unbntn防火墙ufw的说明页
来源:互联网 发布:全球淘宝网官方下载 编辑:程序博客网 时间:2024/05/16 00:52
很与众不同。与其他Linux一般使用IPTABLES不同,特记录下。
===================================================
UFW:(8) August2009 UFW:(8)
NAME
ufw - program for managing a netfilter firewall
DESCRIPTION
This program is for managing a Linux firewall and aims toprovide an
easy to use interface for the user.
USAGE
ufw [--dry-run] enable|disable|reload
ufw [--dry-run] default allow|deny|reject [incoming|outgoing]
ufw [--dry-run] logging on|off|LEVEL
ufw [--dry-run] reset
ufw [--dry-run] status [verbose|numbered]
ufw [--dry-run] show REPORT
ufw [--dry-run] [delete] [insert NUM]allow|deny|reject|limit [in|out]
[log|log-all] PORT[/protocol]
ufw [--dry-run] [delete][insert NUM] allow|deny|reject|limit [in|out
on INTERFACE] [log|log-all] [proto protocol] [from ADDRESS [portPORT]]
[to ADDRESS [port PORT]]
ufw [--dry-run] delete NUM
ufw [--dry-run] app list|info|default|update
OPTIONS
--version
show program's version number and exit
-h, --help
show help message and exit
--dry-run
don't modify anything, just show the changes
enable reloads firewall and enables firewall on boot.
disable
unloads firewall and disables firewall on boot
reload reloads firewall
default allow|deny|reject DIRECTION
change the default policy for trafficgoing DIRECTION, where
DIRECTION is one of incoming or outgoing. Note that existing
rules will have to be migrated manually when changingthe
default policy. See RULE SYNTAX for more on deny and reject.
logging on|off|LEVEL
toggle logging. Logged packets use the LOG_KERN syslogfacility.
Systems configured for rsyslog support may also log to
/var/log/ufw.log. Specifying a LEVEL turnslogging on for the
specified LEVEL. The default log level is 'low'. See LOGGING
for details.
reset Disables and resets firewall toinstallation defaults. Can also
give the --force option toperform the reset without confirma‐
tion.
status show status of firewall and ufw managed rules.Use status ver‐
bose for extra information. In the status output,'Anywhere' is
synonymous with 'any' and '0.0.0.0/0'.
show REPORT
display information about the running firewall. See REPORTS
allow ARGS
add allow rule. See RULE SYNTAX
deny ARGS
add deny rule. See RULE SYNTAX
reject ARGS
add reject rule. See RULE SYNTAX
limit ARGS
add limit rule. Currently onlyIPv4 is supported. See RULE
SYNTAX
delete RULE|NUM
deletes the corresponding RULE
insert NUM RULE
insert the corresponding RULE as rule number NUM
RULE SYNTAX
Users can specify rules using either a simplesyntax or a full syntax.
The simple syntax only specifies the port andoptionally the protocol
to be allowed or denied on the host. For example:
ufw allow 53
This rule will allow tcp andudp port 53 to any address on this host.
To specify a protocol, append '/protocol' to the port. Forexample:
ufw allow 25/tcp
This will allow tcp port 25 to any address on this host. ufwwill also
check /etc/services for theport and protocol if specifying a service
by name. Eg:
ufw allow smtp
ufw supports both ingress and egress filtering and users mayoptionally
specify a direction of either in or out for either incoming oroutgoing
traffic. If no direction is supplied, the rule applies to incoming
traffic. Eg:
ufw allow in http
ufw reject out smtp
Users can also use a fuller syntax, specifyingthe source and destina‐
tion addresses and ports. This syntax is based on OpenBSD'sPF syntax.
For example:
ufw deny proto tcp to any port 80
This will deny all traffic totcp port 80 on this host. Another exam‐
ple:
ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
This will deny all traffic from the RFC1918 Class A network to tcpport
25 with the address 192.168.0.1.
ufw deny proto tcp from 2001:db8::/32 to any port 25
This will deny all traffic fromthe IPv6 2001:db8::/32 to tcp port 25
on this host. Note that IPv6 must be enabled in /etc/default/ufw for
IPv6 firewalling to work.
ufw allow proto tcp from any to any port 80,443,8080:8090
The above will allow all traffic to tcpports 80, 443 and 8080-8090
inclusive. Note that when specifying multipleports, the ports list
must be numeric, cannot contain spaces and must be modified as awhole.
