Yes indeed, after checking things I can confirm that firewalld as installed by Virtualmin does not work properly on Debian.
I have meanwhile tried it on over 5 installations of Virtualmin 6.07 on fresh setups of the latest Debian 9.
And yes, nobody seems to care, because most people think it is working without checking their logs at all.
If they did, they would recognize tons of such lines in /var/log/firewalld:
2019-08-06 11:23:30 ERROR ALREADY_ENABLED 'ssh' already in 'public'
2019-08-06 11:23:30 ERROR ALREADY_ENABLED ssh
2019-08-06 11:23:46 ERROR ZONE_ALREADY_SET public
2019-08-06 11:24:37 WARNING '/sbin/iptables-restore -n' failed
2019-08-06 11:24:37 ERROR COMMAND_FAILED
2019-08-06 11:44:06 ERROR NOT_ENABLED rule '('-p', 'tcp', '-m', 'multiport', '--dports', 'smtp,465,submission,imap3,imaps,pop3,pop3s', '-m', 'set', '--match-set', 'fail2ban-postfix-sasl', 'src', '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable')' is not in 'ipv4:filter:INPUT'
And sure enough such errors in /var/log/fail2ban.log:
2019-08-06 11:49:58,705 fail2ban.action [1273] ERROR ipset create fail2ban-postfix-sasl hash:ip timeout 3600
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2019-08-06 11:49:58,705 fail2ban.action [1273] ERROR ipset create fail2ban-postfix-sasl hash:ip timeout 3600
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- stderr: b'\x1b[91mError: COMMAND_FAILED\x1b[00m\n'
2019-08-06 11:49:58,705 fail2ban.action [1273] ERROR ipset create fail2ban-postfix-sasl hash:ip timeout 3600
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- returned 13
2019-08-06 11:49:58,705 fail2ban.actions [1273] ERROR Failed to start jail 'postfix-sasl' action 'firewallcmd-ipset' Error starting action
My solution?
Give up on Debian and migrate all servers to CentOS, where firewalld and fail2ban work out of the box.
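A way to check for exactly this condition on your own hosts, added here as an example that is not part of the original post and is not Virtualmin's or fail2ban's own code: it parses lines in the two formats quoted above (the sample lines embedded below are constructed to match those formats, not copied from a real server), separates firewalld's harmless ALREADY_ENABLED / ZONE_ALREADY_SET repetition from real failures, and reports every fail2ban jail that logged "Failed to start", because such a jail bans nothing even though the service looks up. The log file paths and the exit-code extraction from the "-- returned N" suffix are assumptions.

```python
"""Audit firewalld and fail2ban logs for jails that silently failed to start.

Added example; not from the original post or from Virtualmin/fail2ban.
"""
import re
from collections import Counter

# Constructed sample of /var/log/firewalld lines (format as quoted in the post).
FIREWALLD_SAMPLE = """\
2019-08-06 11:23:30 ERROR ALREADY_ENABLED 'ssh' already in 'public'
2019-08-06 11:23:30 ERROR ALREADY_ENABLED ssh
2019-08-06 11:23:46 ERROR ZONE_ALREADY_SET public
2019-08-06 11:24:37 WARNING '/sbin/iptables-restore -n' failed
2019-08-06 11:24:37 ERROR COMMAND_FAILED
2019-08-06 11:44:06 ERROR NOT_ENABLED rule '(...)' is not in 'ipv4:filter:INPUT'
"""

# Constructed sample of /var/log/fail2ban.log lines (format as quoted in the post).
FAIL2BAN_SAMPLE = """\
2019-08-06 11:49:58,705 fail2ban.action [1273] ERROR ipset create fail2ban-postfix-sasl hash:ip timeout 3600 -- returned 13
2019-08-06 11:49:58,705 fail2ban.actions [1273] ERROR Failed to start jail 'postfix-sasl' action 'firewallcmd-ipset' Error starting action
2019-08-06 11:50:02,118 fail2ban.jail [1273] INFO Jail 'sshd' started
"""

# Codes firewalld emits when asked to add something that already exists.
# They are repetition from the installer, not a broken firewall.
IDEMPOTENT_NOISE = {"ALREADY_ENABLED", "ZONE_ALREADY_SET"}

FIREWALLD_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>ERROR|WARNING) "
    r"(?:(?P<code>[A-Z][A-Z_]+)\b)?(?P<rest>.*)$"
)
JAIL_FAILED = re.compile(r"Failed to start jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'")
JAIL_STARTED = re.compile(r"Jail '(?P<jail>[^']+)' started")
CMD_RETURNED = re.compile(r"-- returned (?P<rc>\d+)$")  # assumed suffix format


def parse_firewalld(text):
    """Return (Counter of error codes, list of lines that are real problems)."""
    codes = Counter()
    problems = []
    for line in text.splitlines():
        m = FIREWALLD_LINE.match(line)
        if not m:
            continue
        # A WARNING line carries no code token, so fall back to the level name.
        code = m.group("code") or m.group("level")
        codes[code] += 1
        if code in IDEMPOTENT_NOISE:
            continue  # re-adding ssh to 'public' is not a failure
        problems.append(line)
    return codes, problems


def jail_status(text):
    """Return (jail name -> 'started' or 'failed:<action>', list of exit codes seen)."""
    status = {}
    exit_codes = []
    for line in text.splitlines():
        m = JAIL_FAILED.search(line)
        if m:
            status[m.group("jail")] = "failed:" + m.group("action")
            continue
        m = JAIL_STARTED.search(line)
        if m:
            status.setdefault(m.group("jail"), "started")
            continue
        m = CMD_RETURNED.search(line)
        if m:
            exit_codes.append(int(m.group("rc")))
    return status, exit_codes


def audit(firewalld_text, fail2ban_text):
    """Combine both logs into one verdict an administrator can act on."""
    codes, problems = parse_firewalld(firewalld_text)
    status, exit_codes = jail_status(fail2ban_text)
    failed = {j: s.split(":", 1)[1] for j, s in status.items() if s.startswith("failed:")}
    return {
        "firewalld_codes": dict(codes),
        "firewalld_problems": problems,
        "failed_jails": failed,  # these jails are not banning anything
        "nonzero_exits": [rc for rc in exit_codes if rc != 0],
        "healthy": not problems and not failed and not any(exit_codes),
    }


if __name__ == "__main__":
    import json
    # On a real host, read /var/log/firewalld and /var/log/fail2ban.log instead
    # (paths assumed from the post).
    print(json.dumps(audit(FIREWALLD_SAMPLE, FAIL2BAN_SAMPLE), indent=2))
```

Run it against the real log files after an install; if "failed_jails" is non-empty, the corresponding services have no brute-force protection regardless of what `systemctl status fail2ban` reports.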