ufw——linux下一個簡單的防火牆
ufw屬於管理員工具。
ufw的man文檔中已經有豐富的示例,例如:
01
Users can specify rules using either a simple syntax or a full syntax.
02
The simple syntax only specifies the port and optionally the protocol to
03
be allowed or denied on the host. For example:
04
05
ufw allow 53
06
07
This rule will allow tcp and udp port 53 to any address on this host. To
08
specify a protocol, append '/protocol' to the port. For example:
09
10
ufw allow 25/tcp
11
12
This will allow tcp port 25 to any address on this host. ufw will also
13
check /etc/services for the port and protocol if specifying a service by
14
name. Eg:
15
16
ufw allow smtp
17
18
ufw supports both ingress and egress filtering and users may optionally
19
specify a direction of either in or out for either incoming or outgoing
20
traffic. If no direction is supplied, the rule applies to incoming traf‐
21
fic. Eg:
22
23
ufw allow in http
24
ufw reject out smtp
25
26
Users can also use a fuller syntax, specifying the source and destina‐
27
tion addresses and ports. This syntax is based on OpenBSD's PF syntax.
28
For example:
29
30
ufw deny proto tcp to any port 80
31
32
This will deny all traffic to tcp port 80 on this host. Another example:
33
34
ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
35
36
This will deny all traffic from the RFC1918 Class A network to tcp port
37
25 with the address 192.168.0.1.
38
39
ufw deny proto tcp from 2001:db8::/32 to any port 25
40
41
This will deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on
42
this host. Note that IPv6 must be enabled in /etc/default/ufw for IPv6
43
firewalling to work.
44
45
ufw allow proto tcp from any to any port 80,443,8080:8090
46
47
The above will allow all traffic to tcp ports 80, 443 and 8080-8090
48
inclusive. Note that when specifying multiple ports, the ports list
49
must be numeric, cannot contain spaces and must be modified as a whole.
50
Eg, in the above example you cannot later try to delete just the '443'
51
port. You cannot specify more than 15 ports (ranges count as 2 ports, so
52
the port count in the above example is 4).
使用示例:
01
$ ufw status
02
ERROR: You need to be root to run this script
03
04
$ ufw deny 80/tcp
05
ERROR: You need to be root to run this script
06
07
$ sudo ufw deny 80/tcp
08
[sudo] password for sunlt:
09
Rules updated
10
Rules updated (v6)
11
12
$ sudo ufw status
13
Status: inactive
14
15
$ sudo ufw enable
16
Firewall is active and enabled on system startup
17
18
$ sudo ufw status
19
Status: active
20
21
To Action From
22
-- ------ ----
23
80/tcp DENY Anywhere
24
80/tcp DENY Anywhere (v6)
25
26
27
$ sudo ufw status numbered
28
Status: active
29
30
To Action From
31
-- ------ ----
32
[ 1] 80/tcp DENY IN Anywhere
33
[ 2] 80/tcp DENY IN Anywhere (v6)
34
35
36
$ sudo ufw delete 1
37
Deleting:
38
deny 80/tcp
39
Proceed with operation (y|n)? y
40
Rule deleted
41
42
$ sudo ufw delete 2
43
ERROR: Could not find rule '2'
44
45
$ sudo ufw status numbered
46
Status: active
47
48
To Action From
49
-- ------ ----
50
[ 1] 80/tcp DENY IN Anywhere (v6)
51
52
53
$ sudo ufw delete 1
54
Deleting:
55
deny 80/tcp
56
Proceed with operation (y|n)? y
57
Rule deleted (v6)
58
59
$ sudo ufw status numbered
60
Status: active
61
62
$ sudo ufw disable
63
Firewall stopped and disabled on system startup