Debian Buster
FirewallD will not work, as there are still some bugs in ip6tables on Buster. See the end of the post for switching iptables to the legacy version.

If you feel left behind by the packages in Debian 9, it might be time to upgrade to Debian 10 and benefit from the upgraded patches.

In my case, I noticed that Debian 9 was stuck on an old Apache version that included a number of security issues. Being tied to a distro release (and not willing to do the compilation myself), I decided to go for a full distro upgrade.

Doing a distro upgrade on Debian is quite easy; nevertheless, depending on the independent apt sources you might have used, some issues might arise. Below is a compact upgrade guideline.

Backup

The first rule of any system change is “backup”. I used the built-in features of Virtualmin to do a full backup of the virtual servers and a backup of all the MySQL databases. If you want to be paranoid, you may also make a backup of all the configurations under /etc.

Update Debian 9

The first step is to make sure that you have the latest updates for Debian 9.

apt-get update && apt-get upgrade
dpkg --audit

The dpkg audit will check whether you have any packages in an incomplete state.

I do not run any dovecot on this server, so those packages have been removed already.

Edit /etc/apt/sources.list and change all references to ‘stretch’ to ‘buster’. Disable any non-default package sources in this file.
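The sources.list edit described above can be scripted. The following is an added example, not part of the original post: the function name migrate_sources, the .stretch.bak backup suffix and the rule that only hosts under debian.org count as default sources are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rewrite an APT sources file from stretch to buster.
# Assumption: "default" sources are those served from hosts under debian.org;
# every other active entry is commented out so it cannot pull stretch-era
# third-party packages into the dist-upgrade.

# migrate_sources FILE: keeps FILE.stretch.bak, then rewrites FILE in place.
migrate_sources() {
    src=$1
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    cp -p "$src" "$src.stretch.bak" || return 1
    tmp=$(mktemp) || return 1
    awk '
        # Comments and blank lines pass through unchanged.
        /^[ \t]*(#|$)/ { print; next }
        # Active deb / deb-src entries.
        $1 == "deb" || $1 == "deb-src" {
            # The URI is the first field with a scheme; this skips
            # an optional [arch=... signed-by=...] options block.
            uri = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[a-z+]+:\/\//) { uri = $i; break }
            if (uri ~ /^https?:\/\/([A-Za-z0-9-]+\.)*debian\.org(\/|$)/) {
                gsub(/stretch/, "buster")   # also covers stretch/updates
                print
            } else {
                print "# disabled for buster upgrade: " $0
            }
            next
        }
        { print }
    ' "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file to keep its owner and mode.
    cat "$tmp" > "$src" && rm -f "$tmp"
}

# Stand-alone use: sh migrate.sh /etc/apt/sources.list
if [ "$#" -gt 0 ]; then
    migrate_sources "$1"
fi
```

Files under /etc/apt/sources.list.d/ can be passed to the same function one at a time; review the result before running apt-get update.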

Update the package metadata:

apt-get update

Upgrade the distro with:

apt-get dist-upgrade

This will take a while and will require some input from you depending on different package configurations. Make sure to read the requirements.

Once done, do a final reboot and wait for the system to come back online fresh on the new distro.

On Virtualmin you may need to update the new operating system; you will be prompted for this on the Virtualmin welcome screen.

FirewallD / iptables issue

There seem to be multiple issues that might persist, depending on the ip6tables version shipped by the distro. If you run into issues, try switching to the legacy version of iptables:

update-alternatives --config ip6tables
or
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Posted by xpo6
