How to open ports on Linux server and configure firewall

sudo ufw status (if you are root, drop sudo: ufw status) checks the status of the firewall; on my machine it returns: inactive (the default is inactive).
sudo ufw version prints the firewall version:
ufw 0.29-4ubuntu1
Copyright 2008-2009 Canonical Ltd.
Ubuntu installs ufw by default.

1. Installation

sudo apt-get install ufw

2. Enable

sudo ufw enable
sudo ufw default deny
After running the above two commands the firewall is enabled and will start automatically at boot. All inbound access to the machine from outside is closed, while the machine itself can still reach the outside normally.

3. Allow/Deny a service or port

sudo ufw allow|deny [service]
Opens or closes a port, for example:
sudo ufw allow smtp: allows all external IPs to access port 25/tcp (smtp) of this machine
sudo ufw allow 22/tcp: allows all external IPs to access port 22/tcp (ssh) of this machine. This rule is very important: if you rely on remote ssh login (for example with SecureCRT), add it before enabling the firewall, or else do not turn the firewall on at all.
sudo ufw allow 53: allows external access to port 53 (tcp and udp)
sudo ufw allow from 192.168.1.100: allows this IP to access all local ports
sudo ufw allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53: allows udp from 192.168.0.1 port 53 to 192.168.0.2 port 53
sudo ufw deny smtp: forbids external access to the smtp service
sudo ufw delete allow smtp: deletes the rule established above

4. Check the firewall status

sudo ufw status

An ordinary user only needs the following setup:
sudo apt-get install ufw
sudo ufw enable
sudo ufw default deny
These three commands are safe enough; if you need to open some services, use sudo ufw allow to open them.
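The complete bring-up sequence from sections 1 to 4, put into one script as an added example (this is not code from the original article). It applies the rules from section 3 before enabling ufw, so an existing ssh session survives the switch-on, and it spells out "ufw default deny" as "default deny incoming" plus "default allow outgoing". The UFW variable is this script's own dry-run hook, not a ufw option: set UFW="echo ufw" to print the commands instead of running them. The host 192.168.1.100 is the article's example; the function name ufw_bootstrap is hypothetical.

```shell
#!/bin/sh
# Added example: apply the article's ufw setup in a lock-out-safe order.
# Assumes Ubuntu with ufw installed; run as root or via sudo.
# UFW is this script's own dry-run hook (not a ufw option): UFW="echo ufw"
# prints the commands instead of running them.
UFW="${UFW:-sudo ufw}"

# Hypothetical helper. $1 is the host allowed to reach every local port
# (192.168.1.100 is the article's example).
ufw_bootstrap() {
    admin_host="${1:-192.168.1.100}"

    # Step 1: default policy. "ufw default deny" from the article spelled out:
    # block unsolicited inbound traffic, leave outbound traffic untouched.
    $UFW default deny incoming
    $UFW default allow outgoing

    # Step 2: keep remote administration reachable BEFORE the firewall goes up.
    $UFW allow 22/tcp

    # Step 3: service rules from section 3 of the article.
    $UFW allow smtp                                   # 25/tcp via /etc/services
    $UFW allow 53                                     # dns, tcp and udp
    $UFW allow from "$admin_host"                     # all ports for one host
    $UFW allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53

    # Step 4: turn logging and the firewall on. --force skips the
    # "may disrupt existing ssh connections" prompt, which is safe here
    # because the 22/tcp rule is already in place.
    $UFW logging on
    $UFW --force enable

    # Step 5: verify. "status verbose" also shows the default policies.
    $UFW status verbose
}

# Run only when invoked as: sh ufw_bootstrap.sh run [admin_host]
case "${1:-}" in
    run) ufw_bootstrap "${2:-}" ;;
esac
```

Preview the command sequence with UFW="echo ufw" sh ufw_bootstrap.sh run before running it for real; the order matters more than the individual rules, since enabling ufw with a deny policy and no ssh rule cuts off a remote session.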
Enable/disable the firewall (the default is disabled):
sudo ufw enable|disable
Switch logging on or off:
sudo ufw logging on|off
Set the default policy (e.g. "mostly open" vs "mostly closed"):
sudo ufw default allow|deny
Allow or block a port (the list of services can be seen in "status"). A service name that exists in /etc/services can be specified as "protocol:port", or through the package's meta-data. 'allow' adds the entry to /etc/ufw/maps, 'deny' does the opposite. The basic syntax is:
sudo ufw allow|deny [service]
Show the listening status of the firewall and ports (see /var/lib/ufw/maps). Numbers in parentheses are not displayed:
sudo ufw status
ufw usage examples:
allow port 53
$ sudo ufw allow 53
disable port 53
$ sudo ufw delete allow 53
allow port 80
$ sudo ufw allow 80/tcp
disable port 80
$ sudo ufw delete allow 80/tcp
allow the smtp port
$ sudo ufw allow smtp
delete the permission for the smtp port
$ sudo ufw delete allow smtp
allow a specific IP
$ sudo ufw allow from 192.168.254.254
delete the above rule
$ sudo ufw delete allow from 192.168.254.254
Since the Linux 2.4 kernel a very good firewall tool has been provided: netfilter/iptables. It is free and powerful, can monitor incoming and outgoing packets, and can implement functions such as a firewall, NAT (Network Address Translation) and packet segmentation. Netfilter works inside the kernel, while iptables is the table structure through which users define rulesets.

However, iptables rules are a little "complex", so Ubuntu provides ufw, a configuration tool that simplifies common iptables settings; the backend is still iptables. ufw is short for Uncomplicated Firewall, and some complex settings still have to be done in iptables directly.

ufw related files and folders are:

/etc/ufw/: holds the ufw environment configuration files, such as before.rules, after.rules, sysctl.conf and ufw.conf, plus before6.rules and after6.rules for IPv6. The default settings of these files are generally fine.

When ufw starts, /etc/ufw/sysctl.conf overrides the default /etc/sysctl.conf. If you have modified the original /etc/sysctl.conf, then after ufw starts any key that /etc/ufw/sysctl.conf assigns overrides the value in /etc/sysctl.conf, while for all other keys /etc/sysctl.conf prevails. You can choose which sysctl.conf is used by editing the "IPT_SYSCTL=" entry in /etc/default/ufw.
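To see concretely which keys the precedence rule above affects on a given host, here is an added shell helper (not part of the article or of ufw) that reads a base sysctl.conf and ufw's sysctl.conf and reports, per key, whether ufw overrides it. It assumes both files use the standard sysctl key = value format and normalises ufw's slash-separated keys (net/ipv4/ip_forward) to the dotted form used in /etc/sysctl.conf, so the same key is recognised in both spellings. The function names effective_sysctl and demo_sysctl and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example: report which kernel keys /etc/ufw/sysctl.conf overrides
# relative to /etc/sysctl.conf. Hypothetical helper, not part of ufw.
# Usage on a host:  effective_sysctl /etc/sysctl.conf /etc/ufw/sysctl.conf
effective_sysctl() {
    base="$1"
    ufw_file="$2"
    awk '
        # ufw writes net/ipv4/ip_forward, sysctl.conf writes net.ipv4.ip_forward;
        # normalise to the dotted form so both spellings compare equal
        function norm(k) { gsub(/[[:space:]]/, "", k); gsub("/", ".", k); return k }
        /^[[:space:]]*$/      { next }      # skip blank lines
        /^[[:space:]]*[#;]/   { next }      # skip comments
        index($0, "=") == 0   { next }      # skip lines that are not key=value
        {
            eq  = index($0, "=")
            key = norm(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            sub(/^[[:space:]]+/, "", val)
            sub(/[[:space:]]+$/, "", val)
            # first file (NR == FNR) is the base; second file is ufw
            if (NR == FNR)            src[key] = "sysctl.conf"
            else if (key in value)    src[key] = "overridden by ufw"
            else                      src[key] = "ufw only"
            if (!(key in value)) order[++n] = key   # remember first-seen order
            value[key] = val
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s=%s\t%s\n", order[i], value[order[i]], src[order[i]]
        }
    ' "$base" "$ufw_file"
}

# Constructed sample input standing in for the two real files, so the
# helper can be exercised without touching /etc.
demo_sysctl() {
    dir=$(mktemp -d)
    cat > "$dir/sysctl.conf" <<'EOF'
# site settings (constructed sample of /etc/sysctl.conf)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
kernel.sysrq = 0
EOF
    cat > "$dir/ufw-sysctl.conf" <<'EOF'
# constructed sample of /etc/ufw/sysctl.conf (slash notation, as ufw ships it)
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
EOF
    effective_sysctl "$dir/sysctl.conf" "$dir/ufw-sysctl.conf"
    rm -rf "$dir"
}

demo_sysctl
```

Keys reported as "overridden by ufw" are the ones whose site value is replaced when ufw starts; if you deliberately changed one of them in /etc/sysctl.conf, either mirror the change in /etc/ufw/sysctl.conf or point IPT_SYSCTL in /etc/default/ufw at the file you want to win.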

/var/lib/ufw/user.rules: this file contains the firewall rules we set, which you can see when you open it. Sometimes we can edit this file directly instead of setting rules with commands. After editing, remember to run sudo ufw reload so that the new rules take effect.

Here are some examples of the ufw command line:

ufw enable/disable: turn on/off ufw
ufw status: view the defined ufw rules
ufw default allow/deny: allow/deny external access by default
ufw allow/deny 20: allow/deny access to port 20; 20 can be followed by /tcp or /udp to match only tcp or udp packets.
ufw allow/deny servicename: ufw looks up the port of the corresponding service in /etc/services and filters it.
ufw allow proto tcp from 10.0.1.0/10 to <local ip> port 25: allow tcp packets from 10.0.1.0/10 to reach local port 25.
ufw delete allow/deny 20: delete the previously defined "allow/deny access to port 20" rule
