2025/2/28 14:51:41 Source: https://blog.csdn.net/guoqx/article/details/142739162
UFW - Uncomplicated Firewall
The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.
gufw is a GUI frontend for ufw.
1, Basic Syntax and Examples
Default rules are fine for the average home user
When you turn UFW on, it uses a default set of rules (a profile) that should be fine for the average home user; that is at least the goal of the Ubuntu developers. In short, all incoming traffic is denied, with a few exceptions (for example the ICMP types accepted in /etc/ufw/before.rules) to make things easier for home users.
Enable and Disable
To turn UFW on with the default set of rules:
sudo ufw enable
To check the status of UFW:
sudo ufw status verbose
Note that by default, deny is applied to incoming traffic. The exceptions can be seen in the output of this command:
sudo ufw show raw
You can also read the rule files in /etc/ufw (the files whose names end in .rules).
Disable UFW
To disable ufw use:
sudo ufw disable
Allow and Deny (specific rules)
sudo ufw allow <port>/<optional: protocol>
example: To allow incoming tcp and udp packets on port 53
sudo ufw allow 53
example: To allow incoming tcp packets on port 53
sudo ufw allow 53/tcp
example: To allow incoming udp packets on port 53
sudo ufw allow 53/udp
sudo ufw deny <port>/<optional: protocol>
example: To deny incoming tcp and udp packets on port 53
sudo ufw deny 53
example: To deny incoming tcp packets on port 53
sudo ufw deny 53/tcp
example: To deny incoming udp packets on port 53
sudo ufw deny 53/udp
Delete Existing Rule
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:
sudo ufw deny 80/tcp
use this to delete it:
sudo ufw delete deny 80/tcp
You can also allow or deny by service name, since ufw reads /etc/services to get the list of services:
less /etc/services
Allow by Service Name
sudo ufw allow <service name>
example: to allow ssh by name
sudo ufw allow ssh
Deny by Service Name
example: to deny ssh by name
sudo ufw deny ssh
Checking the status of ufw tells you whether ufw is enabled or disabled and lists the current ufw rules that are applied to iptables.
To check the status of ufw:
sudo ufw status
If ufw is not enabled, the output is:
sudo ufw status
Status: inactive
To enable logging use:
sudo ufw logging on
To disable logging use:
sudo ufw logging off
(logging on selects the low level; ufw also accepts off, low, medium, high and full as the argument to ufw logging, and anything above low quickly becomes noisy on a busy host.)
Check UFW logs:
sudo less /var/log/ufw.log
tail -f /var/log/ufw.log
The entries are kernel log messages, so on a system where rsyslog is not writing /var/log/ufw.log they can be read with journalctl -k instead.
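Reading the log with tail -f is fine for a quick look, but a review usually wants to know which sources are being blocked and on which ports. The script below is an added example (not code from the original page or from ufw itself) that parses the kernel-format lines ufw writes to /var/log/ufw.log and aggregates them by tag, source address and destination port. It is written in Python rather than shell so it can be run offline against a saved copy of the log; the lines in LOG_SAMPLE are constructed for the example.

```python
"""Summarise blocked connections from ufw log lines.

Added example, not code from the original page or from ufw: parses the
kernel-format lines ufw writes to /var/log/ufw.log and aggregates them by
tag, source address and destination port.  LOG_SAMPLE is constructed.
"""
import sys
import re
from collections import Counter

# A ufw entry: syslog prefix, then "[UFW BLOCK]" (or "[UFW LIMIT BLOCK]",
# "[UFW AUDIT]", ...), then space-separated KEY=VALUE fields from the kernel.
LINE_RE = re.compile(r"\[UFW (?P<tag>[A-Z ]+)\] (?P<fields>.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: three blocks from one scanner, one UDP block from a
# second host, and an unrelated sshd line that must be ignored.
LOG_SAMPLE = """\
Feb 28 14:51:41 web1 kernel: [ 8123.401] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=37411 DF PROTO=TCP SPT=51344 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 28 14:51:42 web1 kernel: [ 8124.117] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=37412 DF PROTO=TCP SPT=51345 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 28 14:51:50 web1 kernel: [ 8132.300] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=37420 DF PROTO=TCP SPT=51360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 28 14:52:03 web1 kernel: [ 8145.008] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=192.0.2.77 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=28
Feb 28 14:52:10 web1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""


def parse_line(line):
    """Return (tag, fields) for a ufw log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return m.group("tag"), fields


def summarise(lines):
    """Count events per (tag, SRC, PROTO, DPT)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        tag, f = parsed
        counts[(tag, f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def top_sources(lines, n=5):
    """Most frequently blocked source addresses across all tags."""
    per_src = Counter()
    for (_tag, src, _proto, _dpt), c in summarise(lines).items():
        per_src[src] += c
    return per_src.most_common(n)


if __name__ == "__main__":
    # Usage: python3 ufwlog.py /var/log/ufw.log   (falls back to the sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else LOG_SAMPLE.splitlines()
    for (tag, src, proto, dpt), c in sorted(summarise(lines).items(), key=lambda kv: -kv[1]):
        print(f"{c:5d}  {tag:<12} {src:<16} {proto}/{dpt}")
    print("top sources:", top_sources(lines, 3))
```

The LIMIT BLOCK tag comes from the ufw limit rule described later on this page, so the summary also shows which sources tripped rate limiting rather than a plain deny.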
2, Advanced Syntax
You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.
Allow by Specific IP
sudo ufw allow from <ip address>
example:To allow packets from
sudo ufw allow from
Allow by Subnet
You may use a netmask (CIDR notation):
sudo ufw allow from
Allow by specific port and IP address
sudo ufw allow from <source> to <destination> port <port number>
example: allow IP address access to port 22 for all protocols
sudo ufw allow from to any port 22
Allow by specific port, IP address and protocol
sudo ufw allow from <source> to <destination> port <port number> proto <protocol name>
example: allow IP address access to port 22 using TCP
sudo ufw allow from to any port 22 proto tcp
Enable PING
Security by obscurity may be of very little actual benefit against modern attack scripts. By default, UFW allows ping requests, and you may well want to leave (icmp) ping requests enabled to diagnose networking problems.
In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
or change "ACCEPT" to "DROP":
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Only the echo-request line governs ping. Dropping destination-unreachable, time-exceeded and parameter-problem as well breaks path MTU discovery and traceroute, so in practice change or remove just the echo-request line. The edit takes effect after sudo ufw reload, and the IPv6 equivalents live in /etc/ufw/before6.rules.
Deny Access
Deny by specific IP
sudo ufw deny from <ip address>
example:To block packets from
sudo ufw deny from
Deny by specific port and IP address
sudo ufw deny from <ip address> to <destination> port <port number>
example: deny ip address access to port 22 for all protocols
sudo ufw deny from to any port 22
Working with numbered rules
Listing rules with a reference number 
You may use status numbered to show the order and ID number of each rule:
sudo ufw status numbered
Editing numbered rules
Delete numbered rule
You may then delete rules using the number. This deletes the first rule, and the remaining rules shift up to fill the list. Because the numbering changes after every deletion, re-run status numbered before deleting another rule by number.
sudo ufw delete 1
Insert numbered rule
sudo ufw insert 1 allow from <ip address>
Advanced Example
Scenario: You want to block access to port 22 from and , but allow all other 192.168.0.x IPs to access port 22 using tcp.
sudo ufw deny from to any port 22
sudo ufw deny from to any port 22
sudo ufw allow from to any port 22 proto tcp
This puts the specific rules first and the generic one second. Once a rule is matched the remaining rules are not evaluated (see the ufw manual page), so you must put the specific rules first. As rules change you may need to delete old rules to ensure that new rules end up in the proper order.
To check your rule order, check the status; for this scenario the output below is what the rules should look like:
sudo ufw status
Firewall loaded
To                         Action  From
--                         ------  ----
22:tcp                     DENY
22:udp                     DENY
22:tcp                     DENY
22:udp                     DENY
22:tcp                     ALLOW
Scenario change: You want to block access to port 22 from as well as from and
First remove the subnet allow rule. The delete must repeat the rule exactly as it was added, including proto tcp, or ufw will not find it:
sudo ufw delete allow from to any port 22 proto tcp
sudo ufw status
Firewall loaded
To                         Action  From
--                         ------  ----
22:tcp                     DENY
22:udp                     DENY
22:tcp                     DENY
22:udp                     DENY
sudo ufw deny to any port 22
sudo ufw allow to any port 22 proto tcp
sudo ufw status
Firewall loaded
To                         Action  From
--                         ------  ----
22:tcp                     DENY
22:udp                     DENY
22:tcp                     DENY
22:udp                     DENY
22:tcp                     DENY
22:udp                     DENY
22:tcp                     ALLOW
If you simply added the deny rule, the existing allow would sit above it and be applied instead of the deny.
UFW makes it easy to configure a basic firewall, especially for users who are not familiar with the more advanced iptables syntax. It is designed for simplicity while still providing essential control over network security.
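The ordering rule above (first match wins) is easy to get wrong once a rule set has grown, and ufw does not warn when a new rule can never match. The following checker is an added example, not code from the original page or from the ufw project: it reads the text of sudo ufw status numbered, parses each rule's ports, protocol and source network, and reports any rule that is fully covered by an earlier one, either "shadowed" (different action, the later rule is dead) or "redundant" (same action). The status output in SAMPLE is constructed and includes the page's scenario of a deny added after a subnet allow; rules using syntax the regex does not understand (interfaces, destination addresses) are skipped rather than misreported.

```python
"""Find ufw rules that can never match because an earlier rule covers them.

Added example, not code from the original page or from ufw.  ufw stops at
the first matching rule, so a specific rule placed after a broader one is
dead.  Reads `ufw status numbered` text; SAMPLE is constructed.
Usage: sudo ufw status numbered > rules.txt && python3 deadrules.py rules.txt
"""
import ipaddress
import re
import sys

RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>\S+)"
    r"(?:\s+\((?P<app>[^()]*(?:\([^()]*\))?)\))?\s+"      # "(Apache Full)", "(v6)", "(Apache Full (v6))"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<direction>IN|OUT|FWD)\s+"
    r"(?P<src>\S+)(?:\s+\(v6\))?\s*(?:#.*)?$"
)

# Constructed sample of `sudo ufw status numbered` output.
SAMPLE = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     DENY IN     192.168.0.1
[ 2] 22/tcp                     DENY IN     192.168.0.7
[ 3] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 4] 22/tcp                     DENY IN     192.168.0.99
[ 5] 80,443/tcp (Apache Full)   ALLOW IN    Anywhere
[ 6] 443/tcp                    DENY IN     10.0.0.0/8
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 80/tcp                     ALLOW IN    192.0.2.10
"""


def parse_ports(spec):
    """'80,443/tcp' -> ([(80, 80), (443, 443)], 'tcp'); 'Anywhere' -> (None, 'any')."""
    if spec == "Anywhere":
        return None, "any"
    ports, _, proto = spec.partition("/")
    ranges = []
    for token in ports.split(","):
        lo, _, hi = token.partition(":")          # "6000:6007" is a range
        ranges.append((int(lo), int(hi or lo)))
    return ranges, proto or "any"


def parse_rules(lines):
    rules = []
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            continue                                # headers, blank lines, unsupported syntax
        v6 = "(v6)" in line
        src = m.group("src")
        if src == "Anywhere":
            net = ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")
        else:
            net = ipaddress.ip_network(src, strict=False)
        ranges, proto = parse_ports(m.group("to"))
        rules.append({"num": int(m.group("num")), "ranges": ranges, "proto": proto,
                      "action": m.group("action"), "direction": m.group("direction"),
                      "net": net})
    return rules


def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    if broad["direction"] != narrow["direction"]:
        return False
    if broad["net"].version != narrow["net"].version or not narrow["net"].subnet_of(broad["net"]):
        return False
    if broad["proto"] not in ("any", narrow["proto"]):
        return False
    if broad["ranges"] is None:                     # broad rule matches any port
        return True
    if narrow["ranges"] is None:                    # narrow matches any port, broad does not
        return False
    return all(any(blo <= lo and hi <= bhi for blo, bhi in broad["ranges"])
               for lo, hi in narrow["ranges"])


def find_dead_rules(lines):
    """Return (rule_no, covering_rule_no, kind) with kind 'shadowed' or 'redundant'."""
    rules = parse_rules(lines)
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:                   # first covering rule is the one that fires
            if covers(earlier, rule):
                kind = "redundant" if earlier["action"] == rule["action"] else "shadowed"
                findings.append((rule["num"], earlier["num"], kind))
                break
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for num, by, kind in find_dead_rules(text.splitlines()):
        print(f"rule [{num}] is {kind}: rule [{by}] matches first")
```

On the sample, rule 4 (a deny for one host) is shadowed by the /24 allow in rule 3, which is exactly the mistake the scenario above warns about; fixing it is a delete followed by insert 1 of the deny.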
3, Other UFW commands
To start from scratch, disable UFW and reset it to its default state (reset keeps timestamped backups of the previous rule files alongside them in /etc/ufw):
# ufw disable
Firewall stopped and disabled on system startup
# ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
UFW Default Policy
# ufw default deny incoming
# ufw default allow outgoing
This default policy means that no port should be open. More precisely, all ports should be stealth: incoming packets are dropped silently rather than rejected, so a port scanner sees them as filtered instead of closed.
Applications that require open ports can ship a UFW profile that lists the ports they need. These profiles live in the /etc/ufw/applications.d directory. Let's see which applications have installed a profile:
# ufw app list
Available applications:
At the moment, we have only one application. Let's repeat the test after installing a web server such as Apache:
# apt install apache2
# ufw app list
Available applications:
  Apache Full
  Apache Secure
Then, let's inspect each profile to see which ports it opens:
# ufw app info "Apache"
# ufw app info "Apache Full"
# ufw app info "Apache Secure"
# ufw app info "OpenSSH"
Knowing the ports behind each application profile isn't strictly necessary, but it makes it clearer what we are actually opening.
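ufw app info prints one profile at a time; for an audit of everything in /etc/ufw/applications.d it helps to parse the files directly. The following is an added example, not code from the original page or from ufw. Profiles are INI files with one section per profile and a ports= line such as 80,443/tcp, or, with several protocols, 137,138/udp|139,445/tcp (ranges use a colon, as in 6000:6007/tcp). The text in SAMPLE_PROFILES is constructed; the "Example Range" profile is invented to exercise range parsing, and load_profiles_from_dir is the entry point to run against a real system.

```python
"""List the ports each ufw application profile would open.

Added example, not part of the original page or of ufw.  Parses the INI
profiles in /etc/ufw/applications.d; SAMPLE_PROFILES is constructed text.
Usage: python3 ufwprofiles.py [/etc/ufw/applications.d]
"""
import configparser
import glob
import os
import sys

SAMPLE_PROFILES = """\
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

[Samba]
title=LanManager-like file and printer server for Unix
description=The Samba software suite implements the SMB/CIFS protocol.
ports=137,138/udp|139,445/tcp

[Example Range]
title=Invented profile for this example
description=Shows the colon syntax for a port range.
ports=6000:6007/tcp
"""


def parse_port_spec(spec):
    """'137,138/udp|139,445/tcp' -> [('udp',137,137), ('udp',138,138), ('tcp',139,139), ('tcp',445,445)]"""
    entries = []
    for part in spec.split("|"):                    # one part per protocol
        ports, _, proto = part.strip().partition("/")
        for token in ports.split(","):
            lo, _, hi = token.partition(":")        # "lo:hi" is a range, "lo" a single port
            entries.append((proto or "any", int(lo), int(hi or lo)))
    return entries


def load_profiles(text):
    """Map profile name -> list of (proto, low_port, high_port) from profile text."""
    cp = configparser.ConfigParser(interpolation=None)   # descriptions may contain '%'
    cp.read_string(text)
    return {name: parse_port_spec(cp[name]["ports"]) for name in cp.sections()}


def load_profiles_from_dir(path="/etc/ufw/applications.d"):
    profiles = {}
    for filename in sorted(glob.glob(os.path.join(path, "*"))):
        with open(filename, encoding="utf-8") as fh:
            profiles.update(load_profiles(fh.read()))
    return profiles


def port_count(entries):
    """Number of distinct ports a profile opens (ranges expanded)."""
    return sum(hi - lo + 1 for _, lo, hi in entries)


def profiles_opening(profiles, proto, port):
    """Names of profiles whose ports= line covers proto/port, e.g. ('tcp', 443)."""
    return sorted(name for name, entries in profiles.items()
                  if any(p == proto and lo <= port <= hi for p, lo, hi in entries))


if __name__ == "__main__":
    profiles = load_profiles_from_dir(sys.argv[1]) if len(sys.argv) > 1 else load_profiles(SAMPLE_PROFILES)
    for name, entries in profiles.items():
        spec = ", ".join(f"{lo}/{p}" if lo == hi else f"{lo}:{hi}/{p}" for p, lo, hi in entries)
        print(f"{name:<16} {port_count(entries):3d} port(s): {spec}")
```

Because ufw allow "Apache Full" expands to the same rule as ufw allow 80,443/tcp, the parsed entries are exactly what to compare against ufw status verbose when checking that a profile did not open more than expected.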
Enable Application Profiles
We're interested in the "Apache Full" and "OpenSSH" profiles. Let's enable them:
# ufw allow "Apache Full"
# ufw allow "OpenSSH"
UFW is now ready for our test case. Let's enable it and check its status:
# ufw enable
# ufw status verbose
To                         Action      From
--                         ------      ----
80,443/tcp (Apache Full)   ALLOW IN    Anywhere                  
22/tcp (OpenSSH)           ALLOW IN    Anywhere                  
80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)             
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)   
Each rule appears twice because one copy applies to IPv4 and the other to IPv6.
Operation Confirmation by Port Scanning
According to our UFW rules, all ports must be stealth except 22 (SSH), 80 (HTTP) and 443 (HTTPS). Let's check whether this is actually the case, using nmap to scan the server's ports from a computer outside the server's network:
# nmap
Not shown: 997 filtered ports
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https
nmap scanned only the top 1,000 ports by default and reported 997 filtered ports. In nmap's terminology, filtered means that packet filtering dropped the probes so nmap cannot tell whether the port is open; that is what "stealth" means here. Thus, apart from the three ports specified in the UFW rules, all the others are stealth, precisely as we wanted. Note that 443 shows as closed rather than open: the firewall lets the probe through, but Apache is not yet serving HTTPS, so the host answers with a reset. A closed port therefore still confirms the allow rule is in place, whereas a filtered port would show it was missing.
In general, port scanning is a method of confirming whether our firewall is working as intended.
Limit the Number of Connections to a Given Port Over Time
UFW has a rate-limiting feature: it denies connections from an IP address that has attempted to initiate six or more connections in the last 30 seconds. This helps slow down brute-force attacks.
Let's reopen SSH connections to all IPs, but this time with rate limiting:
# ufw limit ssh
Rule added
Rule added (v6)
Then let’s remove the old rule:
# ufw status numbered
[ 5] 22/tcp                     ALLOW IN             
[ 6] 22/tcp                     LIMIT IN    Anywhere
[10] 22/tcp (v6)                LIMIT IN    Anywhere (v6)             
# ufw delete 5
From this point on, if we connect at least six times in 30 seconds (regardless of whether the login succeeds), UFW will block us. In this case the port doesn't become stealth but closed, because the LIMIT rule rejects the connection instead of dropping it. The block lifts once fewer than six attempts fall inside the 30-second window, so a client that keeps retrying stays blocked, while a client that pauses for 30 seconds gets through again.
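The "six in 30 seconds" behaviour comes from the iptables recent module: ufw limit installs one rule that records every NEW connection from the source address (recent --set) and a second that sends the source to the rejecting ufw-user-limit chain when it has six or more recorded hits within 30 seconds (recent --update --seconds 30 --hitcount 6). Since the rejected attempt is itself recorded, the counter does not reset while a client keeps hammering. The simulation below is an added example that models that logic; it is not ufw's or the kernel's code, and the connection trace in TRACE is constructed.

```python
"""Model of the ufw LIMIT rule (iptables recent: 6 hits within 30 s).

Added example, not code from the page or from ufw.  Each NEW connection is
recorded for its source (recent --set); the connection is rejected when the
source has >= 6 recorded hits in the last 30 s (recent --update --seconds 30
--hitcount 6).  TRACE is a constructed sequence of (timestamp, source).
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 30
HITCOUNT = 6


class RateLimiter:
    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.seen = defaultdict(deque)          # source -> timestamps of NEW connections

    def new_connection(self, src, now):
        """Verdict ('ACCEPT' or 'REJECT') for a NEW connection from src at time now."""
        hits = self.seen[src]
        hits.append(now)                        # recent --set: the attempt is recorded even if rejected
        while hits and now - hits[0] > self.window:
            hits.popleft()                      # only hits inside the window count
        # recent --update --hitcount 6 -> ufw-user-limit, which REJECTs (port looks closed)
        return "REJECT" if len(hits) >= self.hitcount else "ACCEPT"


def replay(attempts, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Replay (timestamp, source) pairs in time order; return (timestamp, source, verdict)."""
    limiter = RateLimiter(window, hitcount)
    return [(t, src, limiter.new_connection(src, t)) for t, src in sorted(attempts)]


# Constructed trace: a brute-forcer (203.0.113.9) connecting every 2 s for 20 s,
# then once more after a 40 s pause, and an admin (192.0.2.10) connecting twice.
TRACE = ([(t, "203.0.113.9") for t in range(0, 20, 2)] + [(60, "203.0.113.9")]
         + [(5, "192.0.2.10"), (40, "192.0.2.10")])


if __name__ == "__main__":
    for t, src, verdict in replay(TRACE):
        print(f"t={t:3d}s  {src:<14} {verdict}")
```

Replaying TRACE shows the brute-forcer's first five attempts accepted, the sixth through tenth rejected, and the attempt at 60 s accepted again because nothing from that source falls inside the window any more; the admin is never affected. A slower attacker making one attempt every 10 seconds never reaches six hits in 30 seconds, so ufw limit raises the cost of password guessing but does not replace key-only authentication or fail2ban-style lockouts.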
UFW - Community Help Wiki (ubuntu.com)
UncomplicatedFirewall - Ubuntu Wiki
How to Use UFW (Uncomplicated Firewall) | Baeldung on Linux


