ufw简明教程
iptables过于复杂,ufw才是给平常人用的。首先我们要安装ufw:
$ sudo pacman -S ufw # ArchLinux
$ sudo apt install -y ufw # Ubuntu, Debian
首先要知道ufw有个全局参数,那就是 --dry-run
,如果加了这个参数,那么不会真的执行,而是会输出将会怎样执行,可以
类比为MySQL的explain。例如:
$ sudo ufw --dry-run allow http
...
然后我们看看ufw共有这么几个命令:
$ ufw --help
Usage: ufw COMMAND
Commands:
enable enables the firewall
disable disables the firewall
default ARG set default policy
logging LEVEL set logging to LEVEL
allow ARGS add allow rule
deny ARGS add deny rule
reject ARGS add reject rule
limit ARGS add limit rule
delete RULE|NUM delete RULE
insert NUM RULE insert RULE at NUM
route RULE add route RULE
route delete RULE|NUM delete route RULE
route insert NUM RULE insert route RULE at NUM
reload reload firewall
reset reset firewall
status show firewall status
status numbered show firewall status as numbered list of RULES
status verbose show verbose firewall status
show ARG show firewall report
version display version information
Application profile commands:
app list list application profiles
app info PROFILE show information on PROFILE
app update PROFILE update PROFILE
app default ARG set default application policy
ufw enable
和 ufw disable
是用来启动或者关闭ufw的,ufw app
则是一些内建规则,这个我们不看,ufw reset
则是把
规则重置成安装时的样子,ufw logging
是设置日志输出level的,ufw reload
是重新加载规则。
ufw status
是输出状态,可以不加参数,或者使用 numbered
或者 verbose
两个参数,分别是输出编号和详细输出:
jiajun@mate ~ $ sudo ufw status
Status: active
To Action From
-- ------ ----
syncthing ALLOW Anywhere
22 ALLOW Anywhere
Anywhere ALLOW 192.168.0.0/16
syncthing (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
jiajun@mate ~ $ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] syncthing ALLOW IN Anywhere
[ 2] 22 ALLOW IN Anywhere
[ 3] Anywhere ALLOW IN 192.168.0.0/16
[ 4] syncthing (v6) ALLOW IN Anywhere (v6)
[ 5] 22 (v6) ALLOW IN Anywhere (v6)
jiajun@mate ~ $ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22000/tcp (syncthing) ALLOW IN Anywhere
21027/udp (syncthing) ALLOW IN Anywhere
22 ALLOW IN Anywhere
Anywhere ALLOW IN 192.168.0.0/16
22000/tcp (syncthing (v6)) ALLOW IN Anywhere (v6)
21027/udp (syncthing (v6)) ALLOW IN Anywhere (v6)
22 (v6) ALLOW IN Anywhere (v6)
为什么要这个 numbered
呢?这是因为删除规则的时候,既可以直接指定规则,也可以指定编号,例如上面的规则里,如果想要
删除ssh这个规则,可以使用 ufw delete allow 22
,也可以使用 ufw delete 2
。
ufw limit
是进行限速,它默认的限速规则是20秒内不得超过6次,例如 ufw limit ssh
就会限制ssh被疯狂登录。
最后我们看一看常用的写法:
允许ssh访问
$ sudo ufw allow ssh
允许端口访问
$ sudo ufw allow 1234
允许udp流量或者tcp流量
$ sudo ufw allow 1234/tcp $ sudo ufw allow 1234/udp
允许一个IP段(IP range)访问
$ sudo ufw allow from 192.168.0.0/16
允许一个IP段访问特定的端口
$ sudo ufw allow from 192.168.0.0/16 to any port 3306
这就是ufw的常见用法了。
更多文章
本站热门
- socks5 协议详解
- zerotier简明教程
- 搞定面试中的系统设计题
- 用peewee代替SQLAlchemy
- frp 源码阅读与分析(一):流程和概念
- Golang(Go语言)中实现典型的fork调用
- DNSCrypt简明教程
- 一个Gunicorn worker数量引发的血案
- Golang validator使用教程
- Docker组件介绍(一):runc和containerd
- Docker组件介绍(二):shim, docker-init和docker-proxy
- 使用Go语言实现一个异步任务框架
- 协程(coroutine)简介 - 什么是协程?
- SQLAlchemy简明教程
- Go Module 简明教程