Subject: ufw - program for managing a netfilter firewall
Posted on: 2008-11-11 10:12

Netkiller Linux Handbook
Debian/Ubuntu Cookbook
Neo Chan



Longhua Town, Bao'an District, Shenzhen, Guangdong, China
518109
+86 755 29812080
+86 755 29812080
<openunix@163.com>
Document source:
http://netkiller.8800.org/
http://netkiller.hikz.com/
http://netkiller.mefound.com

Copyright © 2006, 2007, 2008 Netkiller (Neo Chan). All rights reserved.

Copyright notice

You may reproduce this document freely; please contact the author before reproducing it, and always include the original source, the author information and this notice.

This document was last updated on Fri Nov 7 09:03:48 UTC 2008



Chapter 18. Firewall

ufw - program for managing a netfilter firewall

1. Installation

sudo apt-get install ufw
2. Enable | Disable

sudo ufw enable | disable

neo@master:~$ sudo ufw enable
Firewall started and enabled on system startup


3. Default Rule

sudo ufw default deny

sudo ufw default allow

neo@master:~$ sudo ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)


4. Rule Allow|Deny

sudo ufw allow|deny [service]

Open or close a port, for example:

sudo ufw allow smtp                  allow any external IP to reach port 25/tcp (smtp) on this host
sudo ufw allow 22/tcp                allow any external IP to reach port 22/tcp (ssh) on this host
sudo ufw allow 53                    allow external access to port 53 (tcp and udp)
sudo ufw allow from 172.16.1.100     allow this IP to reach every port on this host
sudo ufw allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53
                                     allow udp from 192.168.0.1 port 53 to 192.168.0.2 port 53
sudo ufw deny smtp                   deny external access to the smtp service
sudo ufw delete allow smtp           delete a rule created above

UFW usage examples:

Allow port 53

$ sudo ufw allow 53

Disable port 53 (delete the allow rule)

$ sudo ufw delete allow 53

Allow port 80

$ sudo ufw allow 80/tcp

Disable port 80 (delete the allow rule)

$ sudo ufw delete allow 80/tcp

Allow the smtp port

$ sudo ufw allow smtp

Delete the permission for the smtp port

$ sudo ufw delete allow smtp

Allow a specific IP

$ sudo ufw allow from 192.168.254.254

Delete the rule above

$ sudo ufw delete allow from 192.168.254.254

$ sudo ufw allow ssh
$ sudo ufw allow www
$ sudo ufw allow smtp

neo@master:~$ sudo ufw allow ssh
Rule added


5. Status

sudo ufw status

neo@master:~$ sudo ufw allow www
Rule added
neo@master:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
25:tcp ALLOW Anywhere
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere


6. Rule Delete

sudo ufw delete allow|deny RULE

neo@master:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
25:tcp ALLOW Anywhere
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere

neo@master:~$ sudo ufw delete allow smtp
Rule deleted
neo@master:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere



7. Logging

sudo ufw logging on|off

neo@master:~$ sudo ufw logging ON
Logging enabled


8. iptables

neo@master:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere

Chain ufw-after-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK FORWARD]: '
RETURN all -- anywhere anywhere

Chain ufw-after-input (1 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp dpt:netbios-ns
RETURN udp -- anywhere anywhere udp dpt:netbios-dgm
RETURN tcp -- anywhere anywhere tcp dpt:netbios-ssn
RETURN tcp -- anywhere anywhere tcp dpt:microsoft-ds
RETURN udp -- anywhere anywhere udp dpt:bootps
RETURN udp -- anywhere anywhere udp dpt:bootpc
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK INPUT]: '
RETURN all -- anywhere anywhere

Chain ufw-after-output (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- base-address.mcast.net/4 anywhere
ACCEPT all -- anywhere base-address.mcast.net/4
ufw-user-input all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK NOT-TO-ME]: '
DROP all -- anywhere anywhere

Chain ufw-user-forward (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp dpt:www
RETURN all -- anywhere anywhere

Chain ufw-user-output (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
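With logging enabled (section 7), the LOG targets in the chains above write rate-limited kernel messages prefixed `[UFW BLOCK INPUT]: `, `[UFW BLOCK FORWARD]: ` and `[UFW BLOCK NOT-TO-ME]: `. The script below is an added example, not part of the original handbook: it pulls the blocked inbound packets out of a kern.log excerpt and ranks the sources that hit closed ports, which is the quickest way to see who is probing a default-deny host. The log lines are constructed samples in the standard netfilter LOG field format (SRC=, DST=, PROTO=, SPT=, DPT=).

```shell
#!/bin/sh
# Constructed sample kern.log excerpt: four netfilter LOG lines with the ufw
# prefixes shown in the chains above, plus one unrelated sshd line to ignore.
UFW_LOG_SAMPLE='Nov 11 10:12:01 master kernel: [UFW BLOCK INPUT]: IN=eth0 OUT= SRC=172.16.1.200 DST=172.16.1.10 LEN=60 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Nov 11 10:12:02 master kernel: [UFW BLOCK INPUT]: IN=eth0 OUT= SRC=172.16.1.200 DST=172.16.1.10 LEN=60 PROTO=TCP SPT=40002 DPT=3306 SYN URGP=0
Nov 11 10:12:03 master kernel: [UFW BLOCK INPUT]: IN=eth0 OUT= SRC=10.9.8.7 DST=172.16.1.10 LEN=78 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Nov 11 10:12:04 master kernel: [UFW BLOCK NOT-TO-ME]: IN=eth0 OUT= SRC=172.16.1.55 DST=172.16.1.255 LEN=229 PROTO=UDP SPT=138 DPT=138 LEN=209
Nov 11 10:12:05 master sshd[1234]: Accepted publickey for neo from 172.16.1.100 port 50000 ssh2'

# blocked_inputs LOGTEXT
# Keeps only "[UFW BLOCK INPUT]" lines (inbound packets that reached the end
# of ufw-after-input, i.e. the default deny) and prints "SRC DPT PROTO".
blocked_inputs() {
    printf '%s\n' "$1" | awk '
        /\[UFW BLOCK INPUT\]:/ {
            src = dpt = proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            print src, dpt, proto
        }'
}

# blocked_count_by_source LOGTEXT -> "count source" lines, busiest first
blocked_count_by_source() {
    blocked_inputs "$1" | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# top_blocked_source LOGTEXT -> the source with the most blocked packets
top_blocked_source() {
    blocked_count_by_source "$1" | head -n 1 | awk '{ print $2 }'
}

# blocked_ports_from LOGTEXT SRC -> space-separated "dpt/proto" list for SRC
blocked_ports_from() {
    blocked_inputs "$1" | awk -v s="$2" \
        '$1 == s { printf "%s%s/%s", sep, $2, tolower($3); sep = " " } END { print "" }'
}

# On the sample, 172.16.1.200 tops the list after hitting 23/tcp and 3306/tcp.
blocked_count_by_source "$UFW_LOG_SAMPLE"
```

On a live host feed it the real log, for example `blocked_count_by_source "$(sudo cat /var/log/kern.log)"`.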



DHCP

neo@netkiller:~$ sudo ufw allow 67/udp
Rules updated
neo@netkiller:~$ sudo ufw allow 68/udp
Rules updated


Samba

neo@netkiller:~$ sudo ufw allow 137/tcp
Rule added
neo@netkiller:~$ sudo ufw allow 445/tcp
Rule added
neo@netkiller:~$ sudo ufw allow 138/udp
Rule added
neo@netkiller:~$ sudo ufw allow 139/udp
Rule added

Note: the ufw-after-input chain in section 8 shows the protocols Samba actually uses, netbios-ns (137) and netbios-dgm (138) over udp, netbios-ssn (139) and microsoft-ds (445) over tcp; the rules above open 137/tcp and 139/udp, which Samba does not listen on, so the matching rules are allow 137/udp, 138/udp, 139/tcp and 445/tcp.

