diff --git a/.includes/firewall.sh b/.includes/firewall.sh
index c8b1c4a..fecee63 100644
--- a/.includes/firewall.sh
+++ b/.includes/firewall.sh
@@ -12,6 +12,27 @@ ufw_status_output() {
 sudo "${sudoFlags[@]}" ufw status 2>&1
 }

+sudo_ready_noninteractive() {
+ # `sudoFlags` is initialized by the main launcher before sourcing this file.
+ # shellcheck disable=SC2154
+ sudo "${sudoFlags[@]}" -n true &> /dev/null
+}
+
+ufw_status_output_noninteractive() {
+ # `sudoFlags` is initialized by the main launcher before sourcing this file.
+ # shellcheck disable=SC2154
+ sudo "${sudoFlags[@]}" -n ufw status 2>&1
+}
+
+warn_sudo_authentication() {
+ if sudo_ready_noninteractive; then
+ return 0
+ fi
+
+ msgbox "This firewall action may require sudo authentication. If you hear the password prompt sound, enter your password and press Enter."
+ return 0
+}
+
 firewall_reboot_required() {
 [[ ! -d "/lib/modules/$(uname -r)" ]]
 }
@@ -36,8 +57,12 @@ firewall_enabled() {
 return 1
 fi

- statusText="$(ufw_status_output)"
- [[ "$statusText" =~ ^Status:[[:space:]]+active$ ]]
+ if ! sudo_ready_noninteractive; then
+ return 1
+ fi
+
+ statusText="$(ufw_status_output_noninteractive)"
+ grep -q '^Status: active$' <<< "$statusText"
 }

 ensure_ufw() {
@@ -50,6 +75,7 @@ ensure_ufw() {
 return 1
 fi

+ warn_sudo_authentication
 if ! install_package ufw; then
 msgbox "Failed to install ufw."
 return 1
@@ -152,6 +178,7 @@ allow_ssh_port() {
 return 1
 }

+ warn_sudo_authentication
 allow_rule "${sshPort}/tcp" "SSH port ${sshPort}/tcp"
 }

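Review bot: `sudo_ready_noninteractive` probes with `sudo -n true`, which answers whether `true` can run without a prompt, not whether `ufw` can. On a host whose sudoers policy grants passwordless access only to specific commands, the probe fails when no credential is cached even though `sudo -n ufw status` would succeed, so everything gated on it treats sudo as unavailable. Where the result gates a ufw call, checking the exit status of `ufw_status_output_noninteractive` itself would avoid the mismatch. At minimum the function should carry a comment stating the contract, for example `# Returns 0 only if sudo can run an arbitrary command without prompting (cached credential or blanket NOPASSWD).`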
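Review bot: `firewall_enabled` now returns 1 when `sudo_ready_noninteractive` fails, so "ufw could not be queried" becomes indistinguishable from "ufw is inactive". The callers are outside this hunk, but any that display the firewall state or decide whether to enable it or add rules would act on a wrong answer once the sudo timestamp has expired. A distinct status keeps plain `if firewall_enabled` callers working while letting others tell the two cases apart: `return 2  # status unknown: sudo would prompt`. The function begins above the hunk, so whether its earlier `return 1` paths need the same distinction cannot be judged from here.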