How To Check Firewall Status In Linux – Verify Firewall Is Running

System administrators rely on knowing how to check firewall status in Linux to ensure services remain accessible. This guide walks you through every major method, from simple commands to GUI tools, so you can verify your firewall is working as intended.

Firewalls are your first line of defense. If you don’t check them regularly, you might leave ports open or block critical traffic without realizing it. Let’s fix that.

Understanding Linux Firewalls

Linux uses different firewall systems depending on your distribution. The most common ones are iptables, nftables, and ufw (Uncomplicated Firewall). Some distros also use firewalld.

Each tool manages netfilter rules in the kernel. But they have different commands and interfaces. Knowing which one you have is the first step.

Checking Your Firewall System

Run these commands to see what’s active:

sudo systemctl status ufw
sudo systemctl status firewalld

If you see “active (running)”, that’s your firewall. If not, try the other command. You can also check for iptables directly:

sudo iptables -L -n

This lists the current rules. If every chain is empty (only the Chain headers with policy ACCEPT and no rules beneath them), either no firewall is loaded or the rules live in nftables. Note that on many newer distributions the iptables command is itself a compatibility front end over nftables, so sudo nft list ruleset is the authoritative view there.

How To Check Firewall Status In Linux

Now let’s get into the core methods. We’ll cover UFW, firewalld, iptables, and nftables. Each section includes step-by-step instructions.

Checking UFW Status

UFW is popular on Ubuntu and Debian. It’s simple to use.

  1. Open a terminal.
  2. Type: sudo ufw status
  3. Press Enter.

You’ll see one of these outputs:

  • Status: active – Firewall is running.
  • Status: inactive – Firewall is off.

For more detail, add verbose:

sudo ufw status verbose

This shows default policies and logging settings. You can also check numbered rules:

sudo ufw status numbered

This is useful when you need to delete or modify specific rules.

UFW Status Example Output

Here’s what a typical output looks like:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

This tells you SSH, HTTP, and HTTPS are allowed. If you don’t see expected rules, something is wrong.

Checking Firewalld Status

Firewalld is the default on RHEL, CentOS, Fedora, and similar distros. It uses zones and services.

  1. Check if firewalld is running: sudo systemctl status firewalld
  2. If active, check its status: sudo firewall-cmd --state
  3. This returns either running or not running.

To see detailed information:

sudo firewall-cmd --list-all

This shows the default zone, allowed services, ports, and more. You can also check specific zones:

sudo firewall-cmd --zone=public --list-all

Firewalld also supports rich rules. Use sudo firewall-cmd --list-rich-rules to see them.

Firewalld Status Example

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Here, SSH and a custom port 8080 are allowed. If you need to add or remove services, use firewall-cmd --add-service or --remove-service.

Checking Iptables Status

Iptables is older but still widely used. It’s the underlying engine for many firewalls.

  1. List all rules: sudo iptables -L -n -v
  2. Check specific chains: sudo iptables -L INPUT -n -v
  3. View NAT rules: sudo iptables -t nat -L -n -v

The -n flag shows IP addresses instead of hostnames. -v adds packet and byte counts.

If iptables is not installed, you’ll get a “command not found” error. Install it with sudo apt install iptables or sudo yum install iptables.

Iptables Status Example

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

This shows a default ACCEPT policy on INPUT, a rule accepting loopback traffic, and a final rule dropping everything else; with a catch-all DROP like that, anything you want reachable (SSH included) needs an ACCEPT rule above it. If you see no rules at all, the firewall might be wide open.

Checking Nftables Status

Nftables is the modern replacement for iptables. It’s used by default in newer distributions.

  1. List the whole ruleset: sudo nft list ruleset
  2. Check a specific table: sudo nft list table inet filter
  3. Show rule handles (needed when deleting individual rules): sudo nft -a list ruleset

If nftables is not active, the command returns nothing. You can also check if the service is running:

sudo systemctl status nftables

Nftables Status Example

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
}

This allows SSH and established connections, dropping everything else. If you see no output, nftables is not loaded.

Using Systemd To Check Firewall Services

Systemd manages most Linux services. You can check if your firewall daemon is running.

  1. For UFW: sudo systemctl status ufw
  2. For firewalld: sudo systemctl status firewalld
  3. For nftables: sudo systemctl status nftables

Look for “active (running)” in the output. If it says “inactive (dead)”, the service is stopped. You can start it with sudo systemctl start <service>.

To enable it on boot: sudo systemctl enable <service>.

Checking Firewall Status With GUI Tools

Some users prefer graphical interfaces. Here are a few options:

  • GUFW – GUI for UFW. Install with sudo apt install gufw. It shows status and allows rule management.
  • firewall-config – GUI for firewalld. Install with sudo yum install firewall-config. It displays zones and rules.
  • system-config-firewall – Older tool for iptables. Not recommended for new systems.

To open GUFW, run gufw from terminal. The main window shows whether the firewall is enabled or disabled. You can toggle it with a slider.

Common Issues And Troubleshooting

Sometimes the firewall status doesn’t match expectations. Here are common problems:

Firewall Shows Inactive But Rules Exist

This can happen if you manually added iptables rules without using a service. Check with sudo iptables -L -n. If rules exist, the firewall is technically active, but not managed by a daemon.

Service Is Running But No Rules

This means the firewall daemon is active but has no rules loaded. For firewalld, run sudo firewall-cmd --reload. For UFW, sudo ufw enable and then sudo ufw reload.

Permission Denied Errors

You need root privileges to check firewall status. Always use sudo unless you’re logged in as root.

Automating Firewall Status Checks

You can write a simple script to check firewall status periodically. Here’s an example for UFW:

#!/bin/bash
# ufw prints "Status: active" or "Status: inactive"; the exact string
# "Status: active" does not match the inactive line.
if sudo ufw status | grep -q "Status: active"; then
    echo "UFW is active"
else
    echo "UFW is inactive"
    exit 1   # non-zero exit so cron or a monitor can flag it
fi

Save it as check_firewall.sh, make it executable with chmod +x check_firewall.sh, and run it. You can add this to cron for regular checks.

For firewalld:

#!/bin/bash
# firewall-cmd --state prints "running" or "not running"; match the whole
# line (-x) so "not running" is not mistaken for "running".
if sudo firewall-cmd --state 2>/dev/null | grep -qx "running"; then
    echo "Firewalld is running"
else
    echo "Firewalld is not running"
    exit 1   # non-zero exit so cron or a monitor can flag it
fi
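As an added example (not from the original article), the script below combines the detection step from “Checking Your Firewall System” with the two per-tool scripts above into one cron-friendly check that also covers nftables and bare iptables. It assumes at most one front end is installed per host and uses sudo as the scripts above do; the classify_* helpers and the file name fw_check.sh are names chosen here, and they parse the command outputs shown earlier in this guide.

```shell
#!/bin/sh
# Added example, not from the article: one check that covers all four front
# ends. Each classify_* helper reads captured command output on stdin and
# prints one word: active, inactive, open (nothing is filtered) or unknown.
classify_ufw() {            # ufw status prints "Status: active|inactive"
    out=$(cat)
    case "$out" in
        *"Status: active"*)   echo active ;;
        *"Status: inactive"*) echo inactive ;;
        *)                    echo unknown ;;
    esac
}
classify_firewalld() {      # firewall-cmd --state prints "running" or "not running"
    out=$(cat)
    case "$out" in
        "not running"*) echo inactive ;;
        "running"*)     echo active ;;
        *)              echo unknown ;;
    esac
}
classify_iptables() {       # iptables -L -n: loaded rules or a DROP policy = active
    out=$(cat)
    # count rule lines: skip "Chain ..." headers, the column header and blanks
    rules=$(printf '%s\n' "$out" | awk '!/^(Chain |target )/ && NF { n++ } END { print n + 0 }')
    case "$out" in
        *"policy DROP"*) echo active; return 0 ;;
    esac
    if [ "$rules" -gt 0 ]; then echo active; else echo open; fi
}
classify_nft() {            # nft list ruleset: a base chain always contains "hook"
    out=$(cat)
    case "$out" in
        "")         echo inactive ;;   # empty: no ruleset loaded
        *" hook "*) echo active ;;
        *)          echo open ;;       # tables present but nothing is hooked
    esac
}
# Probe the first front end found on PATH (assumption: one tool per host) and
# exit 0 only when it reports an active firewall, so cron can alert on failure.
check_firewall() {
    if   command -v ufw >/dev/null 2>&1;          then tool=ufw;       state=$(sudo ufw status 2>/dev/null | classify_ufw)
    elif command -v firewall-cmd >/dev/null 2>&1; then tool=firewalld; state=$(sudo firewall-cmd --state 2>/dev/null | classify_firewalld)
    elif command -v nft >/dev/null 2>&1;          then tool=nftables;  state=$(sudo nft list ruleset 2>/dev/null | classify_nft)
    elif command -v iptables >/dev/null 2>&1;     then tool=iptables;  state=$(sudo iptables -L -n 2>/dev/null | classify_iptables)
    else echo "no firewall tool found"; return 2
    fi
    echo "$tool: $state"
    [ "$state" = active ]
}
if [ "${1:-}" = run ]; then check_firewall; fi
```

Run it as sh fw_check.sh run; without the argument the file only defines the functions, so it can be sourced by other scripts or exercised with captured output.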

Best Practices For Firewall Management

  • Check firewall status after every system update. Updates can reset rules.
  • Log firewall events. Use sudo ufw logging on or sudo firewall-cmd --set-log-denied=all.
  • Test rules with tools like nmap from another machine.
  • Document your rules. This helps when troubleshooting.
  • Use version control for firewall scripts.

Frequently Asked Questions

How Do I Check If My Firewall Is Blocking A Port?

Use sudo ufw status for UFW, or sudo firewall-cmd --list-ports for firewalld. For iptables, run sudo iptables -L -n and look for DROP or REJECT rules.

What Is The Difference Between UFW And Firewalld?

UFW is simpler and common on Ubuntu. Firewalld is more advanced, uses zones, and is default on RHEL-based systems. Both manage netfilter underneath.

Can I Check Firewall Status Without Sudo?

No, most firewall commands require root privileges. You can use sudo or log in as root. Some systems allow non-root users to view status with specific group permissions.

Why Does My Firewall Show Inactive After Reboot?

The service might not be enabled. Run sudo systemctl enable ufw or sudo systemctl enable firewalld to start it on boot.

How Often Should I Check Firewall Status?

At least once a week, or after any configuration change. Automated monitoring is recommended for production systems.

Conclusion

Knowing how to check firewall status in Linux is essential for any system administrator. Whether you use UFW, firewalld, iptables, or nftables, the process is straightforward. Regular checks prevent security gaps and ensure your services stay accessible.

Start with sudo ufw status or sudo firewall-cmd --state. If you see unexpected results, dig deeper with the commands in this guide. Automate your checks to save time and catch issues early.

Your firewall is your network’s gatekeeper. Make sure it’s always on duty.