
I installed firewalld on my Debian 10 laptop. Now Transmission cannot upload properly. If I go into Edit->Preferences->Network and click [Test Port], it says the port is closed. If I systemctl stop firewalld and restart Transmission, then it says the port is open.

How can I use Transmission with a firewall?

sourcejedi

1 Answer


Firstly, in the same Network tab of the Preferences window, make sure that "Pick a random port every time Transmission is started" is unchecked. Also check what the Listening Port is set to. The default port number is 51413.

In your firewall, allow the TCP port number set above. Since you are using firewalld, you can allow port 51413 by allowing the named service "transmission-client".

If your router supports NAT-PMP, or if you configured your router with a manual port forward, this is all you need! Transmission will now work with your firewall.

NAT-PMP is available on Apple routers. It is also available on any sensibly written router with a recent version of the open source MiniUPnPd. This works great on OpenWRT routers :-).

Or if you need support for IPv6 (the current version of IP :-), just pretend I said NAT-PCP instead of NAT-PMP.

Otherwise, you probably relied on UPnP port forwarding. This is a problem, sorry. If you do not wish to configure a manual port forward on your router, there are some possible techniques on this page: Fedora firewall with UPnP?

Terrible ways to allow UPnP that you should not use

1. firewalld service "upnp-client"

firewalld has a named service "upnp-client". Allowing this service might let Transmission work. But allowing this service means an attacker can bypass the firewall for any UDP port, if they transmit from UDP port 1900.

The firewalld service for "upnp-client" is defined using <source-port ... />. This is different from <port ... />, which is used in most firewalld service definitions. There is a parenthetical disclaimer about this, but the firewalld interface fails to show it.

$ cat /usr/lib/firewalld/services/upnp-client.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>UPnP Client</short>
  <description>Universal Plug and Play client for auto-configuration of network routers (use only in trusted zones).</description>
  <source-port port="1900" protocol="udp"/>
</service>

2. minissdpd

In the previous version of Debian, installing Transmission would automatically install minissdpd. Transmission can use minissdpd to receive UPnP responses, and this appears to work better with a firewall. If you allow UDP port 1900 in the firewall, then Transmission will be able to set up UPnP port forwards.

The problem is that minissdpd is a big security risk.

minissdpd needs to be configured with a list of network interface names that it should run on. Debian will suggest a default list. Make sure to check this carefully if you have multiple possible network interfaces, e.g. both Wi-Fi and wired Ethernet.

Once minissdpd is running, remember to allow UDP port 1900 in your firewall, and then restart Transmission.

I note this approach does not work on Fedora Linux. minissdpd is not available in Fedora, and Fedora does not build Transmission with support for libminiupnp.

sourcejedi
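The answer's warning about "upnp-client" turns on the difference between a `<port/>` rule (match on the local listening port) and a `<source-port/>` rule (match on the remote peer's port, so any UDP packet sent from port 1900 reaches every local UDP port). The script below is an added example, not code from the answer or from the firewalld project: it parses firewalld service XML and flags any rule that matches on a source port, so you can audit the shipped service directory before enabling a service by name. The two XML samples are constructed for this example; the transmission-client body in particular is an assumption about what the packaged definition looks like, and the audit function's default directory is firewalld's usual location on Debian.

```shell
#!/bin/sh
# Added example (not part of the original answer): audit firewalld service
# definitions for <source-port/> rules. firewall-cmd lists such a rule under
# "source-ports" but does not warn that it matches on the REMOTE port, so
# any UDP peer sending from port 1900 can reach every local UDP port.

# Constructed sample: the upnp-client definition quoted in the answer.
UPNP_CLIENT_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>UPnP Client</short>
  <description>Universal Plug and Play client (use only in trusted zones).</description>
  <source-port port="1900" protocol="udp"/>
</service>'

# Constructed sample: assumed shape of transmission-client (ordinary <port/> rules).
TRANSMISSION_CLIENT_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Transmission Client</short>
  <port protocol="tcp" port="51413"/>
  <port protocol="udp" port="51413"/>
</service>'

# classify_rules: read a service XML on stdin and print one line per rule:
#   "dest PROTO/PORT"   for <port/>        (local listening port, the normal case)
#   "SOURCE PROTO/PORT" for <source-port/> (remote port: a firewall bypass)
# Attribute order in the element does not matter.
classify_rules() {
    awk '
    /<(source-)?port[^>]*\/>/ {
        kind = ($0 ~ /<source-port/) ? "SOURCE" : "dest"
        port = ""; proto = ""
        if (match($0, /port="[^"]*"/))     port  = substr($0, RSTART + 6,  RLENGTH - 7)
        if (match($0, /protocol="[^"]*"/)) proto = substr($0, RSTART + 10, RLENGTH - 11)
        print kind, proto "/" port
    }'
}

# has_source_port: exit 0 if the XML on stdin contains any <source-port/> rule.
has_source_port() {
    classify_rules | grep -q '^SOURCE '
}

# audit_dir: report every installed service whose definition relies on a
# source port. Default path assumed to be firewalld's packaged service dir.
audit_dir() {
    dir=${1:-/usr/lib/firewalld/services}
    found=0
    for f in "$dir"/*.xml; do
        [ -f "$f" ] || continue
        if has_source_port < "$f"; then
            rules=$(classify_rules < "$f" | grep '^SOURCE ' | tr '\n' ' ')
            printf 'source-port rule in %s: %s\n' "$f" "$rules"
            found=$((found + 1))
        fi
    done
    printf '%d service(s) match on a remote port\n' "$found"
}

# Demo on the constructed samples.
printf '%s\n' "$UPNP_CLIENT_XML" | classify_rules          # SOURCE udp/1900
printf '%s\n' "$TRANSMISSION_CLIENT_XML" | classify_rules  # dest tcp/51413 / dest udp/51413
```

Run `audit_dir` on a machine with firewalld installed to list every packaged service that opens the firewall by remote port; anything it reports deserves the same scrutiny as "upnp-client". The safe step from the answer is then `firewall-cmd --permanent --add-service=transmission-client && firewall-cmd --reload`, which only opens the local port 51413 rules.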