# How do I debug a firewall causing connection problems with my Droplet?

If a host-based firewall on your Droplet is misconfigured, it can block connections to or from your computer. Misconfigured [DigitalOcean cloud firewalls](https://docs.digitalocean.com/products/networking/firewalls/index.html.md) can also cause network problems. If your setup uses both firewalls, they may have conflicting rule sets, and traffic has to be allowed by both before it reaches the Droplet. The symptom is a useful first clue: a connection attempt that hangs until it times out usually means a `DROP` rule somewhere in the path, while a connection that is refused immediately means either a `REJECT` rule or no service listening on that port, so confirm the service is actually listening before blaming a firewall.

## Debug your Droplet Firewall

Before troubleshooting further, check whether any firewall rules are active on your Droplet with `iptables`. `iptables` is the userspace utility for the Linux kernel's netfilter packet filter and is available on virtually every Linux distribution; UFW and FirewallD are front ends that manage the same underlying rules. On distributions that have moved to nftables, `iptables` is usually a compatibility wrapper, and rules created directly with `nft` do not appear in its output, so if the output looks empty but traffic is still blocked, inspect the nftables rule set as well. To see whether you have any filtering rules in place on your Droplet, run:

```shell
sudo iptables -L
```

If the command returns the following output, the Droplet has no active filtering rules and you do not need to debug them further. Instead, [check your cloud firewall settings](#cloud-firewall).

Firewall is not active

```text
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

If the command returns longer output (rules listed under the chains) or chain policies set to `DROP`, the Droplet's firewall is active. In the sample output below, `iptables` returns a rule set that was configured using UFW and only accepts TCP traffic on port `2222`.

Firewall is filtering traffic

```text
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere
...
Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2222
```

If the Droplet has active firewall policies, use one of the following tools to review the rules on the Droplet. Use the tool that actually owns the rules: editing `iptables` directly on a Droplet managed by UFW or FirewallD only lasts until that service reloads its configuration. We recommend using [UFW to manage your firewall rules](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04) as it is the most user-friendly firewall interface.

## UFW

UFW is an interface for managing netfilter firewall rules, and all Ubuntu Droplets have UFW installed by default. You can view the current filtering rules by running:

```shell
sudo ufw status verbose
```

Adding the `verbose` argument returns a more detailed status of the firewall. If you receive the message `Status: inactive`, UFW is not currently managing your firewall, and you should review your Droplet's firewall settings with `iptables` instead. If UFW is active, it returns output similar to the following:

```text
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
```

The output displays a few things:

- `Status`: Indicates whether the firewall is actively enforcing traffic rules.
- `Default`: Shows the default policies for incoming, outgoing and routed traffic. In the example, incoming connections from outside the Droplet are denied unless a rule allows them, and the Droplet may open outgoing connections to the public internet freely.
- The rule table at the bottom lists the exceptions to those defaults. UFW evaluates rules in order and the first match wins, so a later `DENY` does not override an earlier `ALLOW` for the same port. In the example, incoming connections to port 22 are allowed from both IPv4 and IPv6 addresses. Because all outbound traffic is allowed by default, no outbound rules are displayed.
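To make the "is this port open?" question mechanical, the following POSIX shell function (an added example, not code from the DigitalOcean page) parses the text that `sudo ufw status verbose` prints and reports UFW's verdict for an inbound port. The `UFW_SAMPLE` and `UFW_INACTIVE` strings are constructed to match the output above (with one extra `DENY` line added to exercise that path); on a real Droplet you would pass the live command output instead. It applies UFW's first-match-wins ordering and falls back to the incoming default policy when no rule matches.

```shell
#!/bin/sh
# Added example: classify UFW's verdict for inbound traffic to PORT/PROTO by
# parsing `ufw status verbose` output. Sample inputs below are constructed.

UFW_SAMPLE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
2222/tcp                   DENY IN     Anywhere'

UFW_INACTIVE='Status: inactive'

# ufw_inbound_verdict STATUS_TEXT PORT PROTO
# Prints one of: unmanaged | allow | deny | reject | limit
ufw_inbound_verdict() {
  status="$1"; port="$2"; proto="$3"
  printf '%s\n' "$status" | awk -v want="$port/$proto" '
    # UFW not managing the firewall at all: nothing else to evaluate.
    /^Status: inactive/ { print "unmanaged"; done = 1; exit }

    # "Default: deny (incoming), allow (outgoing), ..." -> remember the
    # incoming default, used when no explicit rule matches.
    /^Default:/ {
      if (match($0, /[a-z]+ \(incoming\)/)) {
        def = substr($0, RSTART, RLENGTH)
        sub(/ .*/, "", def)
      }
    }

    # Rule lines look like "22/tcp (OpenSSH)   ALLOW IN   Anywhere".
    # UFW evaluates rules in order, so the first match for our port wins.
    !done && $1 == want && /(ALLOW|DENY|REJECT|LIMIT) IN/ {
      if ($0 ~ /ALLOW IN/) print "allow"
      else if ($0 ~ /DENY IN/) print "deny"
      else if ($0 ~ /REJECT IN/) print "reject"
      else print "limit"
      done = 1; exit
    }

    # No rule matched: the incoming default policy applies.
    END { if (!done) print (def == "" ? "deny" : def) }
  '
}

# Stand-alone demo; on a Droplet replace "$UFW_SAMPLE" with "$(sudo ufw status verbose)".
for p in 22 80 2222; do
  printf '%s/tcp -> %s\n' "$p" "$(ufw_inbound_verdict "$UFW_SAMPLE" "$p" tcp)"
done
```

Port-range rules (`6000:6007/tcp`) and rules restricted to a source address are printed by UFW in the same table, but this parser only matches exact `port/proto` entries, so treat an `allow` as "a rule exists" and read the `From` column yourself before concluding that your client is covered.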
If you have a DigitalOcean Cloud Firewall set up with conflicting rules, you can disable your UFW firewall by typing:

```shell
sudo ufw disable
```

This removes UFW's rules from netfilter and stops UFW from loading them at boot, which leaves the cloud firewall as the only filter, so make sure the Droplet is actually attached to one first. If you want to keep your Droplet's firewall in place to filter types of traffic not covered by DigitalOcean's Cloud Firewall service, such as SFTP traffic, modify its rules to match the cloud firewall settings so that there are no conflicting rules between the two firewalls. You can learn how to modify the UFW rules by following the [UFW Essentials: Common Firewall Rules and Commands](https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands) guide.

## FirewallD

FirewallD is an interface for managing a netfilter firewall that is designed to be user friendly. It is the default on CentOS, Fedora and other RHEL-derived distributions and is available for most other Linux operating systems. If your Droplet runs FirewallD, you can view the current traffic rules with a sequence of checks.

First, check whether FirewallD is active using the `--state` flag:

```shell
sudo firewall-cmd --state
```

If you receive the message `running`, check the active zones using the `--get-active-zones` flag:

```shell
sudo firewall-cmd --get-active-zones
```

The command lists each active zone and the network interfaces (or source addresses) whose traffic FirewallD evaluates against that zone's rules.

```text
public
  interfaces: eth0
```

If FirewallD has active zones, it is evaluating traffic against a set of rules. In the example output, FirewallD is currently managing traffic for the Droplet's `eth0` network interface.

You can display the ports and services associated with each of the active zones with the `--info-zone` option:

```shell
sudo firewall-cmd --info-zone=public
```

```text
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
```

Check whether any ports are open by looking at:

- The `target` value.
  This is the action FirewallD applies to traffic that matches none of the zone's services, ports, protocols or rich rules. `default` and `%%REJECT%%` reject unmatched traffic (the client sees a refused connection), `DROP` silently discards it (the client sees a timeout), and only `ACCEPT` lets unmatched traffic through. Services and ports listed in the zone are still allowed under any target.
- The `ports` value. This lists ports explicitly allowed through the firewall.
- The `services` value. This lists services that are allowed through the firewall. In the example output above, the `dhcpv6-client` and `ssh` services are allowed through the firewall.

You can also check the ports associated with these services by typing:

```shell
sudo firewall-cmd --permanent --get-ports --service=dhcpv6-client
sudo firewall-cmd --permanent --get-ports --service=ssh
```

The example commands return the ports and network protocols associated with the services.

```text
546/udp
22/tcp
```

If you have a [DigitalOcean Cloud Firewall](#cloud-firewall) set up with conflicting rules, you can disable your firewall via FirewallD by typing:

```shell
sudo systemctl stop firewalld
sudo systemctl disable firewalld
```

Stopping the service removes its rules immediately; disabling it prevents them from being reloaded at the next boot. If you want to keep your Droplet's firewall in place to filter types of traffic not covered by DigitalOcean's Cloud Firewall service, such as SFTP traffic, modify its rules to match the cloud firewall settings so that there are no conflicting rules between the two firewalls. You can learn how to modify the FirewallD rules by following the [How To Set Up a Firewall Using FirewallD on CentOS 7](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) guide.

## IPTables

`iptables` is the userspace utility for managing the Linux kernel's netfilter packet filter and is available on virtually all Linux distributions. If you are using `iptables` directly to manage the Droplet's firewall, you can view the current IPv4 filtering rules by typing:

```shell
sudo iptables --line-numbers -vL
```

The `--line-numbers` flag prepends a `num` column to the output so that individual rules can be referenced, and `-vL` lists the rules (`-L`) with verbose per-rule packet and byte counters (`-v`). Add `-n` as well to print numeric addresses and ports instead of resolving them, which is faster and avoids the `anywhere` and service-name substitutions.
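The target semantics above are easy to get wrong when reading a zone by eye, so here is an added example (not code from the DigitalOcean page) that parses `firewall-cmd --info-zone` output and answers "what happens to inbound traffic on this port?". `ZONE_SAMPLE` is constructed from the zone output above with one explicit port added; `SERVICE_PORTS` is a constructed subset of the port definitions behind FirewallD service names, which on a real Droplet you would obtain with `sudo firewall-cmd --permanent --get-ports --service=NAME` as shown above.

```shell
#!/bin/sh
# Added example: decide the fate of inbound PORT/PROTO in a firewalld zone from
# the text printed by `firewall-cmd --info-zone=ZONE`. Inputs are constructed.

ZONE_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed service -> port map (one port per service). Real values come from:
#   sudo firewall-cmd --permanent --get-ports --service=NAME
SERVICE_PORTS='ssh 22/tcp
dhcpv6-client 546/udp
http 80/tcp
https 443/tcp'

# firewalld_zone_verdict ZONE_TEXT PORT/PROTO
# Prints: allow | drop | reject | accept-unmatched
firewalld_zone_verdict() {
  zone="$1"; want="$2"
  printf '%s\n' "$zone" | awk -v want="$want" -v svcmap="$SERVICE_PORTS" '
    BEGIN {
      n = split(svcmap, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], kv, " "); svc[kv[1]] = kv[2] }
    }
    # Zone target: the action for traffic that matches no service/port/rich rule.
    $1 == "target:"   { target = $2 }
    # Explicitly opened ports, e.g. "ports: 8080/tcp 5000-5010/udp".
    $1 == "ports:"    { for (i = 2; i <= NF; i++) if ($i == want) hit = 1 }
    # Named services, resolved through the map above.
    $1 == "services:" { for (i = 2; i <= NF; i++) if (svc[$i] == want) hit = 1 }
    END {
      if (hit) print "allow"                        # allowed regardless of target
      else if (target == "DROP") print "drop"       # silently discarded (client times out)
      else if (target == "ACCEPT") print "accept-unmatched"
      else print "reject"                           # "default" and "%%REJECT%%" both reject
    }
  '
}

# Stand-alone demo; on a Droplet use "$(sudo firewall-cmd --info-zone=public)".
for p in 22/tcp 546/udp 8080/tcp 80/tcp; do
  printf '%s -> %s\n' "$p" "$(firewalld_zone_verdict "$ZONE_SAMPLE" "$p")"
done
```

Rich rules and port ranges are not interpreted here; if the `rich rules:` line is non-empty, read it before trusting a `reject` or `drop` verdict, because a rich rule can accept a port that neither `services:` nor `ports:` mentions.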
```text
Chain INPUT (policy DROP 1 packets, 40 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      764 56512 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3        9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 374 packets, 97673 bytes)
num   pkts bytes target     prot opt in     out     source               destination
```

The output indicates:

- The default `policy` for each chain (`DROP` for incoming, `ACCEPT` for forwarded and outgoing traffic), together with how many packets that policy has handled. A non-zero count on a `DROP` policy means traffic is actively being discarded.
- The exceptions to the default policies, evaluated top to bottom with the first match winning. In the example output, rule 1 accepts loopback traffic, rule 2 accepts reply packets of connections the Droplet already has open (without it, a `DROP` policy would break the Droplet's own outbound connections), and rules 3 and 4 accept incoming TCP traffic to ports `22` and `80`. Anything else hits the `DROP` policy.

The `iptables` command only displays the rules for filtering IPv4 traffic. To show the IPv6 filtering rules, rerun the command using `ip6tables` instead of `iptables`.

If your [cloud firewall](#cloud-firewall) has rules that conflict with your `iptables` firewall, you can disable your `iptables` firewall by running:

```shell
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -F
sudo ip6tables -P INPUT ACCEPT
sudo ip6tables -P OUTPUT ACCEPT
sudo ip6tables -P FORWARD ACCEPT
sudo ip6tables -F
```

Keep this order: setting the policies to `ACCEPT` before flushing means that the moment the rules disappear, traffic is allowed rather than dropped, so you cannot lock yourself out of an SSH session part way through. Note that `-F` only flushes the `filter` table; rules in the `nat`, `mangle` or `raw` tables are left in place. If you are using a service like `iptables-persistent` or have a script loading `iptables` rules at boot, you also have to disable it, or the rules come back on the next reboot. If you want to keep your Droplet's firewall in place to filter types of traffic not covered by DigitalOcean's Cloud Firewall service, such as SFTP traffic, modify its rules to match the cloud firewall settings so that there are no conflicting rules between the two firewalls.
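Because persisted rules come back at boot, it pays to inspect the saved rule file and not only the live chains. The following added example (not code from the DigitalOcean page) parses rules in `iptables-save` format, which is what `iptables-persistent` stores on Debian and Ubuntu in `/etc/iptables/rules.v4` and what `sudo iptables-save` prints for the live rule set. It reports the `INPUT` policy and the accepted destination ports, and runs a lockout check: under a `DROP` policy the rule set must accept established connections and port `22/tcp`, or the next reload cuts off your own SSH session. `RULES_V4` is a constructed sample equivalent to the `iptables -L` listing above.

```shell
#!/bin/sh
# Added example: audit an iptables-save style rule set (live or persisted) for
# the INPUT policy, accepted ports and the classic remote-lockout mistake.

# Constructed sample in iptables-save format, matching the listing above.
RULES_V4='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# ipt_input_policy RULES -> prints the INPUT chain policy (ACCEPT or DROP)
ipt_input_policy() {
  printf '%s\n' "$1" | awk '$1 == ":INPUT" { print $2; exit }'
}

# ipt_input_accepts RULES -> comma-separated "port/proto" for every INPUT rule
# that ACCEPTs a specific destination port (loopback/conntrack rules are skipped)
ipt_input_accepts() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
      proto = ""; port = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
      }
      if (port != "") print port "/" proto
    }' | paste -s -d , -
}

# ipt_lockout_risk RULES -> exit 0 when SSH stays reachable, 1 when the rule set
# would lock a remote administrator out once it is (re)loaded
ipt_lockout_risk() {
  pol=$(ipt_input_policy "$1")
  # An ACCEPT policy cannot lock anyone out, whatever the rules say.
  [ "$pol" != "DROP" ] && return 0
  # Replies to existing connections must be accepted or the SSH session dies.
  est=$(printf '%s\n' "$1" | awk '
    $2 == "INPUT" && /ESTABLISHED/ && / -j ACCEPT/ { found = 1 }
    END { print found + 0 }')
  # New SSH connections must be explicitly accepted under a DROP policy.
  case ",$(ipt_input_accepts "$1")," in
    *,22/tcp,*) ssh=1 ;;
    *)          ssh=0 ;;
  esac
  [ "$est" = 1 ] && [ "$ssh" = 1 ] && return 0
  return 1
}

# Stand-alone demo; on a Droplet use "$(sudo iptables-save)" or
# "$(sudo cat /etc/iptables/rules.v4)" in place of "$RULES_V4".
printf 'INPUT policy: %s\naccepted inbound: %s\n' \
  "$(ipt_input_policy "$RULES_V4")" "$(ipt_input_accepts "$RULES_V4")"
if ipt_lockout_risk "$RULES_V4"; then
  echo "SSH stays reachable under the DROP policy"
else
  echo "WARNING: loading this rule set would lock you out"
fi
```

Run the same functions over `sudo iptables-save` and over the persisted file and compare the two: a mismatch means the rules you are debugging are not the rules that will be in force after the next reboot. The check assumes SSH listens on port 22; adjust the `case` pattern if the Droplet uses another port.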
You can learn how to modify the `iptables` rules by following the [Iptables Essentials: Common Firewall Rules and Commands](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) guide.

## Debug your Cloud Firewall

To check your firewall settings from the [control panel](https://cloud.digitalocean.com), click **Networking**, then click the **Firewalls** tab. The page lists the firewalls set up in your account. Click the firewall protecting your Droplet and review its rules.

![Combined firewall ruleset showing inbound and outbound rules.](https://docs.digitalocean.com/screenshots/firewalls/combined-ruleset.d0097b3e49f0f66faac9b636761582acafd4b44ab75a38feb2c21543a26b5610.png)

The **Inbound Rules** section displays the types of traffic that are allowed to reach your Droplet. The firewall blocks any traffic from sources *not* explicitly listed in the inbound rules. For example, if your Droplet is linked to a firewall in your account and the firewall's inbound rules do not list an SSH rule, the firewall blocks any attempt to connect via SSH. The same concept applies to the firewall's **Outbound Rules**: the firewall blocks any traffic from the Droplet *not* explicitly listed in the outbound rules.

If you can't reach your Droplet via a specific connection type, or you can't reach the internet from your Droplet via a specific connection type, [configure a firewall rule](https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/index.html.md) allowing that type of traffic to reach or exit the Droplet. Remember that the cloud firewall and the host firewall are evaluated independently: a rule added here has no effect if UFW, FirewallD or `iptables` on the Droplet still blocks the same traffic.

## Related Topics

[How do I debug my Droplet's network configuration?](https://docs.digitalocean.com/support/how-do-i-debug-my-droplets-network-configuration/index.html.md): To debug your network configuration, verify the Droplet's network interfaces and check its network configuration file.
[How to Troubleshoot SSH Authentication Issues](https://docs.digitalocean.com/support/how-to-troubleshoot-ssh-authentication-issues/index.html.md): Problems with SSH authentication include permission denied with SSH keys and passwords.

[How to Troubleshoot SSH Connectivity Issues](https://docs.digitalocean.com/support/how-to-troubleshoot-ssh-connectivity-issues/index.html.md): Problems with SSH connectivity include hostname resolution errors and connections being refused or timing out.