UFW List Rules

UFW is designed to be an easy to use firewall solution. It uses iptables and the underlying technology is pretty robust. Despite being the Uncomplicated FireWall, UFW, it still has a few misnomers and naming conventions might seem not so obvious to the first time user.

Probably the most obvious example of this is when you try to list all the rules. UFW has no dedicated command to list rules but uses its primary command ufw status to give you an overview of the firewall along with the list of rules. Moreover, you can’t list the rules when the firewall is inactive. The status shows the rules being enforced as of that moment. This makes it all the more difficult to edit the rules first and then enable the firewall, safely.

However, if the firewall is active and is running a few rules, you will get an output like this:

$ ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

Of course, this list is not exhaustive. There are default rules too, which are applied to packets that don’t fall under any of the specified rules in the list above. This default behaviour can be listed by adding a verbose subcommand.

$ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

You can see the default in this case is to deny any incoming traffic (ingress), like listening for http traffic on port 8000. On the other hand, it allows outgoing traffic (egress) required, for example, to query the software repositories and update the packages as well as installing new packages.

Also the listed rules themselves are now much more explicit. Stating whether rule is for ingress (ALLOW IN or DENY IN) or egress (ALLOW OUT or DENY OUT).

Editing the Rules

If you wish to delete the rules, you can do so by referring to rule’s corresponding number. The rules can be listed with their numbers, as shown below

$  ufw status numbered
Status: active
To                         Action      From
--                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 25/tcp                     DENY IN     Anywhere
[ 5] 25/tcp                     DENY OUT    Anywhere
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 9] 25/tcp (v6)                DENY IN     Anywhere (v6)
[10] 25/tcp (v6)                DENY OUT    Anywhere (v6)

You can then delete rules using the command:

$ ufw delete NUM

Where NUM is the rule numbered. For example, ufw delete 5,would remove the fifth rule blocking port 25 outgoing connections. Now the default behaviour would kick in for port 25, allowing outgoing connections on port 25. Deleting rule number 4 would do nothing since default behaviour of the firewall would still block incoming connections on port 25.