{"id":4086,"date":"2023-04-23T18:04:50","date_gmt":"2023-04-23T10:04:50","guid":{"rendered":"https:\/\/www.fatesky.com\/?p=4086"},"modified":"2024-03-19T21:58:57","modified_gmt":"2024-03-19T13:58:57","slug":"%e7%ae%80%e5%8d%95%e8%80%8c%e5%bc%ba%e5%a4%a7%ef%bc%9a-ufw-%e9%98%b2%e7%81%ab%e5%a2%99","status":"publish","type":"post","link":"https:\/\/www.fatesky.com\/?p=4086","title":{"rendered":"\u7b80\u5355\u800c\u5f3a\u5927\uff1a UFW \u9632\u706b\u5899"},"content":{"rendered":"\n

\u5173\u4e8eufw<\/h3>\n\n\n\n

ufw\uff08Uncomplicated Firewall\uff09\u662f\u4e00\u4e2a\u7b80\u5316\u7684\u3001\u6613\u4e8e\u4f7f\u7528\u7684Linux\u9632\u706b\u5899\u5de5\u5177\uff0c\u65e8\u5728\u65b9\u4fbf\u7528\u6237\u7ba1\u7406iptables\u9632\u706b\u5899\u89c4\u5219\u3002\u5b83\u4e3a\u7528\u6237\u63d0\u4f9b\u4e86\u4e00\u4e2a\u76f4\u89c2\u4e14\u6613\u4e8e\u7406\u89e3\u7684\u547d\u4ee4\u884c\u754c\u9762\uff0c\u4f7f\u5f97\u914d\u7f6e\u9632\u706b\u5899\u89c4\u5219\u53d8\u5f97\u66f4\u52a0\u7b80\u5355\u3002<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

ufw\u7684\u4e00\u4e9b\u4e3b\u8981\u7279\u70b9\u548c\u529f\u80fd\uff1a<\/strong><\/p>\n\n\n\n

    \n
  1. \u7b80\u5316\u7684\u9632\u706b\u5899\u7ba1\u7406<\/strong>\uff1aufw\u63d0\u4f9b\u4e86\u4e00\u4e2a\u7b80\u6d01\u7684\u547d\u4ee4\u884c\u754c\u9762\uff0c\u8ba9\u60a8\u80fd\u591f\u8f7b\u677e\u5730\u6dfb\u52a0\u3001\u5220\u9664\u548c\u4fee\u6539\u9632\u706b\u5899\u89c4\u5219\u3002<\/li>\n\n\n\n
  2. \u57fa\u4e8eiptables<\/strong>\uff1aufw\u662f\u57fa\u4e8eiptables\u7684\uff0c\u56e0\u6b64\u5b83\u4e0eLinux\u5185\u6838\u4e2d\u73b0\u6709\u7684\u9632\u706b\u5899\u6280\u672f\u517c\u5bb9\u3002\u5b83\u5b9e\u9645\u4e0a\u662fiptables\u7684\u4e00\u4e2a\u53cb\u597d\u7684\u524d\u7aef\u3002<\/li>\n\n\n\n
  3. \u5141\u8bb8\u548c\u62d2\u7edd\u89c4\u5219<\/strong>\uff1a\u60a8\u53ef\u4ee5\u4f7f\u7528ufw\u521b\u5efa\u5141\u8bb8\u548c\u62d2\u7edd\u89c4\u5219\uff0c\u4ee5\u63a7\u5236\u5165\u7ad9\u548c\u51fa\u7ad9\u6d41\u91cf\u3002\u8fd9\u8ba9\u60a8\u53ef\u4ee5\u7cbe\u786e\u5730\u63a7\u5236\u5141\u8bb8\u54ea\u4e9b\u8fde\u63a5\u8fdb\u5165\u6216\u79bb\u5f00\u60a8\u7684\u7cfb\u7edf\u3002<\/li>\n\n\n\n
  4. \u653e\u884c\u7279\u5b9a\u7aef\u53e3\u3001\u534f\u8bae\u548cIP<\/strong>\uff1aufw\u5141\u8bb8\u60a8\u653e\u884c\u7279\u5b9a\u7aef\u53e3\u3001\u534f\u8bae\uff08TCP\u6216UDP\uff09\u4ee5\u53ca\u7279\u5b9a\u6765\u6e90\u6216\u76ee\u6807IP\u5730\u5740\u7684\u8fde\u63a5\u3002<\/li>\n\n\n\n
  5. \u9650\u5236\u7279\u5b9aIP\u8bbf\u95ee<\/strong>\uff1a\u60a8\u53ef\u4ee5\u4f7f\u7528ufw\u9650\u5236\u7279\u5b9aIP\u5730\u5740\u8bbf\u95ee\u60a8\u7684\u7cfb\u7edf\u4e0a\u7684\u7279\u5b9a\u7aef\u53e3\u3002<\/li>\n\n\n\n
  6. \u65e5\u5fd7\u8bb0\u5f55<\/strong>\uff1aufw\u53ef\u4ee5\u8bb0\u5f55\u9632\u706b\u5899\u6d3b\u52a8\uff0c\u8fd9\u5bf9\u4e8e\u76d1\u89c6\u60a8\u7684\u7cfb\u7edf\u5b89\u5168\u548c\u89e3\u51b3\u7f51\u7edc\u95ee\u9898\u975e\u5e38\u6709\u7528\u3002<\/li>\n\n\n\n
  7. \u6613\u4e8e\u542f\u7528\u548c\u7981\u7528<\/strong>\uff1aufw\u53ef\u4ee5\u8f7b\u677e\u542f\u7528\u548c\u7981\u7528\uff0c\u8ba9\u60a8\u5728\u9700\u8981\u65f6\u53ef\u4ee5\u8fc5\u901f\u542f\u7528\u9632\u706b\u5899\uff0c\u6216\u5728\u8fdb\u884c\u7cfb\u7edf\u7ef4\u62a4\u65f6\u6682\u65f6\u5173\u95ed\u9632\u706b\u5899\u3002<\/li>\n<\/ol>\n\n\n\n

