ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
This is a simple state of the firewall where I have allowed incoming SSH connections from anywhere (meaning any IP that can reach the host).
ufw status numbered
You can see the status in two modes, verbose and numbered. The numbered mode is especially helpful when you have to delete a few rules here and there.
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 22/tcp (v6) ALLOW IN Anywhere (v6)
This can later be used to select individual rules while making changes to the firewall. For example, ufw delete 1 would delete rule number one, disallowing SSH connections.
ufw status verbose
The verbose option shows us some extra information, such as the firewall’s default behaviour when it encounters an incoming connection or when an application on the host tries to establish a connection with the outside world.
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
The first thing it indicates is, well, the status, which shows the firewall is active. Then it shows the logging intensity. If set to high, the logging of all network activity can itself hamper the performance of your server. By default logging is set to low.
The next field is probably the most important one. The line:
Default: deny (incoming), allow (outgoing), deny (routed)
shows the default behaviour of the firewall when it encounters traffic that matches none of the numbered rules we explicitly stated. Let’s discuss the implications of the above default behaviour.
Any incoming connection is denied. This means that if you were to run an HTTP web server, no client would be able to connect or see your website. The firewall would simply deny any incoming connection, despite your web server eagerly listening for requests on ports 80 (HTTP) and 443 (HTTPS). Any application within the server trying to reach the outside world would, however, be allowed to do so. For example, you can enable your firewall and apt will still be able to fetch updates for your system, or your NTP client will still be able to sync time from an NTP server.
We added explicit rules for SSH, but if we had not, all incoming SSH connection requests would have been denied as well. This is why we need to allow SSH (ufw allow ssh) before enabling UFW. Otherwise, we might lock ourselves out of the server, especially if it is a remote one. If you have a console attached to the server, or if it is your desktop, then there is not much need for SSH.
You will notice that the rules themselves are also more verbose, telling you whether the connection allowed or denied is inbound (IN) or outbound (OUT).
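To make the lockout check above concrete, here is an added example (not from the original post) that parses a ufw status verbose dump and reports whether the default incoming policy is deny with no inbound SSH rule. Both status dumps in the script are constructed to mirror the output shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check a "ufw status verbose" dump
# for lockout risk before enabling the firewall. Both samples below are
# constructed to mirror the output shown above; nothing here calls ufw itself.

SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Same defaults, but only HTTP allowed in: enabling this would cut off SSH.
NO_SSH_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere'

# Print the default incoming policy ("deny" or "allow") from status text on stdin.
default_incoming() {
    sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p'
}

# Succeed (exit 0) if stdin contains an explicit inbound allow rule for SSH.
ssh_allowed_in() {
    grep -Eq '^(22/tcp|22|ssh|OpenSSH)[[:space:]].*ALLOW IN'
}

# Print "risk" if incoming traffic is denied by default and no rule admits SSH,
# otherwise "ok". Takes the full status text as its single argument.
lockout_risk() {
    status_text="$1"
    policy=$(printf '%s\n' "$status_text" | default_incoming)
    if [ "$policy" = "deny" ] && ! printf '%s\n' "$status_text" | ssh_allowed_in; then
        echo "risk"
    else
        echo "ok"
    fi
}

lockout_risk "$SAMPLE_STATUS"   # ok
lockout_risk "$NO_SSH_STATUS"   # risk
```

On a live host, feed the real output instead: lockout_risk "$(sudo ufw status verbose)".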
So now you know how to get a decent overview of the firewall rules and status using ufw status and its subcommands.