created: 2026-04-14
I recently upgraded a router to Debian trixie.
On this machine I self-manage nftables.
Once apt-get dist-upgrade was complete, post-reboot, the machine
stopped accepting and forwarding traffic. Only incoming 22/tcp was
allowed.
My self-managed nftables ruleset was in place and tcpdump was
showing packets being received, but traffic stopped short of reaching
services running on the machine or being forwarded across interfaces.
I was stumped.
Then I found this:
# systemctl list-units | grep firewall
firewalld.service loaded active running firewalld - dynamic firewall daemon
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
I’m unsure how, but upgrading to trixie installed firewalld.
This caught me off guard.
Both firewalld and nftables services were enabled and active at the
same time with firewalld managing network traffic.
The fix for me was to remove firewalld:
# apt-get remove firewalld
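A check for the situation described above, written as an added example rather than anything from the original post: it flags a host where firewalld.service and nftables.service are both active and the ruleset contains tables other than firewalld's own. It assumes firewalld's nftables backend keeps its rules in "table inet firewalld"; the unit and table listings below are constructed samples, not captures from the router.

```shell
#!/bin/sh
# Added check: detect firewalld running alongside a self-managed nftables
# ruleset. Inputs are plain text so it runs offline; on a live host feed it
# the output of `systemctl list-units --type=service` and `nft list tables`.

# Constructed sample output modelled on the post (not a real capture).
SAMPLE_UNITS='firewalld.service loaded active running firewalld - dynamic firewall daemon
nftables.service loaded active exited nftables'
SAMPLE_TABLES='table inet firewalld
table inet filter
table ip nat'

# unit_active <units-text> <unit-name>: succeeds if the unit is listed as active
unit_active() {
    printf '%s\n' "$1" | grep -Eq "^$2[[:space:]]+loaded[[:space:]]+active"
}

# foreign_tables <tables-text>: print nft tables not owned by firewalld
# (assumption: firewalld's nftables backend uses "table inet firewalld")
foreign_tables() {
    printf '%s\n' "$1" | grep -v '^table inet firewalld$' || true
}

# firewall_conflict <units-text> <tables-text>: succeeds when firewalld and
# nftables.service are both active and a non-firewalld table exists
firewall_conflict() {
    unit_active "$1" firewalld.service || return 1
    unit_active "$1" nftables.service || return 1
    [ -n "$(foreign_tables "$2")" ]
}

if firewall_conflict "$SAMPLE_UNITS" "$SAMPLE_TABLES"; then
    echo "CONFLICT: firewalld is active next to a self-managed ruleset:"
    foreign_tables "$SAMPLE_TABLES"
else
    echo "ok: no competing firewall daemons detected"
fi
```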