Ubuntu UFW overview

Reader submission 1042 2025-03-31


This is another translated document: https://help.ubuntu.com/community/UFW

Contents

Ubuntu UFW overview

Introduction

UFW - Uncomplicated Firewall

Basic Syntax and Examples

Default rules are fine for the average home user

Enable and Disable

Enable UFW

Disable UFW

Allow and Deny (specific rules)

Allow

Deny

Delete Existing Rule

Services

Allow by Service Name

Deny by Service Name

Status

Logging

Advanced Syntax

Allow Access

Allow by Specific IP

Allow by Subnet

Allow by specific port and IP address

Allow by specific port, IP address and protocol

Enable PING

Deny Access

Deny by specific IP

Deny by specific port and IP address

Working with numbered rules

Listing rules with a reference number

Editing numbered rules

Delete numbered rule

Insert numbered rule

Advanced Example

Introduction

For an introduction to firewalls, please see Firewall.

Translator's note: I won't be translating that page.

UFW - Uncomplicated Firewall

The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.

Gufw is a GUI that is available as a frontend.

Basic Syntax and Examples

Default rules are fine for the average home user

When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That is at least the goal of the Ubuntu developers. In short, all incoming traffic is denied, with some exceptions to make things easier for home users.

Enable and Disable

To turn UFW on with the default set of rules:

      sudo ufw enable

To check the status of UFW:

      sudo ufw status verbose

The output should look like this:

youruser@yourcomputer:~$ sudo ufw status verbose
[sudo] password for youruser:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
youruser@yourcomputer:~$

Note that by default, deny is applied to incoming traffic. There are exceptions, which can be found in the output of this command:

      sudo ufw show raw

You can also read the rules files in /etc/ufw (the files whose names end with .rules).

To disable ufw use:

      sudo ufw disable
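The one thing that bites people when they enable ufw on a remote machine is the default profile itself: the moment `enable` runs, everything incoming is denied, including the SSH session you are typing into, unless a rule admitting it already exists. The script below is an added example, not code from the Ubuntu wiki page; it puts the SSH rule in before enabling, and uses `limit` rather than `allow` so a single source hammering port 22 gets dropped. MGMT_NET is an assumed management subnet. By default it only prints the commands (APPLY=0); run it as root with APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the Ubuntu wiki page): bring ufw up on a remote host
# without locking yourself out. The only rule that MUST exist before
# `ufw enable` is the one admitting your own management traffic, because the
# default profile denies everything incoming.
#
# APPLY=0 (default): print the commands.  APPLY=1: execute them (needs root).
APPLY="${APPLY:-0}"
MGMT_NET="${MGMT_NET:-192.168.0.0/24}"   # assumption: the subnet admins SSH from

run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

bootstrap_ufw() {
    # 1. SSH rule first. ufw stores rules even while the firewall is disabled,
    #    so this rule is live the instant `enable` flips it on. `limit` is
    #    allow plus rate-limiting: a source opening more than 6 connections in
    #    30 seconds is dropped.
    run ufw limit from "$MGMT_NET" to any port 22 proto tcp
    # 2. Defaults: nothing in unless listed, everything out.
    run ufw default deny incoming
    run ufw default allow outgoing
    # 3. Log dropped packets (default "low" level).
    run ufw logging on
    # 4. --force skips the "may disrupt existing ssh connections" prompt,
    #    which matters when this runs non-interactively.
    run ufw --force enable
}

# Sanity check on the generated command list: the rule admitting SSH must come
# before `enable`. Exit status 0 if the ordering is safe, 1 otherwise.
ssh_before_enable() {
    ( APPLY=0; bootstrap_ufw ) | awk '
        /port 22/ && !seen_enable { ssh_ok = 1 }
        /enable$/                 { seen_enable = 1 }
        END { exit (ssh_ok ? 0 : 1) }'
}

bootstrap_ufw
```

If you already enabled ufw and got cut off, the fix is console access (or a cloud provider's serial console) and `sudo ufw allow ssh`; nothing in the firewall will time out on its own.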

Allow and Deny (specific rules)

sudo ufw allow <port>/<optional: protocol>

example: To allow incoming tcp and udp packets on port 53

      sudo ufw allow 53

example: To allow incoming tcp packets on port 53

      sudo ufw allow 53/tcp

example: To allow incoming udp packets on port 53

      sudo ufw allow 53/udp

sudo ufw deny <port>/<optional: protocol>

example: To deny incoming tcp and udp packets on port 53

      sudo ufw deny 53

example: To deny incoming tcp packets on port 53

      sudo ufw deny 53/tcp

example: To deny incoming udp packets on port 53

      sudo ufw deny 53/udp

Delete Existing Rule

To delete a rule, simply prefix the original rule with delete. The rule text must match the existing rule exactly (same port, protocol and addresses), otherwise ufw reports that the rule does not exist. For example, if the original rule was:

      ufw deny 80/tcp

Use this to delete it:

      sudo ufw delete deny 80/tcp

Services

You can also allow or deny by service name, since ufw reads from /etc/services. To see the list of services:

      less /etc/services

sudo ufw allow <service name>

example: to allow ssh by name

      sudo ufw allow ssh

sudo ufw deny <service name>

example: to deny ssh by name

      sudo ufw deny ssh

Status

Checking the status of ufw will tell you whether ufw is enabled or disabled and also list the current ufw rules that are applied to your iptables. The output below is from an older ufw release; current versions print ports as 22/tcp and show the direction (IN or OUT) in the Action column.

To check the status of ufw:

sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     ALLOW   192.168.0.0/24
22:udp                     ALLOW   192.168.0.0/24

If ufw is not enabled the output will be:

sudo ufw status
Status: inactive

Logging

To enable logging use:

      sudo ufw logging on

To disable logging use:

      sudo ufw logging off

Advanced Syntax

You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.

Allow Access

This section shows how to allow specific access.

sudo ufw allow from <ip address>

example: To allow packets from 207.46.232.182:

      sudo ufw allow from 207.46.232.182

You may use a net mask:

      sudo ufw allow from 192.168.1.0/24

sudo ufw allow from <source> to <destination> port <port number>

example: allow IP address 192.168.0.4 access to port 22 for all protocols

      sudo ufw allow from 192.168.0.4 to any port 22

sudo ufw allow from <source> to <destination> port <port number> proto <protocol name>

example: allow IP address 192.168.0.4 access to port 22 using TCP

      sudo ufw allow from 192.168.0.4 to any port 22 proto tcp

Note: Security by obscurity, such as hiding a host by not answering ping, is of very little actual benefit against modern scanning scripts, which probe ports directly. By default, UFW allows ping requests. You may want to leave ICMP ping requests enabled to diagnose networking problems.

To disable ping (ICMP echo) requests, you need to edit /etc/ufw/before.rules and remove the following lines. Be aware that only the echo-request line controls ping; the destination-unreachable, time-exceeded and parameter-problem types carry error reports that path MTU discovery and traceroute rely on, so removing the whole block is a heavier change than disabling ping:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

or change "ACCEPT" to "DROP" (after saving, reload ufw so the edited before.rules is applied; IPv6 ping is governed by the equivalent icmpv6 block in /etc/ufw/before6.rules):

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
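The narrower edit, flipping only the echo-request line and leaving the ICMP error types intact, as an added example that is not part of the original page. It works on a constructed copy of the before.rules ICMP block so it runs without root; to apply it for real, back up /etc/ufw/before.rules, call `disable_ping` on that path, and then run `sudo ufw reload`.

```shell
#!/bin/sh
# Added example (not from the Ubuntu wiki page): disable ping replies by
# changing only the echo-request line in before.rules. destination-unreachable,
# time-exceeded and parameter-problem stay ACCEPT so path-MTU discovery and
# traceroute keep working.

# write_sample FILE: constructed excerpt of the stock before.rules ICMP block.
write_sample() {
cat > "$1" <<'EOF'
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# disable_ping FILE: rewrite the echo-request ACCEPT to DROP, nothing else.
# Uses a temp file and mv instead of `sed -i` so it behaves the same on
# GNU and BSD sed.
disable_ping() {
    sed 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j \)ACCEPT$/\1DROP/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# icmp_action FILE TYPE: print the jump target (ACCEPT/DROP) for one ICMP type.
icmp_action() {
    awk -v t="$2" '$0 ~ ("--icmp-type " t " ") { print $NF }' "$1"
}

# Stand-alone demo on the constructed sample.
SAMPLE="$(mktemp)"
write_sample "$SAMPLE"
disable_ping "$SAMPLE"
cat "$SAMPLE"
rm -f "$SAMPLE"
```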

Deny Access


sudo ufw deny from <ip address>

example: To block packets from 207.46.232.182:

      sudo ufw deny from 207.46.232.182

sudo ufw deny from <source> to <destination> port <port number>

example: deny IP address 192.168.0.1 access to port 22 for all protocols

      sudo ufw deny from 192.168.0.1 to any port 22

Working with numbered rules

You may use status numbered to show the order and ID number of the rules:

      sudo ufw status numbered

Editing numbered rules

You may then delete rules using their number. The command below deletes the first rule, and the remaining rules shift up to fill the list, so a number you read from an earlier status listing may now refer to a different rule. When deleting several rules by number, re-run status numbered between deletions or delete from the highest number downwards.

      sudo ufw delete 1

To insert a rule at a given position (here, as the new rule 1):

sudo ufw insert 1 allow from <ip address>
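The renumbering gotcha in script form, as an added example that is not part of the original page: given the text of `ufw status numbered`, collect every rule for one source address and emit the delete commands highest number first, so that each deletion cannot shift the number of one still to be deleted. The status text is a constructed sample in the format current ufw releases print (ports as 22/tcp, direction in the Action column); the IP addresses are those of the page's scenario.

```shell
#!/bin/sh
# Added example (not from the Ubuntu wiki page): delete all numbered rules for
# one source safely. ufw renumbers after every delete, so removing rule 1 then
# rule 2 actually removes rules 1 and 3 of the original listing; removing 2
# then 1 removes exactly what was intended.

# Constructed sample of `sudo ufw status numbered` output.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     DENY IN     192.168.0.1
[ 2] 22/udp                     DENY IN     192.168.0.1
[ 3] 22/tcp                     DENY IN     192.168.0.7
[ 4] 22/udp                     DENY IN     192.168.0.7
[ 5] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 6] 80/tcp                     ALLOW IN    Anywhere'

# rule_numbers_for_source STATUS_TEXT SOURCE -> rule numbers, highest first.
# The source is the last whitespace-separated field of each "[ n]" line.
rule_numbers_for_source() {
    printf '%s\n' "$1" | awk -v src="$2" '
        /^\[ *[0-9]+\]/ && $NF == src {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n); print n
        }' | sort -rn
}

# delete_commands STATUS_TEXT SOURCE -> the ufw commands to run, in safe order.
# --force skips the per-rule confirmation prompt.
delete_commands() {
    rule_numbers_for_source "$1" "$2" | while read -r n; do
        printf 'ufw --force delete %s\n' "$n"
    done
}

# Stand-alone demo: on a real host, pipe the output of `sudo ufw status numbered`
# into a variable and pass it as the first argument instead.
delete_commands "$SAMPLE_STATUS" 192.168.0.1
```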

Advanced Example

Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22 using tcp.

sudo ufw deny from 192.168.0.1 to any port 22
sudo ufw deny from 192.168.0.7 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp

This puts the specific rules first and the generic rule second. Once a rule is matched the others are not evaluated (see the ufw manual page), so you must put the specific rules first. As rules change you may need to delete old rules to ensure that new rules are put in the proper order.

To check your rule order you can check the status; for this scenario the output below is the desired output for the rules to work properly:

sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     ALLOW   192.168.0.0/24

Scenario change: You want to block access to port 22 from 192.168.0.3 as well as from 192.168.0.1 and 192.168.0.7. Because the subnet-wide allow already sits above where the new deny would land, delete the allow, add the deny, then re-add the allow so it is evaluated last (the delete must name the rule exactly, including proto tcp):

sudo ufw delete allow from 192.168.0.0/24 to any port 22 proto tcp
sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7

sudo ufw deny from 192.168.0.3 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     DENY    192.168.0.3
22:udp                     DENY    192.168.0.3
22:tcp                     ALLOW   192.168.0.0/24

If you had simply added the deny rule, the allow would have sat above it and been applied instead of the deny.

      Linux TCP/IP Ubuntu

Copyright notice: This article was submitted by a site user and the copyright remains with the original author; this site does not own the copyright and bears no corresponding legal liability. If you find content on this site that appears to be plagiarised or inaccurate, please contact jiasou666@gmail.com; after verification the infringing content will be removed within 24 hours.
