What does the Firewall Auditor check?

It analyses your ufw status verbose output for Docker UFW bypass risk, missing default-deny rules, high-risk open ports (Redis, PostgreSQL, Docker socket, VNC, Jupyter), IPv4 and IPv6 rule mismatches, and missing localhost bindings on container ports.

Does this tool send my firewall rules anywhere?

No. All analysis happens in your browser. Your ufw status output is parsed locally using JavaScript and never transmitted to any server.

What is the Docker UFW bypass problem?

Docker inserts rules into the iptables FORWARD chain which is evaluated before UFW's INPUT chain. This means container ports published with ports: PORT:PORT in docker-compose.yml are accessible from the internet even when UFW has a deny rule for that port. The fix is to bind container ports to 127.0.0.1.

What are high-risk open ports?

High-risk ports are service ports that should never be publicly accessible — Redis (6379), PostgreSQL (5432), MongoDB (27017), MySQL (3306), Docker socket (2375), Elasticsearch (9200), and others. These services are commonly exposed accidentally via Docker and are frequent targets for automated scanners.

UFW Firewall Auditor — Port & Rule Checker

🕐 Cron Builder & Visualiser Visualize job overlaps 🔒 SSL Checker Check cert expiry 🐳 Docker Auditor Audit compose files 🛡️ Firewall Auditor Audit UFW rules 🔀 Reverse Proxy Mapper Map routing & audit 🤖 robots.txt Audit crawl & AI bots

Paste your ufw status verbose output and click Audit.

How It Works

1. Run

Run sudo ufw status verbose on your server and copy the full output.

2. Paste

Paste it into the tool and click Audit. The traffic funnel and audit findings appear instantly.

3. Harden

Review findings for high-risk open ports, missing default-deny, and IPv4/IPv6 mismatches. Nothing leaves your browser.

Frequently Asked Questions

How do I get my UFW status output?

Run sudo ufw status verbose in your terminal and paste the full output into the tool.

What is a high-risk port?

High-risk ports are commonly targeted by automated scanners and attackers. This tool flags ports 22 (SSH), 23 (Telnet), 3389 (RDP), 5432 (PostgreSQL), 3306 (MySQL), 6379 (Redis), and 27017 (MongoDB) when open to Anywhere.

What does missing default-deny mean?

UFW should block all incoming traffic by default unless explicitly allowed. If your default policy is allow, any port not covered by a rule is open to the internet.

What is an IPv4/IPv6 mismatch?

If you allow a port for IPv4 but not IPv6 (or vice versa), traffic on the uncovered protocol can bypass your rules. This tool flags ports where one protocol is covered and the other is not.

Does this tool store my firewall rules?

No. All processing happens in your browser. Your UFW output is never sent to or stored on any ConfigClarity server.

Does this tool support nftables?

Yes. Paste the output of sudo nft list ruleset and the tool will auto-detect nftables format. It checks for missing default drop policy on the input chain, high-risk ports open to Anywhere, missing loopback and ct state established rules, and rules without comments. UFW and nftables formats are both supported — the tool detects which one you pasted.

UFW Firewall Auditor — free online tool. Paste ufw status verbose output and instantly check firewall rules for security issues. Detect high-risk open ports like SSH, MySQL, Redis and MongoDB exposed to Anywhere. Check for missing default-deny incoming policy. Find conflicting ALLOW and DENY rules. Identify IPv4 and IPv6 mismatches. Linux UFW rule checker and validator. Also supports nftables ruleset audit via sudo nft list ruleset. Free firewall audit tool with no signup required. All processing is client-side.

Firewall Auditor — UFW & nftables

Traffic Funnel

Audit findings

How It Works

Frequently Asked Questions