一、ufw简介

  ufw是Ubuntu系列发行版自带的类似iptables的防火墙管理软件,底层也是基于netfilter的。ufw是Uncomplicated FireWall的简称,真正地简化了 iptables,它从出现的这几年,已经成为 Ubuntu 和 Debian 等系统上的默认防火墙。而且 ufw 出乎意料的简单,这对新管理员来说是一个福音,否则他们可能需要投入大量时间来学习防火墙管理。ufw默认关闭,开放所有端口。环境说明:如下操作命令和示例均在Ubuntu20.04系统中测试。

二、使用示例

ufw命令需要通过root或者具有sudo权限的用户执行。

  1. 获取ufw命令帮助
    root@s162:~# ufw --help
  2. 版本查看
    root@s162:~# ufw version
ufw 0.36
Copyright 2008-2015 Canonical Ltd.
  3. 防火墙服务启停管理
    查看防火墙状态
    root@s162:~# ufw status
Status: active
To Action From
– ------ ----
80/tcp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
88/tcp DENY OUT Anywhere
88/tcp (v6) DENY OUT Anywhere (v6)

    查看防火墙状态详细信息

    root@s162:~# ufw status verbose
Status: active
Logging: on (full)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
– ------ ----
80/tcp ALLOW IN Anywhere
80/tcp (v6) ALLOW IN Anywhere (v6)
88/tcp DENY OUT Anywhere
88/tcp (v6) DENY OUT Anywhere (v6)

    启动防火墙并设置开机自启动

    root@s162:~# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

    停止防火墙并取消开机自启动

    root@s162:~# ufw disable
Firewall stopped and disabled on system startup

    重启防火墙

    root@s162:~# ufw reload
Firewall reloaded

    重置防火墙

    root@s162:~# ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
Backing up ‘user.rules’ to ‘/etc/ufw/user.rules.20210914_061746’
Backing up ‘before.rules’ to ‘/etc/ufw/before.rules.20210914_061746’
Backing up ‘after.rules’ to ‘/etc/ufw/after.rules.20210914_061746’
Backing up ‘user6.rules’ to ‘/etc/ufw/user6.rules.20210914_061746’
Backing up ‘before6.rules’ to ‘/etc/ufw/before6.rules.20210914_061746’
Backing up ‘after6.rules’ to ‘/etc/ufw/after6.rules.20210914_061746’
  4. 防火墙日志管理
    关闭防火墙日志
    root@s162:~# ufw logging off
Logging disabled

    开启防火墙日志

    root@s162:~# ufw logging on
Logging enabled

    设置防火墙日志级别为low

    root@s162:~# ufw logging low
Logging enabled

    设置防火墙日志级别为medium

    root@s162:~# ufw logging medium
Logging enabled

    设置防火墙日志级别为high

    root@s162:~# ufw logging high
Logging enabled

    设置防火墙日志级别为full

    root@s162:~# ufw logging full
Logging enabled
  5. 添加防火墙策略
    如下示例以添加放行策略为例,示例同理适用allow、deny、reject,添加策略默认添加到入方向,如果需要添加到出方向使用关键词out。

添加放行一个端口策略

root@s162:~# ufw allow 8080
Rules updated
Rules updated (v6)

添加放行一组端口段策略

root@s162:~# ufw allow 6000:7000/tcp
#6000:7000 是端口范围,tcp是协议

添加放行一个协议端口策略

root@s162:~# ufw allow 8081/tcp
Rules updated
Rules updated (v6)
root@s162:~# ufw allow 8082/udp
Rules updated
Rules updated (v6)

添加放行一个应用协议策略

root@s162:~# ufw allow http
Rule added
Rule added (v6)

添加放行一个端口策略

root@s162:~# ufw allow proto tcp to any port 81
Rule added
Rule added (v6)

允许指定源地址访问指定端口

root@s162:~# ufw allow proto tcp from 192.168.0.0/24 to 192.168.0.162 port 88
Rule added

运行指定源地址端口访问指定地址指定端口

root@s162:~# ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
Rule added

添加出方向安全策略

root@s162:~# ufw deny out 88/tcp
Rule added
Rule added (v6)
  1. 删除防火墙策略
    查看策略编号
    root@s162:~# ufw status numbered
Status: active
To Action From
– ------ ----
[ 1] 80/tcp ALLOW IN Anywhere
[ 2] 80/tcp (v6) ALLOW IN Anywhere (v6)

    删除指定编号策略

    root@s162:~# ufw delete 2
Deleting:
allow 80/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)

    删除指定规则策略

    root@s162:~# ufw delete allow 80/tcp
Rule deleted
Could not delete non-existent rule (v6)
  2. 插入安全策略
    root@s162:~# ufw insert 1 deny proto tcp from 192.168.0.1 to any port 80
Rule inserted
root@s162:~# ufw insert 2 deny from 192.168.0.1 to any port 80
Rule inserted
  3. 添加默认安全策略
    以下示例使用–dry-run参数模拟执行展示。
    设置默认入策略为允许
    root@s162:~# ufw --dry-run default allow
running ufw-init
running ufw-init
Default incoming policy changed to ‘allow’
(be sure to update your rules accordingly)

    设置默认出策略为拒绝

    root@s162:~# ufw --dry-run default deny outgoing
running ufw-init
running ufw-init
Default outgoing policy changed to ‘deny’
(be sure to update your rules accordingly)
  4. 添加自定义应用
    首先自定义一个应用
    root@s162:/etc/ufw/applications.d# cat test
[test]
title=test
description=this is a test.
ports=81/tcp

    添加策略时调用应用名称

    root@s162:/etc/ufw/applications.d# ufw allow test
Rule added
Rule added (v6)

    查看防火墙策略

    root@s162:/etc/ufw/applications.d# ufw status
Status: active
To Action From
– ------ ----
80/tcp DENY 192.168.0.1
80 DENY 192.168.0.1
80/tcp REJECT Anywhere
test ALLOW Anywhere
80/tcp (v6) REJECT Anywhere (v6)
test (v6) ALLOW Anywhere (v6)
88/tcp DENY OUT Anywhere
88/tcp (v6) DENY OUT Anywhere (v6)

三、ufw常用及默认规则说明

ufw默认关闭
ufw默认拒绝入流量,放行出流量
ufw日志级别默认为low
ufw添加策略默认为in放行,需要在出方向添加安全策略使用关键词out
ufw添加策略为指定协议是默认为IP协议,包含TCP和UDP
ufw使用–dry-run参数模拟执行

四、ufw使用语法

ufw [–dry-run] enable|disable|reload
ufw [–dry-run] default allow|deny|reject [incoming|outgoing|routed]
ufw [–dry-run] logging on|off|LEVEL
ufw [–dry-run] reset
ufw [–dry-run] status [verbose|numbered]
ufw [–dry-run] show REPORT
ufw [–dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out] [log|log-all]
PORT[/PROTOCOL]
ufw [–dry-run] [rule] [delete] [insert NUM] allow|deny|reject|limit [in|out [on
INTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT]] [to ADDRESS [port
PORT]]
ufw [–dry-run] route [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE]
[log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT]] [to ADDRESS [port PORT]]
ufw [–dry-run] delete NUM
ufw [–dry-run] app list|info|default|update

五、重要文件说明

参数配置文件/etc/ufw/ufw.conf
防火墙日志文件/var/log/ufw.log
路由转发参数配置文件/etc/ufw/sysctl.conf
应用定义文件目录/etc/ufw/applications.d