Verifying your firewall status in Linux confirms whether your security rules are actively protecting the system. Knowing how to check the firewall status in Linux is a fundamental skill for any system administrator or security-conscious user. Without this knowledge, you might leave your machine exposed to unwanted network traffic. This guide walks you through every major method, from simple commands to graphical tools, so you can quickly confirm your firewall is working as intended.
Firewalls are your first line of defense against unauthorized access. They filter incoming and outgoing traffic based on predefined rules. But a firewall is only useful if it’s actually running. That’s why checking its status should be part of your regular system maintenance routine. Let’s get started with the most common firewall tools and how to check them.
Why Checking Firewall Status Matters
Before diving into commands, it helps to understand why this matters. A disabled firewall can leave your system vulnerable to attacks, especially if you’re running services like SSH, web servers, or databases. On the flip side, an overly restrictive firewall can block legitimate traffic, breaking applications. Regular checks ensure your security posture is correct.
Different Linux distributions use different firewall systems. The most common ones are iptables, nftables, UFW (Uncomplicated Firewall), and firewalld. Each has its own way of showing status. We’ll cover all of them so you’re prepared no matter what distro you use.
How To Check The Firewall Status In Linux
This section covers the exact commands you need. Depending on your Linux distribution, you’ll use one or more of these methods. Let’s break them down by firewall tool.
Checking UFW Status
UFW is popular on Ubuntu and Debian-based systems. It’s designed to be simple. To check its status, open a terminal and run:
sudo ufw status
This command shows you if UFW is active or inactive. If it’s active, you’ll see a list of rules. For more detail, use:
sudo ufw status verbose
The verbose output includes default policies (allow or deny) and logging settings. Here’s what a typical response looks like:
- Status: active – Firewall is running.
- Status: inactive – Firewall is not running.
- Logging: on (low) – Basic logging is enabled.
- Default: deny (incoming), allow (outgoing) – Default policies.
If you see “inactive,” you can enable UFW with sudo ufw enable. But be careful – enabling it without rules might lock you out if you’re connected remotely.
Checking Firewalld Status
Firewalld is the default on RHEL, CentOS, Fedora, and other Red Hat-based systems. It uses zones and services. To check its status, use:
sudo systemctl status firewalld
This shows the service status, including whether it’s active (running) or inactive (dead). For a more firewall-specific view, run:
sudo firewall-cmd --state
This command simply returns “running” or “not running.” To see active zones and rules, use:
sudo firewall-cmd --list-all
That output includes the default zone, interfaces, services, ports, and masquerade settings. It’s a comprehensive snapshot of your current configuration.
Checking Iptables Status
Iptables is the classic Linux firewall tool. Even if you use UFW or firewalld, they often rely on iptables underneath. To check if iptables rules are loaded, run:
sudo iptables -L -n -v
This lists all rules with numeric IP addresses and packet counts. If you see rules, the firewall is active. If the output is empty (only default chains with no rules), it might still be running but with no custom rules. To check if the iptables service itself is running, use:
sudo systemctl status iptables
On some systems, iptables is not managed as a service. Instead, rules are loaded at boot via scripts. In that case, the -L command is your best bet.
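An INPUT chain whose default policy is ACCEPT and which holds no rules accepts every inbound packet, so a listing of empty chains deserves a closer look than "no custom rules". The following added example (not part of the original guide) summarises each built-in chain from iptables -L -n output read on stdin; the function names and both sample listings are constructed for illustration, and it covers only the iptables view, not native nftables rules.

```sh
#!/bin/sh
# Summarise the built-in chains of `iptables -L -n` output (with or without -v)
# read on stdin, one line per chain: "<CHAIN> policy=<POLICY> rules=<COUNT>".
summarize_iptables() {
    awk '
        /^Chain / {
            if ($3 == "(policy") {            # built-in chain with a default policy
                chain = $2
                pol = $4; sub(/\)$/, "", pol) # "ACCEPT)" without -v, "ACCEPT" with -v
                policy[chain] = pol; order[++n] = chain
            } else {
                chain = ""                    # user-defined chain: rules not counted
            }
            next
        }
        NF == 0 || $1 == "target" || $1 == "pkts" { next }   # blank line, column header
        chain != "" { rules[chain]++ }
        END {
            for (i = 1; i <= n; i++)
                printf "%s policy=%s rules=%d\n", order[i], policy[order[i]], rules[order[i]]
        }
    '
}

# Succeeds when INPUT accepts everything: default ACCEPT and no rules at all.
input_unfiltered() {
    summarize_iptables | grep -qx 'INPUT policy=ACCEPT rules=0'
}

# Constructed sample: `iptables -L -n -v` on a host with no rules loaded.
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample: `iptables -L -n` with a default-drop INPUT and two rules.
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

if printf '%s\n' "$SAMPLE_EMPTY" | input_unfiltered; then
    echo "sample 1: INPUT is unfiltered"
fi
printf '%s\n' "$SAMPLE_RULES" | summarize_iptables
```

On a live host, pipe the real listing in: sudo iptables -L -n -v | summarize_iptables.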
Checking Nftables Status
Nftables is the modern replacement for iptables. It’s used by default on newer distributions like Debian 10+ and Fedora. To check its status, run:
sudo nft list ruleset
This shows all rules in the current nftables configuration. If the output is empty, no rules are loaded. To check if the nftables service is active, use:
sudo systemctl status nftables
Nftables can coexist with iptables, but they are separate systems. Make sure you know which one your distro uses.
Using Systemd To Check Firewall Services
Most modern Linux distributions use systemd to manage services. You can check any firewall service’s status with the same command pattern. For example:
sudo systemctl status ufw
sudo systemctl status firewalld
sudo systemctl status iptables
sudo systemctl status nftables
This shows you the service’s current state (active/inactive), whether it’s enabled to start at boot, and recent log entries. This is often the quickest way to see if a firewall is running.
If the service is “inactive (dead),” it means the firewall is not running. If it’s “active (running),” it’s working. The “enabled” or “disabled” status tells you if it will start automatically after a reboot.
Checking Firewall Status Without Sudo
Some commands require root privileges. But there are ways to check status without sudo, depending on your setup. For UFW, you can sometimes use:
ufw status
But this usually requires sudo. For firewalld, you can check the service status without sudo if you have the right permissions:
systemctl --user status firewalld
However, this only works if firewalld is running as a user service, which is rare. In practice, most firewall checks require sudo. If you’re on a shared system, ask your administrator for access.
Using Graphical Tools
If you prefer a GUI, Linux has options. On Ubuntu, you can install gufw (graphical UFW):
sudo apt install gufw
Then launch it from the applications menu. It shows the firewall status with a simple on/off toggle. On Fedora or RHEL, you can use firewall-config:
sudo dnf install firewall-config
This graphical tool shows zones, services, and current status. It’s a good alternative if you’re not comfortable with the command line.
Common Issues And Troubleshooting
Sometimes the firewall status isn’t what you expect. Here are a few common problems and how to fix them.
Firewall Shows Inactive But Should Be Active
If you see “inactive” but you know you configured rules, the service might not be started. Try:
sudo systemctl start ufw
sudo systemctl enable ufw
Replace “ufw” with your firewall tool. Then check the status again.
Firewall Shows Active But No Rules
This can happen if the service is running but no rules are loaded. For iptables, this is normal if you haven’t added any rules. For firewalld, it might mean the default zone has no services. Add a rule like:
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload
Command Not Found
If you get “command not found,” the firewall tool isn’t installed. Install it with your package manager. For example:
sudo apt install ufw
sudo dnf install firewalld
sudo apt install iptables
Automating Firewall Status Checks
You can automate checks with scripts or cron jobs. For example, create a script that checks UFW status and emails you if it’s inactive:
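#!/bin/bash
# Install in root's crontab: sudo cannot prompt for a password under cron.
# Alert when the status line does not report an active firewall.
if ! sudo ufw status | grep -q "Status: active"; then
    echo "UFW is inactive!" | mail -s "Firewall Alert" you@example.com
fi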
Save this as a script and run it via cron every hour. This ensures you’re always aware of changes.
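A broader version of the hourly check, added here as an example that is not part of the original guide: it covers firewalld and nftables as well as UFW and treats an empty nftables ruleset as a failure even when a service is running. It assumes it runs as root; the function names, the UFW/FWCMD/NFT override variables and the --cron flag are choices made for this example.

```sh
#!/bin/sh
# One status line per firewall front end found on this host.
# Cron starts with a minimal PATH, so add the sbin directories explicitly.
PATH=/usr/sbin:/usr/bin:/sbin:/bin:$PATH
# Tool names are variables so a wrapper or a test can point them elsewhere.
: "${UFW:=ufw}" "${FWCMD:=firewall-cmd}" "${NFT:=nft}"

have() { command -v "$1" >/dev/null 2>&1; }

fw_report() {
    if have "$UFW"; then
        if "$UFW" status 2>/dev/null | grep -q '^Status: active'; then
            echo "ufw: ok"
        else
            echo "ufw: DOWN"
        fi
    fi
    if have "$FWCMD"; then
        # firewall-cmd --state reports "running" or "not running"
        if [ "$("$FWCMD" --state 2>&1)" = "running" ]; then
            echo "firewalld: ok"
        else
            echo "firewalld: DOWN"
        fi
    fi
    if have "$NFT"; then
        # An empty ruleset filters nothing, whatever the service state says
        if [ -n "$("$NFT" list ruleset 2>/dev/null)" ]; then
            echo "nftables: ok"
        else
            echo "nftables: EMPTY"
        fi
    fi
}

# Succeeds when at least one front end reports ok.
fw_protected() {
    fw_report | grep -q ': ok$'
}

# Cron entry point: silent when protected; otherwise print the report so cron
# (or a pipe to mail, as in the script above) delivers it, and exit non-zero.
if [ "${1:-}" = "--cron" ]; then
    fw_protected || { echo "No active firewall on $(hostname):"; fw_report; exit 1; }
fi
```

Called with --cron from root's crontab, the script produces output only when no front end reports ok, so cron's own mail delivery is enough to raise the alert.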
Understanding Firewall Logs
Checking status is one thing, but logs tell you what the firewall is actually doing. For UFW, logs are in /var/log/ufw.log. For firewalld, check /var/log/firewalld. For iptables, logs go to /var/log/kern.log or /var/log/messages. Use tail -f to watch logs in real time:
sudo tail -f /var/log/ufw.log
Logs show blocked and allowed traffic, which helps you debug connectivity issues.
Firewall Status On Different Distros
Here’s a quick reference for popular distributions:
- Ubuntu/Debian: Use sudo ufw status or sudo systemctl status ufw.
- Fedora/RHEL/CentOS: Use sudo systemctl status firewalld or sudo firewall-cmd --state.
- Arch Linux: Use sudo systemctl status iptables or sudo systemctl status nftables.
- OpenSUSE: Use sudo systemctl status firewalld.
Some distros use multiple firewalls. For example, Ubuntu might have both UFW and iptables. Check both to be sure.
Best Practices For Firewall Management
Checking status is just the beginning. Here are a few tips to keep your firewall effective:
- Check status after every reboot to ensure services start automatically.
- Use verbose mode to review rules regularly.
- Enable logging for critical services.
- Test rules with tools like nmap to confirm they work.
- Keep your firewall software updated.
Regular checks prevent surprises. Make it a habit to verify firewall status after configuration changes.
Frequently Asked Questions
How Do I Check If My Firewall Is Blocking A Port?
Use sudo ufw status numbered for UFW, or sudo firewall-cmd --list-ports for firewalld. For iptables, run sudo iptables -L -n and look for the port number.
Can I Check Firewall Status Without Root?
Most commands require sudo. However, you can check service status with systemctl status if you have the right permissions. On some systems, ufw status works without sudo if the policy allows it.
What Is The Difference Between UFW And Firewalld?
UFW is simpler and designed for desktop users. Firewalld is more feature-rich and uses zones. Both serve the same purpose but have different syntax.
How Do I Restart The Firewall After Changing Rules?
For UFW, use sudo ufw reload. For firewalld, use sudo firewall-cmd --reload. For iptables, you need to reload rules from a file or restart the service.
Why Does My Firewall Show Inactive Even After Enabling It?
Check if the service is enabled to start at boot. Use sudo systemctl enable ufw (or your firewall) and then start it with sudo systemctl start ufw. Also verify that no other firewall is conflicting.
Conclusion
Knowing how to check the firewall status in Linux is a simple but crucial skill. Whether you use UFW, firewalld, iptables, or nftables, the commands are straightforward. Regular checks ensure your system stays secure and your services run smoothly. Start by running the appropriate command for your distribution, then make it a habit to verify status after any network changes. With the steps in this guide, you’re now equipped to monitor and manage your Linux firewall effectively.