• Migrating to Debian - which firewall ?

    From Nicolas Kovacs@3:633/10 to All on Monday, January 19, 2026 11:00:01
    Hi,

    I'm a long-time Linux user (two and a half decades since Slackware 7.1).
    I've been using RHEL clones mainly for the last ten years or so, on
    desktops as well as servers (local and Internet-facing). For firewalling
    I simply chose the default Firewalld.

    I understand under Debian there are different possibilities to handle firewalls. As far as I understand, ufw (Uncomplicated firewall) seems to
    be the default, though Firewalld seems to be an option.

    Any recommendations ?

    Niki

    --
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://www.microlinux.fr/blog
Mail : info@microlinux.fr
Tel. : 04 66 63 10 32
    Mob. : 06 51 80 12 12

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Thierry Leurent@3:633/10 to All on Monday, January 19, 2026 12:00:02
    Hi,

UFW works fine and it's very simple to use.

    Thierry
    ________________________________
    From: Nicolas Kovacs <info@microlinux.fr>
    Sent: Monday, January 19, 2026 10:49:57 AM
    To: debian-user@lists.debian.org
    Subject: Migrating to Debian - which firewall ?
    Hi,
    I'm a long-time Linux user (two and a half decades since Slackware 7.1).
    I've been using RHEL clones mainly for the last ten years or so, on
    desktops as well as servers (local and Internet-facing). For firewalling
    I simply chose the default Firewalld.
    I understand under Debian there are different possibilities to handle firewalls. As far as I understand, ufw (Uncomplicated firewall) seems to
    be the default, though Firewalld seems to be an option.
    Any recommendations ?
    Niki
    --
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://www.microlinux.fr/blog
Mail : info@microlinux.fr
Tel. : 04 66 63 10 32
    Mob. : 06 51 80 12 12


    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Alexander V. Makartsev@3:633/10 to All on Monday, January 19, 2026 12:30:02
    On 1/19/26 14:49, Nicolas Kovacs wrote:
    Hi,

    I'm a long-time Linux user (two and a half decades since Slackware
    7.1). I've been using RHEL clones mainly for the last ten years or so,
    on desktops as well as servers (local and Internet-facing). For
    firewalling I simply chose the default Firewalld.

    I understand under Debian there are different possibilities to handle firewalls. As far as I understand, ufw (Uncomplicated firewall) seems
    to be the default, though Firewalld seems to be an option.

    Any recommendations ?
You can use pure "iptables" and "iptables-persistent" as a third option.
It will be more efficient to learn iptables syntax and use it on any
distro than learning the syntax of different wrappers for iptables like
ufw and the others.
Develop a simple ruleset and manage it with command line utils or
directly edit the rules files with a text editor.
There is also a new kid around called "nft" which should replace
iptables, but its syntax is super weird and non-intuitive for me, so I consider it a downgrade.
Luckily iptables' syntax is still supported via iptables-to-nft rules
translation with support for most of the iptables extensions, so for the
time being iptables syntax will stay available for use.

    --
    With kindest regards, Alexander.
    Debian - The universal operating system
    https://www.debian.org


    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From didier gaumet@3:633/10 to All on Monday, January 19, 2026 13:00:01
On 19/01/2026 at 10:49, Nicolas Kovacs wrote:
    Hi,

    I'm a long-time Linux user (two and a half decades since Slackware 7.1). I've been using RHEL clones mainly for the last ten years or so, on
    desktops as well as servers (local and Internet-facing). For firewalling
    I simply chose the default Firewalld.

    I understand under Debian there are different possibilities to handle firewalls. As far as I understand, ufw (Uncomplicated firewall) seems to
    be the default, though Firewalld seems to be an option.

    Any recommendations ?

    Niki


    Hello Nicolas,

I am almost ignorant about networking in general, and firewalling is no exception.

    But I think the Debian policy is to have no default firewall precisely
    to let the administrator think about what they need and how to implement
    this. So by default, no firewall.

    I would say that if you were satisfied by firewalld on RHEL, keep on
    using it on Debian.
    I use it (very basically) on my laptop with the GUI applet and config tool.

I don't know if it has evolved, but in the past Firewalld was one of the
few frontends able to manage NFT native syntax.

    Here are Firewalld related packages in Debian 13:

    containernetworking-plugins/stable 1.1.1+ds1-3+b17 amd64
    standard networking plugins - binaries

    firewall-applet/stable,now 2.3.1-1 all [installed]
    panel applet providing status information of firewalld

    firewall-config/stable,now 2.3.1-1 all [installed,automatic]
    graphical configuration tool to change the firewall settings

    firewalld/stable,now 2.3.1-1 all [installed,automatic]
    dynamically managed firewall with support for network zones

    firewalld-tests/stable 2.3.1-1 all
    installed tests for firewalld

    foomuuri/stable-security 0.27-2+deb13u1 all
    multizone bidirectional nftables firewall

    foomuuri-firewalld/stable-security 0.27-2+deb13u1 all
    multizone bidirectional nftables firewall - firewalld emulation

    golang-github-containernetworking-plugins-dev/stable 1.1.1+ds1-3 all
    standard networking plugins - sources

    plasma-firewall/stable 6.3.4-2 amd64
    Plasma configuration module for firewalls

    python3-firewall/stable,now 2.3.1-1 all [installed,automatic]
    Python3 bindings for firewalld

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Charles Curley@3:633/10 to All on Monday, January 19, 2026 13:30:01
    On Mon, 19 Jan 2026 10:49:57 +0100
    Nicolas Kovacs <info@microlinux.fr> wrote:

    I understand under Debian there are different possibilities to handle firewalls. As far as I understand, ufw (Uncomplicated firewall) seems
    to be the default, though Firewalld seems to be an option.

    Any recommendations ?

    Firewalld is an option on Debian. If that's what you're familiar with,
    stick with it. firewall-config is the GUI interface to firewalld, and a separate package.

    ufw strikes me as misnamed.


    --
    Does anybody read signatures any more?

    https://charlescurley.com
    https://charlescurley.com/blog/

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
• From Kamil Jońca@3:633/10 to All on Monday, January 19, 2026 16:10:01
    "Alexander V. Makartsev" <avbetev@gmail.com> writes:

    [...]

    There is also a new kid around called "nft" which should replace
    iptables, but its syntax is super weird and non-intuitive for me, so I consider it a downgrade.

I disagree. I was a happy iptables user and some time ago I migrated my
rules to nftables. Indeed this is no 1-1 migration, you have to rethink
your rules, but IMO this is more comfortable.
The main difference (IMO) is that most of your dynamic logic should go into
sets, not into the rules themselves.
    KJ


    --
    http://wolnelektury.pl/wesprzyj/teraz/
    Who goeth a-borrowing goeth a-sorrowing.
    -- Thomas Tusser

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From debian-user@3:633/10 to All on Monday, January 19, 2026 16:50:01
    "Alexander V. Makartsev" <avbetev@gmail.com> wrote:
    On 1/19/26 14:49, Nicolas Kovacs wrote:
    Hi,

    I'm a long-time Linux user (two and a half decades since Slackware
    7.1). I've been using RHEL clones mainly for the last ten years or
    so, on desktops as well as servers (local and Internet-facing). For firewalling I simply chose the default Firewalld.

    I understand under Debian there are different possibilities to
    handle firewalls. As far as I understand, ufw (Uncomplicated
    firewall) seems to be the default, though Firewalld seems to be an
    option.

    Any recommendations ?
You can use pure "iptables" and "iptables-persistent" as a third
option. It will be more efficient to learn iptables syntax and use it
on any distro than learning the syntax of different wrappers for
iptables like ufw and the others.
Develop a simple ruleset and manage it with command line utils or
directly edit the rules files with a text editor.

    As you point out below, iptables is being replaced by nftables so
    choosing now to learn iptables seems a silly idea. So it seems wiser to
    use a frontend like ufw or firewalld that both support either backend.

    I suppose ufw is simpler but firewalld may be more familiar to Nicolas.

    There is also a new kid around called "nft" which should replace
    iptables, but its syntax is super weird and non-intuitive for me, so
    I consider it a downgrade.
Luckily iptables' syntax is still supported via iptables-to-nft rules translation with support for most of the iptables extensions, so for
the time being iptables syntax will stay available for use.

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Andy Smith@3:633/10 to All on Monday, January 19, 2026 20:10:01
    Hi,

    On Mon, Jan 19, 2026 at 10:49:57AM +0100, Nicolas Kovacs wrote:
    I understand under Debian there are different possibilities to handle firewalls. As far as I understand, ufw (Uncomplicated firewall) seems to be the default, though Firewalld seems to be an option.

    Were you the person who liked ansible? If so you may be interested in a
    role like this, which I use for managing nftables rules.

    https://galaxy.ansible.com/ui/standalone/roles/ipr-cnrs/nftables/documentation/

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Nicolas Kovacs@3:633/10 to All on Monday, January 19, 2026 20:50:02
On 19/01/2026 at 20:05, Andy Smith wrote:
    Were you the person who liked ansible? If so you may be interested in a
    role like this, which I use for managing nftables rules.

https://galaxy.ansible.com/ui/standalone/roles/ipr-cnrs/nftables/documentation/

    Thanks,
    Andy

    Yeah, that would be me.

    From the various replies, I gather I can still use Firewalld on Debian.
    Which would suit me well, because that's what I've been using almost exclusively on Red Hat based systems for the last ten years or so.

    Cheers,

    Niki

    --
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://www.microlinux.fr/blog
Mail : info@microlinux.fr
Tel. : 04 66 63 10 32
    Mob. : 06 51 80 12 12

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Jonathan Dowland@3:633/10 to All on Monday, January 19, 2026 22:10:01
    I'm very happy with ufw and happily recommend it.

    --
    Please do not CC me for listmail.

Jonathan Dowland
jmtd@debian.org
https://jmtd.net

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Dan Ritter@3:633/10 to All on Tuesday, January 20, 2026 03:10:01
Kamil Jońca wrote:
    "Alexander V. Makartsev" <avbetev@gmail.com> writes:

    [...]

    There is also a new kid around called "nft" which should replace
    iptables, but its syntax is super weird and non-intuitive for me, so I consider it a downgrade.

I disagree. I was a happy iptables user and some time ago I migrated my
rules to nftables. Indeed this is no 1-1 migration, you have to rethink
your rules, but IMO this is more comfortable.
The main difference (IMO) is that most of your dynamic logic should go into
sets, not into the rules themselves.


    It is also true that iptables was re-implemented as a front-end
    to nft in a previous Debian Stable release, so if you don't want
    any of the new nft features, you can continue using iptables
    as-is.

    -dsr-

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Michel Verdier@3:633/10 to All on Tuesday, January 20, 2026 09:20:01
    On 2026-01-19, Dan Ritter wrote:

    It is also true that iptables was re-implemented as a front-end
    to nft in a previous Debian Stable release, so if you don't want
    any of the new nft features, you can continue using iptables
    as-is.

iptables-nft can be used to generate nftables rules. But it is intended to
ease a migration from iptables to nftables. And it is dangerous to mix
the use of iptables and nftables. So, as you said, if someone wants to
stay on iptables he should use plain iptables (the binary behind it is now iptables-legacy).

    https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
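A quick way to check what Michel describes above, as an added shell example that is not from any poster in this thread: it reads which backend the `iptables` command currently maps to (Debian ships both `iptables-legacy` and `iptables-nft` and selects one through `update-alternatives`), and warns when rules are loaded in both backends at once, which is the mixing he calls dangerous. The parsing helpers work on plain `iptables-save` text so they can be exercised without root; the sample dumps in the block are constructed, and the live audit only runs when invoked with `--live`.

```shell
#!/bin/sh
# Added example, not from the thread. Detects the active iptables backend on
# a Debian host and whether rules have ended up in both the legacy and the
# nf_tables backend. Sample dumps below are constructed for the demo.

# Map an `iptables -V` line (e.g. "iptables v1.8.11 (nf_tables)") to its backend.
backend_from_version() {
    case "$1" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count rules in iptables-save output. Only "-A ..." lines are rules; table
# headers (*filter), chain policies (:INPUT DROP [0:0]) and COMMIT are not.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# Return 0 when rules live in at most one backend, 1 when both carry rules.
# Arguments: legacy dump text, nf_tables dump text.
mixed_backends() {
    legacy_n=$(count_rules "$1")
    nft_n=$(count_rules "$2")
    if [ "$legacy_n" -gt 0 ] && [ "$nft_n" -gt 0 ]; then
        echo "WARNING: $legacy_n legacy rule(s) and $nft_n nf_tables rule(s) loaded at once"
        return 1
    fi
    return 0
}

# Live audit (needs root). Both *-save variants come with Debian's iptables
# package; a missing one just yields an empty dump.
audit_live() {
    echo "default backend: $(backend_from_version "$(iptables -V)")"
    update-alternatives --display iptables 2>/dev/null | sed -n '1,2p'
    legacy_dump=$(iptables-legacy-save 2>/dev/null || true)
    nft_dump=$(iptables-nft-save 2>/dev/null || true)
    mixed_backends "$legacy_dump" "$nft_dump"
}

# Constructed sample dumps, shaped like iptables-save output.
SAMPLE_LEGACY='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_NFT='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT'

# Demo on the constructed dumps: prints the warning and returns 1.
demo() {
    mixed_backends "$SAMPLE_LEGACY" "$SAMPLE_NFT"
}

if [ "${1:-}" = --live ]; then
    audit_live
else
    demo || true
fi
```

Run it as root with `--live` to inspect a real host; without arguments it only exercises the constructed samples.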
  • From Alexandre Rossi@3:633/10 to All on Tuesday, January 20, 2026 12:40:02
    Hi

    As you point out below, iptables is being replaced by nftables so
    choosing now to learn iptables seems a silly idea. So it seems wiser to
    use a frontend like ufw or firewalld that both support either backend.

    I suppose ufw is simpler but firewalld may be more familiar to Nicolas.

    There is also a new kid around called "nft" which should replace
    iptables, but its syntax is super weird and non-intuitive for me, so
    I consider it a downgrade.
Luckily iptables' syntax is still supported via iptables-to-nft rules translation with support for most of the iptables extensions, so for
the time being iptables syntax will stay available for use.

After some effort I switched to nftables. I enabled the nftables systemd service
and filled /etc/nftables.conf with my conf. I have simple needs, but one thing
that I like is the ability to have the same rule for ipv4 and ipv6 ports.

    There are some interesting examples online:

https://wiki.archlinux.org/title/Nftables#Examples
https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server

    Thanks,

    Alex

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
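The setup Alexandre describes (the nftables systemd service reading /etc/nftables.conf, with one rule covering IPv4 and IPv6) together with Kamil's point that host-specific, changeable data belongs in sets rather than in the rules, as an added shell example that is not from either poster: it emits a minimal single-server ruleset in an `inet` table, keeps the addresses allowed to reach SSH in named sets, syntax-checks the result with `nft -c -f` when nft is installed, and shows the install steps. The set names, the documentation-range addresses and the open ports are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a minimal nftables ruleset:
#  - one "inet" table, so every rule applies to IPv4 and IPv6 at once
#  - data that changes (who may reach SSH) lives in named sets, not in rules
# Set names, addresses and ports below are constructed assumptions.

# Print the ruleset as text so it can be checked without root.
ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Named sets: change membership at runtime with `nft add element`,
    # no rule edits or reloads needed.
    set admin_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }   # RFC 5737 documentation range (assumption)
    }
    set admin_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }  # RFC 3849 documentation range (assumption)
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are required for path MTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH only from the admin sets; the address family still picks the set
        tcp dport 22 ip saddr @admin_v4 accept
        tcp dport 22 ip6 saddr @admin_v6 accept

        # Public services: a single rule covers both IPv4 and IPv6
        tcp dport { 80, 443 } accept

        # Rate-limited log of what the policy is about to drop
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
EOF
}

# Syntax-check without loading. Returns 2 when the nft binary is absent.
validate_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    ruleset | nft -c -f -
}

# Install on a Debian host (root): write the file, check it, then let the
# nftables service load it now and on every boot.
install_ruleset() {
    ruleset > /etc/nftables.conf
    nft -c -f /etc/nftables.conf && systemctl enable --now nftables
}

if [ "${1:-}" = --install ]; then
    install_ruleset
else
    ruleset
fi
```

Without arguments the script only prints the ruleset; `--install` writes it to /etc/nftables.conf and enables the service. Adding an address later is `nft add element inet filter admin_v4 { 198.51.100.7 }`, with no change to the rules themselves.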