UFW

Matching order

  • Rules are evaluated top to bottom in the order shown by ufw status; the first rule that matches a packet wins and no later rule is consulted. A packet that matches no rule falls through to the default policy (deny incoming, allow outgoing on a stock install).

Commands

ufw status

  • Show whether ufw is active and list the current rules
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                   # ssh port
80/tcp                     ALLOW       Anywhere                   # http port
443/tcp                    ALLOW       Anywhere                   # https port
80/tcp (v6)                ALLOW       Anywhere (v6)              # http port
443/tcp (v6)               ALLOW       Anywhere (v6)              # https port

ufw status numbered

  • Show the firewall status with each rule numbered; these numbers are the positions that ufw insert and ufw delete accept
$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                   # ssh port
[ 2] 80/tcp                     ALLOW IN    Anywhere                   # http port
[ 3] 443/tcp                    ALLOW IN    Anywhere                   # https port
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)              # http port
[ 5] 443/tcp (v6)               ALLOW IN    Anywhere (v6)              # https port

ufw enable

  • Enable ufw
  • Note: once enabled, ufw's default incoming policy is deny, so everything not explicitly allowed (including your own SSH session) is dropped. Add an allow rule for the SSH port before running ufw enable, especially on a remote host.
# Allow port 22 from anywhere (IPv4)
sudo ufw allow proto tcp from 0.0.0.0/0 to any port 22 comment "ssh port"
# Enable ufw
sudo ufw enable
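The two steps above (allow SSH, then enable) as one script, added here as an example; it is not part of the original notes. It assumes ufw is invoked as "sudo ufw" (the UFW variable can be overridden, for example with a stub, to dry-run) and that SSH listens on port 22 unless SSH_PORT says otherwise. The ssh_allowed check reads the plain ufw status output, so it only recognises rules whose To column is exactly the SSH port, not interface-bound rules.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): enable ufw without locking
# yourself out of SSH. Assumptions: ufw is invoked as "$UFW" (default
# "sudo ufw"; override it to dry-run) and SSH listens on $SSH_PORT (default 22).
set -euo pipefail

: "${UFW:=sudo ufw}"
: "${SSH_PORT:=22}"

# Return 0 when "ufw status" already lists an ALLOW rule for the SSH port.
# Plain (non-numbered) status prints "22/tcp  ALLOW  Anywhere" for IPv4 and
# "22/tcp (v6)  ALLOW  Anywhere (v6)" for IPv6; "Status: inactive" lists nothing.
ssh_allowed() {
  $UFW status | awk -v p="${SSH_PORT}/tcp" '
    $1 == p {
      act = ($2 == "(v6)") ? $3 : $2
      if (act == "ALLOW") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Add the SSH allow rule only if it is missing, then enable. --force answers
# the "Command may disrupt existing ssh connections" prompt for unattended runs.
ufw_safe_enable() {
  if ! ssh_allowed; then
    $UFW allow proto tcp from any to any port "$SSH_PORT" comment "ssh port"
  fi
  $UFW --force enable
  $UFW status verbose
}

# Usage: bash safe-enable.sh --apply   (without --apply only the functions are defined)
if [ "${1:-}" = "--apply" ]; then
  ufw_safe_enable
fi
```

Running the script twice is safe: the second run finds the existing rule and only re-enables the firewall.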

ufw disable

  • Disable the firewall (the rules stay on disk and are loaded again by the next ufw enable)

ufw allow

  • Add an allow rule

Parameters

  • proto tcp: protocol (omitting it matches both TCP and UDP)
  • from/to any: source/destination address (any matches everything, IPv4 and IPv6)
  • port 80: port number
  • comment: a comment shown in the status listing
# Allow anywhere to reach port 80 on this host
$ sudo ufw allow proto tcp from any to any port 80 comment "http port"

ufw insert

  • Insert a rule at a given position (position numbers come from ufw status numbered). Because rules are matched top to bottom, a deny that must win over an existing allow has to be inserted above it.
# Add a deny rule at position 2; no proto is given, so it covers TCP and UDP
$ sudo ufw insert 2 deny from 121.224.96.12/32 to any port 80 comment "test"

ufw delete

  • Delete a rule, either by repeating the rule exactly as it was added or by number
  • ufw delete <number>: delete by the number shown in ufw status numbered. The remaining rules are renumbered after every deletion, so re-run ufw status numbered before each delete, or delete from the highest number down.
# Delete by repeating the rule as it was added
$ sudo ufw delete allow proto tcp from 0.0.0.0/0 to any port 22 comment "ssh port"

ufw logging

  • Set the ufw log level (off, low, medium, high, full). Blocked packets are logged with a [UFW BLOCK] prefix (on Ubuntu they land in /var/log/ufw.log); the higher levels also log allowed traffic and are noisy on a busy host.

Examples

Adding rules

# Allow port 22 from anywhere (IPv4 only)
$ sudo ufw allow proto tcp from 0.0.0.0/0 to any port 22 comment "ssh port"
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                   # ssh port

# Allow port 22 from anywhere (IPv4 and IPv6)
$ sudo ufw allow proto tcp from any to any port 22 comment "ssh port"
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                   # ssh port
22/tcp (v6)                ALLOW       Anywhere (v6)              # ssh port

Inserting a rule at a given position

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22222/tcp                  ALLOW IN    Anywhere                   # ssh port
[ 2] 80/tcp                     ALLOW IN    Anywhere                   # http port
[ 3] 443/tcp                    ALLOW IN    Anywhere                   # https port
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)              # http port
[ 5] 443/tcp (v6)               ALLOW IN    Anywhere (v6)              # https port

$ sudo ufw insert 2 deny from 121.224.96.12/32 to any port 80 comment "test"
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22222/tcp                  ALLOW       Anywhere                   # ssh port
80                         DENY        121.224.96.12              # test
80/tcp                     ALLOW       Anywhere                   # http port
443/tcp                    ALLOW       Anywhere                   # https port
80/tcp (v6)                ALLOW       Anywhere (v6)              # http port
443/tcp (v6)               ALLOW       Anywhere (v6)              # https port

Deleting rules

# Delete by repeating the rule
$ sudo ufw delete allow proto tcp from 0.0.0.0/0 to any port 22 comment "ssh port"

# Delete by rule number (the number from ufw status numbered)
$ sudo ufw delete 5
Deleting:
 allow 443/tcp comment 'https port'
Proceed with operation (y|n)? y
Rule deleted (v6)
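A helper for the delete-by-number form shown in the ufw delete section and in the example above, added here as an example and not part of the original notes. It parses the numbered listing, prints the numbers of every rule whose To and From columns match, and deletes them highest-number first, because ufw renumbers the remaining rules after each delete. It assumes ufw is invoked as "sudo ufw" (the UFW variable can be overridden) and that the listing has the layout shown on this page.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): delete ufw rules by number
# without the renumbering trap. Assumption: ufw is invoked as "$UFW"
# (default "sudo ufw"; override it to dry-run).
set -euo pipefail

: "${UFW:=sudo ufw}"

# Read "ufw status numbered" output on stdin and print the number of every
# rule whose To column equals $1 and From column equals $2, e.g.
#   rule_numbers "80/tcp" "Anywhere"            -> IPv4 rules for 80/tcp
#   rule_numbers "80/tcp (v6)" "Anywhere (v6)"  -> the IPv6 twin
# The action (ALLOW/DENY/REJECT/LIMIT plus IN/OUT/FWD) is skipped over, so a
# DENY and an ALLOW for the same endpoints both match.
rule_numbers() {
  awk -v want_to="$1" -v want_from="$2" '
    /^\[/ {
      match($0, /^\[ *[0-9]+\]/)             # "[ 2]" or "[12]"
      num = substr($0, 2, RLENGTH - 2) + 0
      rest = substr($0, RLENGTH + 1)
      sub(/[[:space:]]*#.*$/, "", rest)      # drop the "# comment"
      $0 = rest                              # re-split the remainder
      i = 1; to = ""
      while (i <= NF && $i !~ /^(ALLOW|DENY|REJECT|LIMIT)$/) {
        to = to (to == "" ? "" : " ") $i; i++
      }
      i++                                    # skip the action word
      if (i <= NF && $i ~ /^(IN|OUT|FWD)$/) i++
      from = ""
      while (i <= NF) { from = from (from == "" ? "" : " ") $i; i++ }
      if (to == want_to && from == want_from) print num
    }'
}

# Delete every rule matching To/From. The numbers come from one listing and
# are processed in descending order: "ufw delete 3" renumbers 4,5,... to
# 3,4,..., so deleting 2 and then 3 would remove the wrong second rule.
delete_matching() {
  $UFW status numbered | rule_numbers "$1" "$2" | sort -rn | while read -r n; do
    $UFW --force delete "$n"
  done
}

# Usage: bash delete-rules.sh --apply "80/tcp" "Anywhere"
if [ "${1:-}" = "--apply" ]; then
  delete_matching "$2" "$3"
fi
```

Matching on To and From rather than on the comment keeps the helper usable for rules added without a comment, and the descending sort is what makes a multi-rule delete safe.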

References