ubuntu UFW简述

ubuntu UFW简述

这又是一篇翻译文档：https://help.ubuntu.com/community/UFW

文章目录

ubuntu UFW简述

Introduction 介绍

UFW - Uncomplicated Firewall 简单的防火墙——UFW

Basic Syntax and Examples 基本语法和示例

Default rules are fine for the average home user 适合普通家庭用户的默认规则

Enable and Disable 启用和禁用

Enable UFW 启用UFW

Disable UFW 禁用UFW

Allow and Deny (specific rules) 允许和禁止规则

Allow 允许端口

Deny 禁止

Delete Existing Rule 删除存在的规则

Services 服务

Allow by Service Name 按服务名允许

Deny by Service Name 按服务名拒绝

Status 状态

Logging 日志

Advanced Syntax 高级语法

Allow Access 允许访问

Allow by Specific IP 通过IP允许

Allow by Subnet 通过子网允许

Allow by specific port and IP address 使用IP端口和地址允许

Allow by specific port, IP address and protocol 通过特定的端口，IP地址和协议允许

Enable PING 启用PING

Deny Access 拒绝访问

Deny by specific IP 通过特定IP拒绝

Deny by specific port and IP address 通过特定的端口和IP地址拒绝

Working with numbered rules 使用编号规则

Listing rules with a reference number 带有参考编号的上市规则

Editing numbered rules 编辑编号规则

Delete numbered rule 删除编号规则

Insert numbered rule 插入编号规则

Advanced Example 进阶范例

Introduction 介绍

For an introduction to firewalls, please see Firewall.

关于防火墙的介绍，可以参考 Firewall.

那个页面我就不翻译了==

UFW - Uncomplicated Firewall 简单的防火墙——UFW

The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.

ufw是ubuntu默认的防火墙配置工具，旨在简化iptables防火墙的配置。它提供了一种较为友好的方式来创建基于IPv4或IPv6主机的防火墙。UFW在默认情况下被禁用。

Gufw is a GUI that is available as a frontend.

Gufw是带UI的ufw程序。

Basic Syntax and Examples 基本语法和示例

Default rules are fine for the average home user 适合普通家庭用户的默认规则

When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That’s at least the goal of the Ubuntu developers. In short, all ‘incoming’ is being denied, with some exceptions to make things easier for home users.

当打开UFW时，它将使用一组默认规则（配置文件），该规则对普通家庭用户而言是有效的。而这正是Ubuntu开发人员的目标。简而言之，除了少数例外外，所有外来访问都会被拒绝，这能够让这些用户更容易使用。

Enable and Disable 启用和禁用

To turn UFW on with the default set of rules:

使用默认的规则打开ufw

sudo ufw enable

To check the status of UFW:

检查ufw的状态

sudo ufw status verbose

The output should be like this:

输出的样子大概是这样的

youruser@yourcomputer:~$ sudo ufw status verbose [sudo] password for youruser: Status: active Logging: on (low) Default: deny (incoming), allow (outgoing) New profiles: skip youruser@yourcomputer:~$

Note that by default, deny is being applied to incoming. There are exceptions, which can be found in the output of this command:

注意，在一般情况下，所有的外来访问都会被拒绝。当然会有一些意外，这可以用以下命令的输出中找到

sudo ufw show raw

You can also read the rules files in /etc/ufw (the files whose names end with .rules).

当然也可以通过阅读规则文件找到。地址是/etc/ufw/rules

To disable ufw use:

禁用UFW规则

sudo ufw disable

Allow and Deny (specific rules) 允许和禁止规则

sudo ufw allow /

example: To allow incoming tcp and udp packet on port 53

示例：允许在端口53使用tcp或udp

sudo ufw allow 53

example: To allow incoming tcp packets on port 53

示例：允许在端口53使用tcp

sudo ufw allow 53/tcp

example: To allow incoming udp packets on port 53

示例：允许在端口53使用udp

sudo ufw allow 53/udp

sudo ufw deny /

example: To deny tcp and udp packets on port 53

示例：禁止在端口53使用tcp或udp

sudo ufw deny 53

example: To deny incoming tcp packets on port 53

示例：禁止在端口53使用tcp

sudo ufw deny 53/tcp

example: To deny incoming udp packets on port 53

示例：禁止在端口53使用udp

sudo ufw deny 53/udp

Delete Existing Rule 删除存在的规则

To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:

要删除规则，只需在原始规则前面加上delete。例如，如果原始规则是：

ufw deny 80/tcp

Use this to delete it:

那么这样删除

sudo ufw delete deny 80/tcp

Services 服务

You can also allow or deny by service name since ufw reads from /etc/services To see get a list of services:

也可以按服务名称允许或拒绝，因为ufw从/etc/services读取

要查看获取服务列表可以这样：

less /etc/services

sudo ufw allow

example: to allow ssh by name

你可以按名称允许ssh

sudo ufw allow ssh

sudo ufw deny

example: to deny ssh by name

你可以按名称拒绝ssh

sudo ufw deny ssh

Status 状态

Checking the status of ufw will tell you if ufw is enabled or disabled and also list the current ufw rules that are applied to your iptables.

