Common ufw commands

While working through Docker I ran into ufw again; the pit I fell into last time, I fell squarely into once more this time.

Concepts

UFW: Uncomplicated Firewall.

Installed by default on Ubuntu; configuration file: /etc/default/ufw.

Common commands

  • List all commands:

    ufw --help
    
    # output
    Usage: ufw COMMAND
    
    Commands:
     enable                          enables the firewall
     disable                         disables the firewall
     default ARG                     set default policy
     logging LEVEL                   set logging to LEVEL
     allow ARGS                      add allow rule
     deny ARGS                       add deny rule
     reject ARGS                     add reject rule
     limit ARGS                      add limit rule
     delete RULE|NUM                 delete RULE
     insert NUM RULE                 insert RULE at NUM
     route RULE                      add route RULE
     route delete RULE|NUM           delete route RULE
     route insert NUM RULE           insert route RULE at NUM
     reload                          reload firewall
     reset                           reset firewall
     status                          show firewall status
     status numbered                 show firewall status as numbered list of RULES
     status verbose                  show verbose firewall status
     show ARG                        show firewall report
     version                         display version information
    
    Application profile commands:
     app list                        list application profiles
     app info PROFILE                show information on PROFILE
     app update PROFILE              update PROFILE
     app default ARG                 set default application policy
    
  • Check ufw status

    sudo ufw status
    

    If it is inactive, enable ufw:

    sudo ufw enable
    

    When ufw is active, the default policy is to deny all incoming connections and allow all outgoing connections.

    These defaults can also be set explicitly:

    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    

    If you enable ufw without adding any other rules, log out of the server, and then try to ssh in again, the connection will keep timing out (incoming connections are denied by default); you need to allow SSH connections.

  • Allow SSH connections

    sudo ufw allow ssh
    

    Equivalent to:

    sudo ufw allow 22
    

    Others, such as:

    allow http:

    sudo ufw allow http
    # equivalent to
    sudo ufw allow 80
    

    allow https:

    sudo ufw allow https
    # equivalent to
    sudo ufw allow 443
    

    allow specific port ranges:

    sudo ufw allow 6000:6007/tcp
    

    allow specific IP address:

    sudo ufw allow from 14.141.14.15
    

    allow PG from specific IP address:

    PostgreSQL (PG) listens on port 5432 by default.

    Assuming the IP address is 14.141.14.15:

    sudo ufw allow from 14.141.14.15 to any port 5432
    

    For more on mail, PostgreSQL and SQL servers, see UFW essentials common firewall rules and commands.

  • Delete UFW rules:

    Two ways: delete [number], or delete followed by the original rule (delete allow ...).

    Example:

    # list all rules, with numbers:
    sudo ufw status numbered
    
    # output
    Status: active
    
         To                         Action      From
         --                         ------      ----
    [ 1] 22/tcp                     ALLOW IN    Anywhere
    [ 2] 80/tcp                     ALLOW IN    Anywhere
    [ 3] 443/tcp                    ALLOW IN    Anywhere
    [ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
    [ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
    [ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
    
    sudo ufw delete 3
    # 输出
    Deleting:
     allow 443/tcp
    Proceed with operation (y|n)? y
    Rule deleted
    
    # or directly:
    sudo ufw delete allow https
    
    # equivalent to (https resolves to port 443, so the port form must use 443, not 80):
    sudo ufw delete allow 443
    
  • disable ufw

    Set the ufw state to inactive:

    sudo ufw disable
    
  • reset ufw

    Reset:

    sudo ufw reset
    
  • reload ufw

    Usually, after modifying the /etc/default/ufw configuration file, you need to reload:

    sudo ufw reload
    
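Two of the steps above bite in practice: enabling ufw before an SSH rule exists locks you out, and deleting rules by number goes wrong when several are removed in one go, because ufw renumbers the remaining rules after every delete. The script below is an added example written for this page, not code from the original post or from the ufw project. It plans both procedures as a dry run (printing the commands) and only executes them when UFW_APPLY=1 is set. It goes beyond the post in one respect: rather than `allow ssh`, which opens 22/tcp, it reads the actual Port directive(s) from sshd_config, so a custom SSH port is not left blocked. Assumptions: sudo and ufw are on the host, ufw's `--force` option (which skips the y|n prompt) is available, sshd uses the OpenSSH config format, and the sshd_config and `ufw status numbered` samples embedded below are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example for this page (not from the original post or the ufw project).
# Plans ufw changes as a dry run so the command order can be checked before
# anything touches the firewall; set UFW_APPLY=1 to actually execute the plan.
# Assumes: sudo and ufw on the host, OpenSSH-format sshd_config.

# Print the port(s) sshd listens on, read from sshd_config text on stdin.
# Falls back to 22 when no uncommented "Port" directive is present.
# Needed because "ufw allow ssh" only opens 22/tcp; a custom sshd port
# would still be blocked after "ufw enable".
ssh_ports_from_config() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }'
}

# Emit, in order, the commands that enable ufw without locking out SSH:
# defaults first, then the SSH allow rule(s), and "enable" strictly last.
# "--force" skips the interactive (y|n) prompt so the plan can run from a script.
enable_plan() {
    echo "sudo ufw default deny incoming"
    echo "sudo ufw default allow outgoing"
    for port in "$@"; do
        echo "sudo ufw allow ${port}/tcp"
    done
    echo "sudo ufw --force enable"
}

# Read "sudo ufw status numbered" output on stdin and print the rule numbers
# whose "To" column is exactly $1 (e.g. 443/tcp; matches the v4 and v6 entries),
# highest number first, space-separated on one line.
rule_numbers_for() {
    sed -n 's/^\[ *\([0-9][0-9]*\)\] *\([^ ][^ ]*\).*/\1 \2/p' |
        awk -v want="$1" '$2 == want { print $1 }' |
        sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# Emit the delete commands for every rule matching $1, highest number first.
# Order matters: ufw renumbers the remaining rules after each delete, so
# deleting 3 before 6 would turn the old rule 6 into rule 5 and the second
# delete would remove the wrong rule.
delete_plan() {
    for n in $(rule_numbers_for "$1"); do
        echo "sudo ufw --force delete $n"
    done
}

# Run a plan read from stdin. Dry run by default; UFW_APPLY=1 executes it.
apply_plan() {
    while IFS= read -r cmd; do
        if [ "${UFW_APPLY:-0}" = "1" ]; then
            eval "$cmd"
        else
            echo "[dry-run] $cmd"
        fi
    done
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SSHD_CONFIG='#Port 22
Port 2222'
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Dry-run demonstration. On a real host use instead:
#   ssh_ports=$(ssh_ports_from_config < /etc/ssh/sshd_config)
#   sudo ufw status numbered | delete_plan 443/tcp | apply_plan
ssh_ports=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | ssh_ports_from_config)
enable_plan $ssh_ports | apply_plan
printf '%s\n' "$SAMPLE_STATUS" | delete_plan 443/tcp | apply_plan
```

Review the dry-run output first; the line that matters is that `sudo ufw allow 2222/tcp` appears before `sudo ufw --force enable`, and that the delete commands count down (6, then 3) rather than up. Deleting by the rule text (`sudo ufw delete allow https`) avoids the renumbering problem entirely and is the safer form when you know the exact rule.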

References

UFW essentials common firewall rules and commands

How to set up a firewall with UFW on Ubuntu