How to Check UFW Default Firewall Policy (Deny/Allow) in Linux

UFW (Uncomplicated Firewall) uses default policies to handle incoming and outgoing traffic when no specific rules match. These policies are crucial for system security as they define the baseline behavior of your firewall.

To check the current default policies in UFW, run:

sudo ufw status verbose

Sample output showing default policies:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

For script-friendly output (one policy per line), extract the Default: line from the verbose status and split it:

sudo ufw status verbose | sed -n 's/^Default: //p' | tr ',' '\n' | sed 's/^ */default /'

This will display lines like:

default deny (incoming)
default allow (outgoing)
default deny (routed)

You can also check the configuration directly in:

cat /etc/default/ufw

Look for these key parameters:

DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"

Here's a bash script to programmatically check default policies. Note that the Default: line carries all three policies at once, so the script has to isolate the "<policy> (<type>)" pair it was asked for rather than always printing the second word of the line:

#!/bin/bash

get_ufw_policy() {
    local policy_type=$1
    # Isolate "<policy> (<type>)" for the requested type, then keep the policy word.
    sudo ufw status verbose | grep '^Default:' \
        | grep -oE "[a-z]+ \($policy_type\)" | awk '{print $1}'
}

echo "Incoming policy: $(get_ufw_policy incoming)"
echo "Outgoing policy: $(get_ufw_policy outgoing)"
echo "Routed policy:   $(get_ufw_policy routed)"

The default incoming deny policy means:

  • All incoming connections are blocked unless explicitly allowed
  • This follows the principle of least privilege for security
  • Outgoing traffic is typically allowed by default

When working with Uncomplicated Firewall (UFW) on Linux systems, the default policy determines how the firewall handles incoming and outgoing connections that don't match any specific rule. While setting these defaults is straightforward (ufw default deny or ufw default allow), checking the current configuration requires more than the bare ufw status command, which lists only the explicit rules.

UFW stores its default policies in a configuration file located at:

/etc/default/ufw

This file contains all the fundamental settings for your firewall, including the default policies for incoming and outgoing traffic.

To view the current default policies, you have several options:

# Method 1: Directly cat the config file
cat /etc/default/ufw | grep DEFAULT_

# Method 2: Use grep for cleaner output
grep ^DEFAULT_ /etc/default/ufw

# Expected output:
# DEFAULT_INPUT_POLICY="DROP"
# DEFAULT_OUTPUT_POLICY="ACCEPT"
# DEFAULT_FORWARD_POLICY="DROP"
# DEFAULT_APPLICATION_POLICY="SKIP"

A less direct method is to look at the numbered rule listing and infer the default policy from the catch-all rules it contains:

ufw status numbered

# Look for rules with 'Anywhere' and no specific ports
# Default deny will show as:
# [ 1] Anywhere DENY IN

Here's how to check and interpret the default policies in a real-world scenario:

# Check current defaults
$ grep ^DEFAULT_ /etc/default/ufw
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"

# This means:
# - All incoming connections are blocked by default
# - All outgoing connections are allowed by default
# - Packet forwarding is disabled by default

Remember these key points about UFW default policies:

  • Changes to defaults don't take effect until you reload UFW (ufw reload)
  • The default forward policy is particularly important for systems acting as routers
  • Application profiles may override default policies for specific services

If you're having connectivity issues, always verify the default policies first. A common pitfall is setting DEFAULT_INPUT_POLICY="DROP" without allowing SSH connections, which can lock you out of remote servers.
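As an added example (not part of the original article), the following script ties the checks above together: it parses the text of ufw status verbose and of /etc/default/ufw, reports whether the running defaults match the file (drift that ufw reload would resolve), and flags the SSH lockout pitfall just described when incoming is deny but no allow rule for port 22 exists. The sample status output and config are constructed, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the article: audit UFW defaults from captured text so it
# runs offline; in production pass "$(sudo ufw status verbose)" and "$(cat /etc/default/ufw)".
# Map the iptables targets used in /etc/default/ufw onto the words `ufw status` prints.
target_to_policy() {
    case "$1" in
        DROP)   echo deny ;;
        ACCEPT) echo allow ;;
        REJECT) echo reject ;;
        *)      echo unknown ;;
    esac
}
# Running policy for one direction (incoming|outgoing|routed) from `ufw status verbose` text.
running_policy() {
    printf '%s\n' "$2" | sed -n 's/^Default: //p' | tr ',' '\n' \
        | grep " ($1)" | awk '{print $1}'
}
# Configured policy for the same direction from /etc/default/ufw text.
configured_policy() {
    case "$1" in
        incoming) key=INPUT ;;  outgoing) key=OUTPUT ;;  routed) key=FORWARD ;;
    esac
    target_to_policy "$(printf '%s\n' "$2" | sed -n "s/^DEFAULT_${key}_POLICY=\"\(.*\)\"/\1/p")"
}
# 0 when the running policy matches the file for every direction, i.e. no pending `ufw reload`.
policies_consistent() {
    for dir in incoming outgoing routed; do
        [ "$(running_policy "$dir" "$1")" = "$(configured_policy "$dir" "$2")" ] || return 1
    done
}
# 0 = incoming is deny and an ALLOW IN rule for SSH (22, 22/tcp or OpenSSH) exists;
# 1 = incoming is deny but no SSH rule (lockout risk); 2 = incoming is not deny.
ssh_reachable() {
    [ "$(running_policy incoming "$1")" = deny ] || return 2
    printf '%s\n' "$1" | grep -Eq '^(22/tcp|22|OpenSSH)([[:space:]]+\(v6\))?[[:space:]]+ALLOW IN'
}
# Constructed sample input standing in for the real command output and config file.
SAMPLE_STATUS='Status: active
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere'
SAMPLE_CONFIG='DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"'

policies_consistent "$SAMPLE_STATUS" "$SAMPLE_CONFIG" && echo "defaults: running matches config" || echo "defaults: drift, run ufw reload"
ssh_reachable "$SAMPLE_STATUS" && echo "ssh: incoming deny with allow rule present" || echo "ssh: verify an allow rule before relying on remote access"
```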