    \u5b89\u88c5ufw<\/h3>\n\n\n\n

    \u5728 Debian\u3001Ubuntu \u6216\u5176\u884d\u751f\u7248\u672c\u4e0a\uff0c\u6253\u5f00\u7ec8\u7aef\u5e76\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u5b89\u88c5\uff1a<\/p>\n\n\n\n

    # \u5b89\u88c5ufw<\/em>\nsudo apt-get update\nsudo apt-get install ufw<\/code><\/pre>\n\n\n\n
    \u7136\u540e\u542f\u52a8ufw<\/code>:<\/p>\n\n\n\n
    # \u542f\u52a8ufw<\/em>\nsudo ufw enable\n# \u8bbe\u7f6e\u4e3a\u5f00\u673a\u81ea\u542f<\/em>\nsudo systemctl enable ufw<\/code><\/pre>\n\n\n\n
    \u6267\u884csudo ufw status<\/code>\u67e5\u770b\u5f53\u524d\u72b6\u6001\uff0c\u901a\u5e38\u67093\u79cd\u72b6\u6001\uff1a<\/p>\n\n\n\n
      \n
    • Status: inactive\uff08\u672a\u542f\u7528\uff09\uff1a\u8868\u793a UFW \u6ca1\u6709\u542f\u7528\uff0c\u9632\u706b\u5899\u5904\u4e8e\u5173\u95ed\u72b6\u6001\u3002<\/li>\n\n\n\n
    • Status: active\uff08\u5df2\u542f\u7528\uff09\uff1a\u8868\u793a UFW \u5df2\u7ecf\u542f\u7528\uff0c\u5e76\u4e14\u9632\u706b\u5899\u89c4\u5219\u6b63\u5728\u5e94\u7528\u4e8e\u7cfb\u7edf\u3002<\/li>\n\n\n\n
    • Status: inactive (dead)\uff08\u672a\u542f\u7528\u4e14\u672a\u8fd0\u884c\uff09\uff1a\u8868\u793a UFW \u5df2\u88ab\u7981\u7528\uff0c\u5e76\u4e14\u9632\u706b\u5899\u672a\u5728\u7cfb\u7edf\u4e2d\u8fd0\u884c\u3002<\/li>\n<\/ul>\n\n\n\n
      ufw\u653e\u884c\u7aef\u53e3<\/h3>\n\n\n\n
      ufw<\/code>\u7684\u547d\u4ee4\u6bd4firewalld<\/code>\u7b80\u6d01\u8bb8\u591a\uff0c\u6bd4\u5982\u4f60\u60f3\u653e\u884c\u5355\u4e2a\u7aef\u53e3\uff0c\u53ea\u9700\u8981\u6267\u884c\uff1a<\/strong><\/p>\n\n\n\n
      # \u5c06 <port> \u66ff\u6362\u4e3a\u4f60\u8981\u653e\u884c\u7684\u5177\u4f53\u7aef\u53e3\u53f7\u3002\u4f8b\u5982\uff0c\u8981\u653e\u884c TCP \u7aef\u53e3 80\uff0c\u53ef\u4ee5\u6267\u884c sudo ufw allow 80\u3002<\/em>\nsudo ufw allow <port><\/code><\/pre>\n\n\n\n
      \u5982\u679c\u9700\u8981\u653e\u884c\u7279\u5b9a\u534f\u8bae\u7684\u7aef\u53e3\uff0c\u6211\u4eec\u9700\u8981\u52a0\u4e0a\u534f\u8bae\uff1a<\/strong><\/p>\n\n\n\n
      # \u5c06 <port> \u66ff\u6362\u4e3a\u7aef\u53e3\u53f7\uff0c<protocol> \u66ff\u6362\u4e3a\u534f\u8bae\u7c7b\u578b\uff08\u5982 tcp\u3001udp\uff09\u3002\u4f8b\u5982\uff0c\u8981\u653e\u884c UDP \u7aef\u53e3 53\uff0c\u53ef\u4ee5\u6267\u884c sudo ufw allow 53\/udp\u3002<\/em>\nsudo ufw allow <port>\/<protocol><\/code><\/pre>\n\n\n\n
      \u653e\u884c\u4e00\u4e2a\u7aef\u53e3\u8303\u56f4\uff1a<\/strong><\/p>\n\n\n\n
      sudo ufw allow <start-port>:<end-port>\/<protocol><\/code><\/pre>\n\n\n\n
      \u5c06 <start-port><\/code> \u66ff\u6362\u4e3a\u8d77\u59cb\u7aef\u53e3\u53f7\uff0c<end-port><\/code> \u66ff\u6362\u4e3a\u7ed3\u675f\u7aef\u53e3\u53f7,<protocol><\/code>\u4e3a\u534f\u8bae\u3002\u4f8b\u5982\uff0c\u8981\u653e\u884c TCP \u7aef\u53e3\u8303\u56f4 8000 \u5230 9000\uff0c\u53ef\u4ee5\u6267\u884csudo ufw allow 8000:9000\/tcp<\/code><\/p>\n\n\n\n
