system-config-firewall is a python based Red Hat tool.
The best way to manage your firewall is by configuring iptables by hand. It gives you minimal rule sets which are clear and easy to read.
If you absolutely need a GUI, then try included debian tools such as gufw, firestarter etc. but note that they can only configure a small subset of what iptables are capable of. They also often given rule sets that can be difficult to read.
If you are coming to debian from rhel/fedora+clones and are missing some of the redhat tools, note that you are probably better of adapting the recommended work flow of the distro you are using.
Having said that, e.g. system-config-samba works fine on debian so far (but again, configuring samba by hand is not that difficult).
The real work was done by the person who did the patching (can't find a specific name -- just Ubuntu Contributions)
This was done on Debian Jessie. I may have missed some of the pre-requisite dependencies. Post comments and I shall add.
Anyway, look at this as an exercise, nothing more.
sudo apt-get install checkinstall python-slip-dbus python-tksnack build-essential gfortran debhelper python-newt selinux-utils intltool python-support mkdir ~/tmp cd ~/tmp mkdir sysfirewall cd sysfirewall/ wget https://launchpad.net/~ubuntu-contribs/+archive/contrib/+files/system-config-firewall_1.2.29.orig.tar.gz wget https://launchpad.net/~ubuntu-contribs/+archive/contrib/+files/system-config-firewall_1.2.29-2.diff.gz tar xvf system-config-firewall_1.2.29.orig.tar.gz gunzip system-config-firewall_1.2.29-2.diff.gz sed -i 's/python2.6/python2.7/g' system-config-firewall_1.2.29-2.diff patch -p0 < system-config-firewall_1.2.29-2.diff cd system-config-firewall-1.2.29/ dpkg-buildpackage -uc -us sudo dpkg -i ../*.deb sudo apt-get -f install system-config-firewall
You can see what your rules are and if they have taken effect by doing
sudo iptables -LChain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
You can also use your pre- and hand-configured rule set and put it in /etc/default/iptables and /etc/default/ip6tables, then edit with system-config-firewall (for whatever reason).