UFW - Uncomplicated Firewall
The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. By default, UFW is disabled.
gufw is a GUI frontend that is available for ufw.
1. Basic Syntax and Examples
Default rules are fine for the average home user
When you turn UFW on, it uses a default set of rules (a profile) that should be fine for the average home user; that is at least the goal of the Ubuntu developers. In short, all incoming traffic is denied, with some exceptions to make things easier for home users.
Enable and Disable
To turn UFW on with the default set of rules:
sudo ufw enable
To check the status of UFW:
sudo ufw status verbose
Note that by default, deny is applied to incoming traffic. There are exceptions, which can be found in the output of this command:
sudo ufw show raw
You can also read the rules files in /etc/ufw (the files whose names end with .rules).
Disable UFW
To disable ufw use:
sudo ufw disable
Allow and Deny (specific rules)
Allow
sudo ufw allow <port>/<optional: protocol>
example: To allow incoming tcp and udp packets on port 53
sudo ufw allow 53
example: To allow incoming tcp packets on port 53
sudo ufw allow 53/tcp
example: To allow incoming udp packets on port 53
sudo ufw allow 53/udp
Deny
sudo ufw deny <port>/<optional: protocol>
example: To deny incoming tcp and udp packets on port 53
sudo ufw deny 53
example: To deny incoming tcp packets on port 53
sudo ufw deny 53/tcp
example: To deny incoming udp packets on port 53
sudo ufw deny 53/udp
Delete Existing Rule
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:
ufw deny 80/tcp
Use this to delete it:
sudo ufw delete deny 80/tcp
Services
You can also allow or deny by service name, since ufw reads /etc/services to get the list of services:
less /etc/services
Allow by Service Name
sudo ufw allow <service name>
example: to allow ssh by name
sudo ufw allow ssh
Deny by Service Name
example: to deny ssh by name
sudo ufw deny ssh
Status
Checking the status of ufw tells you whether ufw is enabled or disabled and also lists the current ufw rules that are applied to your iptables.
To check the status of ufw:
sudo ufw status
If ufw was not enabled, the output would be:
sudo ufw status
Status: inactive
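As an added example (not part of the original page), the POSIX shell functions below audit a captured copy of the sudo ufw status verbose output rather than calling ufw, so they run without root: they check that the firewall is active, that the default incoming policy is deny, and that a given port is not allowed inbound. The sample status text is constructed here to match ufw's output format, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): audit a captured copy of
# "sudo ufw status verbose" instead of calling ufw, so it runs without root.
# SAMPLE_STATUS is constructed to match ufw's real status output format.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
53                         ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Succeeds only when the firewall reports "Status: active".
ufw_is_active() {
    printf '%s\n' "$1" | grep -q '^Status: active$'
}

# Prints the default policy for incoming traffic (deny, allow or reject).
ufw_default_incoming() {
    printf '%s\n' "$1" | sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p'
}

# Prints the "To" column of every ALLOW IN rule, skipping the (v6) twins.
ufw_allowed_in_ports() {
    printf '%s\n' "$1" | awk '/ ALLOW IN / && $0 !~ /\(v6\)/ { print $1 }'
}

# ufw_audit STATUS PORT: return 0 only if ufw is active, default incoming is
# deny, and PORT (any protocol) is not allowed inbound; otherwise explain why.
ufw_audit() {
    status="$1"; port="$2"
    ufw_is_active "$status" || { echo "FAIL: ufw is not active"; return 1; }
    [ "$(ufw_default_incoming "$status")" = "deny" ] ||
        { echo "FAIL: default incoming policy is not deny"; return 2; }
    if ufw_allowed_in_ports "$status" | sed 's,/.*,,' | grep -qx "$port"; then
        echo "FAIL: port $port is allowed inbound"; return 3
    fi
    echo "OK: ufw active, default deny incoming, port $port closed"
}

# Show both outcomes on the sample; on a live host you would pass
# "$(sudo ufw status verbose)" as the first argument instead.
for p in 80 22; do ufw_audit "$SAMPLE_STATUS" "$p" || true; done
```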