UFW (Uncomplicated Firewall) is the go-to firewall frontend on Ubuntu and many Debian-based systems, and knowing how to list and delete UFW firewall rules safely is essential for any Linux administrator. This guide shows practical, production-ready commands to view rules in human and numbered formats, delete rules by number or by specification, reset UFW, and avoid locking yourself out of remote servers. Throughout, you'll find clear examples, explanations of outputs, and troubleshooting tips so you can manage UFW rules confidently on servers running Ubuntu, Debian, RHEL derivatives with UFW installed, and other Linux distributions.
Why you should use numbered and verbose outputs before deleting rules
Before removing a firewall rule, always inspect the current configuration with verbose and numbered displays. The numbered output shows each rule's index, which you can use for reliable deletion. Verbose output reveals logging settings, default policies, and additional context that helps you avoid accidental service interruptions (for example, removing SSH access). Below are the most common commands to list rules, with realistic sample outputs and explanations.
    sudo ufw status
    Status: inactive
This command shows the basic UFW status. If UFW is inactive, you'll see “Status: inactive”. When active, the simple status lists allowed and denied rules in a compact table. Use this quick check to confirm whether UFW is running.
Show detailed UFW status (verbose)
Use the verbose status to reveal default policies, logging level, and any custom profiles. This is useful to verify how UFW will handle traffic when rules are removed or added.
    sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW IN    Anywhere
    80/tcp                     ALLOW IN    Anywhere
    443/tcp                    ALLOW IN    Anywhere
    22/tcp (v6)                ALLOW IN    Anywhere (v6)
The “Logging” line shows the logging level. “Default” lists incoming/outgoing defaults. The rule table shows the port/protocol, action and source. Use this output to ensure essential services (like SSH) remain allowed before making changes.
Show numbered rules for precise deletion
Numbered output assigns an index to each rule. Indexes are dynamic and re-number after each deletion, so always re-run the command before deleting subsequent rules.
    sudo ufw status numbered
    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] 22/tcp                     ALLOW IN    Anywhere
    [ 2] 80/tcp                     ALLOW IN    Anywhere
    [ 3] 443/tcp                    ALLOW IN    Anywhere
    [ 4] 8069/tcp                   ALLOW IN    Anywhere
Use the bracketed numbers (e.g., [ 4]) when deleting rules by index. The numbering is shown on the left and will change after each deletion, so do not assume numbers remain static across UFW operations.
Delete a UFW rule by number (interactive and non-interactive)
Deleting by number is fast and helpful when a rule's textual representation is lengthy. The interactive deletion asks for confirmation. For automated scripts or configuration management, use the non-interactive form with the --force flag.
    sudo ufw delete 4
    Deleting:
     allow 8069/tcp
    Proceed with operation (y|n)? y
    Rule deleted
Running sudo ufw delete 4 deletes the rule at index 4. UFW prompts for confirmation to prevent accidental removals. After deletion, remaining rules are renumbered. Always re-run sudo ufw status numbered before the next delete.
    sudo ufw --force delete 4
    Deleting:
     allow 8069/tcp
    Rule deleted
The --force flag performs deletion without prompting. This is useful in automation or scripts where interactive confirmation can't be provided. Use with care: accidental deletions can lead to service outages or lockouts.
Delete a UFW rule by specification
Deleting by specification repeats the original rule text. This method is precise and works without listing numbered rules first. It’s ideal when you know the exact rule syntax or want to remove all identical rules across IPv4 and IPv6.
    sudo ufw delete allow 2222
    Deleting:
     allow 2222
    Proceed with operation (y|n)? y
    Rule deleted
Repeat the rule exactly as it was added. UFW matches the rule text and removes all matching entries (IPv4/IPv6 pairs). If no match is found, UFW returns an error indicating the specification doesn't match any rule.
    sudo ufw delete allow from 192.168.1.0/24 to any port 80 proto tcp
    Deleting:
     allow from 192.168.1.0/24 to any port 80 proto tcp
    Proceed with operation (y|n)? y
    Rule deleted
This example removes a rule that allowed TCP port 80 from a specific subnet. Include protocol (proto tcp), port, and source subnet exactly to ensure the correct rule is matched and deleted.
Insert rules and avoid order-related issues
Rule order matters in UFW: the first matching rule is applied. If you need a new rule to take precedence, use the insert command to place it at a specific position in the ruleset.
    sudo ufw insert 1 allow from 10.0.0.0/8
    Rule added
    Rule added (v6)
sudo ufw insert 1 places the rule at position 1, so it is evaluated before existing rules. The response confirms both IPv4 and IPv6 variants when applicable. Insert rules carefully to avoid unintended precedence.
Reset UFW — wipe all rules and start fresh
If you want to remove all rules and return UFW to its default state, use reset. UFW will back up the current ruleset before clearing it. Resetting is a blunt tool useful when a ruleset is badly misconfigured and remediation would take longer than rebuilding from scratch.
    sudo ufw reset
    Resetting all rules to installed state
    Backing up to /var/backups/ufw/2026-02-18_12:05:23.rules
    Firewall stopped and disabled on system startup
    All rules have been removed
The reset output displays the backup file location and confirms UFW has been stopped and disabled. After reset, re-enable UFW and reapply required rules (for example, ensure SSH access is restored before enabling on remote servers).
Best practices to avoid locking yourself out
When managing remote servers, always ensure a persistent rule allows your administrative access (usually SSH on port 22 or a custom port). Test new rules in a secondary session before closing your active connection. If you're scripting changes, include safety checks and consider using the --force flag only when running in a controlled automation environment that can recover automatically.
    sudo ufw allow 22/tcp
    Rule added
    Rule added (v6)
Always explicitly allow SSH before enabling or modifying the firewall on remote systems. The command above permits incoming TCP connections on port 22 for both IPv4 and IPv6, and confirms the rule was added.
Troubleshooting common UFW errors
Typical issues include “Could not find a profile matching” (rule text mismatch), renumbering confusion after deletions, and accidentally removing SSH access. Use the numbered status to verify rules and the verbose status to inspect defaults and logging. If ufw is not found, install it using your distribution's package manager (for Debian/Ubuntu use sudo apt install ufw). When locked out, use console or out-of-band access to restore SSH rules.
    sudo ufw status numbered
    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] 22/tcp                     ALLOW IN    Anywhere
    [ 2] 80/tcp                     ALLOW IN    Anywhere
Always re-run the numbered status before deleting additional rules. If you see fewer entries than expected, remember that deleting a rule causes UFW to re-index the remaining rules.
Advanced considerations: IPv4 vs IPv6 and scripting
UFW manages IPv4 and IPv6 rules separately but often reports both when a rule applies to both address families. To filter outputs, pipe the status to grep for (v6) or exclude it. For automation, combine ufw status numbered with text-processing tools (awk, sed) to identify and delete matching rule numbers programmatically, but take care with re-indexing — perform deletions from highest to lowest index to avoid shifting issues during scripted loops.
    sudo ufw status | grep -v '(v6)'
    Status: active

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW IN    Anywhere
    80/tcp                     ALLOW IN    Anywhere
Using grep -v '(v6)' filters out IPv6 lines, showing only IPv4 rules. This approach is useful when auditing or scripting operations that should target one IP version.
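The scripted deletion described above, with the safety checks recommended in the best-practices section, as an added example that is not part of the original guide. The function names, the PROTECT and APPLY variables, and the embedded sample status output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash

# Constructed sample of `ufw status numbered` output (not from a real host).
sample_status() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8069/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 8069/tcp (v6)              ALLOW IN    Anywhere (v6)
EOF
}

# Read numbered status on stdin; print the indexes of rules whose "To"
# column equals $1 (or its "(v6)" twin), sorted highest first so that each
# deletion leaves the numbers of the remaining targets unchanged.
rule_numbers_desc() {
  awk -v want="$1" '
    /^\[ *[0-9]+\]/ {
      num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
      to = $0;  sub(/^\[ *[0-9]+\] */, "", to)
      sub(/ +(ALLOW|DENY|REJECT|LIMIT).*/, "", to)
      if (to == want || to == want " (v6)") print num
    }' | sort -rn
}

# Read numbered status on stdin and delete every rule for $1.
# Safety checks: refuses the protected admin rule (PROTECT, default 22/tcp)
# and only prints the commands unless APPLY=1 is set.
delete_rules_for() {
  if [ "$1" = "${PROTECT:-22/tcp}" ]; then
    echo "refusing to delete protected rule $1" >&2
    return 1
  fi
  for n in $(rule_numbers_desc "$1"); do
    if [ "${APPLY:-0}" = "1" ]; then
      ufw --force delete "$n"
    else
      echo "ufw --force delete $n"
    fi
  done
}

# Dry run against the constructed sample: prints the two planned deletions.
sample_status | delete_rules_for 8069/tcp
```

On a real host, run as root and pipe the output of ufw status numbered into delete_rules_for, first without APPLY to review the plan and then with APPLY=1 to execute it.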
Conclusion
Managing UFW safely requires a small set of repeated habits: always check sudo ufw status verbose and sudo ufw status numbered before making changes, keep an explicit rule for SSH on remote systems, and use deletion by specification or by number depending on the context. Use --force only in automated scenarios and remember that UFW renumbers rules after deletions, so re-list before each change. With these practices you'll be able to list and delete UFW firewall rules confidently and avoid accidental outages.
Great, clear guide on listing and deleting UFW rules — it'd be even more helpful to add a quick note about backing up /etc/ufw/user.rules before removing entries.