Eg, in the above example you cannot later try to delete justthe '443'
port. You cannot specify morethan 15 ports (ranges count as 2 ports,
so the port count in the above example is 4).
ufw supports connection rate limiting, which isuseful for protecting
against brute-force loginattacks. ufw will deny connections if an IP
address has attempted to initiate 6 or more connections in thelast 30
seconds. See http://www.debian-administration.org/articles/187 for
details. Typical usage is:
ufw limit ssh/tcp
Sometimes it is desirable to let the sender know when trafficis being
denied, rather than simply ignoring it. In these cases, use reject
instead of deny. For example:
ufw reject auth
By default, ufw will apply rules to all available interfaces.To limit
this, specify DIRECTION onINTERFACE, where DIRECTION is one of in or
out (interface aliases are not supported). Forexample, to allow all
new incoming http connections on eth0, use:
ufw allow in on eth0 to any port 80 proto tcp
To delete a rule, simply prefix theoriginal rule with delete. For
example, if the original rule was:
ufw deny 80/tcp
Use this to delete it:
ufw delete deny 80/tcp
You may also specify the rule by NUM, as seen in the status numbered
output. For example, if you want to delete rule number '3',use:
ufw delete 3
If you have IPv6 enabled andare deleting a generic rule that applies
to both IPv4 and IPv6 (eg 'ufw allow 22/tcp'), deleting byrule number
will delete only the specifiedrule. To delete both with one command,
prefix the original rule with delete.
To insert a rule, specify the new rule as normal, butprefix the rule
with the rule number to insert. For example, if you have four rules,
and you want to insert a new rule as rule number three, use:
ufw insert 3 deny to any port 22 from 10.0.0.135 proto tcp
To see a list of numbered rules, use:
ufw status numbered
ufw supports per rule logging. By default, no logging is performedwhen
a packet matches a rule. Specifying log will log all newconnections
matching the rule, and log-all will log all packets matchingthe rule.
For example, to allow and log all new ssh connections, use:
ufw allow log 22/tcp
See LOGGING for more information on logging.
EXAMPLES
Deny all access to port 53:
ufw deny 53
Allow all access to tcp port 80:
ufw allow 80/tcp
Allow all access from RFC1918 networks to this host:
ufw allow from 10.0.0.0/8
ufw allow from 172.16.0.0/12
ufw allow from 192.168.0.0/16
Deny access to udp port 514 from host 1.2.3.4:
ufw deny proto udp from 1.2.3.4 to any port 514
Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:
ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
REMOTE MANAGEMENT
When running ufw enable or starting ufw via its initscript,ufw will
flush its chains. This is required so ufw can maintain a consistent
state, but it may drop existing connections (egssh). ufw does support
adding rules before enabling the firewall, so administrators cando:
ufw allow proto tcp from any to any port 22
before running 'ufw enable'. The rules will still beflushed, but the
ssh port will be open after enabling the firewall. Please notethat
once ufw is 'enabled', ufw will not flush the chains when adding or
removing rules (but will when modifying a rule orchanging the default
policy). By default, ufw will prompt when enablingthe firewall while
running under ssh. This can be disabled by using 'ufw --forceenable'.
APPLICATION INTEGRATION
ufw supports application integration byreading profiles located in
/etc/ufw/applications.d. To list the names of application profiles
known to ufw, use:
ufw app list
Users can specify one of the applications nameswhen adding rules. For
example, when using the simple syntax, users can use:
ufw allow <name>
Or for the extended syntax:
ufw allow from 192.168.0.0/16 to any app<name>
You should not specify the protocol with eithersyntax, and with the
extended syntax, use app in place of the port clause.
Details on the firewall profile for agiven application can be seen
with:
ufw app info <name>
where '<name>' is one of theapplications seen with the app list com‐
mand. User's may also specify all to see the profiles for allknown
applications.
After creating or editing an application profile, user's canrun:
ufw app update <name>
This command will automatically update the firewallwith updated pro‐
file information. If specify 'all' for name, then all the profileswill
be updated. To update a profile and add anew rule to the firewall
automatically, user's can run:
ufw app update --add-new <name>
The behavior of the update --add-new command can be configuredusing:
ufw app default <policy>
The default application policy is skip,which means that the update
--add-new command will do nothing. Users may also specifya policy of
allow or deny so the update --add-new command mayautomatically update
the firewall. WARNING: it may be a security torisk to use a default
allow policy for applications profiles. Carefully consider thesecurity
ramifications before using a default allow policy.
LOGGING
ufw supports multiple logging levels. ufwdefaults to a loglevel of
'low' when a loglevel is not specified. Users may specify a loglevel
with:
ufw logging LEVEL
LEVEL may be 'off', 'low', 'medium', 'high' andfull. Log levels are
defined as:
off disablesufw managed logging
low logs all blocked packets notmatching the default policy (with
rate limiting), as well as packets matching logged rules
medium log level low, plus all allowed packets not matching thedefault
policy, all INVALID packets, and all newconnections. All log‐
ging is done with rate limiting.
high log level medium (withoutrate limiting), plus all packets with
rate limiting
full log level high withoutrate limiting
Loglevels above medium generate a lot of logging output, and may
quickly fill up your disk. Loglevel medium may generate alot of log‐
ging output on a busy system.
Specifying 'on' simply enables logging at log level 'low' iflogging is
currently not enabled.