检查ufw的状态将显示ufw是启用还是禁用，同样会列出适用于iptables的当前ufw规则。

To check the status of ufw:

检查UFW的状态

sudo ufw status Firewall loaded To Action From -- ------ ---- 22:tcp DENY 192.168.0.1 22:udp DENY 192.168.0.1 22:tcp DENY 192.168.0.7 22:udp DENY 192.168.0.7 22:tcp ALLOW 192.168.0.0/24 22:udp ALLOW 192.168.0.0/24

if ufw was not enabled the output would be:

如果没有启用UFW，那么输出将会是：

sudo ufw status Status: inactive

Logging 日志

To enable logging use:

启用日志

sudo ufw logging on

To disable logging use

关闭日志

sudo ufw logging off

Advanced Syntax 高级语法

You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.

可以使用更完整的语法，指定源和目标地址，端口和协议。

Allow Access 允许访问

This section shows how to allow specific access.

这部分内容展现怎么允许某些特定的访问

sudo ufw allow from

**example:**To allow packets from 207.46.232.182:

示例：允许来自IP 207.46.232.182的数据包

sudo ufw allow from 207.46.232.182

You may use a net mask :

可以使用子网掩码

sudo ufw allow from 192.168.1.0/24

sudo ufw allow from to port

example: allow IP address 192.168.0.4 access to port 22 for all protocols

示例：允许所有协议的IP地址192.168.0.4访问端口22

sudo ufw allow from 192.168.0.4 to any port 22

sudo ufw allow from to port proto

example: allow IP address 192.168.0.4 access to port 22 using TCP

示例：允许IP地址192.168.0.4使用TCP访问端口22

sudo ufw allow from 192.168.0.4 to any port 22 proto tcp

Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.

注意：使用隐秘的安全性对于现代解密器脚本可能几乎没有实际好处。默认情况下，UFW允许ping请求。您可能会发现希望保留（icmp）ping请求以诊断网络问题。

In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:

为了禁用ping（icmp）请求，需要编辑/etc/ufw/before.rules并删除以下几行：

# ok icmp codes -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

or change the “ACCEPT” to “DROP”

或将ACCEPT更改为DROP

# ok icmp codes -A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP -A ufw-before-input -p icmp --icmp-type source-quench -j DROP -A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP -A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Deny Access 拒绝访问

sudo ufw deny from

**example:**To block packets from 207.46.232.182:

示例：要阻止来自207.46.232.182的数据包：

sudo ufw deny from 207.46.232.182

sudo ufw deny from to port

example: deny ip address 192.168.0.1 access to port 22 for all protocols

示例：对于所有协议，拒绝IP地址192.168.0.1访问端口22

sudo ufw deny from 192.168.0.1 to any port 22

Working with numbered rules 使用编号规则

You may use status numbered to show the order and id number of rules:

您可以使用编号的状态来显示规则的顺序和ID号

sudo ufw status numbered

Editing numbered rules 编辑编号规则

You may then delete rules using the number. This will delete the first rule and rules will shift up to fill in the list.

可以使用数字删除规则。这将删除第一个规则，并且规则将向上移动以填充列表。

sudo ufw delete 1

sudo ufw insert 1 allow from

Advanced Example 进阶范例

Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22 using tcp

阻止从192.168.0.1和192.168.0.7访问端口22，但允许所有其他192.168.0.x IP使用tcp访问端口22

sudo ufw deny from 192.168.0.1 to any port 22 sudo ufw deny from 192.168.0.7 to any port 22 sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp

This puts the specific rules first and the generic second. Once a rule is matched the others will not be evaluated (see manual below) so you must put the specific rules first. As rules change you may need to delete old rules to ensure that new rules are put in the proper order.

这将特定规则放在首位，将通用规则放在第二位。一旦匹配了一条规则，其他规则将不会被评估（请参阅下面的手册），因此您必须将特定规则放在第一位。

随着规则的更改，您可能需要删除旧规则以确保新规则以正确的顺序放置。

要检查您的规则订单，您可以检查状态；对于该场景，以下输出是规则正常运行所需的输出

To check your rules orders you can check the status; for the scenario the output below is the desired output for the rules to work properly

要检查您的规则顺序，可以检查状态；

对于该场景，以下输出是规则正常运行所需的输出

sudo ufw status Firewall loaded To Action From -- ------ ---- 22:tcp DENY 192.168.0.1 22:udp DENY 192.168.0.1 22:tcp DENY 192.168.0.7 22:udp DENY 192.168.0.7 22:tcp ALLOW 192.168.0.0/24

Scenario change: You want to block access to port 22 to 192.168.0.3 as well as 192.168.0.1 and 192.168.0.7.

阻止访问端口22到192.168.0.3以及192.168.0.1和192.168.0.7。

sudo ufw delete allow from 192.168.0.0/24 to any port 22 sudo ufw status Firewall loaded To Action From -- ------ ---- 22:tcp DENY 192.168.0.1 22:udp DENY 192.168.0.1 22:tcp DENY 192.168.0.7 22:udp DENY 192.168.0.7 sudo ufw deny 192.168.0.3 to any port 22 sudo ufw allow 192.168.0.0/24 to any port 22 proto tcp sudo ufw status Firewall loaded To Action From -- ------ ---- 22:tcp DENY 192.168.0.1 22:udp DENY 192.168.0.1 22:tcp DENY 192.168.0.7 22:udp DENY 192.168.0.7 22:tcp DENY 192.168.0.3 22:udp DENY 192.168.0.3 22:tcp ALLOW 192.168.0.0/24

If you simply add the deny rule the allow would have been above it and been applied instead of the deny

如果仅添加拒绝规则，应该允许将在其之上并被应用，而不是应用拒绝

Linux TCP/IP Ubuntu

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。