ubuntu UFW简述
ubuntu UFW简述
这又是一篇翻译文档:https://help.ubuntu.com/community/UFW
文章目录
- ubuntu UFW简述
-
- Introduction 介绍
- Basic Syntax and Examples 基本语法和示例
- Advanced Syntax 高级语法
Introduction 介绍
For an introduction to firewalls, please see Firewall.
关于防火墙的介绍,可以参考 Firewall.
那个页面我就不翻译了==
UFW - Uncomplicated Firewall 简单的防火墙——UFW
The default firewall configuration tool for Ubuntu is
ufw
. Developed to easeiptables
firewall configuration,ufw
provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.
ufw
是ubuntu
默认的防火墙配置工具,旨在简化iptables
防火墙的配置。它提供了一种较为友好的方式来创建基于IPv4或IPv6主机的防火墙。UFW在默认情况下被禁用。
Gufw is a GUI that is available as a frontend.
Gufw是带UI的ufw程序。
Basic Syntax and Examples 基本语法和示例
Default rules are fine for the average home user 适合普通家庭用户的默认规则
When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That’s at least the goal of the Ubuntu developers. In short, all ‘incoming’ is being denied, with some exceptions to make things easier for home users.
当打开UFW时,它将使用一组默认规则(配置文件),该规则对普通家庭用户而言是有效的。而这正是Ubuntu开发人员的目标。简而言之,除了少数例外外,所有外来访问都会被拒绝,这能够让这些用户更容易使用。
Enable and Disable 启用和禁用
Enable UFW 启用UFW
To turn UFW on with the default set of rules:
使用默认的规则打开ufw
sudo ufw enable
To check the status of UFW:
检查ufw
的状态
sudo ufw status verbose
The output should be like this:
输出的样子大概是这样的
youruser@yourcomputer:~$ sudo ufw status verbose
[sudo] password for youruser:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
youruser@yourcomputer:~$
Note that by default, deny is being applied to incoming. There are exceptions, which can be found in the output of this command:
注意,在一般情况下,所有的外来访问都会被拒绝。当然会有一些意外,这可以用以下命令的输出中找到
sudo ufw show raw
You can also read the rules files in /etc/ufw (the files whose names end with .rules).
当然也可以通过阅读规则文件找到。地址是/etc/ufw/rules
Disable UFW 禁用UFW
To disable ufw use:
禁用UFW规则
sudo ufw disable
Allow and Deny (specific rules) 允许和禁止规则
Allow 允许端口
sudo ufw allow <port>/<optional: protocol>
example: To allow incoming tcp and udp packet on port 53
示例:允许在端口53使用tcp或udp
sudo ufw allow 53
example: To allow incoming tcp packets on port 53
示例:允许在端口53使用tcp
sudo ufw allow 53/tcp
example: To allow incoming udp packets on port 53
示例:允许在端口53使用udp
sudo ufw allow 53/udp
Deny 禁止
sudo ufw deny <port>/<optional: protocol>
example: To deny tcp and udp packets on port 53
示例:禁止在端口53使用tcp或udp
sudo ufw deny 53
example: To deny incoming tcp packets on port 53
示例:禁止在端口53使用tcp
sudo ufw deny 53/tcp
example: To deny incoming udp packets on port 53
示例:禁止在端口53使用udp
sudo ufw deny 53/udp
Delete Existing Rule 删除存在的规则
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:
要删除规则,只需在原始规则前面加上delete。例如,如果原始规则是:
ufw deny 80/tcp
Use this to delete it:
那么这样删除
sudo ufw delete deny 80/tcp
Services 服务
You can also allow or deny by service name since ufw reads from /etc/services To see get a list of services:
也可以按服务名称允许或拒绝,因为ufw从/etc/services
读取
要查看获取服务列表可以这样:
less /etc/services
Allow by Service Name 按服务名允许
sudo ufw allow <service name>
example: to allow ssh by name
你可以按名称允许ssh
sudo ufw allow ssh
Deny by Service Name 按服务名拒绝
sudo ufw deny <service name>
example: to deny ssh by name
你可以按名称拒绝ssh
sudo ufw deny ssh
Status 状态
Checking the status of ufw will tell you if ufw is enabled or disabled and also list the current ufw rules that are applied to your iptables.
检查ufw的状态将显示ufw是启用还是禁用,同样会列出适用于iptables的当前ufw规则。
To check the status of ufw:
检查UFW
的状态
sudo ufw status
Firewall loaded
To Action From
-- ------ ----
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
22:tcp ALLOW 192.168.0.0/24
22:udp ALLOW 192.168.0.0/24
if ufw was not enabled the output would be:
如果没有启用UFW,那么输出将会是:
sudo ufw status
Status: inactive
Logging 日志
To enable logging use:
启用日志
sudo ufw logging on
To disable logging use
关闭日志
sudo ufw logging off
Advanced Syntax 高级语法
You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.
可以使用更完整的语法,指定源和目标地址,端口和协议。
Allow Access 允许访问
This section shows how to allow specific access.
