Home / ubuntu / Questions / 30781
Accepted
Bryan
Asked: 2011-03-18 06:48:28 +0800 CST

See configured rules even when inactive

  • 772

I'm wondering if it's possible to get UFW to list the configured firewall rules even when it's not enabled. I only have ssh access to the server at this time, and I don't want to enable UFW if there's not a rule configured allowing ssh. However, since UFW is currently not enabled, I just get an "inactive" message when I run "ufw status".

Is there a special flag I can use or even some config file I can look at to see what rules are configured even when the firewall is disabled?

firewall

5 Answers

  1. There is now a ufw show added command that will list the configured rules for you, even when the firewall is inactive. It was added as a fix for this bug report and added in v0.33

    So now you can do:

    # ufw status
Status: inactive
# ufw allow ssh
Rules updated
Rules updated (v6)
# ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22
# ufw enable
Firewall is active and enabled on system startup
# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)

    The format of the output from ufw show added makes it much easier to write the delete command for each rule too.

    • 153
  2. Best Answer

    There is currently not a way to show the rules you have entered before enabling the firewall via the CLI command. You can inspect the rules files directly however. /lib/ufw/user*.rules contain the rules controlled via the 'ufw' CLI command. Eg:

     $ sudo grep '^### tuple' /lib/ufw/user*.rules

    This will show output like the following (for the rule added with 'sudo ufw allow OpenSSH):

     /lib/ufw/user.rules:### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 OpenSSH - in

    The 'tuple' is the shorthand used internally by ufw to keep track of rules, and can be interpreted as one of these:

     ### tuple ### <action> <proto> <dst port> <dst> <src port> <src> <direction>
 ### tuple ### <action> <proto> <dst port> <dst> <src port> <src> <dst app name> <src app name> <direction>

    It might be useful to be able to add another status command to support this. Please consider filing a bug.

    • 34

  3. General rules are in /etc/ufw. User defined rules are in /lib/ufw/user*.

    • 19

  4. In Ubuntu 16.04, user defined rules are stored in /etc/ufw/user.rules. Therefore, you can see the rules with:

    sudo cat /etc/ufw/user.rules
    • 12

  5. From the command line, there doesn't seem to be a way. However, if you're SSH'ing from an Ubuntu box (to an Ubuntu box), you might want to try this, slightly convoluted method :

    Basically, install gufw on the remote box, then connect with X forwarding and run the GUI.

    On the remote device, after connecting with -X as an option :

    sudo apt-get install gufw
sudo gufw

    That will show you the ruleset without having to activate it.

    Be warned that if the remote device is a true "headless" server, then installing GUFW might pull down an unpleasant number of dependencies. But unless someone here know a trick to make UFW show you the output you need without activating it first, then this might be your only option.

    I did try sudo ufw show raw, but that shows the iptables output, which I can't make head nor tail of.

    • 4