UFW Status

The ufw status command shows the current state of UFW. If UFW is active, it lists the rules in force. You can run the command only as the root user or by prefixing it with sudo, provided you have sufficient privileges. After this first ufw command I will drop sudo from the subsequent commands for cleanliness' sake.

$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

This is a simple state of the firewall where I have allowed incoming SSH connections from anywhere (meaning any IP that can reach the host).

ufw status numbered

You can see the status in two modes: verbose and numbered. The numbered mode is especially helpful when you have to delete a few rules here and there.

$ ufw status numbered
Status: active
To                         Action      From
--                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

These numbers can later be used to select individual rules while making changes to the firewall. For example, ufw delete 1 would delete rule number one, disallowing SSH connections.

ufw status verbose

The verbose option shows us some extra information, such as the firewall's default behaviour when it encounters an incoming connection, or when an application on the host tries to establish a connection with the outside world.

$ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

The first thing it indicates is, well, the status, which shows the firewall is active. Then it shows the logging level. If set to high, the act of logging all network activity can itself hamper the performance of your server. By default, logging is set to low.

The next field is probably the most important one. The line:

Default: deny (incoming), allow (outgoing), deny (routed)

shows the default behaviour of the firewall when it encounters traffic that matches none of the numbered rules we have explicitly stated. Let's discuss the implications of the above default behaviour.

Any incoming connection is denied. This means that if you were to run an HTTP web server, no client would be able to connect or see your website. The firewall will simply deny any incoming connection, despite your web server eagerly listening for requests on port 80 (for HTTP) and 443 (for HTTPS). Any application from within the server trying to reach the outside world would, however, be allowed to do so. For example, you can enable your firewall and apt will still be able to fetch updates for your system, or your NTP client will still be able to sync time from an NTP server.

We added explicit rules for SSH, but if we had not, all incoming SSH connection requests would have been denied as well. This is why we need to allow SSH (ufw allow ssh) before enabling UFW; otherwise we might lock ourselves out of the server, especially if it is a remote one. If you have a console attached to the server, or if it is your desktop, then there is not much need for SSH.
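As an added illustration (not part of the original guide or of UFW itself), a small POSIX shell pre-flight that reads the text of ufw status verbose, pulls out the default incoming policy and checks whether any ALLOW IN rule covers a given port, so the lockout case above can be spotted before running ufw enable. The status text is a constructed sample embedded in the script; on a real host you would pipe in the live command output instead.

```shell
#!/bin/sh
# Constructed sample of `ufw status verbose` output (not captured from a real host).
# On a real host you would feed in the output of: sudo ufw status verbose
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# default_policy TEXT DIRECTION -> prints the policy word (deny/allow/reject)
# for DIRECTION (incoming, outgoing or routed), taken from the "Default:" line.
default_policy() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        /^Default:/ {
            for (i = 2; i < NF; i++) {
                d = $(i + 1); gsub(/[(),]/, "", d)   # "(incoming)," -> "incoming"
                if (d == dir) { print $i; exit }
            }
        }'
}

# allow_in_count TEXT PORT -> prints how many "ALLOW IN" rules exist for PORT
# (the IPv4 and the "(v6)" rule are counted separately, as ufw lists them).
allow_in_count() {
    printf '%s\n' "$1" | grep -c "^$2[[:space:]].*ALLOW IN"
}

# lockout_risk TEXT PORT -> returns 0 (true) when incoming traffic is not allowed
# by default AND no explicit ALLOW IN rule covers PORT, i.e. enabling this rule
# set on a remote host would cut off the service listening on PORT.
lockout_risk() {
    policy=$(default_policy "$1" incoming)
    [ "$policy" != "allow" ] && [ "$(allow_in_count "$1" "$2")" -eq 0 ]
}

if lockout_risk "$SAMPLE_STATUS" 22/tcp; then
    echo "WARNING: incoming default denies and no rule allows 22/tcp; run 'ufw allow ssh' first"
else
    echo "OK: 22/tcp is allowed in (incoming default: $(default_policy "$SAMPLE_STATUS" incoming))"
fi
```

On a host where UFW is still inactive, ufw status prints only "Status: inactive" and no rule list; ufw show added lists the rules staged for enabling, in a different format that this parser does not handle.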

You will notice that the rules themselves are also more verbose, telling you whether the connection allowed or denied is incoming (IN) or outbound (OUT).

So now you know how to get a decent overview of the firewall rules and status using ufw status and its subcommands.

The UFW Guide — A 5-Part Series Understanding Firewalls