Security

Linux UFW

Working with the Command

The fundamental UFW command structure looks like this:
ufw [--dry-run] [options] [rule syntax]
Notice the --dry-run option. When you pass this argument, UFW makes no changes at all; instead, the output shows you what the command would have changed, so you can check a rule before it goes live.
As for working with the command, UFW can be used in two ways:
Simple syntax: Specifies a port and (optionally) the protocol
Full syntax: Specifies source, destination, port, and (optionally) the protocol
Let’s look at the simple syntax first. Say, for example, you want to allow traffic on port 22 (SSH). To do this with UFW, you’d run a command like:
sudo ufw allow 22
NOTE: I added sudo to the command because you must have admin privileges to run ufw. If you’re using a distribution that doesn’t take advantage of sudo, you’d first have to su to root and then run the same command (minus sudo).
Conversely, say you want to prevent traffic on port 22. To do this, the command would look like:
sudo ufw deny 22
Should you want to add a protocol to this, the command would look like:
sudo ufw deny 22/tcp
What happens if you don’t know the port number for a service? The developers have taken that into consideration: UFW looks up service names in /etc/services, so you can define a rule using a service name instead of a port number. To allow SSH traffic, that command would look like:
sudo ufw allow ssh
Pretty simple, right? You can also add a protocol to the above command, in the same way you did when defining a rule by port number:
sudo ufw allow ssh/tcp
Of the available arguments, the ones you’ll use the most with the ufw command are:
allow
deny
reject
limit
status: displays if the firewall is active or inactive
show: displays the current running rules on your firewall
reset: disables and resets the firewall to default
reload: reloads the current running firewall
disable: disables the firewall
If you want to use the fuller syntax, you can define a source and a destination for a rule. Say, for example, you have discovered an IP address that has been attempting to get into your machine (for whatever reason) through port 25 (SMTP). Let’s say that address is 192.168.2.100 (even though it’s an internal address) and your machine’s address is 192.168.2.101. To block that single address from reaching port 25 on your machine, you could create the rule like so:
sudo ufw deny from 192.168.2.100 to 192.168.2.101 port 25
Let’s look at the limit option. If you have reason to suspect that someone is attempting a denial of service attack on your machine via port 80, you can rate-limit connections to that port with UFW, like so:
sudo ufw limit 80/tcp
By default, the connection will be blocked after six attempts in a 30-second period.
You might also need to allow outgoing traffic on a certain port but deny incoming traffic on the same port. To do this, you use the directional arguments in and out. To allow outgoing traffic on port 25 (SMTP), issue the command:
sudo ufw allow out on eth0 to any port 25 proto tcp
You could then add the next rule to block incoming traffic on the same interface and port:
sudo ufw deny in on eth0 to any port 25 proto tcp
You can now also run the following command to see the status of your Uncomplicated Firewall:
sudo ufw status
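The rules discussed above, collected into one ordered baseline script. This is an added example, not part of the original page: UFW_CMD, BAD_HOST, MY_HOST and IFACE are assumed variables, and render_baseline prints the rule list for review without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the original page). Applies the page's rules as one
# baseline in a deliberate order. UFW_CMD is an assumed hook: the default runs
# ufw with --dry-run so nothing changes until you drop that flag.
set -eu

UFW_CMD="${UFW_CMD:-sudo ufw --dry-run}"
BAD_HOST="${BAD_HOST:-192.168.2.100}"   # sample values taken from the page's scenario
MY_HOST="${MY_HOST:-192.168.2.101}"
IFACE="${IFACE:-eth0}"

apply_baseline() {
    # Closed-by-default posture: nothing in unless a rule allows it, everything out.
    $UFW_CMD default deny incoming
    $UFW_CMD default allow outgoing
    # Rules are matched top-down and the first match wins, so the host-specific
    # deny goes before any broad allow that could otherwise shadow it.
    $UFW_CMD deny from "$BAD_HOST" to "$MY_HOST" port 25 proto tcp
    # Rate-limit SSH instead of a plain allow (6 attempts in 30 s from one IP are blocked).
    $UFW_CMD limit 22/tcp
    # Outbound SMTP is allowed; inbound SMTP on the same interface is denied.
    $UFW_CMD allow out on "$IFACE" to any port 25 proto tcp
    $UFW_CMD deny in on "$IFACE" to any port 25 proto tcp
}

# Print the rule list as plain text for review, without running ufw at all.
render_baseline() {
    ( UFW_CMD=echo; apply_baseline )
}

# Run as "sh baseline.sh apply" to execute; with no argument it only prints the rules.
if [ "${1:-}" = "apply" ]; then
    apply_baseline
else
    render_baseline
fi
```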
