ubuntu UFW简述

这又是一篇翻译文档:​​https://help.ubuntu.com/community/UFW​


文章目录


Introduction 介绍


For an introduction to firewalls, please see ​​Firewall​​.


关于防火墙的介绍,可以参考 ​​Firewall​​.

那个页面我就不翻译了==

UFW - Uncomplicated Firewall 简单的防火墙——UFW


The default firewall configuration tool for Ubuntu is ​​ufw​​​. Developed to ease ​​iptables​​​ firewall configuration, ​​ufw​​ provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.


​ufw​​​是​​ubuntu​​​默认的防火墙配置工具,旨在简化​​iptables​​防火墙的配置。它提供了一种较为友好的方式来创建基于IPv4或IPv6主机的防火墙。UFW在默认情况下被禁用。


​Gufw​​ is a GUI that is available as a frontend.


Gufw是带UI的ufw程序。

Basic Syntax and Examples 基本语法和示例

Default rules are fine for the average home user 适合普通家庭用户的默认规则


When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That’s at least the goal of the Ubuntu developers. In short, all ‘incoming’ is being denied, with some exceptions to make things easier for home users.


当打开UFW时,它将使用一组默认规则(配置文件),该规则对普通家庭用户而言是有效的。而这正是Ubuntu开发人员的目标。简而言之,除了少数例外外,所有外来访问都会被拒绝,这能够让这些用户更容易使用。

Enable and Disable 启用和禁用

Enable UFW 启用UFW


To turn UFW on with the default set of rules:


使用默认的规则打开​​ufw​

sudo ufw enable


To check the status of UFW:


检查​​ufw​​的状态

sudo ufw status verbose


The output should be like this:


输出的样子大概是这样的

youruser@yourcomputer:~$ sudo ufw status verbose
[sudo] password for youruser:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
youruser@yourcomputer:~$


Note that by default, deny is being applied to incoming. There are exceptions, which can be found in the output of this command:


注意,在一般情况下,所有的外来访问都会被拒绝。当然会有一些意外,这可以用以下命令的输出中找到

sudo ufw show raw


You can also read the rules files in /etc/ufw (the files whose names end with .rules).


当然也可以通过阅读规则文件找到。地址是​​/etc/ufw/rules​

Disable UFW 禁用UFW


To disable ufw use:


禁用UFW规则

sudo ufw disable

Allow and Deny (specific rules) 允许和禁止规则

Allow 允许端口

sudo ufw allow <port>/<optional: protocol>


example: To allow incoming tcp and udp packet on port 53


示例:允许在端口53使用tcp或udp

sudo ufw allow 53


example: To allow incoming tcp packets on port 53


示例:允许在端口53使用tcp

sudo ufw allow 53/tcp


example: To allow incoming udp packets on port 53


示例:允许在端口53使用udp

sudo ufw allow 53/udp

Deny 禁止

sudo ufw deny <port>/<optional: protocol>


example: To deny tcp and udp packets on port 53


示例:禁止在端口53使用tcp或udp

sudo ufw deny 53


example: To deny incoming tcp packets on port 53


示例:禁止在端口53使用tcp

sudo ufw deny 53/tcp


example: To deny incoming udp packets on port 53


示例:禁止在端口53使用udp

sudo ufw deny 53/udp

Delete Existing Rule 删除存在的规则


To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:


要删除规则,只需在原始规则前面加上delete。例如,如果原始规则是:

ufw deny 80/tcp


Use this to delete it:


那么这样删除

sudo ufw delete deny 80/tcp

Services 服务


You can also allow or deny by service name since ufw reads from /etc/services To see get a list of services:


也可以按服务名称允许或拒绝,因为ufw从​​/etc/services​​读取

要查看获取服务列表可以这样:

less /etc/services

Allow by Service Name 按服务名允许

sudo ufw allow <service name>


example: to allow ssh by name


你可以按名称允许​​ssh​

sudo ufw allow ssh

Deny by Service Name 按服务名拒绝

sudo ufw deny <service name>


example: to deny ssh by name


你可以按名称拒绝​​ssh​

sudo ufw deny ssh

Status 状态


Checking the status of ufw will tell you if ufw is enabled or disabled and also list the current ufw rules that are applied to your iptables.


检查ufw的状态将显示ufw是启用还是禁用,同样会列出适用于iptables的当前ufw规则。


To check the status of ufw:


检查​​UFW​​的状态

sudo ufw status

Firewall loaded

To Action From
-- ------ ----
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
22:tcp ALLOW 192.168.0.0/24
22:udp ALLOW 192.168.0.0/24


if ufw was not enabled the output would be:


如果没有启用UFW,那么输出将会是:

sudo ufw status
Status: inactive

Logging 日志


To enable logging use:


启用日志

sudo ufw logging on


To disable logging use


关闭日志

sudo ufw logging off

Advanced Syntax 高级语法


You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.