      ufw\u5220\u9664\u5df2\u7ecf\u653e\u884c\u7684\u89c4\u5219\u6216\u7aef\u53e3<\/h3>\n\n\n\n
      \u8981\u5728ufw\uff08Uncomplicated Firewall\uff09\u4e2d\u5220\u9664\u5df2\u6dfb\u52a0\u7684\u89c4\u5219\uff0c\u60a8\u53ef\u4ee5\u901a\u8fc7\u89c4\u5219\u53f7\u6216\u8005\u5177\u4f53\u7684\u653e\u884c\u6761\u4ef6\u6765\u5220\u9664\u3002\u4ee5\u4e0b\u662f\u4e24\u79cd\u65b9\u6cd5\uff1a<\/p>\n\n\n\n
      \u65b9\u6cd51\uff1a\u901a\u8fc7\u89c4\u5219\u53f7\u5220\u9664<\/strong><\/p>\n\n\n\n
      \u9996\u5148\uff0c\u8fd0\u884c\u4ee5\u4e0b\u547d\u4ee4\u4ee5\u67e5\u770b\u5f53\u524dufw\u7684\u72b6\u6001\u548c\u73b0\u6709\u89c4\u5219\uff1a<\/p>\n\n\n\n
      sudo ufw status numbered<\/code><\/pre>\n\n\n\n
      \u8fd9\u5c06\u663e\u793a\u5e26\u6709\u7f16\u53f7\u7684\u89c4\u5219\u5217\u8868\u3002<\/p>\n\n\n\n
      \u786e\u5b9a\u60a8\u8981\u5220\u9664\u7684\u89c4\u5219\u7684\u7f16\u53f7\uff0c\u7136\u540e\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5220\u9664\u5b83\uff0c\u5c06[rule_number]<\/code>\u66ff\u6362\u4e3a\u5b9e\u9645\u7684\u89c4\u5219\u7f16\u53f7\uff1a<\/p>\n\n\n\n
      sudo ufw delete [rule_number]<\/code><\/pre>\n\n\n\n
      \u4f8b\u5982\uff0c\u8981\u5220\u9664\u7f16\u53f7\u4e3a1\u7684\u89c4\u5219\uff0c\u8fd0\u884c\uff1a<\/p>\n\n\n\n
      sudo ufw delete 1<\/code><\/pre>\n\n\n\n
      \u65b9\u6cd52\uff1a\u901a\u8fc7\u653e\u884c\u6761\u4ef6\u5220\u9664<\/strong><\/p>\n\n\n\n
      \u60a8\u8fd8\u53ef\u4ee5\u901a\u8fc7\u6307\u5b9a\u653e\u884c\u6761\u4ef6\uff08\u4f8b\u5982\u7aef\u53e3\u548c\u534f\u8bae\uff09\u6765\u5220\u9664\u89c4\u5219\u3002\u4f8b\u5982\uff0c\u8981\u5220\u9664\u5141\u8bb8TCP\u7aef\u53e380\u7684\u89c4\u5219\uff0c\u60a8\u53ef\u4ee5\u8fd0\u884c\uff1a<\/p>\n\n\n\n
      sudo ufw delete allow 80\/tcp<\/code><\/pre>\n\n\n\n
      \u6216\u8005\uff0c\u5982\u679c\u8981\u5220\u9664\u5141\u8bb8UDP\u7aef\u53e35000\u7684\u89c4\u5219\uff0c\u60a8\u53ef\u4ee5\u8fd0\u884c\uff1a<\/p>\n\n\n\n
      sudo ufw delete allow 5000\/udp<\/code><\/pre>\n\n\n\n
      \u5220\u9664\u89c4\u5219\u540e\uff0c\u518d\u6b21\u8fd0\u884csudo ufw status<\/code>\u4ee5\u786e\u8ba4\u6240\u9009\u89c4\u5219\u5df2\u4eceufw\u4e2d\u5220\u9664\u3002<\/p>\n\n\n\n
      \u963b\u6b62\u67d0\u4e2a\u7279\u5b9a\u7684IP<\/h3>\n\n\n\n
      \u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u963b\u6b62\u6765\u81ea\u7279\u5b9aIP\uff08\u4f8b\u5982123.57.22.204\uff09\u7684\u8fde\u63a5\uff1a<\/p>\n\n\n\n
      sudo ufw deny from 123.57.22.204<\/code><\/pre>\n\n\n\n
