These commands are run as root; ordinary users need to prefix them with sudo.
ufw disable    (turn the firewall off)
ufw enable     (turn the firewall on)
Edit this file to turn off IPv6 support in ufw (the IPV6= setting):
/etc/default/ufw
View rules
ufw status
Add rules example:
ufw default allow outgoing
ufw default deny incoming
ufw default deny    (block all inbound access to local ports)
ufw allow ssh
ufw allow 22
ufw allow 80/tcp
ufw allow http/tcp
ufw allow 1725/udp
ufw allow 25:29/udp
ufw allow from 123.45.67.89
ufw allow from 123.45.67.89/24
ufw allow from 123.45.67.89 to any port 22 proto tcp
sudo ufw allow from 192.168.1.1    (allow this IP to reach all ports on this host)
sudo ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 22    (deny all TCP traffic from 10.0.0.0/8 to port 22 on 192.168.0.1)
=========================================
Log file: /var/log/ufw.log
sudo ufw logging on     (enable logging)
sudo ufw logging off    (disable logging)
sudo ufw logging low|medium|high    (set the log level)
- Sep 16 15:08:14 <hostname> kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8475 PROTO=TCP SPT=485 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
The values listed first are the date, time and hostname of your server. The remaining important fields are:
- [UFW BLOCK]: This is where the description of the recorded event begins. In this case, it means that the connection was blocked.
- IN: If it contains a value, then the event is an incoming event
- OUT: If it contains a value, then the event is an outgoing event
- MAC: Combination of destination and source MAC addresses
- SRC: IP of the packet source
- DST: IP of packet destination
- LEN: packet length
- TTL: Packet TTL (time to live). Each router decrements it, and the packet is discarded if it reaches zero before arriving at its destination.
- PROTO: The protocol of the packet
- SPT: The source port of the packet
- DPT: destination port of the packet
- WINDOW: The TCP window size advertised by the sender (how much data it is willing to receive)
- SYN URGP: SYN marks the packet as the opening step of a TCP three-way handshake; URGP is the urgent pointer, 0 meaning it is not in use.
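As an added example (not part of the original notes), a small Python parser for lines in the /var/log/ufw.log format above that splits each entry into its fields and reports sources whose blocked inbound SYNs reached several distinct ports; the sample lines, hosts and addresses are constructed.

```python
import re

# Constructed sample entries in the ufw log format shown above (made-up addresses).
SAMPLE_LOG = """\
Sep 16 15:08:14 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8475 PROTO=TCP SPT=485 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 16 15:08:15 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8476 PROTO=TCP SPT=486 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 16 15:08:16 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8477 PROTO=TCP SPT=487 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 16 15:09:01 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.0.2.44 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Sep 16 15:09:02 host kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.0.2.44 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# date/time, hostname, then "[UFW <ACTION>]" followed by the KEY=VALUE fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[UFW (?P<action>\w+)\] (?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict of the fields in one ufw log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "action": m.group("action"), "flags": []}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec.setdefault(key, val)   # first LEN is the IP length; a later LEN (UDP) is ignored
        else:
            rec["flags"].append(tok)   # bare tokens such as SYN or ACK
    return rec

def direction(rec):
    """IN carries a value for inbound packets, OUT for outbound ones."""
    return "in" if rec.get("IN") else "out" if rec.get("OUT") else "unknown"

def blocked_ports_by_source(lines, min_ports=3):
    """Sources whose blocked inbound TCP SYNs hit at least min_ports distinct ports."""
    ports = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "BLOCK" or direction(rec) != "in":
            continue
        if rec.get("PROTO") == "TCP" and "SYN" in rec["flags"]:
            ports.setdefault(rec["SRC"], set()).add(int(rec["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(blocked_ports_by_source(SAMPLE_LOG.splitlines()))
```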
=========================================
The following three commands show which ports the operating system is listening on:
netstat -an | grep LISTEN | grep -v ^unix
netstat -ntulp
lsof -i -n -P