REPORTS
The following reports are supported. Each is based onthe live system
and with the exception of the listening report, is in raw iptablesfor‐
mat:
raw
builtins
before-rules
user-rules
after-rules
logging-rules
listening
The raw report shows the complete firewall, while the others show a
subset of what is in the raw report.
The listening report willdisplay the ports on the live system in the
listening state for tcp and the open state for udp, along with the
address of the interface andthe executable listening on the port. An
'*' is used in place of the address of the interface when the exe‐
cutable is bound to all interfaces on that port.Following this infor‐
mation is a list of rules which may affectconnections on this port.
The rules are listed in the order they are evaluated by the kernel,and
the first match wins. Please note that the default policy is notlisted
and tcp6 and udp6 are shown only if IPV6 is enabled.
NOTES
On installation, ufw is disabled with a default incoming policy ofdeny
and a default outgoing policy of allow, with stateful trackingfor NEW
connections. Having a default policy of allow without statefultracking
can be achieved by using ACCEPT_NO_TRACK instead of ACCEPT in
/etc/defaults/ufw.
Rule ordering is important and the firstmatch wins. Therefore when
adding rules, add the more specific rules first with more generalrules
later.
ufw is not intended to provide complete firewallfunctionality via its
command interface, but instead provides an easy wayto add or remove
simple rules. It is currently mainly used for host-basedfirewalls.
The status command shows basic information about the state of thefire‐
wall, as well as rules managed via the ufw command.It does not show
rules from the rules files in /etc/ufw. To see the completestate of
the firewall, users can ufw show raw. Thisdisplays the filter, nat,
mangle and raw tables using:
iptables -n -L -v -x -t <table>
ip6tables -n -L -v -x -t <table>
See the iptables and ip6tables documentation for more details.
If the default policy is set to REJECT, ufw mayinterfere with rules
added outside of the ufw framework. See README for details.
IPv6 is blocked by default and only IPv6 traffic on the loopbackinter‐
face is allowed. To change this behavior, set IPV6 to 'yes' in
/etc/defaults/ufw and reload ufw. Once IPv6 is enabled, you mayspecify
rules in the same way as for IPv4 rules, and they will bedisplayed
with ufw status. Rules that match both IPv4 and IPv6 addressesapply to
both IP versions. For example, when IPv6 is enabled, the followingrule
will allow access to port 22 for both IPv4 and IPv6 traffic:
ufw allow 22
IPv6 over IPv4 tunnels and 6to4 are supported by using the'ipv6' pro‐
tocol ('41'). This protocol can only be used withthe full syntax. For
example:
ufw allow to 10.0.0.1 proto ipv6
ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ipv6
IPSec is supported by using the 'esp' ('50') and 'ah' ('51')protocols.
These protocols can only be used with the full syntax. Forexample:
ufw allow to 10.0.0.1 proto esp
ufw allow to 10.0.0.1 from 10.4.0.0/16 proto esp
ufw allow to 10.0.0.1 proto ah
ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ah
In addition to the command-lineinterface, ufw also provides a frame‐
work which allows administrators to take fulladvantage of netfilter.
See the ufw-framework manual page for more information.
SEE ALSO
ufw-framework, iptables(8), ip6tables(8), iptables-restore(8),
ip6tables-restore(8), sysctl(8), sysctl.conf(5)
AUTHOR
ufw is Copyright 2008-2009, Canonical Ltd.
ufw and this manual page was originally written by Jamie Strandboge
<jamie@canonical.com>
August2009 UFW:(8)
- unbntn防火墙ufw的说明页
- Ubuntu的防火墙UFW
- 使用ufw的简单防火墙
- ubuntu ufw 防火墙的设置
- Ubuntu的防火墙配置-ufw-iptables
- linux下防火墙的简单设置 ufw
- Ubuntu的防火墙配置-ufw-iptables
- ufw 防火墙的配置及其开启
- ubuntu中自带的ufw防火墙
- Ubuntu的防火墙配置-ufw-iptables
- UFW防火墙简单设置
- ubuntu ufw防火墙
- ubuntu ufw防火墙
- Ubuntu防火墙 - Ufw
- Ubuntu防火墙ufw
- Ubuntu防火墙ufw
- Ubuntu UFW 防火墙
- Ubuntu防火墙 UFW 设置
- 为什么JBossAS7 这么快
- ubuntu怎么关闭防火墙?
- Proxy Support HOW-TO
- C++Primer学习笔记(6)
- 输入日志标题
- unbntn防火墙ufw的说明页
- ufw ubuntu防火墙简单设置
- 网页自动跳转代码html
- 推荐的 PHP 读物列表
- IBM网站的Python学习资料
- Apache推出HTTP服务器2.4版
- linux apache反向代理 tomcat
- Apache负载均衡+Tomcat集群
- 使用Apache反向代理tomcat