      \u5141\u8bb8\u7279\u5b9aIP\u8bbf\u95ee\u7279\u5b9a\u7aef\u53e3<\/h3>\n\n\n\n
      \u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5141\u8bb8\u7279\u5b9aIP\u8bbf\u95ee\u7279\u5b9a\u7aef\u53e3\u3002\u5c06[ip_address]<\/code>\u66ff\u6362\u4e3a\u8981\u5141\u8bb8\u7684\u5b9e\u9645IP\u5730\u5740\uff0c\u5c06[port_number]<\/code>\u66ff\u6362\u4e3a\u8981\u5141\u8bb8\u8bbf\u95ee\u7684\u5b9e\u9645\u7aef\u53e3\u53f7\uff0c\u5c06[protocol]<\/code>\u66ff\u6362\u4e3atcp<\/code>\u6216udp<\/code>\uff0c\u5177\u4f53\u53d6\u51b3\u4e8e\u60a8\u8981\u653e\u884c\u7684\u534f\u8bae\uff1a<\/p>\n\n\n\n
      sudo ufw allow from [ip_address] to any port [port_number]\/[protocol]<\/code><\/pre>\n\n\n\n
      \u4f8b\u5982\uff0c\u8981\u5141\u8bb8IP\u5730\u5740192.168.1.10<\/code>\u8bbf\u95eeTCP\u7aef\u53e322<\/code>\uff0c\u60a8\u53ef\u4ee5\u8fd0\u884c\uff1a<\/p>\n\n\n\n
      sudo ufw allow from 192.168.1.10 to any port 22\/tcp<\/code><\/pre>\n\n\n\n
      \u7ed3\u8bed<\/h3>\n\n\n\n
      ufw\u662f\u4e00\u4e2a\u6613\u4e8e\u4f7f\u7528\u4e14\u529f\u80fd\u5f3a\u5927\u7684\u9632\u706b\u5899\u7ba1\u7406\u5de5\u5177\uff0c\u5b83\u4f7f\u5f97\u5728Linux\u7cfb\u7edf\u4e0a\u914d\u7f6e\u9632\u706b\u5899\u89c4\u5219\u53d8\u5f97\u66f4\u52a0\u7b80\u5355\u3002\u65e0\u8bba\u60a8\u662fLinux\u65b0\u624b\u8fd8\u662f\u6709\u7ecf\u9a8c\u7684\u7ba1\u7406\u5458\uff0cufw\u90fd\u662f\u4e00\u4e2a\u503c\u5f97\u5c1d\u8bd5\u7684\u5de5\u5177\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
      \u5173\u4e8eufw ufw\uff08Uncomplicated Firewall\uff09\u662f\u4e00\u4e2a\u7b80\u5316\u7684\u3001\u6613\u4e8e\u4f7f\u7528\u7684Linux\u9632\u706b\u5899\u5de5\u5177 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[35,122],"class_list":["post-4086","post","type-post","status-publish","format-standard","hentry","category-2","tag-linux","tag-122"],"_links":{"self":[{"href":"https:\/\/www.fatesky.com\/index.php?rest_route=\/wp\/v2\/posts\/4086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.fatesky.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fatesky.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fatesky.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fatesky.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4086"}],"version-history":[{"count":1,"href":"https:\/\/www.fatesky.com\/index.php?rest_route=\/wp\/v2\/posts\/4086\/revisions"}],"predecessor-version":[{"id":4088,"href":"https:\/\/www.fatesky.com\/index.php?rest_route=\/wp\/v2\/posts\/4086\/revisions\/4088"}],"wp:attachment":[{"href":"https:\/\/www.fatesky.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fatesky.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fatesky.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}