Verify UFW is Active
sudo ufw status
# Should show "Status: active"; "sudo ufw status verbose" also prints the default policies and the logging level
# If /etc/default/ufw has IPV6=no, UFW installs no IPv6 rules at all, so IPv6 traffic is unfiltered even though the status is active
Check Rule Order
UFW evaluates rules in order and the first match wins, so a later rule that overlaps an earlier one is never reached:
sudo ufw status numbered
Example problem:
[1] 22/tcp ALLOW IN Anywhere
[2] 22/tcp DENY IN Anywhere # Never matches: rule 1 has already accepted the packet
Fix: delete the conflicting allow rule, or insert the deny at a position above it. Rules added without a position are appended to the end of the list, which is why a deny added after an allow for the same port has no effect.
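As an added example (not part of the original guide and not a feature of ufw itself), the script below parses the output of sudo ufw status numbered and reports rules that can never match: a later rule with the same target and direction whose source is contained in an earlier rule's source. That generalizes the shadowing problem beyond identical rules: a deny for one address or subnet that sits below an allow from Anywhere is just as unreachable. The sample status text and its addresses are constructed for the example; it compares the To column as plain text (a simplification) and assumes Python 3.7 or newer for ipaddress.supernet_of.

```python
import ipaddress
import re
import sys

# Matches a numbered status line such as:
# [ 2] 22/tcp                     DENY IN     203.0.113.5
RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(.*)$")
ACTIONS = ("ALLOW", "DENY", "REJECT", "LIMIT")

# Constructed sample of "sudo ufw status numbered" output (not a real host).
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp                     DENY IN     203.0.113.5
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 22/tcp                     DENY IN     203.0.113.0/24
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 22/tcp (v6)                DENY IN     Anywhere (v6)
"""


def _source_network(text):
    """Map the From column to an ip_network; 'Anywhere' means every address."""
    if text.startswith("Anywhere"):
        return ipaddress.ip_network("::/0" if "(v6)" in text else "0.0.0.0/0")
    return ipaddress.ip_network(text.split()[0], strict=False)


def parse_rules(status_text):
    """Return the numbered rules as dicts, in the order ufw evaluates them."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num = int(m.group(1))
        rest = m.group(2).split("#", 1)[0].rstrip()   # drop a trailing comment
        cols = re.split(r"\s{2,}", rest)               # columns are 2+ spaces apart
        if len(cols) != 3:
            continue
        to, action_col, src = cols
        action, _, direction = action_col.partition(" ")
        if action not in ACTIONS:
            continue
        rules.append({
            "num": num,
            "to": to.replace(" (v6)", ""),   # family is taken from the source instead
            "action": action,
            "direction": direction or "IN",
            "src_text": src,
            "src": _source_network(src),
        })
    return rules


def find_shadowed(rules):
    """Pair each rule with the first earlier rule that already decides its traffic."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["to"] == later["to"]
                    and earlier["direction"] == later["direction"]
                    and earlier["src"].version == later["src"].version
                    and earlier["src"].supernet_of(later["src"])):
                findings.append({
                    "rule": later["num"],
                    "shadowed_by": earlier["num"],
                    "conflict": earlier["action"] != later["action"],
                })
                break
    return findings


def suggest_fix(rules, finding):
    """Build the ufw command that re-inserts the shadowed rule above the one hiding it.
    Only inbound 'port[/proto]' targets are handled; anything else returns None."""
    rule = next(r for r in rules if r["num"] == finding["rule"])
    m = re.fullmatch(r"(\d+)(?:/(tcp|udp))?", rule["to"])
    if not m or rule["direction"] != "IN":
        return None
    port, proto = m.groups()
    src = "any" if rule["src_text"].startswith("Anywhere") else rule["src_text"]
    cmd = f"sudo ufw insert {finding['shadowed_by']} {rule['action'].lower()}"
    if proto:
        cmd += f" proto {proto}"
    return f"{cmd} from {src} to any port {port}"


if __name__ == "__main__":
    # Usage: sudo ufw status numbered | python3 ufw_shadow.py
    # Falls back to the constructed sample when nothing is piped in.
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_rules(text)
    for f in find_shadowed(parsed):
        kind = "conflicts with" if f["conflict"] else "duplicates"
        print(f"rule {f['rule']} never matches: it {kind} rule {f['shadowed_by']}")
        fix = suggest_fix(parsed, f)
        if fix:
            print("  " + fix)
```

The suggested insert leaves the original shadowed rule in place further down the list; delete it afterwards with sudo ufw delete and re-run the check, since deleting renumbers everything below it.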
Application Profile Overrides
# List the profiles and the ports each one covers
sudo ufw app list
sudo ufw app info "OpenSSH"
# A profile opens nothing by itself, but allowing it opens every port the profile lists, which can be more than you expected
sudo ufw show added
# "show added" prints the rules exactly as they were added, profile names included, so you can see which profile a port came from
Check for iptables Bypass
UFW is a frontend for iptables: its rules live in ufw-* chains that INPUT and FORWARD jump to. Anything that inserts rules ahead of those jumps, or that talks to a different backend, is invisible to ufw status. Also confirm with iptables -V that UFW and the other tools use the same backend, because rules loaded through iptables-legacy and iptables-nft live in separate rulesets and neither sees the other.
# View raw iptables (filter table, then nat)
sudo iptables -L -n -v
sudo iptables -L -n -t nat
# Check for Docker (bypasses UFW); the DOCKER chain only exists while the Docker daemon is running
sudo iptables -L DOCKER -n
Docker publishes container ports with DNAT rules in the nat table and inserts its own rules at the top of FORWARD, ahead of UFW's chains, so a port published with -p is reachable from outside even when UFW denies it; the traffic never reaches INPUT at all. One solution:
# Disable Docker iptables management
# In /etc/docker/daemon.json (restart the Docker daemon afterwards)
{ "iptables": false }
Caveat: with "iptables": false Docker no longer creates its NAT rules either, so published ports stop working and containers lose outbound masquerading unless you add those rules yourself. If you need Docker's networking, keep the default and put your restrictions in the DOCKER-USER chain instead, which Docker evaluates before its own FORWARD rules and does not modify.
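As an added example (not from the original guide or from Docker), the script below reads iptables -S output and, for INPUT and FORWARD, lists every rule that runs before the first jump into a ufw-* chain, which is exactly the traffic UFW never sees. It also pulls the published ports out of the DOCKER chain so you know which container ports are open regardless of the UFW rules. The sample ruleset is constructed to resemble a host running both UFW and Docker; the chain and option names in it are the ones those tools actually use, but the addresses and ports are made up.

```python
import re
import sys

# Constructed sample of "sudo iptables -S" on a host with UFW and Docker (not a real capture).
SAMPLE_RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-USER
-N ufw-before-forward
-N ufw-before-input
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN
"""

APPEND_RE = re.compile(r"^-A (\S+) (.*)$")
POLICY_RE = re.compile(r"^-P (\S+) (\S+)$")
# Docker's per-container accept rule: destination, protocol and published port
DOCKER_ACCEPT_RE = re.compile(r"-d (\S+) .*-p (\w+) .*--dport (\d+) -j ACCEPT")


def parse_ruleset(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) preserving listing order."""
    policies, chains = {}, {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = APPEND_RE.match(line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return policies, chains


def rules_before_ufw(chains, chain):
    """Rules in `chain` that precede the first jump into a ufw-* chain.
    Returns [] when UFW is first and None when the chain never hands off to UFW."""
    rules = chains.get(chain, [])
    for i, rule in enumerate(rules):
        if "-j ufw-" in rule:
            return rules[:i]
    return None


def docker_published_ports(chains):
    """Container ports Docker accepts in its DOCKER chain as (dest, proto, port)."""
    found = []
    for rule in chains.get("DOCKER", []):
        m = DOCKER_ACCEPT_RE.search(rule)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found


def report(text):
    """Human-readable summary of what bypasses UFW in the given ruleset."""
    policies, chains = parse_ruleset(text)
    lines = []
    for chain in ("INPUT", "FORWARD"):
        ahead = rules_before_ufw(chains, chain)
        if ahead is None:
            lines.append(f"{chain}: no jump to a ufw chain at all (policy {policies.get(chain)})")
        elif ahead:
            lines.append(f"{chain}: {len(ahead)} rule(s) run before ufw:")
            lines.extend("  " + r for r in ahead)
        else:
            lines.append(f"{chain}: ufw chains are first")
    for dest, proto, port in docker_published_ports(chains):
        lines.append(f"Docker accepts {proto}/{port} to {dest} regardless of ufw rules")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: sudo iptables -S | python3 ufw_bypass_check.py
    # Falls back to the constructed sample when nothing is piped in.
    print(report(SAMPLE_RULESET if sys.stdin.isatty() else sys.stdin.read()))
```

On an nftables backend run iptables-nft -S (or inspect nft list ruleset) so that the listing and UFW's rules come from the same backend; an empty DOCKER-USER chain (just -j RETURN) in the report means no user restrictions are in front of Docker's accepts.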
Reset UFW
A reset removes every rule and leaves UFW disabled, so add the rules you depend on (at least SSH if you are working remotely) before enabling it again:
sudo ufw disable
sudo ufw reset # Prompts for confirmation and backs up the old rule files under /etc/ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
Check for Kernel Parameters
# IP forwarding does not bypass the INPUT rules, but it lets the host route packets between interfaces. Routed traffic is judged by the FORWARD chain and by DEFAULT_FORWARD_POLICY in /etc/default/ufw (DROP by default). Docker turns forwarding on.
sysctl net.ipv4.ip_forward
# Should be 0 unless you need routing; check net.ipv6.conf.all.forwarding the same way for IPv6
Check for Rules That Are Too Specific
A rule that is narrower than intended does not fail loudly; it simply matches less than you think:
# Too narrow: blocks only one source address, everyone else still gets through
sudo ufw deny from <single-address> to any port 22
# Blocks all IPv4 sources (a v4 address in the rule means no IPv6 rule is added)
sudo ufw deny from 0.0.0.0/0 to any port 22
# Also blocks all sources, IPv4 and IPv6 (TCP only; use plain "22" for TCP and UDP)
sudo ufw deny 22/tcp
Either deny only takes effect if no earlier allow rule matches first, and with "default deny incoming" an explicit deny is usually unnecessary.
If UFW still does not behave, inspect the complete ruleset with iptables-save (or nft list ruleset on an nftables backend) to see what is actually loaded, and consider managing the rules directly with iptables or nftables instead.