ufw常用命令

刷docker的时候又遇到了ufw，上次踩的坑，这次又稳稳踩中。

概念

UFW: uncomplicated Firewall.

ubuntu默认安装，配置文件地址： /etc/default/ufw.

常用指令

查看所有指令：

ufw --help

# 输出
Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 route RULE                      add route RULE
 route delete RULE|NUM           delete route RULE
 route insert NUM RULE           insert route RULE at NUM
 reload                          reload firewall
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy

查看ufw 状态
```
sudo ufw status
```
如果是inactive，可以enable ufw:
```
sudo ufw enable
```
ufw 在 active的状态下，默认是deny all incoming connection, allow all outgoing connection.

也可自行设置：
```
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
如果enable ufw 后没做其他设置，直接退出服务器，再次ssh 登录，会发现一直time out，此时需要设置allow SSH connection.
allow SSH connection
```
sudo ufw allow ssh
```
等同于：
```
sudo ufw allow 22
```
其他如：

allow http：
```
sudo ufw allow http
# 等同于
sudo ufw allow 80
```
allow https:
```
sudo ufw allow https
# 等同于
sudo ufw allow 443
```
allow specific port ranges:
```
sudo ufw allow 6000:6007/tcp
```
allow specific IP address:
```
sudo ufw allow from 14.141.14.15
```
allow PG from specific IP address:

PG 默认在端口5432 监听 .

假定 IP 地址是：14.141.14.15
```
sudo ufw allow from 14.141.14.15 to any port 5432
```
更多有关mail 及 PG， SQL，参考 UFW essentials common firewall rules and commands。

删除UFW rules:

两种方式：使用 delete [number]；delete 搭配 allow.

例子：

# 列出所有的rules，带有number：
sudo ufw status numbered

# 输出
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)

sudo ufw delete 3
# 输出
Deleting:
 allow 443/tcp
Proceed with operation (y|n)? y
Rule deleted

# 或者直接：
sudo ufw delete allow https

# 等同于：
sudo ufw delete allow 80

disable ufw

设置 ufw 状态为 inactive:
```
sudo ufw disable
```
reset ufw

重置：
```
sudo ufw reset
```
reload ufw

通常，修改 /etc/default/ufw配置文件后，需要reload下。
```
sudo ufw reload
```

参考

UFW essentials common firewall rules and commands

how to set up a firewall with UFW on Ubuntu