How to verify firewall rules
Topic: Networking basics
Summary
Confirm that the firewall is active and that rules match your intent: list rules (ufw status, nft list ruleset, iptables -L), test connectivity from a client (nc, curl, telnet), and compare with what should be allowed or denied. Use this after changing rules or before go-live so you do not ship with wrong or missing rules.
Intent: How-to
Quick answer
- List rules: ufw status verbose (UFW), nft list ruleset (nftables), iptables -L -n -v (iptables). Check that allow rules for required ports are present and that default policy is as intended (e.g. drop for input).
- Test from a client: nc -zv SERVER PORT for TCP; allowed ports should connect, denied ports should time out or be refused. After any change, test SSH in a second session before closing the first.
- Document the intended policy (e.g. allow 22, 80, 443; deny the rest) and compare the listed rules to it; fix any missing allow or unintended allow; ensure the order is correct (allow before deny for the same traffic).
Prerequisites
Steps
- List current rules: UFW: ufw status verbose (or ufw status numbered). nftables: nft list ruleset. iptables: iptables -L INPUT -n -v. Note the default policy and each allow/deny rule; check that the rule order matches intent (e.g. allow SSH before the default drop).
- Test allowed ports: from a client, nc -zv SERVER 22; nc -zv SERVER 80; and so on. Allowed ports should connect (or get a response from the service). If they time out, the firewall may be blocking or the service may not be listening.
- Test denied ports: from a client, nc -zv SERVER 23 (or another port you intend to block). It should time out or be refused. If it connects, a rule is allowing it; remove or reorder so the deny or default policy applies.
- Compare to policy: write the intended policy (e.g. allow 22, 80, 443; default deny). Compare the listed rules to it; add missing allows, remove unintended allows, fix order; re-test and document.
Summary
Verify the firewall by listing rules, testing allowed and denied ports from a client, and comparing the result to your intended policy. Use this after any rule change or before putting a server in production.
Prerequisites
Steps
Step 1: List current rules
sudo ufw status verbose
# or
sudo nft list ruleset
# or
sudo iptables -L INPUT -n -v
Note default policy and each rule. Ensure allow rules for required ports exist and appear before a default drop or broad deny.
Step 2: Test allowed ports
From another host or your workstation:
nc -zv SERVER_IP 22
nc -zv SERVER_IP 80
Allowed ports should connect (or the service should respond). If they time out, the firewall or the network path is blocking, or the service is not listening.
Step 3: Test denied ports
Test a port you intend to block (e.g. 23). It should time out or be refused. If it connects, an allow rule is matching; fix the rule set.
Step 4: Compare to policy
Document the intended policy (e.g. allow 22, 80, 443; default deny). Compare the listed rules; add missing allows, remove unintended allows, fix order; re-test and document the final state.
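As an added example (my own helper script, not code from the original page), the following POSIX shell script performs step 1 and step 4 offline: it parses a constructed ufw status verbose listing, extracts the TCP ports with an inbound ALLOW rule, checks the default incoming policy, and compares the result with a documented policy of allow 22, 80, 443 and default deny. The function names, the sample listing (which deliberately lacks 443 and allows 8080) and the probe_port helper for steps 2 and 3 are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare a firewall's listed allow rules to the intended policy.
# Assumptions (not from the original page): helper names are mine, the policy is
# "allow TCP 22, 80, 443 in; default deny", and SAMPLE_UFW_STATUS is a constructed
# 'ufw status verbose' listing so the check runs offline.

INTENDED_ALLOW="22 80 443"

# Constructed sample output; 443 is missing and 8080 is allowed by mistake.
SAMPLE_UFW_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Print the default incoming policy ("deny", "allow" or "unknown") from ufw status text on stdin.
ufw_default_incoming() {
    awk '/^Default:/ {
            if ($0 ~ /deny \(incoming\)/) print "deny";
            else if ($0 ~ /allow \(incoming\)/) print "allow";
            else print "unknown";
            exit }'
}

# Print TCP ports that have an inbound ALLOW rule, one per line, numerically sorted,
# duplicates removed (the v4 and v6 rows for one port count once). Reads ufw status on stdin.
ufw_allowed_tcp_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ {
            act = $2; dir = $3
            if ($2 == "(v6)") { act = $3; dir = $4 }   # row looks like: 22/tcp (v6) ALLOW IN ...
            if (act == "ALLOW" && dir != "OUT") { sub(/\/tcp$/, "", $1); print $1 }
        }' | sort -nu
}

# Compare allowed ports on stdin (one per line) with the intended allow list.
# Prints one MISSING/UNINTENDED line per deviation; exit status 0 only on an exact match.
compare_policy() {
    intended="$1"
    listed=$(cat)
    bad=0
    for p in $intended; do
        if ! printf '%s\n' "$listed" | grep -qx "$p"; then
            echo "MISSING allow: $p"
            bad=1
        fi
    done
    for p in $listed; do
        case " $intended " in
            *" $p "*) ;;
            *) echo "UNINTENDED allow: $p"; bad=1 ;;
        esac
    done
    return $bad
}

# Live client-side probe (steps 2 and 3): "open" if a TCP connect succeeds within 3 s.
# Not exercised by the offline demo; run from another host as: probe_port SERVER_IP 22
probe_port() {
    if nc -z -w 3 "$1" "$2" 2>/dev/null; then echo open; else echo closed; fi
}

# Offline demo: check the sample listing against the intended policy (exit 1 on any deviation).
verify_sample() {
    rc=0
    if [ "$(printf '%s\n' "$SAMPLE_UFW_STATUS" | ufw_default_incoming)" != "deny" ]; then
        echo "DEFAULT incoming policy is not deny"
        rc=1
    fi
    printf '%s\n' "$SAMPLE_UFW_STATUS" | ufw_allowed_tcp_ports | compare_policy "$INTENDED_ALLOW" || rc=1
    return $rc
}

verify_sample || echo "Policy mismatch: fix the rule set, then re-list and re-test"
```

For a live check replace the sample with the real listing: sudo ufw status verbose | ufw_allowed_tcp_ports | compare_policy "$INTENDED_ALLOW". For nftables or iptables, produce one allowed port per line from their listing and pipe that into compare_policy; the comparison itself does not depend on the tool.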
Verification
- Listed rules match the intended policy; allowed ports are reachable; denied ports are not; SSH remains working.
Troubleshooting
Allowed port not reachable — Rule may be after a deny or default drop; move the allow earlier. Or the service is not listening; check with ss -tlnp.
Denied port still reachable — An allow rule is matching (e.g. broad allow); add a deny before it or narrow the allow; check rule order.