stored in the /etc/default/ufw file (the DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY and DEFAULT_FORWARD_POLICY settings). You may change them by running the next command:

sudo ufw default allow|deny|reject [incoming|outgoing|routed]

Blocking all outgoing connections by default and allowing only approved outbound traffic is the stronger posture for a server, because it limits what a compromised process can reach. You can accomplish this by issuing the following command:

sudo ufw default deny outgoing
danger

After this change every legitimate outbound connection must be covered by an explicit allow out rule: DNS (53), NTP (123/udp), the HTTP/HTTPS ports used by apt, and any monitoring, mail or backup destinations. Add those rules before switching the default, or the next apt update will hang.

6. Managing UFW Application Profiles

Application profiles live in the /etc/ufw/applications.d directory. The ufw package ships profiles for common services there, and packages installed with 'apt' may add a profile describing their own service and the ports it uses.

The syntax for application profiles is simple, using the .INI file format:

[`<name>`]
title=`<title>`
description=`<description>`
ports=`<ports>`

The ports field is a |-separated list of port specifications, each optionally followed by /tcp or /udp; a bare port without a protocol means both TCP and UDP. A single specification may also list several ports separated by commas, or give a range as start:end, in which case the protocol is required.
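As an added example (not code from the ufw project or from this page), the following Python parser reads profiles in the format just described and expands the ports field into concrete port ranges, rejecting the combinations ufw itself does not accept. The sample profile text is constructed for this example: 'WWW Full' mirrors the profile shipped with ufw, while 'Example App' is a hypothetical profile that exercises the | separator, a bare port and a range with a protocol.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample in the /etc/ufw/applications.d format. "WWW Full" mirrors
# the profile shipped with ufw; "Example App" is a hypothetical profile that
# uses the '|' separator, a bare port (tcp and udp) and a range with protocol.
SAMPLE_PROFILES = """\
[WWW Full]
title=Web Server (HTTP,HTTPS)
description=Web Server (HTTP,HTTPS)
ports=80,443/tcp

[Example App]
title=Hypothetical service
description=Control port on TCP and UDP, data range on UDP
ports=5000|6000:6005/udp
"""

PROTOCOLS = ("tcp", "udp")
PortRange = Tuple[int, int, str]  # (first_port, last_port, protocol)


class ProfileError(ValueError):
    """Raised for a ports field that ufw itself would refuse."""


def _port(text: str, item: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ProfileError(f"{item!r}: bad port {text!r}")
    return int(text)


def parse_ports_field(field: str) -> List[PortRange]:
    """Expand a 'ports=' value into (first, last, proto) tuples.

    Items are separated by '|'. Each item is PORTSPEC or PORTSPEC/PROTO, where
    PORTSPEC is one port, a comma list, or a start:end range. Lists and ranges
    are only valid with a protocol; a bare port means both tcp and udp.
    """
    ranges: List[PortRange] = []
    for item in field.split("|"):
        item = item.strip()
        if not item:
            raise ProfileError("empty item in ports field")
        spec, sep, proto = item.partition("/")
        if sep and proto not in PROTOCOLS:
            raise ProfileError(f"{item!r}: unknown protocol {proto!r}")
        if ("," in spec or ":" in spec) and not sep:
            raise ProfileError(f"{item!r}: port lists and ranges need a protocol")
        protos = (proto,) if sep else PROTOCOLS
        for part in spec.split(","):
            lo, colon, hi = part.partition(":")
            first = _port(lo, item)
            last = _port(hi, item) if colon else first
            if last < first:
                raise ProfileError(f"{item!r}: range end is before its start")
            ranges.extend((first, last, p) for p in protos)
    return ranges


def load_profiles(text: str) -> Dict[str, dict]:
    """Parse profile text (one or more [sections]) into a dict keyed by name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles: Dict[str, dict] = {}
    for name in cp.sections():
        section = cp[name]
        for key in ("title", "description", "ports"):
            if key not in section:
                raise ProfileError(f"profile {name!r} is missing {key!r}")
        profiles[name] = {
            "title": section["title"],
            "description": section["description"],
            "ports": parse_ports_field(section["ports"]),
        }
    return profiles


def covers(profile: dict, port: int, proto: str) -> bool:
    """True if allowing this profile would open the given port/protocol."""
    return any(lo <= port <= hi and p == proto for lo, hi, p in profile["ports"])


if __name__ == "__main__":
    for name, prof in load_profiles(SAMPLE_PROFILES).items():
        print(f"{name}: {prof['ports']}")
```

To check a real profile, read the file from /etc/ufw/applications.d into load_profiles instead of SAMPLE_PROFILES; covers() then answers the question "would allowing this profile open port X?" without consulting the firewall.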

To list all application profiles available on your server run the following command:

sudo ufw app list

Depending on the applications installed on your system, the output will look something like this:

Available applications:
AIM
Bonjour
CIFS
DNS
Deluge
IMAP
IMAPS
IPP
KTorrent
Kerberos Admin
Kerberos Full
Kerberos KDC
Kerberos Password
LDAP
LDAPS
LPD
MSN
MSN SSL
Mail submission
NFS
OpenSSH
POP3
POP3S
PeopleNearby
SMTP
SSH
Socks
Telnet
Transmission
Transparent Proxy
VNC
WWW
WWW Cache
WWW Full
WWW Secure
XMPP
Yahoo
qBittorrent
svnserve

To view details of the firewall profile for a specific application, run the following command:

sudo ufw app info '<name>'

where <name> is one of the apps listed by the app list command.

For example, you may view the details on the firewall profile for WWW Full by running the following command:

sudo ufw app info 'WWW Full'

And, the output may be similar to this:

Profile: WWW Full
Title: Web Server (HTTP,HTTPS)
Description: Web Server (HTTP,HTTPS)

Ports:
80,443/tcp

You may also see profiles for all known applications with the following command:

sudo ufw app info all

This is a useful feature when you're looking into open ports on your server and aren't sure what applications they belong to or what the application does.

When the default port of an application is changed, edit the application profile file accordingly. After editing a profile, run the following command so that ufw picks up the new profile information:

sudo ufw app update '<name>'

If you enter 'all' for the name, all profiles will be updated.

7. Enabling IPv6

UFW supports both IPv4 and IPv6. On Debian, IPv6 handling is enabled by default through the IPV6=yes setting in /etc/default/ufw, and every rule you add without an address is then installed for both address families (the (v6) entries in the status output). If that setting is no, ufw does not manage ip6tables at all and IPv6 traffic reaches your services unfiltered, so on a dual-stack host verify it with the steps below:

  1. Edit the /etc/default/ufw file with your favorite editor, such as vi or nano.
  2. Find the IPV6 line and make sure it reads IPV6=yes.
  3. Save and close the file.
  4. Activate the change on the /etc/default/ufw file by reloading ufw:
sudo ufw reload

8. Allow SSH Connections

To configure your UFW firewall to allow incoming SSH connections, you may run one of the following commands:

sudo ufw allow ssh

or

sudo ufw allow 22

The name form looks the service up in /etc/services and opens the protocol(s) listed there; the bare port form opens port 22 for both TCP and UDP. Appending /tcp to a port number keeps the rule as narrow as the service needs.

If you have configured a custom listening port for SSH other than the default port 22, allow that port instead:

sudo ufw allow <port-number>

For instance, if your SSH service runs on port 2222, run the following command to allow connections on that port (again, a /tcp suffix is preferable):

sudo ufw allow 2222

Now, your firewall is configured to allow incoming SSH connections, you can enable it by running:

sudo ufw enable

You will be warned that enabling the firewall may disrupt existing ssh connections, just type y and press Enter

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Limiting SSH connections

ufw supports connection rate limiting, which is useful against brute-force login attacks. When you add a limit rule for SSH, ufw allows the connections normally but denies further ones from an address that has initiated 6 or more new connections within 30 seconds. To rate-limit SSH connections, type the following command:

sudo ufw limit ssh/tcp

9. Allowing Additional Connections

UFW can be configured to open specific ports, allowing specific services on your server to be accessed from the outside. UFW Rules can be specified using either

  • a simple syntax or
  • a full syntax.

The simple syntax specifies only a port (or a service name from /etc/services) and, optionally, the protocol to be allowed or denied. The general simple syntax for an allow rule is:

sudo ufw allow <port-number>[/<protocol>]

The full syntax additionally lets you specify the direction and interface, the protocol, and the source and destination addresses, ports or application profiles. The general full syntax for an allow rule is given below:

sudo ufw allow [in|out [on INTERFACE]] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME ]] [to ADDRESS [port PORT | app APPNAME ]] [comment COMMENT]

You can also add comments to your firewall rules using the 'comment' parameter to help explain your entry.

In this section, we will begin with simple syntax examples for connecting to the most common services, such as HTTP(S) and FTP. Then, for experienced administrators, we will go over the UFW full syntax usage.

Open FTP Service Port (20:21/TCP)

To allow incoming FTP control connections, open port 21. Port 20 is the source port of active-mode data connections, which the server opens outbound and which the default allow-outgoing policy already permits; opening it inbound as well is harmless but rarely needed:

sudo ufw allow 21/tcp
sudo ufw allow 20/tcp

Most clients today use passive mode, in which the server listens on a high port range for data connections. That range is set in the FTP server configuration and must be opened with a port-range rule (see section 10). Remember also that plain FTP sends credentials in cleartext; prefer SFTP over SSH or FTPS where you can.

Open MySQL Service Port (3306/TCP)

To allow incoming MySQL connections, run one of the following commands.

  1. To allow by service name (resolved through /etc/services), run the following command:
sudo ufw allow mysql
  2. To allow by port number and protocol, run the following command:
sudo ufw allow 3306/tcp

Open HTTPS Service Port (443)

HTTPS connections can be allowed with one of the following commands.

  1. To allow by service name, run the following command:
sudo ufw allow https
  2. To allow by port number and protocol, run the following command:
sudo ufw allow 443/tcp
  3. To allow by application profile, using the WWW Secure profile shipped with ufw (it applies to any web server, NGINX included), run the following command:
sudo ufw allow 'WWW Secure'

Open HTTP Service Port (80)

HTTP connections can be allowed with one of the following commands.

  1. To allow by port number and protocol, run the following command:
sudo ufw allow 80/tcp
  2. To allow by service name, run the following command:
sudo ufw allow http
  3. To allow by application profile, using the WWW profile shipped with ufw (it applies to any web server, NGINX included), run the following command:
sudo ufw allow 'WWW'
tip

You can also enable both HTTP and HTTPS services by running the following command:

sudo ufw allow 'WWW Full'

Open DNS Service Port (53)

If you are running a DNS server on your Debian server, to allow your clients to send DNS queries to your server you must allow incoming DNS connections by running one of the following commands:

sudo ufw allow 53 comment 'DNS server'

or

sudo ufw allow dns comment 'DNS server'

These commands will allow TCP and UDP port 53 to any address on the server.

Open WireGuard Service Port(51820/UDP)

To allow WireGuard client connections to your WireGuard server, run the following command:

sudo ufw allow 51820/udp comment 'WireGuard VPN server'

Open OpenVPN Service Port (1194/UDP)

To allow VPN client connections to your OpenVPN server, run the following command:

sudo ufw allow 1194/udp comment 'OpenVPN server'

Open Email Service Ports

The ports used by the mail protocols are listed in the table below. All of them are TCP.

Server                          Port
SMTP (server to server)         25
SMTP submission (STARTTLS)      587
SMTPS (implicit TLS)            465
POP3                            110
POP3S                           995
IMAP                            143
IMAPS                           993

When you provide an email service on your Debian server, run the following commands to allow email connections. None of these protocols use UDP, so appending /tcp to each port opens only what is needed; the plain form shown here opens both TCP and UDP.

sudo ufw allow 25 comment 'allow smtp connections'
sudo ufw allow 587 comment 'allow smtp submission connections'
sudo ufw allow 465 comment 'allow smtps connections'
sudo ufw allow 995 comment 'allow pop3s connections'
sudo ufw allow 110 comment 'allow pop3 connections'
sudo ufw allow 143 comment 'allow imap connections'
sudo ufw allow 993 comment 'allow imaps connections'

10. Allowing Port Ranges

You can allow incoming connections for a range of ports using : between the port numbers. However, you must specify the protocol, either tcp or udp. For example,

sudo ufw allow 55100:55200/tcp

Also, you may allow multiple ports by using a comma , between the port numbers. For example,

sudo ufw allow 22,80,443/tcp

11. Allow Connections Only From a Trusted IP Address

You may need to allow the administrator to access the server without any restrictions. To allow access to all ports from an IP address, such as 10.10.10.100, specify from followed by the IP address you need to whitelist:

sudo ufw allow from 10.10.10.100

12. Allow Connections From a Trusted IP Address on Specific port

You may need to restrict connections from a specific IP address to a single port. For example, on your server, the MySQL service(3306) can only be accessed by the Application Server with the IP address 10.10.10.10. To accomplish this, run the following command:

sudo ufw allow from 10.10.10.10 to any port 3306

13. Allow Connections From Trusted Subnets

To grant access to all ports from a Subnet address, such as 10.10.0.0/24, enter from followed by the network address to whitelist. For example, you could grant users on the subnet 10.10.0.0/24 access to the FTP service by running the following command:

sudo ufw allow from 10.10.0.0/24 to any port 20:21 proto tcp

14. Allow Connections From a Specific Interface

ufw applies rules to all interfaces by default. You can restrict a rule to one interface by giving the DIRECTION followed by on and the interface name. The DIRECTION can be either:

  • in for incoming connections or
  • out for outgoing connections.

If you want to create a firewall rule that only applies to a specific network interface, enter allow in on followed by the network interface name.

To allow all new incoming HTTP connections on ens18, for example, use:

sudo ufw allow in on ens18 to any port 80 proto tcp

15. Denying Connections

If you haven't changed the default policy for incoming connections, UFW blocks all incoming connections unless you explicitly allow them. To deny access to a specific port explicitly, use the deny command and, optionally, the protocol:

sudo ufw deny <port>/<protocol>

For example, suppose you have an HTTP(S) web server that is publicly accessible from anywhere in the world, and you need to block connections from an untrustworthy IP address, such as 122.133.144.155, that is being used to attack it. ufw evaluates rules in the order they are listed and stops at the first match, so a deny rule appended after the existing allow rules for 80/tcp and 443/tcp would never be reached for web traffic. Insert the deny rule at the top of the list instead, with one of the following commands:

sudo ufw insert 1 deny from 122.133.144.155

or

sudo ufw insert 1 deny from 122.133.144.155 to any port 80,443 proto tcp

Check the placement with sudo ufw status numbered: the deny rule must appear above the allow rules it is meant to override.

If you change the default incoming policy to allow, you must define deny rules for every service or address you do not want to accept connections from. It is strongly advised, for example, to restrict access to your SSH port (22) to trusted IP addresses only: add an allow rule for each trusted address on port 22 (as in section 12) and then deny the port for everyone else with the following command. The order matters here too; the trusted allow rules must be listed before the deny rule:

sudo ufw deny ssh/tcp

16. Denying ICMP/Ping Request

ufw accepts ICMP by default: the rules in /etc/ufw/before.rules allow echo-request (ping) together with destination-unreachable, time-exceeded and parameter-problem, and the latter three are needed for path MTU discovery, traceroute and normal error reporting. If policy requires the host not to answer pings, change only the echo-request line; leaving the other three in place avoids breaking connectivity in hard-to-diagnose ways. To deny ping packets, take the following steps:

  1. Edit /etc/ufw/before.rules with your favorite editor, such as nano. The rules in this file are evaluated before any rules added via the ufw command.
  2. Find the echo-request line in the block shown below and change its target from ACCEPT to DROP (or comment the line out); keep the other three lines.
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
  3. For IPv6, make the same change to the icmpv6 echo-request line in /etc/ufw/before6.rules, otherwise the host still answers pings over IPv6.
  4. Save and close the file.
  5. To activate the changes, reload ufw by running the next command:
sudo ufw reload

17. Deleting Rules

You may delete the UFW rules from your Debian server in two different ways:

1. Rule Number

It's easier to delete UFW rules by rule number, especially if you're a novice user. To delete a rule by number, follow the next steps:

  • You must first find the number of the rule you wish to delete by typing the following command:
sudo ufw status numbered

You should see the output similar to the following:

Status: active
To Action From
-- ------ ----
[ 1] 22/tcp LIMIT IN Anywhere
[ 2] 2222 ALLOW IN Anywhere
[ 3] 21/tcp ALLOW IN Anywhere
[ 4] 20/tcp ALLOW IN Anywhere
[ 5] 3306 ALLOW IN Anywhere
[ 6] 3306/tcp ALLOW IN Anywhere
[ 7] 443/tcp ALLOW IN Anywhere
[ 8] WWW ALLOW IN Anywhere
[ 9] WWW Secure ALLOW IN Anywhere
[10] WWW Full ALLOW IN Anywhere
[11] 80/tcp ALLOW IN Anywhere
[12] 51820/udp ALLOW IN Anywhere # WireGuard VPN server
[13] 1194/udp ALLOW IN Anywhere # OpenVPN server
[14] 53 ALLOW IN Anywhere # DNS server
[15] DNS ALLOW IN Anywhere # DNS server
[16] 25 ALLOW IN Anywhere # allow smtp connections
[17] 587 ALLOW IN Anywhere # allow smtp submission connections
[18] 465 ALLOW IN Anywhere # allow smtps connections
[19] 995 ALLOW IN Anywhere # allow pop3s connections
[20] 110 ALLOW IN Anywhere # allow pop3 connections
[21] 143 ALLOW IN Anywhere # allow imap connections
[22] 993 ALLOW IN Anywhere # allow imaps connections
[23] 55100:55200/tcp ALLOW IN Anywhere
[24] 22,80,443/tcp ALLOW IN Anywhere
[25] Anywhere ALLOW IN 10.10.10.100
[26] 3306 ALLOW IN 10.10.10.10
[27] 20:21/tcp ALLOW IN 10.10.0.0/24
[28] Anywhere DENY IN 122.133.144.155
[29] 80,443/tcp DENY IN 122.133.144.155
[30] 22/tcp (v6) LIMIT IN Anywhere (v6)
[31] 2222 (v6) ALLOW IN Anywhere (v6)
[32] 21/tcp (v6) ALLOW IN Anywhere (v6)
[33] 20/tcp (v6) ALLOW IN Anywhere (v6)
[34] 3306 (v6) ALLOW IN Anywhere (v6)
[35] 3306/tcp (v6) ALLOW IN Anywhere (v6)
[36] 443/tcp (v6) ALLOW IN Anywhere (v6)
[37] WWW (v6) ALLOW IN Anywhere (v6)
[38] WWW Secure (v6) ALLOW IN Anywhere (v6)
[39] WWW Full (v6) ALLOW IN Anywhere (v6)
[40] 80/tcp (v6) ALLOW IN Anywhere (v6)
[41] 51820/udp (v6) ALLOW IN Anywhere (v6) # WireGuard VPN server
[42] 1194/udp (v6) ALLOW IN Anywhere (v6) # OpenVPN server
[43] 53 (v6) ALLOW IN Anywhere (v6) # DNS server
[44] DNS (v6) ALLOW IN Anywhere (v6) # DNS server
[45] 25 (v6) ALLOW IN Anywhere (v6) # allow smtp connections
[46] 587 (v6) ALLOW IN Anywhere (v6) # allow smtp submission connections
[47] 465 (v6) ALLOW IN Anywhere (v6) # allow smtps connections
[48] 995 (v6) ALLOW IN Anywhere (v6) # allow pop3s connections
[49] 110 (v6) ALLOW IN Anywhere (v6) # allow pop3 connections
[50] 143 (v6) ALLOW IN Anywhere (v6) # allow imap connections
[51] 993 (v6) ALLOW IN Anywhere (v6) # allow imaps connections
[52] 55100:55200/tcp (v6) ALLOW IN Anywhere (v6)
[53] 22,80,443/tcp (v6) ALLOW IN Anywhere (v6)
  • After viewing the numbered rule list, to delete the rule, such as with number 24, run the following command:
sudo ufw delete 24

The output should look something like this:

Deleting:
allow 22,80,443/tcp
Proceed with operation (y|n)? y
Rule deleted

Before it is deleted, you will be asked for confirmation. Type "y" and then "Enter" if you're sure. Type "n" to cancel the procedure if you make a mistake. Deleting a rule renumbers all rules after it, so when removing several rules by number, delete from the highest number down, or re-run the numbered listing between deletions.

2. Specifying the Actual Rule

You can also delete a rule by specifying the actual rule, for example, if you added a rule to open port 8080 you can delete it with the next command:

sudo ufw delete allow 8080
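The numbered listing in this section is also a convenient input for an audit. The following Python script is an added example, not part of this page or of ufw: it parses ufw status numbered output and reports deny rules that are shadowed by an earlier allow-from-Anywhere rule on the same ports (what happens when a deny is appended after the allow rules instead of being inserted above them, as discussed in section 15), sensitive ports that are allowed rather than limited from any source, and rules that open every port to a single host. The sample status text is constructed and shortened, and the set of "sensitive" ports is an assumption to adapt to your environment.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt in the format of `ufw status numbered` (shortened from the
# kind of listing shown above; not captured from a real host).
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 3306                       ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] Anywhere                   ALLOW IN    10.10.10.100
[ 6] 3306                       ALLOW IN    10.10.10.10
[ 7] Anywhere                   DENY IN     122.133.144.155
[ 8] 80,443/tcp                 DENY IN     122.133.144.155
[ 9] 51820/udp                  ALLOW IN    Anywhere                   # WireGuard VPN server
[10] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
"""

RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.+?)\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<dir>IN|OUT|FWD)\s+"
    r"(?P<frm>.+?)(?:\s+#\s*(?P<comment>.*))?$"
)


@dataclass
class Rule:
    num: int
    to: str
    action: str
    direction: str
    frm: str
    comment: Optional[str]
    ipv6: bool = field(init=False)
    to_any: bool = field(init=False)                   # "Anywhere" in the To column
    ports: List[Tuple[int, int]] = field(init=False)   # inclusive ranges; [] = all/unknown
    proto: Optional[str] = field(init=False)           # None = tcp and udp

    def __post_init__(self) -> None:
        self.ipv6 = "(v6)" in self.to or "(v6)" in self.frm
        spec = self.to.replace("(v6)", "").strip()
        self.to_any = spec == "Anywhere"
        spec, sep, proto = spec.partition("/")
        self.proto = proto if sep else None
        self.ports = []
        # Application profile names (e.g. "WWW Full") are not expanded here;
        # they keep ports == [] and therefore count as "may cover anything".
        if re.fullmatch(r"[\d,:]+", spec):
            for part in spec.split(","):
                lo, colon, hi = part.partition(":")
                self.ports.append((int(lo), int(hi) if colon else int(lo)))

    @property
    def any_source(self) -> bool:
        return self.frm.startswith("Anywhere")


def parse_status(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m["num"]), m["to"], m["action"],
                              m["dir"], m["frm"], m["comment"]))
    return rules


def _overlaps(a: Rule, b: Rule) -> bool:
    if a.proto and b.proto and a.proto != b.proto:
        return False
    if not a.ports or not b.ports:
        return True
    return any(lo1 <= hi2 and lo2 <= hi1
               for lo1, hi1 in a.ports for lo2, hi2 in b.ports)


def shadowed_denies(rules: List[Rule]) -> List[Tuple[int, List[int]]]:
    """DENY/REJECT IN rules that an earlier ALLOW/LIMIT-from-Anywhere rule already
    matches. ufw stops at the first matching rule, so such a deny never fires
    for the ports the earlier rule covers; it must be inserted above them."""
    findings = []
    for i, deny in enumerate(rules):
        if deny.action not in ("DENY", "REJECT") or deny.direction != "IN":
            continue
        earlier = [r.num for r in rules[:i]
                   if r.action in ("ALLOW", "LIMIT") and r.direction == "IN"
                   and r.ipv6 == deny.ipv6 and r.any_source and _overlaps(r, deny)]
        if earlier:
            findings.append((deny.num, earlier))
    return findings


def exposed_sensitive(rules: List[Rule],
                      sensitive: Tuple[int, ...] = (22, 3306, 5432, 6379)) -> List[int]:
    """Rules that ALLOW (not LIMIT) a sensitive port from any source (assumed list)."""
    return [r.num for r in rules
            if r.action == "ALLOW" and r.direction == "IN" and r.any_source
            and any(lo <= p <= hi for lo, hi in r.ports for p in sensitive)]


def all_ports_from_host(rules: List[Rule]) -> List[int]:
    """Rules that open every port to a single address (the 'admin host' pattern)."""
    return [r.num for r in rules
            if r.action == "ALLOW" and r.direction == "IN"
            and r.to_any and not r.any_source]


if __name__ == "__main__":
    rules = parse_status(SAMPLE_STATUS)
    for num, above in shadowed_denies(rules):
        print(f"rule {num} is shadowed by earlier allow rule(s) {above}")
    print("sensitive ports open to the world:", exposed_sensitive(rules))
    print("all ports open from one host:", all_ports_from_host(rules))
```

On the sample, rule 7 is reported as shadowed by rules 1 to 4 and rule 8 by rules 3 and 4, which is exactly the situation sudo ufw insert 1 fixes. To audit a real host, paste the captured output of sudo ufw status numbered into SAMPLE_STATUS; profile names in the To column are treated as unknown, so findings involving them err toward reporting and should be checked against ufw app info.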

18. UFW Disabling or Resetting

If you need to stop UFW and deactivate all the rules for any reason, use the following command:

sudo ufw disable

The output should look something like this:

Firewall stopped and disabled on system startup

If you need to re-enable UFW and activate all rules later, execute the following command:

sudo ufw enable

When you reset UFW, all active rules are deleted, the firewall is disabled, and the configuration is returned to its defaults (ufw keeps timestamped backups of the previous rules files in /etc/ufw). This is a good option if you want to undo all of your changes and start over. After a reset, re-add your SSH allow rule before enabling the firewall again, exactly as when enabling it for the first time.

Type the following command to reset UFW:

sudo ufw reset

19. UFW Logging

By default, ufw logs at the 'low' level. The messages are emitted by the kernel with a [UFW ...] tag and, on Debian with rsyslog, written to /var/log/ufw.log (they also appear in the journal). A higher level of logging may be required. The available levels, in increasing verbosity, are:

  • off: ufw-managed logging is disabled.
  • low: logs all blocked packets not matching the default policy (rate limited), plus packets matching rules that have logging enabled.
  • medium: level low plus all allowed packets not matching the default policy, all INVALID packets, and all new connections; all logging is rate limited.
  • high: level medium without rate limiting, plus all packets (with rate limiting).
  • full: level high without any rate limiting.

To set your UFW logging level, use the command below.

sudo ufw logging LEVEL

For example:

sudo ufw logging full

To enable logging for a specific rule, such as SSH, add the log keyword to the rule. log records new connections that match the rule, while log-all records every matching packet.

sudo ufw allow log 22/tcp

To disable the UFW logging feature, you may run the following command:

sudo ufw logging off
caution

Above medium log levels, a large amount of logging output is generated, quickly filling up your disk. The log level medium may generate a large amount of logging output on a busy system.
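The following Python script is an added example (not from ufw or from this page) of reading /var/log/ufw.log lines of the kind described above. It parses the kernel log format ufw uses, counts blocked packets per destination port, lists sources that tripped a limit rule (logged as [UFW LIMIT BLOCK]), and flags any source that sent six or more blocked SYNs to one port within 30 seconds, the same threshold the limit feature in section 8 enforces. The log lines are constructed for this example from RFC 5737 documentation addresses, a made-up hostname and a fixed MAC field.

```python
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?\[UFW (?P<event>[A-Z ]+?)\] (?P<fields>.*)$"
)


@dataclass
class Event:
    ts: datetime
    event: str           # BLOCK, ALLOW, LIMIT BLOCK, AUDIT ...
    iface: str
    src: str
    dst: str
    proto: Optional[str]
    dpt: Optional[int]
    syn: bool            # TCP SYN flag present, i.e. a new connection attempt


def parse_line(line: str, year: int) -> Optional[Event]:
    """Parse one ufw.log line; `year` is needed because syslog timestamps omit it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())          # collapse "Mar  3" to "Mar 3"
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in m["fields"].split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val                    # IN=ens18, SRC=..., DPT=22 ...
        else:
            flags.add(tok)                       # DF, SYN, ACK ... (bare tokens)
    return Event(ts, m["event"], fields.get("IN", ""), fields["SRC"], fields["DST"],
                 fields.get("PROTO"), int(fields["DPT"]) if "DPT" in fields else None,
                 "SYN" in flags)


def parse_log(text: str, year: int) -> List[Event]:
    return [ev for ev in (parse_line(l, year) for l in text.splitlines()) if ev]


def find_probing_sources(events: List[Event], window_s: int = 30,
                         threshold: int = 6) -> Dict[Tuple[str, int], int]:
    """Sources with >= threshold blocked SYNs to one port inside a sliding window.
    The defaults mirror the 6-per-30-seconds rule that `ufw limit` enforces."""
    recent: Dict[Tuple[str, int], deque] = defaultdict(deque)
    hits: Dict[Tuple[str, int], int] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event != "BLOCK" or not ev.syn or ev.dpt is None:
            continue
        key = (ev.src, ev.dpt)
        q = recent[key]
        q.append(ev.ts)
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            hits[key] = max(hits.get(key, 0), len(q))
    return hits


def rate_limited_sources(events: List[Event]) -> Set[str]:
    """Addresses that tripped a LIMIT rule (logged as [UFW LIMIT BLOCK])."""
    return {ev.src for ev in events if ev.event == "LIMIT BLOCK"}


def blocked_by_port(events: List[Event]) -> Counter:
    return Counter(ev.dpt for ev in events if ev.event == "BLOCK" and ev.dpt is not None)


MAC = "52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00"   # constructed, fixed for every line


def _line(sec: int, event: str, src: str, dpt: int, spt: int, ident: int) -> str:
    """Build one constructed log line in the format rsyslog writes to /var/log/ufw.log."""
    return (f"Mar  3 10:15:{sec:02d} web1 kernel: [ 1234.{sec:06d}] [UFW {event}] IN=ens18 OUT= "
            f"MAC={MAC} SRC={src} DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID={ident} DF "
            f"PROTO=TCP SPT={spt} DPT={dpt} WINDOW=64240 RES=0x00 SYN URGP=0")


# Constructed sample: six SYNs to 3306 from one host within 25 s, one
# rate-limited SSH attempt, one allowed HTTPS connection, one stray telnet probe.
SAMPLE_LOG = "\n".join(
    [_line(1 + 5 * i, "BLOCK", "203.0.113.9", 3306, 40001 + i, i + 1) for i in range(6)]
    + [_line(40, "LIMIT BLOCK", "198.51.100.77", 22, 50123, 7),
       _line(45, "ALLOW", "198.51.100.5", 443, 51000, 8),
       _line(50, "BLOCK", "203.0.113.50", 23, 52000, 9)])


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG, year=2023)
    print("blocked packets per port:", dict(blocked_by_port(events)))
    print("rate-limited sources:", rate_limited_sources(events))
    for (src, port), n in find_probing_sources(events).items():
        print(f"{src} sent {n} blocked SYNs to port {port} within 30 s")
```

For a real host, feed the contents of /var/log/ufw.log (with the correct year) to parse_log; at the default 'low' level only blocked packets and explicitly logged rules appear, so the ALLOW line in the sample would only be present for rules created with the log keyword or at level medium and above.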

20. Testing UFW Rules

To test your UFW rules, use the '--dry-run' option. It prints the iptables rules that ufw would apply without changing anything, which is useful when tinkering with firewall settings. For example, the following command shows the rule set that enabling the firewall would load:

sudo ufw --dry-run enable

Is Debian Secure by Default?

Debian is conservative by default: a standard installation runs few network services, security issues are handled transparently with information made available to the public, and the Debian security team supports the stable branch.

Debian Security Advisories use Common Vulnerabilities and Exposures (CVE) identifiers and are typically published on the same day that a vulnerability is publicly disclosed.

The Debian project provides guidance and tools for hardening a Debian system, which you can apply automatically or manually. AppArmor, a Linux kernel security module that lets the administrator confine programs with per-program profiles, is supported and enabled by default. Debian also includes an optional hardening wrapper. While not all of its software is hardened by default, the project aims to enable hardening options in as many packages as possible.

As shown above, ufw is a small package that takes a minute to install on Debian. Once enabled it blocks all incoming connections by default, which removes the exposure of any service you did not explicitly open.

Does Debian Need Firewall?

Yes. In fact, not only a Debian server but every component of an IT system that is reachable from the Internet, such as routers, switches, servers, PCs, mobile devices and IoT devices, needs firewall protection against cyber threats. With cyber attacks on the rise and costing millions of dollars each year, there has never been a better time to implement an effective firewall in your network. The main reasons for implementing a firewall to protect your Debian system are outlined below:

  1. A strong firewall can provide secure remote access to your system via a VPN service, such as OpenVPN or WireGuard.
info

You may find more information about secure remote access on the How to Keep Remote Employees Safe from Potential Cyber Threats? article written by Sunny Valley Networks.

  2. A firewall can limit Internet bandwidth usage for efficiency. It allows network administrators to restrict bandwidth for non-business traffic and reserve it for more important business traffic.
  3. An effective firewall can safeguard your network from malicious traffic, such as malware and phishing attacks.
  4. A firewall is the first line of defense against hackers and other unauthorized access attempts. Without a firewall at the network perimeter, your data and valuable assets are at serious risk.
  5. A firewall can prevent your users from accessing illegal and harmful websites, such as phishing sites.

What Firewalls can be Installed on Debian?

As mentioned above, Debian ships the Netfilter framework in the kernel together with iptables (and nftables) to configure it. Generally, it is used as a host-based firewall to protect the Debian server itself against cyber attacks. It can also be configured as a network firewall between the LAN and an untrusted external network to protect the assets in the internal network. You may install and configure the following firewall solutions on your Debian server easily:

1. Uncomplicated Firewall(UFW)

Uncomplicated Firewall (UFW) is a simple-to-use application for managing a netfilter firewall. It has a command-line interface with a few simple commands and utilizes iptables for configuration.

2. Graphical Uncomplicated Firewall (GUFW)

Gufw is a Graphical User Interface (GUI) enhancement that makes it easier to configure UFW to your specific requirements. Gufw Firewall can be downloaded as a standalone tool regardless of your Linux distribution (Debian, Mint, etc.).

3. Firewalld

Firewalld is a dynamically managed firewall that supports security zones, which define the level of trust for network interfaces. It supports IPv4/v6 firewall settings, as well as IP sets and ethernet bridges. It also provides an interface through which services can directly add firewall rules.

4. Shorewall

Shorewall is an open-source security utility that runs on top of Netfilter. Shorewall provides an interface for configuring your current security capabilities. It includes six packages, including the core functionality, "lite" and full-feature administration, IPv4 and IPv6 firewall packages, and an event-response package.

5. Vuurmuur

Vuurmuur is a firewall configuration utility and manager for Linux that is based on iptables. It provides a graphical user interface that allows for both simple and complex settings.

How to Enable NGFW Capabilities on Debian Firewall?

iptables and its frontend ufw provide a powerful L4 packet filtering solution that is simple to use, which is why they are commonly used as host-based firewalls. If you set up your Debian firewall as a network firewall between your internal and external networks, however, filtering on addresses and ports alone cannot inspect application content or stop attacks carried inside allowed connections. Attackers now target not only large corporations but also small businesses (SMBs) and individual consumers, and traditional L4 packet filtering was not designed for these threats. Next-generation firewall features are therefore valuable for every enterprise, and for home users as well.

According to Gartner, a next-generation firewall (NGFW) is:

a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks.

Please refer to NGFW article written by Sunny Valley Networks for more information.

Thankfully, you can simply implement next-generation firewall capabilities, such as web content and application filtering, by installing and configuring Zenarmor on your Debian server. Zenarmor provides cutting-edge, next-generation firewall features that are not currently available in open-source firewalls. Zenarmor is based on a very lightweight and powerful application layer/L7 packet inspection technology. It provides free access to a wide range of enterprise-grade network security functions.

The primary capabilities of the Zenarmor are listed below:

  • Web Filtering

  • Application Control

  • User-friendly web and application categorization system with a massive and up-to-date database.

  • Real-time auto-blocking of recent malware/phishing outbreaks.

  • Time scheduled policies is an extremely useful feature, particularly for managing internet bandwidth.

  • Cloud Threat Intelligence

  • User-based and device-based filtering, which is very useful for managing schools and campus networks.

  • Rich reporting and analytics which provides network visibility.

  • Centralized Cloud management is a very useful and appealing feature for security administrators who have a large number of firewalls to manage.

To start defending your network with Zenarmor, you may run the following command on your Debian server. Piping a downloaded script straight into sh executes it unreviewed with root privileges, so on a production host download the script first (for example with curl -o), inspect it, and then run it:

curl https://updates.sunnyvalley.io/getzenarmor | sh