UFW: Uncomplicated Firewall.

Installed by default on Ubuntu; the configuration file is /etc/default/ufw.


  • List all commands:

    ufw --help
    # output
    Usage: ufw COMMAND
     enable                          enables the firewall
     disable                         disables the firewall
     default ARG                     set default policy
     logging LEVEL                   set logging to LEVEL
     allow ARGS                      add allow rule
     deny ARGS                       add deny rule
     reject ARGS                     add reject rule
     limit ARGS                      add limit rule
     delete RULE|NUM                 delete RULE
     insert NUM RULE                 insert RULE at NUM
     route RULE                      add route RULE
     route delete RULE|NUM           delete route RULE
     route insert NUM RULE           insert route RULE at NUM
     reload                          reload firewall
     reset                           reset firewall
     status                          show firewall status
     status numbered                 show firewall status as numbered list of RULES
     status verbose                  show verbose firewall status
     show ARG                        show firewall report
     version                         display version information
    Application profile commands:
     app list                        list application profiles
     app info PROFILE                show information on PROFILE
     app update PROFILE              update PROFILE
     app default ARG                 set default application policy
  • Check ufw status

    sudo ufw status

    If the status is inactive, enable ufw:

    sudo ufw enable

    Once active, ufw's default policy is to deny all incoming connections and allow all outgoing connections. The same defaults can be set explicitly:

    sudo ufw default deny incoming
    sudo ufw default allow outgoing

    If you enable ufw without adding any other rules, log out of the server and try to SSH in again, the connection will keep timing out, because the deny-incoming default now drops port 22 as well. Allow SSH before enabling the firewall.

  • Allow SSH connections

    sudo ufw allow ssh

    sudo ufw allow 22

    Allow HTTP:

    sudo ufw allow http
    # equivalent to
    sudo ufw allow 80

    Allow HTTPS:

    sudo ufw allow https
    # equivalent to
    sudo ufw allow 443

    Note that a service name (ssh, http, https) is resolved through /etc/services and produces a TCP-only rule such as 443/tcp, whereas a bare port number opens both TCP and UDP; append /tcp to the port form if you want the two to be identical.

    Allow a specific port range:

    sudo ufw allow 6000:6007/tcp

    Allow a specific IP address:

    sudo ufw allow from

    Allow PostgreSQL (PG) from a specific IP address:

    PostgreSQL listens on port 5432 by default.

    Assuming the IP address is:

    sudo ufw allow from to any port 5432

    For more on mail, PostgreSQL and SQL rules, see "UFW Essentials: Common Firewall Rules and Commands".
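    The bring-up sequence described above (open the SSH port, set the defaults, open the web ports, and only then enable), as an added POSIX sh example that is not part of the original note. The UFW_CMD variable and the function names are this script's own assumptions; UFW_CMD exists so that a dry run or a test can substitute a stub for "sudo ufw".

```shell
#!/bin/sh
# Added example, not from the original note: bring ufw up without locking
# yourself out of SSH. Rules are added in the order the note describes
# (admin port first, then defaults, then web) and "enable" comes last.
# UFW_CMD is an assumption of this script: a dry run or a test may point it
# at a stub instead of "sudo ufw".
: "${UFW_CMD:=sudo ufw}"

# Succeeds when "ufw status" reports the firewall as active.
ufw_is_active() {
    $UFW_CMD status 2>/dev/null | grep -q '^Status: active'
}

# Apply the baseline policy. SSH_PORT may be set if sshd does not listen on 22.
# Every step aborts the sequence on failure, so "enable" never runs on a
# half-configured rule set.
ufw_baseline() {
    ssh_port="${SSH_PORT:-22}"
    $UFW_CMD allow "${ssh_port}/tcp" || return 1      # must precede enable
    $UFW_CMD default deny incoming || return 1
    $UFW_CMD default allow outgoing || return 1
    $UFW_CMD allow http || return 1                   # 80/tcp
    $UFW_CMD allow https || return 1                  # 443/tcp
    # --force skips the "may disrupt existing ssh connections" prompt.
    $UFW_CMD --force enable || return 1
    ufw_is_active || return 1                         # verify, don't assume
}

# Run as: sh ufw-baseline.sh apply   (the guard keeps sourcing side-effect free)
if [ "${1:-}" = apply ]; then
    ufw_baseline && echo "ufw active; SSH on ${SSH_PORT:-22}/tcp allowed"
fi
```

    Sourcing the file and calling ufw_baseline from another script works too; the "apply" guard only exists so that loading the functions never touches the live firewall.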

  • Delete UFW rules:

    Two ways: delete [number], or delete followed by the original rule text (delete allow ...).

    Deleting by number removes only that one entry (rule 3 below is the IPv4 rule; its IPv6 counterpart, rule 6, stays), and ufw renumbers the remaining rules after every deletion, so run status numbered again before deleting the next one. Deleting by rule text removes the IPv4 and IPv6 entries together.

    # list all rules with their numbers:
    sudo ufw status numbered
    # output
    Status: active
         To                         Action      From
         --                         ------      ----
    [ 1] 22/tcp                     ALLOW IN    Anywhere
    [ 2] 80/tcp                     ALLOW IN    Anywhere
    [ 3] 443/tcp                    ALLOW IN    Anywhere
    [ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
    [ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
    [ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
    sudo ufw delete 3
    # output
     allow 443/tcp
    Proceed with operation (y|n)? y
    Rule deleted
    # or directly:
    sudo ufw delete allow https
    # equivalent to:
    sudo ufw delete allow 443
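    Deleting by number, as an added POSIX sh example that is not part of the original note: it parses the numbered listing shown above, matches the "To" column exactly so that "443/tcp" never selects "443/tcp (v6)", and re-reads the listing before every delete because the numbers shift. UFW_CMD, the function names and the SAMPLE listing are this script's own assumptions; SAMPLE is constructed in the shape of the note's output and is not live output from any host.

```shell
#!/bin/sh
# Added example, not from the original note: delete ufw rules by number
# without reusing a stale number. ufw renumbers the remaining rules after
# each deletion, so the numbered listing is fetched again before every
# delete. UFW_CMD is an assumption of this script (stubbable for dry runs).
: "${UFW_CMD:=sudo ufw}"

# Read a "ufw status numbered" listing on stdin and print the number of the
# first rule whose "To" column equals $1. Prints nothing when there is none.
ufw_rule_number() {
    awk -v want="$1" '
        /^\[/ {
            num = $0; sub(/^[^0-9]+/, "", num); num = num + 0   # "[ 3]" -> 3
            rest = substr($0, index($0, "]") + 1); sub(/^ +/, "", rest)
            to = rest; sub(/  +.*/, "", to)   # "To" column ends at 2+ spaces
            if (to == want) { print num; exit }
        }'
}

# Delete every rule whose "To" column equals $1, e.g. "443/tcp" or
# "443/tcp (v6)". The listing is re-read before each deletion; the number of
# rules removed is left in UFW_DELETED.
ufw_delete_to() {
    want="$1"
    UFW_DELETED=0
    while :; do
        num=$($UFW_CMD status numbered | ufw_rule_number "$want")
        [ -n "$num" ] || break
        $UFW_CMD --force delete "$num" || return 1   # --force: no y/n prompt
        UFW_DELETED=$((UFW_DELETED + 1))
    done
}

# Delete the IPv4 rule and its IPv6 twin for a port spec such as "443/tcp".
# In the listing above this removes rule 3 first, after which the v6 rule
# that was number 6 is found (and deleted) as number 5.
ufw_delete_port() {
    total=0
    for to in "$1" "$1 (v6)"; do
        ufw_delete_to "$to" || return 1
        total=$((total + UFW_DELETED))
    done
    UFW_DELETED=$total
}

# Constructed sample listing in the shape of the note's output; not live data.
SAMPLE='Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

printf '%s\n' "$SAMPLE" | ufw_rule_number '443/tcp'        # 3
printf '%s\n' "$SAMPLE" | ufw_rule_number '443/tcp (v6)'   # 6

# Run as: sh ufw-delete.sh apply 443/tcp   (the guard keeps sourcing harmless)
if [ "${1:-}" = apply ]; then
    ufw_delete_port "$2" && echo "deleted $UFW_DELETED rule(s) for $2"
fi
```

    The exact-match on the "To" column is what makes this safe to script: a substring match on "443/tcp" would hit the v6 entry as well, and reusing the number 6 after rule 3 is gone would delete whatever has moved into slot 6 by then.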
  • Disable ufw

    Set the ufw status to inactive:

    sudo ufw disable
  • Reset ufw

    Disables the firewall and removes all rules, restoring the defaults:

    sudo ufw reset
  • Reload ufw

    Usually, after editing the /etc/default/ufw configuration file, you need to reload:

    sudo ufw reload


