The ferm debian package
=======================

More information about ferm can be obtained from the github ferm page,
https://github.com/MaxKellermann/ferm, or on the project page,
http://ferm.foo-projects.org/. Please note that ferm.foo-projects.org
does not support https and the https version of that URL currently
(2026-01) ends up in an "under construction" page. Many modern browsers
use https without explicitly being told to, moving you to the "under
construction" page.

By default, ferm's configuration file is /etc/ferm/ferm.conf. The
directory /etc/ferm/ferm.d is reserved for includes you might want to
write.

This package invokes ferm by means of a systemd unit and a wrapper,
/usr/libexec/ferm/ferm-systemd, that handles caching and fast/slow mode
as the init script did. The wrapper can either be configured via the
/etc/default/ferm file or by overriding the Environment lines of the
unit with a /etc/systemd/system/ferm.service.d/override.conf file. What
is set in /etc/default/ferm takes precedence.

If you want it simpler, you might copy
/usr/share/doc/ferm/ferm-simple.service to
/etc/systemd/system/ferm.service, overriding the more complex systemd
unit.

Please let ferm@packages.debian.org know whether you are using SLOW
and/or CACHE. I might make the simple systemd unit the default and move
the more complex code to an examples directory in a future version if no
one speaks up.

The cache ("CACHE=yes", disabled by default) speeds things up, too,
because ferm will only be run when you modify its configuration, but
this also means that ferm's rollback-on-error isn't assisting you. Also
note that the wrapper doesn't notice when you change an include file. To
work around that, touch /etc/ferm/ferm.conf.

When developing firewall rules on remote machines, interactive mode
(ferm --interactive) is recommended. In this mode, ferm applies the new
firewall rules and asks for confirmation. If you don't confirm within 30
seconds, ferm automatically reverts to the previous rule set.

 -- Max Kellermann 2013
 -- Marc Haber 2026
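
The cache caveat above (a changed include file goes unnoticed until
/etc/ferm/ferm.conf is touched) can be automated. The following is an
added example, not part of the ferm package: the function names are
hypothetical, and it assumes all includes live under /etc/ferm/ferm.d.

```shell
#!/bin/sh
# Added example: make a changed include visible to the caching wrapper by
# touching the main configuration file, as the README recommends.
# Default paths are the ones named in this README; the function names are
# hypothetical helpers, not part of the ferm package.

FERM_CONF="${FERM_CONF:-/etc/ferm/ferm.conf}"
FERM_INCLUDES="${FERM_INCLUDES:-/etc/ferm/ferm.d}"

# Print every regular file under the include directory whose mtime is
# newer than the main configuration file. Returns 2 if the main file is
# missing; a missing include directory simply yields no output.
stale_includes() {
    conf=$1
    dir=$2
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 2; }
    [ -d "$dir" ] || return 0
    find "$dir" -type f -newer "$conf" -print
}

# Touch the main configuration file if any include is newer than it.
# Returns 0 if the file was touched, 1 if nothing needed doing, 2 on error.
refresh_conf() {
    conf=$1
    dir=$2
    newer=$(stale_includes "$conf" "$dir") || return 2
    [ -n "$newer" ] || return 1
    # Report which includes triggered the refresh, for the admin's log.
    printf 'include newer than %s:\n%s\n' "$conf" "$newer" >&2
    touch "$conf"
}

# Usage (as root, before the wrapper next runs):
#   refresh_conf "$FERM_CONF" "$FERM_INCLUDES"
```

Keep in mind that with CACHE=yes the rollback-on-error noted above is
still not assisting you after the refresh.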