Install the ufw package
# apt-get install ufw
設定 ufw (0.35-0ubuntu2) …
Creating config file /etc/ufw/before.rules with new version
Creating config file /etc/ufw/before6.rules with new version
Creating config file /etc/ufw/after.rules with new version
Creating config file /etc/ufw/after6.rules with new version
Processing triggers for systemd (229-4ubuntu13) …
Processing triggers for ureadahead (0.100.0-19) …
1. Disable the firewall and stop it from starting at boot
# ufw disable
Firewall stopped and disabled on system startup
Not enabled
# ufw status
Status: inactive
2. Enable the firewall
# ufw enable
Firewall is active and enabled on system startup
Enabled
# ufw status
Status: active
3. Default policies
Allow by default
# ufw default allow
Deny incoming connections
# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rule accordingly)
Deny by default
# ufw default deny
Allow outgoing connections
# ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rule accordingly)
4. Firewall rules
# ufw allow in 22/tcp
# ufw allow in ssh
# ufw allow in http
# ufw allow out http
# ufw allow from 192.168.1.0/24
# ufw allow from 192.168.1.0/24 port 22
# ufw allow proto tcp from 192.168.1.0/24 port 22
# ufw deny from 192.168.1.17 to 192.168.1.16 port 22
# ufw allow from 192.168.1.0/24 to 192.168.1.16 port 22
Note that a port given directly after from matches the source port of the connection; the rule that shows up as 22 ALLOW 192.168.1.0/24 in the listing below is the destination-port form, allow from 192.168.1.0/24 to any port 22.
5. List the firewall rules
# ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
443/tcp ALLOW Anywhere
53 ALLOW Anywhere
22/tcp ALLOW Anywhere
1194/tcp ALLOW Anywhere
22 ALLOW 192.168.1.0/24
22 (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
53 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
1194/tcp (v6) ALLOW Anywhere (v6)
With rule numbers
# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22 ALLOW IN Anywhere
[ 2] 443/tcp ALLOW IN Anywhere
[ 3] 53 ALLOW IN Anywhere
[ 4] 22/tcp ALLOW IN Anywhere
[ 5] 1194/tcp ALLOW IN Anywhere
[ 6] 22 ALLOW IN 192.168.1.0/24
[ 7] 22 (v6) ALLOW IN Anywhere (v6)
[ 8] 443/tcp (v6) ALLOW IN Anywhere (v6)
[ 9] 53 (v6) ALLOW IN Anywhere (v6)
[10] 22/tcp (v6) ALLOW IN Anywhere (v6)
[11] 1194/tcp (v6) ALLOW IN Anywhere (v6)
Show more detail
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
192.168.1.16 22 ALLOW IN 192.168.1.0/24
6. Delete firewall rules
# ufw delete allow 22/tcp
# ufw delete allow from 192.168.1.0/24 to 192.168.1.16 port 22
# ufw delete 6
Deleting:
allow from 192.168.1.0/24 to any port 22
Proceed with operation (y|n)? y
Rule deleted
The original rule 6 has been deleted, and the rules after it have moved up one number
# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22 ALLOW IN Anywhere
[ 2] 443/tcp ALLOW IN Anywhere
[ 3] 53 ALLOW IN Anywhere
[ 4] 22/tcp ALLOW IN Anywhere
[ 5] 1194/tcp ALLOW IN Anywhere
[ 6] 22 (v6) ALLOW IN Anywhere (v6)
[ 7] 443/tcp (v6) ALLOW IN Anywhere (v6)
[ 8] 53 (v6) ALLOW IN Anywhere (v6)
[ 9] 22/tcp (v6) ALLOW IN Anywhere (v6)
[10] 1194/tcp (v6) ALLOW IN Anywhere (v6)
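Because rule numbers shift after each deletion (compare the two numbered listings above: the v6 rules moved from 7-11 to 6-10), a script that deletes numbers recorded earlier can remove the wrong rule. The following shell example is added here and is not from the original post: it resolves the number from the To/From columns of ufw status numbered at the moment of deletion; the status text is a constructed sample shaped like the listing above, and ufw_rule_number / ufw_delete_rule are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `ufw status numbered` output, shaped like the listing
# above (not captured from a live host); used when no live status is passed in.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 53                         ALLOW IN    Anywhere
[ 4] 22/tcp                     ALLOW IN    Anywhere
[ 5] 1194/tcp                   ALLOW IN    Anywhere
[ 6] 22                         ALLOW IN    192.168.1.0/24
[ 7] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 8] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# ufw_rule_number TO FROM [STATUS_TEXT]
# Print the number of the first rule whose To and From columns equal TO and
# FROM exactly (e.g. "22" "192.168.1.0/24"); print nothing and return 1 if
# there is none. STATUS_TEXT defaults to the live `ufw status numbered`.
ufw_rule_number() {
    status="${3:-$(ufw status numbered)}"
    printf '%s\n' "$status" | awk -v to="$1" -v from="$2" '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)   # rule number
            line = $0; sub(/^\[ *[0-9]+\] */, "", line)        # drop "[ N] "
            # The action column separates the To and From columns.
            if (match(line, / +(ALLOW|DENY|REJECT|LIMIT)( IN| OUT| FWD)? +/)) {
                t = substr(line, 1, RSTART - 1)
                f = substr(line, RSTART + RLENGTH)
                sub(/ +$/, "", t); sub(/ +$/, "", f)
                if (t == to && f == from) { print n; found = 1; exit }
            }
        }
        END { if (!found) exit 1 }'
}

# ufw_delete_rule TO FROM: look the number up at the moment of deletion, so a
# rule removed earlier in the same script cannot shift this one onto the wrong
# number. --force skips the (y|n) prompt shown in section 6.
ufw_delete_rule() {
    n=$(ufw_rule_number "$1" "$2") || { echo "no rule: $1 from $2" >&2; return 1; }
    ufw --force delete "$n"
}
```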
7. Clear all rules
# ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
Backing up 'after.rules' to '/etc/ufw/after.rules.20161225_095230'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20161225_095230'
Backing up 'user.rules' to '/etc/ufw/user.rules.20161225_095230'
Backing up 'before.rules' to '/etc/ufw/before.rules.20161225_095230'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20161225_095230'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20161225_095230'
8. Enable logging:
# ufw logging on
Logging enabled
Disable logging:
# ufw logging off
Logging disabled
Logs are written to /var/log/ufw.log by default
Set the logging level (the default is low)
# ufw logging (low | medium | high | full)
10. Edit the default rules in /etc/ufw/before.rules directly
Block ping
# sed -i '34,38 s/ACCEPT/DROP/' /etc/ufw/before.rules
The line range 34-38 is where this ufw version keeps the ICMP accept rules in before.rules; confirm the line numbers in your own copy of the file before running the sed command, since they differ between ufw versions.
Reload
# ufw reload
Firewall reloaded