可以使用更完整的语法,指定源和目标地址,端口和协议。

Allow Access 允许访问


This section shows how to allow specific access.


这部分内容展现怎么允许某些特定的访问

Allow by Specific IP 通过IP允许

sudo ufw allow from <ip address>


**example:**To allow packets from 207.46.232.182:


示例:允许来自​IP​​ 207.46.232.182的数据包

sudo ufw allow from 207.46.232.182

Allow by Subnet 通过子网允许


You may use a net mask :


可以使用子网掩码

sudo ufw allow from 192.168.1.0/24

Allow by specific port and IP address 使用IP端口和地址允许

sudo ufw allow from <target> to <destination> port <port number>


example: allow IP address 192.168.0.4 access to port 22 for all protocols


示例:允许所有协议的IP地址192.168.0.4访问端口22

sudo ufw allow from 192.168.0.4 to any port 22

Allow by specific port, IP address and protocol 通过特定的端口,IP地址和协议允许

sudo ufw allow from <target> to <destination> port <port number> proto <protocol name>


example: allow IP address 192.168.0.4 access to port 22 using TCP


示例:允许IP地址192.168.0.4使用TCP访问端口22

sudo ufw allow from 192.168.0.4 to any port 22 proto tcp

Enable PING 启用PING


Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.


注意:使用隐秘的安全性对于现代解密器脚本可能几乎没有实际好处。默认情况下,UFW允许ping请求。您可能会发现希望保留(icmp)ping请求以诊断网络问题。


In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:


为了禁用ping(icmp)请求,需要编辑​​/etc/ufw/before.rules​​并删除以下几行:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT


or change the “ACCEPT” to “DROP”


或将ACCEPT更改为DROP

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Deny Access 拒绝访问

Deny by specific IP 通过特定IP拒绝

sudo ufw deny from <ip address>


**example:**To block packets from 207.46.232.182:


示例:要阻止来自207.46.232.182的数据包:

sudo ufw deny from 207.46.232.182

Deny by specific port and IP address 通过特定的端口和IP地址拒绝

sudo ufw deny from <ip address> to <protocol> port <port number>


example: deny ip address 192.168.0.1 access to port 22 for all protocols


示例:对于所有协议,拒绝IP地址192.168.0.1访问端口22

sudo ufw deny from 192.168.0.1 to any port 22

Working with numbered rules 使用编号规则

Listing rules with a reference number 带有参考编号的上市规则


You may use status numbered to show the order and id number of rules:


您可以使用编号的状态来显示规则的顺序和ID号

sudo ufw status numbered

Editing numbered rules 编辑编号规则

Delete numbered rule 删除编号规则


You may then delete rules using the number. This will delete the first rule and rules will shift up to fill in the list.


可以使用数字删除规则。这将删除第一个规则,并且规则将向上移动以填充列表。

sudo ufw delete 1

Insert numbered rule 插入编号规则

sudo ufw insert 1 allow from <ip address>

Advanced Example 进阶范例


Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22 using tcp


阻止从192.168.0.1和192.168.0.7访问端口22,但允许所有其他192.168.0.x IP使用tcp访问端口22

sudo ufw deny from 192.168.0.1 to any port 22
sudo ufw deny from 192.168.0.7 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp


This puts the specific rules first and the generic second. Once a rule is matched the others will not be evaluated (see manual below) so you must put the specific rules first. As rules change you may need to delete old rules to ensure that new rules are put in the proper order.


这将特定规则放在首位,将通用规则放在第二位。一旦匹配了一条规则,其他规则将不会被评估(请参阅下面的手册),因此您必须将特定规则放在第一位。

随着规则的更改,您可能需要删除旧规则以确保新规则以正确的顺序放置。

要检查您的规则订单,您可以检查状态;对于该场景,以下输出是规则正常运行所需的输出


To check your rules orders you can check the status; for the scenario the output below is the desired output for the rules to work properly


要检查您的规则顺序,可以检查状态;

对于该场景,以下输出是规则正常运行所需的输出

sudo ufw status
Firewall loaded

To Action From
-- ------ ----
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
22:tcp ALLOW 192.168.0.0/24


Scenario change: You want to block access to port 22 to 192.168.0.3 as well as 192.168.0.1 and 192.168.0.7.


阻止访问端口22到192.168.0.3以及192.168.0.1和192.168.0.7。

sudo ufw delete allow from 192.168.0.0/24 to any port 22
sudo ufw status
Firewall loaded

To Action From
-- ------ ----
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7

sudo ufw deny 192.168.0.3 to any port 22
sudo ufw allow 192.168.0.0/24 to any port 22 proto tcp
sudo ufw status

Firewall loaded

To Action From
-- ------ ----
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
22:tcp DENY 192.168.0.3
22:udp DENY 192.168.0.3
22:tcp ALLOW 192.168.0.0/24


If you simply add the deny rule the allow would have been above it and been applied instead of the deny


如果仅添加拒绝规则,应该允许将在其之上并被应用,而不是应用拒绝