ufw简明教程

iptables过于复杂，ufw才是给平常人用的。首先我们要安装ufw：

$ sudo pacman -S ufw  # ArchLinux
$ sudo apt install -y ufw  # Ubuntu, Debian

首先要知道ufw有个全局参数，那就是 --dry-run，如果加了这个参数，那么不会真的执行，而是会输出将会怎样执行，可以类比为MySQL的explain。例如：

$ sudo ufw --dry-run allow http
...

然后我们看看ufw共有这么几个命令：

$ ufw --help

Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 route RULE                      add route RULE
 route delete RULE|NUM           delete route RULE
 route insert NUM RULE           insert route RULE at NUM
 reload                          reload firewall
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy

ufw enable 和 ufw disable 是用来启动或者关闭ufw的，ufw app 则是一些内建规则，这个我们不看，ufw reset则是把规则重置成安装时的样子，ufw logging 是设置日志输出level的，ufw reload 是重新加载规则。

ufw status 是输出状态，可以不加参数，或者使用 numbered 或者 verbose 两个参数，分别是输出编号和详细输出：

jiajun@mate  ~ $ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
syncthing                  ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
Anywhere                   ALLOW       192.168.0.0/16             
syncthing (v6)             ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)             

jiajun@mate  ~ $ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] syncthing                  ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] Anywhere                   ALLOW IN    192.168.0.0/16             
[ 4] syncthing (v6)             ALLOW IN    Anywhere (v6)             
[ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)             

jiajun@mate  ~ $ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22000/tcp (syncthing)      ALLOW IN    Anywhere                  
21027/udp (syncthing)      ALLOW IN    Anywhere                  
22                         ALLOW IN    Anywhere                  
Anywhere                   ALLOW IN    192.168.0.0/16             
22000/tcp (syncthing (v6)) ALLOW IN    Anywhere (v6)             
21027/udp (syncthing (v6)) ALLOW IN    Anywhere (v6)             
22 (v6)                    ALLOW IN    Anywhere (v6)

为什么要这个 numbered 呢？这是因为删除规则的时候，既可以直接指定规则，也可以指定编号，例如上面的规则里，如果想要删除ssh这个规则，可以使用 ufw delete allow 22，也可以使用 ufw delete 2。

ufw limit 是进行限速，它默认的限速规则是20秒内不得超过6次，例如 ufw limit ssh 就会限制ssh被疯狂登录。

最后我们看一看常用的写法：

允许ssh访问
```
$ sudo ufw allow ssh
```
允许端口访问
```
$ sudo ufw allow 1234
```

允许udp流量或者tcp流量

$ sudo ufw allow 1234/tcp
$ sudo ufw allow 1234/udp

允许一个IP段(IP range)访问
```
$ sudo ufw allow from 192.168.0.0/16
```

允许一个IP段访问特定的端口

$ sudo ufw allow from 192.168.0.0/16 to any port 3306

这就是ufw的常见用法了。

ufw简明教程

更多文章