UFW - Uncomplicated Firewall
The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. By default, UFW is disabled.
gufw is a GUI frontend for ufw.
1. Basic Syntax and Examples
Default rules are fine for the average home user
When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That's at least the goal of the Ubuntu developers. In short, all 'incoming' is being denied, with some exceptions to make things easier for home users.
Enable and Disable
To turn UFW on with the default set of rules:
sudo ufw enable
To check the status of UFW:
sudo ufw status verbose
Note that by default, deny is being applied to incoming. There are exceptions, which can be found in the output of this command:
sudo ufw show raw
You can also read the rules files in /etc/ufw (the files whose names end with .rules).
Disable UFW
To disable ufw use:
sudo ufw disable
Allow and Deny (specific rules)
Allow
sudo ufw allow <port>/<optional: protocol>
example: To allow incoming tcp and udp packet on port 53
sudo ufw allow 53
example: To allow incoming tcp packets on port 53
sudo ufw allow 53/tcp
example: To allow incoming udp packets on port 53
sudo ufw allow 53/udp
Deny
sudo ufw deny <port>/<optional: protocol>
example: To deny tcp and udp packets on port 53
sudo ufw deny 53
example: To deny incoming tcp packets on port 53
sudo ufw deny 53/tcp
example: To deny incoming udp packets on port 53
sudo ufw deny 53/udp
Delete Existing Rule
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:
ufw deny 80/tcp
Use this to delete it:
sudo ufw delete deny 80/tcp
Services
You can also allow or deny by service name, since ufw reads /etc/services to get the list of services:
less /etc/services
Allow by Service Name
sudo ufw allow <service name>
example: to allow ssh by name
sudo ufw allow ssh
Deny by Service Name
example: to deny ssh by name
sudo ufw deny ssh
Status
Checking the status of ufw will tell you if ufw is enabled or disabled and also list the current ufw rules that are applied to your iptables.
To check the status of ufw:
sudo ufw status
If ufw is not enabled, the output will be:
sudo ufw status
Status: inactive
Logging
To enable logging use:
sudo ufw logging on
To disable logging use:
sudo ufw logging off
Check UFW Logs:
sudo less /var/log/ufw.log
or
tail -f /var/log/ufw.log
2. Advanced Syntax
You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.
Allow by Specific IP
sudo ufw allow from <ip address>
example: To allow packets from 207.46.232.182:
sudo ufw allow from 207.46.232.182
Allow by Subnet
You may use a netmask:
sudo ufw allow from 192.168.1.0/24
Allow by specific port and IP address
sudo ufw allow from <target> to <destination> port <port number>
example: allow IP address 192.168.0.4 access to port 22 for all protocols
sudo ufw allow from 192.168.0.4 to any port 22
Allow by specific port, IP address and protocol
sudo ufw allow from <target> to <destination> port <port number> proto <protocol name>
example: allow IP address 192.168.0.4 access to port 22 using TCP
sudo ufw allow from 192.168.0.4 to any port 22 proto tcp
Enable PING
Security by obscurity may be of very little actual benefit against modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.
In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
or change the "ACCEPT" to "DROP"
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Deny Access
Deny by specific IP
sudo ufw deny from <ip address>
example: To block packets from 207.46.232.182:
sudo ufw deny from 207.46.232.182
Deny by specific port and IP address
sudo ufw deny from <ip address> to <destination> port <port number>
example: deny ip address 192.168.0.1 access to port 22 for all protocols
sudo ufw deny from 192.168.0.1 to any port 22
Working with numbered rules
Listing rules with a reference number
You may use status numbered to show the order and id number of rules:
sudo ufw status numbered
Editing numbered rules
Delete numbered rule
You may then delete rules using the number. This will delete the first rule and rules will shift up to fill in the list.
sudo ufw delete 1
Insert numbered rule
sudo ufw insert 1 allow from <ip address>
Advanced Example
Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7, but allow all other 192.168.0.x IPs to have access to port 22 using TCP.
sudo ufw deny from 192.168.0.1 to any port 22
sudo ufw deny from 192.168.0.7 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
This puts the specific rules first and the generic second. Once a rule is matched the others will not be evaluated (see manual below) so you must put the specific rules first. As rules change you may need to delete old rules to ensure that new rules are put in the proper order.
To check the order of your rules you can check the status; for this scenario, the output below is the desired output for the rules to work properly:
sudo ufw status
Firewall loaded
To                         Action      From
--                         ------      ----
22:tcp                     DENY        192.168.0.1
22:udp                     DENY        192.168.0.1
22:tcp                     DENY        192.168.0.7
22:udp                     DENY        192.168.0.7
22:tcp                     ALLOW       192.168.0.0/24
Scenario change: You want to block access to port 22 to 192.168.0.3 as well as 192.168.0.1 and 192.168.0.7.
sudo ufw delete allow from 192.168.0.0/24 to any port 22
sudo ufw status
Firewall loaded
To                         Action      From
--                         ------      ----
22:tcp                     DENY        192.168.0.1
22:udp                     DENY        192.168.0.1
22:tcp                     DENY        192.168.0.7
22:udp                     DENY        192.168.0.7
sudo ufw deny from 192.168.0.3 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
sudo ufw status
Firewall loaded
To                         Action      From
--                         ------      ----
22:tcp                     DENY        192.168.0.1
22:udp                     DENY        192.168.0.1
22:tcp                     DENY        192.168.0.7
22:udp                     DENY        192.168.0.7
22:tcp                     DENY        192.168.0.3
22:udp                     DENY        192.168.0.3
22:tcp                     ALLOW       192.168.0.0/24
If you had simply added the deny rule, the allow rule would have been above it and would have been applied instead of the deny.
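As an added example (not code from the original page), a small POSIX shell checker for the first-match ordering problem described above: it reads a listing in "ufw status numbered" format, here two constructed listings rather than real output, and reports any DENY rule on a port that a broader ALLOW on the same port already precedes. It compares ports only, not whether the ALLOW source range actually contains the DENY address, and skips IPv6 rows.

```shell
#!/bin/sh
# Added example: detects DENY rules that an earlier ALLOW on the same port
# shadows, since ufw stops at the first matching rule.
# Both listings below are constructed in "ufw status numbered" format;
# they are not captured from a real host.
LISTING_GOOD='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         DENY IN     192.168.0.1
[ 2] 22                         DENY IN     192.168.0.7
[ 3] 22/tcp                     ALLOW IN    192.168.0.0/24'

LISTING_BAD='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         DENY IN     192.168.0.1
[ 2] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 3] 22                         DENY IN     192.168.0.3'

# Reads a numbered listing on stdin. Prints "ok" when no DENY is shadowed,
# otherwise one "shadowed: <port> DENY from <source>" line per hidden rule.
# Ports are compared after stripping any /proto suffix (22/tcp -> 22).
# IPv6 rows, whose To column carries a "(v6)" suffix, are not handled here.
check_rule_order() {
    awk '
        /^\[/ {
            sub(/^\[ *[0-9]+\] */, "")          # drop the "[ n]" index column
            port = $1; sub(/\/.*/, "", port)    # 22/tcp -> 22
            if ($2 == "ALLOW" && !(port in first_allow))
                first_allow[port] = NR          # first ALLOW seen for this port
            else if ($2 == "DENY" && (port in first_allow)) {
                bad++
                print "shadowed:", port, "DENY from", $4
            }
        }
        END { if (!bad) print "ok" }'
}

printf '%s\n' "$LISTING_GOOD" | check_rule_order
printf '%s\n' "$LISTING_BAD" | check_rule_order
```

Pipe real output through it with "sudo ufw status numbered | check_rule_order" after sourcing the functions.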
UFW makes it easy to configure a basic firewall, especially for users who are not familiar with the more advanced iptables syntax. It's designed for simplicity, while still providing essential control over network security.
3. Other UFW commands
To make sure we start from scratch, disable UFW and reset it to its default state:
# ufw disable
Firewall stopped and disabled on system startup
# ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
[...]
UFW Default Policy
# ufw default deny incoming
[...]
# ufw default allow outgoing
[...]
This default policy means that no port should be open. More precisely, all ports should be stealth.
Applications that require open ports can include a UFW profile, which details which ports need to be opened. These profiles are in the /etc/ufw/applications.d directory. Let’s see which applications have installed a profile:
# ufw app list
Available applications:
OpenSSH
At the moment, we have only one application. Let’s repeat the test after installing a web server, such as Apache:
# apt install apache2
[...]
# ufw app list
Available applications:
Apache
Apache Full
Apache Secure
OpenSSH
Then, let’s inspect each profile to know which ports it opens:
# ufw app info "Apache"
[...]
80/tcp
# ufw app info "Apache Full"
[...]
80,443/tcp
# ufw app info "Apache Secure"
[...]
443/tcp
# ufw app info "OpenSSH"
[...]
22/tcp
Actually, knowing the ports associated with each application profile isn’t strictly necessary. However, it makes us more aware of what we’re doing.
Enable Application Profiles
We’re interested in the “Apache Full” and “OpenSSH” profiles. Let’s enable them:
# ufw allow "Apache Full"
[...]
# ufw allow "OpenSSH"
[...]
UFW is now ready-to-use for our test case. Let’s enable it and check its status:
# ufw enable
[...]
# ufw status verbose
[...]
To                             Action      From
--                             ------      ----
80,443/tcp (Apache Full)       ALLOW IN    Anywhere
22/tcp (OpenSSH)               ALLOW IN    Anywhere
80,443/tcp (Apache Full (v6))  ALLOW IN    Anywhere (v6)
22/tcp (OpenSSH (v6))          ALLOW IN    Anywhere (v6)
Each rule is doubled because one applies to IPv4 and the other to IPv6.
Operation Confirmation by Port Scanning
According to our UFW rules, all ports must be stealth except 22 (SSH), 80 (HTTP), and 443 (HTTPS). Let’s check whether this is actually the case, using nmap to scan the server ports from a computer outside the server’s network:
# nmap 217.69.7.111
[...]
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
[...]
In this way, nmap scanned only the first 1,000 ports and reported 997 filtered ports. In the nmap lexicon, filtered and stealth are synonyms. Thus, except for the three ports specified in the UFW rules, all the others are stealth, precisely as we wanted.
In general, port scanning is a method of confirming whether our firewall is working as intended.
Limit the Number of Connections to a Given Port Over Time
UFW has a rate-limiting feature that denies connections from an IP address that has attempted to initiate six or more connections in the last 30 seconds. This helps prevent brute force attacks.
Let’s reopen SSH connections to all IPs, but this time, with rate-limiting:
# ufw limit ssh
Rule added
Rule added (v6)
Then let’s remove the old rule:
# ufw status numbered
[...]
[ 5] 22/tcp ALLOW IN 195.231.79.38
[ 6] 22/tcp LIMIT IN Anywhere
[...]
[10] 22/tcp (v6) LIMIT IN Anywhere (v6)
# ufw delete 5
[...]
From this point on, if we connect at least six times in 30 seconds (regardless of whether the login succeeds), UFW will block us. In this case, the port won’t become stealth but closed. But, we don’t need to worry, as this ban will expire after 30 seconds.
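As an added example serving both the Logging section above and this rate-limit section (not code from the original page), a POSIX shell summariser for /var/log/ufw.log: it groups entries by UFW tag, source address and destination port, so that ordinary "[UFW BLOCK]" noise and the "[UFW LIMIT BLOCK]" entries written when the limit rule trips can be told apart. The log lines are constructed in the netfilter format ufw writes, with some fields abbreviated, and are not taken from a real host.

```shell
#!/bin/sh
# Added example: summarise /var/log/ufw.log by tag, source and destination port.
# The log lines below are constructed for this example (addresses from the
# documentation ranges, fields abbreviated); they are not from a real host.
SAMPLE_LOG='Mar  3 10:01:02 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:05 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:11 srv kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:12 srv kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:03:00 srv kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=192.0.2.10 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

# Reads ufw log lines on stdin and prints "TAG SRC DPT COUNT" for each distinct
# combination, most frequent first. Spaces in the tag become underscores so
# that each output line stays four whitespace-separated fields.
summarize_ufw_log() {
    awk '
        match($0, /\[UFW [A-Z ]+\]/) {
            tag = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. "UFW LIMIT BLOCK"
            gsub(/ /, "_", tag)
            src = dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[tag " " src " " dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort -k4,4nr -k1,1
}

# Lists only the sources that tripped a "ufw limit" rule (six or more
# connection attempts within 30 seconds), one address per line.
rate_limited_sources() {
    summarize_ufw_log | awk '$1 == "UFW_LIMIT_BLOCK" { print $2 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | summarize_ufw_log
```

On a live host, run "sudo cat /var/log/ufw.log | summarize_ufw_log" after sourcing the functions.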
References: