Linux's native firewall tool, iptables, is cumbersome to use, so Ubuntu ships by default with ufw, a firewall front end built on top of iptables. ufw can also be driven from a graphical interface, and simply running the ufw command on the command line shows the full set of available operations. Below, Tianxia Data (天下數據), a provider of overseas servers in Hong Kong, the United States, Korea and elsewhere, walks through the common commands for enabling, disabling and otherwise managing the Ubuntu firewall.
sudo ufw enable
sudo ufw default deny

After running these two commands the firewall is enabled and will also start automatically at boot. All inbound access from outside to this host is blocked, while access from this host to the outside continues to work normally.
sudo ufw allow|deny [service]

sudo ufw allow smtp                  # allow any external IP to reach local port 25/tcp (smtp)
sudo ufw allow 22/tcp                # allow any external IP to reach local port 22/tcp (ssh)
sudo ufw allow 53                    # allow external access to port 53 (tcp and udp)
sudo ufw allow from 192.168.1.100    # allow this IP to reach every local port
sudo ufw allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53   # udp port 53 from one host to another
sudo ufw deny smtp                   # deny external access to the smtp service
sudo ufw delete allow smtp           # delete the rule created above
sudo ufw status
sudo ufw allow from xxx.xxx.xx.xxx
sudo ufw delete allow smtp
The [--dry-run] option only shows what the command would do, without actually applying it.
ufw [--dry-run] enable|disable|reload
ufw [--dry-run] default allow|deny|reject [incoming|outgoing|routed]
ufw [--dry-run] logging on|off|LEVEL
ufw [--dry-run] reset
ufw [--dry-run] status [verbose|numbered]
ufw [--dry-run] show REPORT
ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out] [log|log-all] PORT[/PROTOCOL]
ufw [--dry-run] [rule] [delete] [insert NUM] allow|deny|reject|limit [in|out [on INTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT]] [to ADDRESS [port PORT]]
ufw [--dry-run] route [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT]] [to ADDRESS [port PORT]]
ufw [--dry-run] delete NUM
ufw [--dry-run] app list|info|default|update
--version
    show program's version number and exit
-h, --help
    show help message and exit
--dry-run
    don't modify anything, just show the changes
enable
    reloads firewall and enables firewall on boot.
disable
    unloads firewall and disables firewall on boot
reload
    reloads firewall
default allow|deny|reject DIRECTION
    change the default policy for traffic going DIRECTION, where DIRECTION is one of incoming, outgoing or routed. Note that existing rules will have to be migrated manually when changing the default policy. See RULE SYNTAX for more on deny and reject.
logging on|off|LEVEL
    toggle logging. Logged packets use the LOG_KERN syslog facility. Systems configured for rsyslog support may also log to /var/log/ufw.log. Specifying a LEVEL turns logging on for the specified LEVEL. The default log level is 'low'. See LOGGING for details.
reset
    Disables and resets firewall to installation defaults. Can also give the --force option to perform the reset without confirmation.
status
    show status of firewall and ufw managed rules. Use status verbose for extra information. In the status output, 'Anywhere' is synonymous with 'any' and '0.0.0.0/0'. Note that when using status, there is a subtle difference when reporting interfaces. For example, if the following rules are added:
ufw allow in on eth0 from 192.168.0.0/16
ufw allow out on eth1 to 10.0.0.0/8
ufw route allow in on eth0 out on eth1 to 10.0.0.0/8 from 192.168.0.0/16

ufw status will output:

To                      Action      From
--                      ------      ----
Anywhere on eth0        ALLOW       192.168.0.0/16
10.0.0.0/8              ALLOW OUT   Anywhere on eth1
10.0.0.0/8 on eth1      ALLOW FWD   192.168.0.0/16 on eth0

For the input and output rules, the interface is reported relative to the firewall system as an endpoint, whereas with route rules, the interface is reported relative to the direction packets flow through the firewall.

show REPORT
    display information about the running firewall. See REPORTS
allow ARGS
    add allow rule. See RULE SYNTAX
deny ARGS
    add deny rule. See RULE SYNTAX
reject ARGS
    add reject rule. See RULE SYNTAX
limit ARGS
    add limit rule. Currently only IPv4 is supported. See RULE SYNTAX
delete RULE|NUM
    deletes the corresponding RULE
insert NUM RULE
    insert the corresponding RULE as rule number NUM
Users can specify rules using either a simple syntax or a full syntax. The simple syntax only specifies the port and optionally the protocol to be allowed or denied on the host. For example:

ufw allow 53

This rule will allow tcp and udp port 53 to any address on this host (a single physical interface may carry one or more IP addresses). To specify a protocol, append '/protocol' to the port. For example:

ufw allow 25/tcp

This will allow tcp port 25 to any address on this host. ufw will also check /etc/services for the port and protocol if specifying a service by name. Eg:

ufw allow smtp
ufw supports both ingress and egress filtering and users may optionally specify a direction of either in or out for either incoming or outgoing traffic. If no direction is supplied, the rule applies to incoming traffic. Eg:
ufw allow in http
ufw reject out smtp
Users can also use a fuller syntax, specifying the source and destination addresses and ports. This syntax is loosely based on OpenBSD's PF syntax. For example:

ufw deny proto tcp to any port 80

This will deny all traffic to tcp port 80 on this host. Another example:

ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25

This will deny all traffic from the RFC1918 Class A network (10.0.0.0-10.255.255.255) to tcp port 25 with the address 192.168.0.1.

ufw deny proto tcp from 2001:db8::/32 to any port 25

This will deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host. IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.

ufw allow proto tcp from any to any port 80,443,8080:8090

The above will allow all traffic to tcp ports 80, 443 and 8080-8090 inclusive. When specifying multiple ports, the ports list must be numeric, cannot contain spaces and must be modified as a whole. Eg, in the above example you cannot later try to delete just the '443' port. You cannot specify more than 15 ports (ranges count as 2 ports, so the port count in the above example is 4).

Rules for traffic not destined for the host itself but instead for traffic that should be routed/forwarded through the firewall should specify the route keyword before the rule (routing rules differ significantly from PF syntax and instead take into account netfilter FORWARD chain conventions). For example:

ufw route allow in on eth1 out on eth2

This will allow all traffic routed to eth2 and coming in on eth1 to traverse the firewall.

ufw route allow in on eth0 out on eth1 to 12.34.45.67 port 80 proto tcp

This rule allows any packets coming in on eth0 to traverse the firewall out on eth1 to tcp port 80 on 12.34.45.67.

In addition to routing rules and policy, you must also setup IP forwarding. This may be done by setting the following in /etc/ufw/sysctl.conf:

net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

then restarting the firewall:

ufw disable
ufw enable

Be aware that setting kernel tunables is operating system specific and ufw sysctl settings may be overridden. See the sysctl manual page for details.

ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. When a limit rule is used, ufw will normally allow the connection but will deny connections if an IP address attempts to initiate 6 or more connections within 30 seconds. See http://www.debian-administration.org/articles/187 for details. Typical usage is:

ufw limit ssh/tcp
Sometimes it is desirable to let the sender know when traffic is being denied, rather than simply ignoring it. In these cases, use reject instead of deny. For example:

ufw reject auth

By default, ufw will apply rules to all available interfaces. To limit this, specify DIRECTION on INTERFACE, where DIRECTION is one of in or out (interface aliases are not supported). For example, to allow all new incoming http connections on eth0, use:

ufw allow in on eth0 to any port 80 proto tcp

To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:

ufw deny 80/tcp

Use this to delete it:

ufw delete deny 80/tcp

You may also specify the rule by NUM, as seen in the status numbered output. For example, if you want to delete rule number '3', use:

ufw delete 3

If you have IPv6 enabled and are deleting a generic rule that applies to both IPv4 and IPv6 (eg 'ufw allow 22/tcp'), deleting by rule number will delete only the specified rule. To delete both with one command, prefix the original rule with delete.

To insert a rule, specify the new rule as normal, but prefix the rule with the rule number to insert. For example, if you have four rules, and you want to insert a new rule as rule number three (here, a rule denying inbound tcp traffic from 10.0.0.135 to port 22 on any local address), use:

ufw insert 3 deny to any port 22 from 10.0.0.135 proto tcp

To see a list of numbered rules, use:

ufw status numbered

ufw supports per rule logging. By default, no logging is performed when a packet matches a rule. Specifying log will log all new connections matching the rule, and log-all will log all packets matching the rule. For example, to allow and log all new ssh connections, use:

ufw allow log 22/tcp

See LOGGING for more information on logging.
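The multi-port rule described above comes with constraints that ufw only reports when the rule is added: the list must be numeric, contain no spaces, and total at most 15 ports with each range counted as two. The following shell function is an added example, not code from the original post or from the ufw project; it pre-validates a port list by the same accounting before the list is handed to ufw allow, so a scripted rollout fails early with a clear message instead of half-applying a rule set. The function names and error messages are my own, and the ufw command is echoed rather than executed so the check can run on a machine without ufw.

```shell
#!/bin/sh
# count_ports PORTLIST
# Counts ports in a ufw port list using the accounting rule stated in the
# text above: a single port counts as 1, a range LOW:HIGH counts as 2.
# Prints the count and returns 0 for a valid list; prints an error to stderr
# and returns 1 for anything ufw would reject (spaces or other non-numeric
# characters, an empty entry, a malformed range, a range whose low end is not
# below its high end, a port outside 1-65535, or more than 15 ports total).
count_ports() {
    list=$1
    total=0

    case "$list" in
        '' )        echo "empty port list" >&2; return 1 ;;
        *[!0-9,:]*) echo "port list must be numeric, with no spaces: '$list'" >&2; return 1 ;;
    esac

    # Split on commas into the function's positional parameters.
    oldifs=$IFS
    IFS=,
    set -- $list
    IFS=$oldifs

    for entry in "$@"; do
        case "$entry" in
            '' )    echo "empty entry in port list: '$list'" >&2; return 1 ;;
            *:*:*)  echo "malformed range '$entry'" >&2; return 1 ;;
            *:*)
                low=${entry%%:*}
                high=${entry#*:}
                if [ -z "$low" ] || [ -z "$high" ]; then
                    echo "malformed range '$entry'" >&2; return 1
                fi
                if [ "$low" -lt 1 ] || [ "$high" -gt 65535 ] || [ "$low" -ge "$high" ]; then
                    echo "invalid range '$entry'" >&2; return 1
                fi
                total=$((total + 2)) ;;   # a range counts as 2 ports
            *)
                if [ "$entry" -lt 1 ] || [ "$entry" -gt 65535 ]; then
                    echo "port out of range: '$entry'" >&2; return 1
                fi
                total=$((total + 1)) ;;
        esac
    done

    if [ "$total" -gt 15 ]; then
        echo "too many ports: $total counted, ufw allows at most 15" >&2
        return 1
    fi
    echo "$total"
}

# allow_ports PORTLIST PROTO
# Validates the list first, then builds the ufw command. The command is
# echoed rather than executed so this can be tested without ufw installed;
# replace 'echo' with 'sudo' to apply the rule for real.
allow_ports() {
    count_ports "$1" >/dev/null || return 1
    echo "ufw allow proto $2 from any to any port $1"
}

# The example from the text: 80, 443 and the range 8080:8090 count as 4 ports.
allow_ports 80,443,8080:8090 tcp
```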
Deny all access to port 53:

ufw deny 53

Allow all access to tcp port 80:

ufw allow 80/tcp

Allow all access from RFC1918 networks to this host:

ufw allow from 10.0.0.0/8
ufw allow from 172.16.0.0/12
ufw allow from 192.168.0.0/16

Deny access to udp port 514 from host 1.2.3.4:

ufw deny proto udp from 1.2.3.4 to any port 514

Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:

ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections (eg ssh). ufw does support adding rules before enabling the firewall, so administrators who manage the host remotely can do:

ufw allow proto tcp from any to any port 22

before running 'ufw enable'. The rules will still be flushed, but the ssh port will be open after enabling the firewall. Please note that once ufw is 'enabled', ufw will not flush the chains when adding or removing rules (but will when modifying a rule or changing the default policy). By default, ufw will prompt when enabling the firewall while running under ssh. This can be disabled by using 'ufw --force enable'.
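The procedure just described (open the management port first, then set the default policy, then enable) is easy to get wrong under time pressure on a remote host, so here it is as a small script. This is an added example, not code from the original post or from the ufw project. It assumes an Ubuntu host with sudo, takes the ssh port and an optional trusted network as arguments, and uses the limit rule from the rule syntax section above to rate-limit ssh rather than merely allowing it. The DRY_RUN variable and the function names are my own; with DRY_RUN=1 the script only prints the commands it would run, which is how it can be checked on a machine that has no ufw.

```shell
#!/bin/sh
# Bring up ufw on a remote host without locking yourself out.
# Order matters: the management port is opened (and rate limited) BEFORE the
# default deny policy and 'enable' take effect, because enable flushes the
# chains and would otherwise cut the ssh session running this script.
# Constructed example; DRY_RUN and the function names are not part of ufw.

# run COMMAND...: print the command under DRY_RUN=1, otherwise run it via sudo.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        sudo "$@"
    fi
}

# ufw_bootstrap SSH_PORT [TRUSTED_CIDR]
# Emits or executes the sequence: limit ssh (optionally only from a trusted
# network), default deny incoming, default allow outgoing, then a
# non-interactive enable so the ssh confirmation prompt described in the text
# cannot hang an unattended run, and finally a status print for the log.
ufw_bootstrap() {
    port=${1:-22}
    trusted=$2

    case "$port" in
        ''|*[!0-9]*) echo "ssh port must be numeric: '$port'" >&2; return 1 ;;
    esac

    if [ -n "$trusted" ]; then
        # Restrict ssh to the trusted network; the 6-per-30s limit still applies.
        run ufw limit proto tcp from "$trusted" to any port "$port"
    else
        run ufw limit "$port/tcp"
    fi
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw --force enable
    run ufw status verbose
}

# Stand-alone run: print the plan rather than touching the live firewall.
DRY_RUN=1 ufw_bootstrap 22 192.168.1.0/24
```

Run it once with DRY_RUN=1 and read the printed plan before running it for real; the only line that differs between the two modes is whether run prints or executes.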
ufw supports application integration by reading profiles located in /etc/ufw/applications.d. These profiles are normally installed by the Ubuntu packages themselves when software is installed, so you rarely need to create your own; the port numbers behind them can be looked up in /etc/services. To list the names of application profiles known to ufw, use:

ufw app list
Users can specify an application name when adding a rule (quoting any profile names with spaces). For example, when using the simple syntax, users can use:

ufw allow <name>

Or for the extended syntax:

ufw allow from 192.168.0.0/16 to any app <name>

You should not specify the protocol with either syntax, and with the extended syntax, use app in place of the port clause.

Details on the firewall profile for a given application can be seen with:

ufw app info <name>

where '<name>' is one of the applications seen with the app list command. Users may also specify all to see the profiles for all known applications.

After creating or editing an application profile, users can run:

ufw app update <name>

This command will automatically update the firewall with updated profile information. If specifying 'all' for name, then all the profiles will be updated. To update a profile and add a new rule to the firewall automatically, users can run:

ufw app update --add-new <name>

The behavior of the update --add-new command can be configured using:

ufw app default <policy>

The default application policy is skip, which means that the update --add-new command will do nothing. Users may also specify a policy of allow or deny so the update --add-new command may automatically update the firewall. WARNING: it may be a security risk to use a default allow policy for application profiles. Carefully consider the security ramifications before using a default allow policy.
ufw supports multiple logging levels. ufw defaults to a loglevel of 'low' when a loglevel is not specified. Users may specify a loglevel with:

ufw logging LEVEL

LEVEL may be 'off', 'low', 'medium', 'high' and 'full'. Log levels are defined as:

off
    disables ufw managed logging
low
    logs all blocked packets not matching the default policy (with rate limiting), as well as packets matching logged rules
medium
    log level low, plus all allowed packets not matching the default policy, all INVALID packets, and all new connections. All logging is done with rate limiting.
high
    log level medium (without rate limiting), plus all packets with rate limiting
full
    log level high without rate limiting

Loglevels above medium generate a lot of logging output, and may quickly fill up your disk. Loglevel medium may generate a lot of logging output on a busy system.

Specifying 'on' simply enables logging at log level 'low' if logging is currently not enabled.
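Log level low already records every blocked packet, so the natural companion to ufw logging low is something that reads those entries back. The following shell functions are an added example, not part of the original post or of ufw: they count blocked connection attempts per source address and destination port from ufw log lines and flag sources above a threshold, which is the defender's view of the brute-force behaviour the limit rule above is meant to contain. The sample log lines are constructed with RFC 5737 test addresses; the field layout (a bracketed prefix followed by SRC=, DST=, PROTO=, DPT= pairs) is what the netfilter LOG target writes, the [UFW BLOCK] and [UFW LIMIT BLOCK] prefixes are the ones ufw's default-policy and limit rules log with, and the function names and threshold are my own.

```shell
#!/bin/sh
# Summarise blocked traffic from ufw's log (/var/log/ufw.log or journalctl -k).
# Added example, not part of ufw. The sample lines below are constructed.

# top_blocked_sources: reads log lines on stdin, keeps only block entries
# ("[UFW BLOCK]" from the default policy, "[UFW LIMIT BLOCK]" from limit
# rules) and prints "count src proto dport", highest count first.
top_blocked_sources() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = dpt = proto = ""
            # Walk the KEY=VALUE fields; tokens without "=" (DF, SYN) are ignored.
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# flag_noisy_sources THRESHOLD: prints only sources whose blocked attempts
# against a single port reach THRESHOLD, as "src proto dport count". Intended
# as review input (e.g. from a cron job); it changes no firewall rule.
flag_noisy_sources() {
    threshold=$1
    top_blocked_sources | awk -v t="$threshold" '$1 >= t { print $2, $3, $4, $1 }'
}

# Constructed sample log in the syslog layout ufw produces. 203.0.113.5 is
# blocked three times on tcp/22 (the third time by a limit rule), one host is
# blocked once on udp/514, and one allowed connection must be ignored.
SAMPLE_LOG='Mar 10 12:00:01 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:03 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:05 host kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:07 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=UDP SPT=5353 DPT=514 LEN=20
Mar 10 12:00:09 host kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=5 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_blocked_sources
```

On a live system feed the real log instead of the sample, for example tail -n 10000 /var/log/ufw.log | top_blocked_sources, and remember that at level low the kernel rate-limits these log lines, so the counts are a floor, not an exact number of attempts.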
The following reports are supported. Each is based on the live system and with the exception of the listening report, is in raw iptables format:
raw
builtins
before-rules
user-rules
after-rules
logging-rules
listening
added
The raw report shows the complete firewall, while the others show a subset of what is in the raw report.

The listening report will display the ports on the live system in the listening state for tcp and the open state for udp, along with the address of the interface and the executable listening on the port. An '*' is used in place of the address of the interface when the executable is bound to all interfaces on that port. Following this information is a list of rules which may affect connections on this port. The rules are listed in the order they are evaluated by the kernel, and the first match wins. Please note that the default policy is not listed and tcp6 and udp6 are shown only if IPV6 is enabled.

The added report displays the list of rules as they were added on the command-line. This report does not show the status of the running firewall (use 'ufw status' instead). Because rules are normalized by ufw, rules may look different than the originally added rule. Also, ufw does not record command ordering, so an equivalent ordering is used which lists IPv6-only rules after other rules.
On installation, ufw is disabled with a default incoming policy of deny, a default forward policy of deny, and a default outgoing policy of allow, with stateful tracking for NEW connections for incoming and forwarded connections. In addition to the above, a default ruleset is put in place that does the following:
- DROP packets with RH0 headers
- DROP INVALID packets
- ACCEPT certain icmp packets (INPUT and FORWARD): destination-unreachable, source-quench, time-exceeded, parameter-problem, and echo-request for IPv4. destination-unreachable, packet-too-big, time-exceeded, parameter-problem, and echo-request for IPv6.
- ACCEPT icmpv6 packets for stateless autoconfiguration (INPUT)
- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses (INPUT)
- ACCEPT DHCP client traffic (INPUT)
- DROP non-local traffic (INPUT)
- ACCEPT mDNS (zeroconf/bonjour/avahi 224.0.0.251 for IPv4 and ff02::fb for IPv6) for service discovery (INPUT)
- ACCEPT UPnP (239.255.255.250 for IPv4 and ff02::f for IPv6) for service discovery (INPUT)
Rule ordering is important and the first match wins. Therefore when adding rules, add the more specific rules first with more general rules later.
ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules.
The status command shows basic information about the state of the firewall, as well as rules managed via the ufw command. It does not show rules from the rules files in /etc/ufw. To see the complete state of the firewall, users can run ufw show raw. This displays the filter, nat, mangle and raw tables using:
iptables -n -L -v -x -t <table>
ip6tables -n -L -v -x -t <table>
See the iptables and ip6tables documentation for more details.
If the default policy is set to REJECT, ufw may interfere with rules added outside of the ufw framework. See README for details.
IPV6 is allowed by default. To change this behavior to only accept IPv6 traffic on the loopback interface, set IPV6 to 'no' in /etc/default/ufw and reload ufw. When IPv6 is enabled, you may specify rules in the same way as for IPv4 rules, and they will be displayed with ufw status. Rules that match both IPv4 and IPv6 addresses apply to both IP versions. For example, when IPv6 is enabled, the following rule will allow access to port 22 for both IPv4 and IPv6 traffic:

ufw allow 22

IPv6 over IPv4 tunnels and 6to4 are supported by using the 'ipv6' protocol ('41'). This protocol can only be used with the full syntax. For example:

ufw allow to 10.0.0.1 proto ipv6
ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ipv6

IPSec is supported by using the 'esp' ('50') and 'ah' ('51') protocols. These protocols can only be used with the full syntax. For example:

ufw allow to 10.0.0.1 proto esp
ufw allow to 10.0.0.1 from 10.4.0.0/16 proto esp
ufw allow to 10.0.0.1 proto ah
ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ah

In addition to the command-line interface, ufw also provides a framework which allows administrators to modify default behavior as well as take full advantage of netfilter. See the ufw-framework manual page for more information.
Author: 功夫貓星人
Link: https://www.jianshu.com/p/6dc966f48b1f
Source: 簡書 (Jianshu)