Cybersecurity Triage
List Numbered UFW Rules
You need a compact, ordered UFW rule list that can be discussed or reviewed without editing anything.
Command
ufw status numbered
Before you run this
System impact: Read-only. This command prints the rule list and changes no system or application state.
When not to use it: Do not delete rules by number from stale output; rule numbers can change after edits.
Expected output
Numbered UFW rules with destination, action, and source.
System impact
Nothing changes. This UFW command prints the ordered rule list; the rule numbers are only a review aid.
Recovery / rollback: no state is changed.
When to use it
Use when reviewing which inbound rules exist before considering a rule delete, insert, or policy change.
Command transcript
This sanitized transcript shows the commands and output shape without exposing host details.
$ ufw status numbered
Status: active

     To           Action      From
     --           ------      ----
[ 1] 22/tcp       ALLOW IN    203.0.113.0/24
[ 2] 80/tcp       ALLOW IN    Anywhere
[ 3] 443/tcp      ALLOW IN    Anywhere
[ 4] 25/tcp       ALLOW IN    Anywhere
[ 5] 5432/tcp     DENY IN     Anywhere

$ ufw status numbered | awk '/ALLOW|DENY/ {print}'
[ 1] 22/tcp       ALLOW IN    203.0.113.0/24
[ 2] 80/tcp       ALLOW IN    Anywhere
[ 3] 443/tcp      ALLOW IN    Anywhere
[ 4] 25/tcp       ALLOW IN    Anywhere
[ 5] 5432/tcp     DENY IN     Anywhere
These are the commands shown in the sanitized transcript.
Commands shown
ufw status numbered
ufw status numbered | awk '/ALLOW|DENY/ {print}'
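The stale-number warning above can be checked mechanically before anyone acts on saved review output. This is an added example, not part of the original page: the function names `rule_at` and `number_still_valid` are hypothetical, and both sample outputs are constructed (the second assumes rule 4 was deleted after the review).

```shell
# Added example: confirm that a rule number taken from saved review output
# still names the same rule now. All sample data below is constructed.

# Print the rule text at number $1 from `ufw status numbered` output on
# stdin, with the "[ N]" prefix removed and column padding collapsed.
rule_at() {
  awk -v want="$1" '
    match($0, /^\[ *[0-9]+\]/) {
      num = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", num)
      if (num + 0 == want + 0) {
        rest = substr($0, RLENGTH + 1)
        gsub(/[ \t]+/, " ", rest); sub(/^ /, "", rest); sub(/ $/, "", rest)
        print rest
      }
    }'
}

# Succeed only if rule number $1 exists in the saved output ($2) and is the
# same rule in the current output ($3).
number_still_valid() {
  nsv_old=$(printf '%s\n' "$2" | rule_at "$1")
  nsv_new=$(printf '%s\n' "$3" | rule_at "$1")
  [ -n "$nsv_old" ] && [ "$nsv_old" = "$nsv_new" ]
}

# Constructed sample: output saved during the review (matches the transcript).
SAVED='Status: active
     To           Action      From
[ 1] 22/tcp       ALLOW IN    203.0.113.0/24
[ 2] 80/tcp       ALLOW IN    Anywhere
[ 3] 443/tcp      ALLOW IN    Anywhere
[ 4] 25/tcp       ALLOW IN    Anywhere
[ 5] 5432/tcp     DENY IN     Anywhere'

# Constructed sample: the same host after rule 4 (25/tcp) was deleted.
CURRENT='Status: active
     To           Action      From
[ 1] 22/tcp       ALLOW IN    203.0.113.0/24
[ 2] 80/tcp       ALLOW IN    Anywhere
[ 3] 443/tcp      ALLOW IN    Anywhere
[ 4] 5432/tcp     DENY IN     Anywhere'

for n in 1 4 5; do
  if number_still_valid "$n" "$SAVED" "$CURRENT"; then
    echo "rule $n unchanged: $(printf '%s\n' "$CURRENT" | rule_at "$n")"
  else
    echo "rule $n is stale: re-run ufw status numbered before acting on it"
  fi
done
```

On a live host, pass the saved review file's contents as the second argument and the output of a fresh `ufw status numbered` as the third.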
Next steps
Related commands
Find Allowed Ports with No Listener
An open firewall rule can outlive the service it was created for.
# TCP only: ss -lt lists TCP listeners, so compare them against TCP rules (bash process substitution).
comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/tcp' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)
Find Public Listeners Not Allowed by UFW
The process was public, but the firewall did not mention it.
# TCP only: ss -lt lists TCP listeners, so compare them against TCP rules (bash process substitution).
comm -13 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/tcp' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '$4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/ {n=split($4,a,":"); print a[n]}' | sort -u)
Read UFW Policy Verbosely
The firewall was active, but the defaults mattered more than the rule list.
ufw status verbose
List Accounts with Login Shells
Login shells are the first account inventory to review.
awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd
List Privileged Group Members
Group membership can grant more access than the username suggests.
awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.