Debian 13 firewall and sshguard

I’m upgrading my Hetzner Debian 11 to Debian 13. As I am a lazy bastard I go with the flow and use whatever Webmin is proposing. As mentioned, Debian 13 on a cloud does not work with firewalld as it conflicts with cloud-init.

The Virtualmin install script predictably says firewalld and fail2ban installation failed. Reading other posts, Virtualmin is dropping firewalld and moving to nftables. And possibly sshguard.

As I need a firewall and some brute force protection I am tending to switch to nftables and sshguard from the command line.

My cunning plan is to:

  • Install Debian 13 and Virtualmin
  • Remove fail2ban (firewalld was never installed) from Debian
  • Remove firewalld and fail2ban modules from Webmin
  • Enable nftables which is installed but not enabled
  • Install sshguard
  • Configure them both from the command line
  • Wait for a Webmin sshguard to arrive eventually

Asking the experienced guys: Is this a reasonable move?

If you need Webmin administration of the brute force protection firewall tool, you should use fail2ban. sshguard won’t come all that soon, and we haven’t even determined that’s the direction we’ll go (though it seems likely, as I use it on my own servers and like it).

nftables is a done deal. We’re definitely going to nftables. But, it works fine with fail2ban.

On Debian 13 Trixie, using fail2ban means manually reconfiguring it to use nftables instead of firewalld, as the latter is not installed?

Not for long. Ilia is updating the installer to use nftables, instead of firewalld.

But, also, I think it’s a one line change.