这部分内容展现怎么允许某些特定的访问
Allow by Specific IP 通过IP允许
sudo ufw allow from <ip address>
**example:**To allow packets from 207.46.232.182:
示例:允许来自IP
207.46.232.182的数据包
sudo ufw allow from 207.46.232.182
Allow by Subnet 通过子网允许
You may use a net mask :
可以使用子网掩码
sudo ufw allow from 192.168.1.0/24
Allow by specific port and IP address 使用IP端口和地址允许
sudo ufw allow from <target> to <destination> port <port number>
example: allow IP address 192.168.0.4 access to port 22 for all protocols
示例:允许所有协议的IP地址192.168.0.4访问端口22
sudo ufw allow from 192.168.0.4 to any port 22
Allow by specific port, IP address and protocol 通过特定的端口,IP地址和协议允许
sudo ufw allow from <target> to <destination> port <port number> proto <protocol name>
example: allow IP address 192.168.0.4 access to port 22 using TCP
示例:允许IP地址192.168.0.4使用TCP访问端口22
sudo ufw allow from 192.168.0.4 to any port 22 proto tcp
Enable PING 启用PING
Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.
注意:使用隐秘的安全性对于现代解密器脚本可能几乎没有实际好处。默认情况下,UFW允许ping请求。您可能会发现希望保留(icmp)ping请求以诊断网络问题。
In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:
为了禁用ping(icmp)请求,需要编辑/etc/ufw/before.rules
并删除以下几行:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
or change the “ACCEPT” to “DROP”
或将ACCEPT更改为DROP
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Deny Access 拒绝访问
Deny by specific IP 通过特定IP拒绝
sudo ufw deny from <ip address>
**example:**To block packets from 207.46.232.182:
示例:要阻止来自207.46.232.182的数据包:
sudo ufw deny from 207.46.232.182
Deny by specific port and IP address 通过特定的端口和IP地址拒绝
sudo ufw deny from <ip address> to <protocol> port <port number>
example: deny ip address 192.168.0.1 access to port 22 for all protocols
示例:对于所有协议,拒绝IP地址192.168.0.1访问端口22
sudo ufw deny from 192.168.0.1 to any port 22
Working with numbered rules 使用编号规则
Listing rules with a reference number 带有参考编号的上市规则
You may use status numbered to show the order and id number of rules:
您可以使用编号的状态来显示规则的顺序和ID号
sudo ufw status numbered
Editing numbered rules 编辑编号规则
Delete numbered rule 删除编号规则
You may then delete rules using the number. This will delete the first rule and rules will shift up to fill in the list.
可以使用数字删除规则。这将删除第一个规则,并且规则将向上移动以填充列表。
sudo ufw delete 1
Insert numbered rule 插入编号规则
sudo ufw insert 1 allow from <ip address>
Advanced Example 进阶范例
Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22 using tcp
阻止从192.168.0.1和192.168.0.7访问端口22,但允许所有其他192.168.0.x IP使用tcp访问端口22
sudo ufw deny from 192.168.0.1 to any port 22
sudo ufw deny from 192.168.0.7 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
This puts the specific rules first and the generic second. Once a rule is matched the others will not be evaluated (see manual below) so you must put the specific rules first. As rules change you may need to delete old rules to ensure that new rules are put in the proper order.
这将特定规则放在首位,将通用规则放在第二位。一旦匹配了一条规则,其他规则将不会被评估(请参阅下面的手册),因此您必须将特定规则放在第一位。
随着规则的更改,您可能需要删除旧规则以确保新规则以正确的顺序放置。
要检查您的规则订单,您可以检查状态;对于该场景,以下输出是规则正常运行所需的输出
To check your rules orders you can check the status; for the scenario the output below is the desired output for the rules to work properly
要检查您的规则顺序,可以检查状态;
对于该场景,以下输出是规则正常运行所需的输出
sudo ufw status
Firewall loaded
To Action From
-- ------ ----
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
22:tcp ALLOW 192.168.0.0/24
Scenario change: You want to block access to port 22 to 192.168.0.3 as well as 192.168.0.1 and 192.168.0.7.
阻止访问端口22到192.168.0.3以及192.168.0.1和192.168.0.7。
sudo ufw delete allow from 192.168.0.0/24 to any port 22
sudo ufw status
Firewall loaded
To Action From
-- ------ ----
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
sudo ufw deny 192.168.0.3 to any port 22
sudo ufw allow 192.168.0.0/24 to any port 22 proto tcp
sudo ufw status
Firewall loaded
To Action From
-- ------ ----
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
22:tcp DENY 192.168.0.3
22:udp DENY 192.168.0.3
22:tcp ALLOW 192.168.0.0/24
If you simply add the deny rule the allow would have been above it and been applied instead of the deny
如果仅添加拒绝规则,应该允许将在其之上并被应用,而不是应用拒绝
文章来源: blog.csdn.net,作者:沧夜2021,版权归原作者所有,如需转载,请联系作者。
原文链接:blog.csdn.net/CANGYE0504/article/details/105934094
- 点赞
- 收藏
- 关注作者
评论(0)