UFW List Rules
UFW is designed to be an easy to use firewall solution. It uses iptables and the underlying technology is pretty robust. Despite being the Uncomplicated FireWall, UFW, it still has a few misnomers and naming conventions might seem not so obvious to the first time user.
Probably the most obvious example of this is when you try to list all the rules. UFW has no dedicated command to list rules but uses its primary command ufw status to give you an overview of the firewall along with the list of rules. Moreover, you can’t list the rules when the firewall is inactive. The status shows the rules being enforced as of that moment. This makes it all the more difficult to edit the rules first and then enable the firewall, safely.
However, if the firewall is active and is running a few rules, you will get an output like this:
user@computer$ ufw status
Status: active
To Action From
— —— —–
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Of course, this list is not exhaustive. There are default rules too, which are applied to packets that don’t fall under any of the specified rules in the list above. This default behavior can be listed by adding a verbose subcommand.
user@computer$ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
— —— —–
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
You can see the default in this case is to deny any incoming traffic (ingress), like listening for http traffic on port 8000. On the other hand, it allows outgoing traffic (egress) required, for example, to query the software repositories and update the packages as well as installing new packages.
Also the listed rules themselves are now much more explicit. Stating whether rule is for ingress (ALLOW IN or DENY IN) or egress (ALLOW OUT or DENY OUT).
Editing the Rules
If you wish to delete the rules, you can do so by referring to rule’s corresponding number. The rules can be listed with their numbers, as shown below:
user@computer$ ufw status numbered
Status: active
To Action From
— —— —–
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere
[ 3] 443/tcp ALLOW IN Anywhere
[ 4] 25/tcp DENY IN Anywhere
[ 5] 25/tcp DENY OUT Anywhere
[ 6] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 7] 80/tcp (v6) ALLOW IN Anywhere (v6)
[ 8] 443/tcp (v6) ALLOW IN Anywhere (v6)
[ 9] 25/tcp (v6) DENY IN Anywhere (v6)
[10] 25/tcp (v6) DENY OUT Anywhere (v6)
You can then delete rules using the command:
user@computer$ ufw delete NUM
Where NUM is the rule numbered. For example, ufw delete 5,would remove the fifth rule blocking port 25 outgoing connections. Now the default behavior would kick in for port 25, allowing outgoing connections on port 25. Deleting rule number 4 would do nothing since default behavior of the firewall would still block incoming connections on port 25.