ufw——linux下一個簡單的防火牆

ufw——linux下一個簡單的防火牆 ufw屬於管理員工具。 ufw的man文檔中已經有豐富的示例，例如： 01 Users can specify rules using either a simple syntax or a full syntax. 02 The simple syntax only specifies the port and optionally the protocol to 03 be allowed or denied on the host. For example: 04 05 ufw allow 53 06 07 This rule will allow tcp and udp port 53 to any address on this host. To 08 specify a protocol, append '/protocol' to the port. For example: 09 10 ufw allow 25/tcp 11 12 This will allow tcp port 25 to any address on this host. ufw will also 13 check /etc/services for the port and protocol if specifying a service by 14 name. Eg: 15 16 ufw allow smtp 17 18 ufw supports both ingress and egress filtering and users may optionally 19 specify a direction of either in or out for either incoming or outgoing 20 traffic. If no direction is supplied, the rule applies to incoming traf‐ 21 fic. Eg: 22 23 ufw allow in http 24 ufw reject out smtp 25 26 Users can also use a fuller syntax, specifying the source and destina‐ 27 tion addresses and ports. This syntax is based on OpenBSD's PF syntax. 28 For example: 29 30 ufw deny proto tcp to any port 80 31 32 This will deny all traffic to tcp port 80 on this host. Another example: 33 34 ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25 35 36 This will deny all traffic from the RFC1918 Class A network to tcp port 37 25 with the address 192.168.0.1. 38 39 ufw deny proto tcp from 2001:db8::/32 to any port 25 40 41 This will deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on 42 this host. Note that IPv6 must be enabled in /etc/default/ufw for IPv6 43 firewalling to work. 44 45 ufw allow proto tcp from any to any port 80,443,8080:8090 46 47 The above will allow all traffic to tcp ports 80, 443 and 8080-8090 48 inclusive. Note that when specifying multiple ports, the ports list 49 must be numeric, cannot contain spaces and must be modified as a whole. 50 Eg, in the above example you cannot later try to delete just the '443' 51 port. You cannot specify more than 15 ports (ranges count as 2 ports, so 52 the port count in the above example is 4). 使用示例： 01 $ ufw status 02 ERROR: You need to be root to run this script 03 04 $ ufw deny 80/tcp 05 ERROR: You need to be root to run this script 06 07 $ sudo ufw deny 80/tcp 08 [sudo] password for sunlt: 09 Rules updated 10 Rules updated (v6) 11 12 $ sudo ufw status 13 Status: inactive 14 15 $ sudo ufw enable 16 Firewall is active and enabled on system startup 17 18 $ sudo ufw status 19 Status: active 20 21 To Action From 22 -- ------ ---- 23 80/tcp DENY Anywhere 24 80/tcp DENY Anywhere (v6) 25 26 27 $ sudo ufw status numbered 28 Status: active 29 30 To Action From 31 -- ------ ---- 32 [ 1] 80/tcp DENY IN Anywhere 33 [ 2] 80/tcp DENY IN Anywhere (v6) 34 35 36 $ sudo ufw delete 1 37 Deleting: 38 deny 80/tcp 39 Proceed with operation (y|n)? y 40 Rule deleted 41 42 $ sudo ufw delete 2 43 ERROR: Could not find rule '2' 44 45 $ sudo ufw status numbered 46 Status: active 47 48 To Action From 49 -- ------ ---- 50 [ 1] 80/tcp DENY IN Anywhere (v6) 51 52 53 $ sudo ufw delete 1 54 Deleting: 55 deny 80/tcp 56 Proceed with operation (y|n)? y 57 Rule deleted (v6) 58 59 $ sudo ufw status numbered 60 Status: active 61 62 $ sudo ufw disable 63 Firewall stopped and disabled on system startup