Ubuntu – Check existing ufw firewall rules without enabling it

firewallufw

I'm using Vagrant to run an Ubuntu 12.04 LTS box.

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Obviously, I don't want to disrupt my SSH connection as that's how I access the box. Apparently, the command to check the existing rules is sudo ufw status verbose but this returns inactive.

Is there no way to check the rules without enabling the rules? It could get inconvenient quickly.

Best Answer

There is currently not a way to show the rules you have entered before enabling the firewall via the CLI command. You can inspect the rules files directly however. /lib/ufw/user*.rules contain the rules controlled via the 'ufw' CLI command. Eg

sudo grep '^### tuple' /lib/ufw/user*.rules

This will show output like the following

sudo grep '^### tuple' /lib/ufw/user*.rules
/lib/ufw/user6.rules:### tuple ### allow any 22 ::/0 any ::/0 in
/lib/ufw/user.rules:### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in

The 'tuple' is the shorthand used internally by ufw to keep track of rules

Or more detailed with

  sudo cat /lib/ufw/user.rules

*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -j ACCEPT

### END RULES ###

### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT

Like I say "tuple" is rules witch you are set via cli, rest are the default rules, chains ...