Firewall config - Deb12 host-virtmgr-kvm

Hi - new here - 1st post. I setup a virt-manager kvm system. Debian 12 host with 3 VM’s so far (deb12, fedora39,win11). Works great. I 'm really loving Debian 12. I’ve been researching firewalls lately and I haven’t found a (comprehensive) beginner’s tutorial on how I should be setting one up on my system.
Optimally, I’d love to just configure nftables directly. But, it just feels like a massive learning curve at this point. I like firewalld as a good compromise between the simplicity of UFW and the complexity and control of nftables direct conf. So my question is twofold:

  1. How do I install/configure firewalld on the debian 12 host. I’d like it to deny all incoming and allow all outgoing - like a typical workstation firewall default config. However - obviously it needs to be able to communicate with the guests.
  2. How would I configure firewalld on the debian 12 guest. Again - basic deny all incoming and accept all outbound. But again - needs to be able to communicate with the host.

I’m sure I could eventually figure out how to use firewalld on a standalone install. But, the virtual machine setup adds complexity and was hoping to get some guidance before I just started trying things.

Thanks in advance for your help.

This topic was just covered in a previous post, did you read that?

I haven’t messed with firewalld, I just use nftables. I like configuring my stuff in a text file. But to each his own.

For the VMs you just need to configure an allow rule for the bridge (br0) you are using. You’ll want an inbound, forward, and outbound rule for the br0 just as you would any other interface. You can get fancier, but that will work.

As for guests, you can install a firewall or skip it. In most cases I just skip it on guest systems.

Hey pacman,
I looked for posts covering this topic before I started a thread but didn’t see the one you mentioned. Do you know the title of that post?
Thanks and thanks for the info.

This one right here, packed with useful information:

Thanks for the post link. I did read that one before I posted. I am a total beginner with linux firewalling. So, that had some good info in there for me.
But, I was more interested in what extra firewall configs are necessary specifically for the Debian 12 host and vm’s in a workstation that’s using virt-manager with KVM.
I may be mistaken. But, I don’t think Debian comes with any firewall configs in place.
So, I was looking to have nftables in the Debian host set to drop all incoming and allow all outgoing. However, the debian host would also have to allow the vm’s to get through. So, I assume extra firewall configs are necessary for that.
So yea - I was looking for specific firewall guidance for a Debian virt-manager kvm virtual setup.

Given your host is probably tucked away behind your gateway firewall, and is probably on a relatively private vlan/lan, I would say not a whole lot needs to be done. Unless your vlan/lan is not a particularly trustworthy neighborhood.

But for fun and education, learning this stuff is great if you enjoy the process of learning. Free education is largely a self taught learning process. Which in my mind is the best way to learn.

Check out how your vm’s are getting IPs. If you are using a bridge on your host to get IPs from your router, then your rules will have to interact with that bridge.

Hey pacman,
Yea. I really would like to learn this stuff. And, I’d love to use nftables directly instead of using a wrapper. But, it seems very unintuative - to me at least. I haven’t come across any good tutorial for absolute beginners. But, I’ll keep searching and working at it.
Thanks again fir your tips.