一、ufw簡介

??ufw是Ubuntu系列發行版自帶的類似iptables的防火墻管理軟件，底層也是基于netfilter的。ufw是Uncomplicated FireWall的簡稱，真正地簡化了 iptables，它從出現的這幾年，已經成為 Ubuntu 和 Debian 等系統上的默認防火墻。而且 ufw 出乎意料的簡單，這對新管理員來說是一個福音，否則他們可能需要投入大量時間來學習防火墻管理。ufw默認關閉，開放所有端口。環境說明：如下操作命令和示例均在Ubuntu20.04系統中測試。

二、使用示例

ufw命令需要通過root或者具有sudo權限的用戶執行。

1、獲取ufw命令幫助

root@s162:~# ufw --help

2、版本查看

root@s162:~# ufw version
ufw 0.36
Copyright 2008-2015 Canonical Ltd.

3、防火墻服務啟停管理

• 查看防火墻狀態

root@s162:~# ufw status
Status: active

To Action From
– ------ ----
80/tcp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)

88/tcp DENY OUT Anywhere
88/tcp (v6) DENY OUT Anywhere (v6)

• 查看防火墻狀態詳細信息

root@s162:~# ufw status verbose
Status: active
Logging: on (full)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
– ------ ----
80/tcp ALLOW IN Anywhere
80/tcp (v6) ALLOW IN Anywhere (v6)

88/tcp DENY OUT Anywhere
88/tcp (v6) DENY OUT Anywhere (v6)

• 啟動防火墻并設置開機自啟動

root@s162:~# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

• 停止防火墻并取消開機自啟動

root@s162:~# ufw disable
Firewall stopped and disabled on system startup

• 重啟防火墻

root@s162:~# ufw reload
Firewall reloaded

• 重置防火墻

root@s162:~# ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
Backing up ‘user.rules’ to ‘/etc/ufw/user.rules.20210914_061746’
Backing up ‘before.rules’ to ‘/etc/ufw/before.rules.20210914_061746’
Backing up ‘after.rules’ to ‘/etc/ufw/after.rules.20210914_061746’
Backing up ‘user6.rules’ to ‘/etc/ufw/user6.rules.20210914_061746’
Backing up ‘before6.rules’ to ‘/etc/ufw/before6.rules.20210914_061746’
Backing up ‘after6.rules’ to ‘/etc/ufw/after6.rules.20210914_061746’

4、防火墻日志管理

• 關閉防火墻日志

root@s162:~# ufw logging off
Logging disabled

• 開啟防火墻日志

root@s162:~# ufw logging on
Logging enabled

• 設置防火墻日志級別為low

root@s162:~# ufw logging low
Logging enabled

• 設置防火墻日志級別為medium

root@s162:~# ufw logging medium
Logging enabled

• 設置防火墻日志級別為high

root@s162:~# ufw logging high
Logging enabled

• 設置防火墻日志級別為full

root@s162:~# ufw logging full
Logging enabled

5、添加防火墻策略

如下示例以添加放行策略為例，示例同理適用allow、deny、reject，添加策略默認添加到入方向，如果需要添加到出方向使用關鍵詞out。

• 添加放行一個端口策略

root@s162:~# ufw allow 8080
Rules updated
Rules updated (v6)

• 添加放行一個協議端口策略

root@s162:~# ufw allow 8081/tcp
Rules updated
Rules updated (v6)
root@s162:~# ufw allow 8082/udp
Rules updated
Rules updated (v6)

• 添加放行一個應用協議策略

root@s162:~# ufw allow http
Rule added
Rule added (v6)

• 添加放行一個端口策略

root@s162:~# ufw allow proto tcp to any port 81
Rule added
Rule added (v6)

• 允許指定源地址訪問指定端口

root@s162:~# ufw allow proto tcp from 192.168.0.0/24 to 192.168.0.162 port 88
Rule added

• 運行指定源地址端口訪問指定地址指定端口

root@s162:~# ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
Rule added

• 添加出方向安全策略

root@s162:~# ufw deny out 88/tcp
Rule added
Rule added (v6)

6、刪除防火墻策略

• 查看策略編號

root@s162:~# ufw status numbered
Status: active

To Action From
– ------ ----
[ 1] 80/tcp ALLOW IN Anywhere
[ 2] 80/tcp (v6) ALLOW IN Anywhere (v6)

• 刪除指定編號策略

root@s162:~# ufw delete 2
Deleting:
allow 80/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)

• 刪除指定規則策略

root@s162:~# ufw delete allow 80/tcp
Rule deleted
Could not delete non-existent rule (v6)

7、插入安全策略

root@s162:~# ufw insert 1 deny proto tcp from 192.168.0.1 to any port 80
Rule inserted
root@s162:~# ufw insert 2 deny from 192.168.0.1 to any port 80
Rule inserted

8、添加默認安全策略

以下示例使用–dry-run參數模擬執行展示。

• 設置默認入策略為允許

root@s162:~# ufw --dry-run default allow
running ufw-init
running ufw-init
Default incoming policy changed to ‘allow’
(be sure to update your rules accordingly)

• 設置默認出策略為拒絕

root@s162:~# ufw --dry-run default deny outgoing
running ufw-init
running ufw-init
Default outgoing policy changed to ‘deny’
(be sure to update your rules accordingly)

9、添加自定義應用

• 首先自定義一個應用

root@s162:/etc/ufw/applications.d# cat test
[test]
title=test
description=this is a test.
ports=81/tcp

• 添加策略時調用應用名稱

root@s162:/etc/ufw/applications.d# ufw allow test
Rule added
Rule added (v6)

• 查看防火墻策略

root@s162:/etc/ufw/applications.d# ufw status
Status: active

To Action From
– ------ ----
80/tcp DENY 192.168.0.1
80 DENY 192.168.0.1
80/tcp REJECT Anywhere
test ALLOW Anywhere
80/tcp (v6) REJECT Anywhere (v6)
test (v6) ALLOW Anywhere (v6)

88/tcp DENY OUT Anywhere
88/tcp (v6) DENY OUT Anywhere (v6)

三、ufw常用及默認規則說明

• ufw默認關閉
• ufw默認拒絕入流量，放行出流量
• ufw日志級別默認為low
• ufw添加策略默認為in放行，需要在出方向添加安全策略使用關鍵詞out
• ufw添加策略為指定協議是默認為IP協議，包含TCP和UDP
• ufw使用–dry-run參數模擬執行

四、ufw使用語法

ufw [–dry-run] enable|disable|reload

ufw [–dry-run] default allow|deny|reject [incoming|outgoing|routed]

ufw [–dry-run] logging on|off|LEVEL

ufw [–dry-run] reset

ufw [–dry-run] status [verbose|numbered]

ufw [–dry-run] show REPORT

ufw [–dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out] [log|log-all]
PORT[/PROTOCOL]

ufw [–dry-run] [rule] [delete] [insert NUM] allow|deny|reject|limit [in|out [on
INTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT]] [to ADDRESS [port
PORT]]

ufw [–dry-run] route [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE]
[log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT]] [to ADDRESS [port PORT]]

ufw [–dry-run] delete NUM

ufw [–dry-run] app list|info|default|update

五、重要文件說明

• 參數配置文件/etc/ufw/ufw.conf
• 防火墻日志文件/var/log/ufw.log
• 路由轉發參數配置文件/etc/ufw/sysctl.conf
• 應用定義文件目錄/etc/ufw/applications.d

總結

以上是生活随笔為你收集整理的Ubuntu之ufw安装和使用的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。