List UFW Rules When Inactive or Disabled | NOC.org

The Problem: UFW Status Shows Nothing When Inactive

UFW (Uncomplicated Firewall) is the default firewall management tool on Ubuntu and Debian systems. When UFW is disabled or inactive, running the standard status command gives you no useful information:

$ sudo ufw status
Status: inactive

This is frustrating when you need to review existing rules before re-enabling the firewall, or when you are auditing a server's configuration. The rules still exist — they are stored on disk — but ufw status refuses to display them when the firewall is not running.

This guide covers several methods to view your UFW rules regardless of whether the firewall is currently active.

Method 1: ufw show added

The most straightforward way to list rules when UFW is inactive is the show added command:

$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw deny from 203.0.113.50

This command displays all rules that have been added to UFW, formatted as the exact ufw commands that created them. This makes it easy to understand what each rule does and to recreate them if needed.

Note that ufw show added works regardless of whether UFW is active or inactive, making it a reliable way to audit rules at any time.

Method 2: Reading the Rules Files Directly

UFW stores its rules in plain-text configuration files under /etc/ufw/. You can read these files directly to see all configured rules:

User Rules (IPv4)

sudo cat /etc/ufw/user.rules

This file contains all the IPv4 rules you have added via the ufw command. The format is iptables syntax:

### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT

### END RULES ###

User Rules (IPv6)

sudo cat /etc/ufw/user6.rules

This file contains the IPv6 equivalents. If IPv6 is enabled in UFW (the default), every rule you add creates entries in both files.

Before and After Rules

UFW also supports custom rules that are applied before or after the standard rules:

sudo cat /etc/ufw/before.rules
sudo cat /etc/ufw/after.rules

These files contain rules for ICMP handling, loopback traffic, and other system-level configurations. If you have added custom iptables rules through these files, they will only be visible here.

Method 3: Parsing Rules with grep

If you want a quick summary of rules without the surrounding iptables syntax, you can filter the rules file:

sudo grep '^### tuple' /etc/ufw/user.rules

This outputs the human-readable comment lines that UFW adds above each iptables rule:

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in

You can also extract just the port numbers and actions:

sudo grep '^### tuple' /etc/ufw/user.rules | awk '{print $4, $5, $6}'
allow tcp 22
allow tcp 80
allow tcp 443

Understanding Numbered Rules

When UFW is active, you can view numbered rules with:

sudo ufw status numbered

When inactive, the numbering corresponds to the order of rules in the user.rules file. Rules are processed in order, and the first matching rule wins. This order matters when you have both allow and deny rules:

$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp           # Rule 1
ufw deny from 10.0.0.0/8   # Rule 2
ufw allow from 10.0.0.5    # Rule 3 - This will never match because Rule 2 already denied the subnet

Understanding rule order is critical for security. If a deny rule appears before an allow rule for the same traffic, the deny takes precedence.

Re-Enabling UFW After Review

Once you have reviewed your rules and confirmed they are correct, re-enable UFW:

sudo ufw enable

UFW will warn you that enabling the firewall may disrupt existing SSH connections. If you have confirmed that port 22 (or your custom SSH port) is allowed, proceed:

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
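As an added example that is not part of this article: a small POSIX shell script that applies the grep/awk parsing from Method 3 to the tuple lines of a rules file and turns the "confirm the SSH port is allowed" step above into a check that runs before ufw enable. It assumes the tuple column order shown in the article (action, protocol, dport, dst, sport, src, direction), uses a constructed sample rules file, and the function names are mine.

```shell
#!/bin/sh
# Added example, not NOC.org code: parse the "### tuple ###" lines of a
# UFW rules file offline and gate 'ufw enable' on the SSH port being open.
# Assumed tuple column order (as shown in the article):
#   ### tuple ### action proto dport dst sport src direction
set -eu

# Constructed sample in the layout of /etc/ufw/user.rules; on a real
# server pass /etc/ufw/user.rules to the functions instead.
SAMPLE="$(mktemp)"
cat >"$SAMPLE" <<'EOF'
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT

### tuple ### deny any any 0.0.0.0/0 any 203.0.113.50 in
-A ufw-user-input -s 203.0.113.50 -j DROP

### END RULES ###
EOF

# One line per rule, in file order: "N action dport/proto from src".
# N is the position 'ufw status numbered' would show once active.
ufw_summary() {
    awk '/^### tuple ###/ { n++; printf "%d %s %s/%s from %s\n", n, $4, $6, $5, $9 }' "$1"
}

# Exit 0 if an allow or limit rule opens the given port for the given
# protocol (or "any"), else 1. Source restrictions are not inspected.
ufw_allows_port() {
    awk -v port="$2" -v proto="$3" '
        /^### tuple ###/ && ($4 == "allow" || $4 == "limit") &&
        ($5 == proto || $5 == "any") && $6 == port { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Pre-enable gate: only proceed to 'ufw enable' when the SSH port is allowed.
ufw_safe_enable() {
    rules="$1"; port="${2:-22}"
    if ufw_allows_port "$rules" "$port" tcp; then
        echo "ssh port $port/tcp is allowed in $rules; ok to run: sudo ufw enable"
        return 0
    fi
    echo "ssh port $port/tcp is NOT allowed in $rules; add it before enabling" >&2
    return 1
}

ufw_summary "$SAMPLE"
ufw_safe_enable "$SAMPLE" 22
```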

After enabling, verify that rules are active:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere

Why Check Rules When the Firewall Is Disabled?

There are several scenarios where you need to inspect UFW rules while the firewall is not running:

  • Server audit: You are auditing a server and discover UFW is disabled. You need to know what rules were configured before deciding whether to enable it.
  • Troubleshooting connectivity: You disabled UFW to diagnose a connectivity issue and want to review the rules before turning it back on.
  • Migration: You are migrating to a new server and need to export the firewall rules from the old one, which may already be shut down or booted into rescue mode, so the firewall is not running there.
  • Configuration management: You want to verify that configuration management tools (Ansible, Puppet, Chef) have applied the correct rules before enabling the firewall.
  • Backup and documentation: You are documenting the server configuration and need a record of all firewall rules regardless of current state.

Exporting and Importing Rules

You can back up your UFW rules by copying the rules files:

# Export rules
sudo cp /etc/ufw/user.rules /tmp/ufw-backup-user.rules
sudo cp /etc/ufw/user6.rules /tmp/ufw-backup-user6.rules

# Import rules on a new server
sudo cp /tmp/ufw-backup-user.rules /etc/ufw/user.rules
sudo cp /tmp/ufw-backup-user6.rules /etc/ufw/user6.rules
# reload only takes effect if the firewall is already enabled;
# on an inactive firewall, review the rules and run 'sudo ufw enable' instead
sudo ufw reload

Alternatively, use ufw show added to generate a script of ufw commands that can be run on a new server:

sudo ufw show added | grep '^ufw ' > ufw-restore.sh
chmod +x ufw-restore.sh
# On the new server:
sudo bash ufw-restore.sh
sudo ufw enable

Summary

When UFW is inactive, ufw status provides no information, but your rules are still stored on disk and accessible through multiple methods. Use sudo ufw show added for a clean list of rules formatted as UFW commands, or read /etc/ufw/user.rules directly for the underlying iptables representation. Always review your rules before re-enabling the firewall to avoid locking yourself out or leaving unexpected ports open. For a broader approach to securing your Linux servers, see our Linux security checklist.