Shulou(Shulou.com)06/01 Report--
This article explains in detail how to use the ufw firewall on Linux. The editor thinks it is very practical, so it is shared here as a reference. I hope you get something out of reading it.
ufw is a host-based tool for configuring the iptables firewall, and it is easy to use. For general desktop use, ufw is usually enough to meet the requirements.
ufw also has GUI clients (such as gufw), but the ufw command is usually run on the command line. This article introduces some ufw commands and looks at how the tool works.
First, a quick way to view the ufw configuration is to look at its configuration file, /etc/default/ufw. Use the following command to view it, with grep suppressing blank lines and comments (lines that begin with #).
$ grep -v '^#\|^$' /etc/default/ufw
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
As you can see, the default policy is to drop incoming traffic but allow outgoing traffic. Rules that accept specific connections need to be configured separately. The basic syntax of the ufw command is shown below. This synopsis is not something you type literally; it is a quick reminder of which parameters are needed.
ufw [--dry-run] [options] [rule syntax]
The --dry-run option means that ufw will not run the command you specified, but will show you the result it would have if executed. It displays the entire rule set as it would be after the change, so be prepared for many lines of output.
To check the status of ufw, run the following command. Note that even this command requires the use of sudo or root accounts.
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       192.168.0.0/24
9090                       ALLOW       Anywhere
9090 (v6)                  ALLOW       Anywhere (v6)
Otherwise, you will see the following:
$ ufw status
ERROR: You need to be root to run this script
Add the verbose option to provide some other details:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    192.168.0.0/24
9090                       ALLOW IN    Anywhere
9090 (v6)                  ALLOW IN    Anywhere (v6)
You can easily allow and deny connections through the port number using the following command:
$ sudo ufw allow 80
You can check the /etc/services file to find the link between the port number and the service name.
$ grep 80/ /etc/services
http            80/tcp          www             # WorldWideWeb HTTP
socks           1080/tcp                        # socks proxy server
socks           1080/udp
http-alt        8080/tcp        webcache        # WWW caching service
http-alt        8080/udp
amanda          10080/tcp                       # amanda backup services
amanda          10080/udp
canna           5680/tcp                        # cannaserver
Or, you can use the name of the service directly in the command.
$ sudo ufw allow http
Rule added
Rule added (v6)
$ sudo ufw allow https
Rule added
Rule added (v6)
After making the changes, you should check the status again to see if it works:
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       192.168.0.0/24
9090                       ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
The rules that ufw follows are stored in the /etc/ufw directory. Note that you need root access to view these files, and each file contains a large number of rules.
$ ls -ltr /etc/ufw
total 48
-rw-r--r-- 1 root root 1391 Aug 15  2017 sysctl.conf
-rw-r----- 1 root root 1004 Aug 17  2017 after.rules
-rw-r----- 1 root root  915 Aug 17  2017 after6.rules
-rw-r----- 1 root root 1130 Jan  5  2018 before.init
-rw-r----- 1 root root 1126 Jan  5  2018 after.init
-rw-r----- 1 root root 2537 Mar 25  2019 before.rules
-rw-r----- 1 root root 6700 Mar 25  2019 before6.rules
drwxr-xr-x 3 root root 4096 Nov 12 08:21 applications.d
-rw-r--r-- 1 root root  313 Mar 18 17:30 ufw.conf
-rw-r----- 1 root root 1711 Mar 19 10:42 user.rules
-rw-r----- 1 root root 1530 Mar 19 10:42 user6.rules
The changes made earlier in this article, adding port 80 for http access and port 443 for https access, look like this in the user.rules and user6.rules files:
# grep "80" user*.rules
user6.rules:### tuple ### allow tcp 80 ::/0 any ::/0 in
user6.rules:-A ufw6-user-input -p tcp --dport 80 -j ACCEPT
user.rules:### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
user.rules:-A ufw-user-input -p tcp --dport 80 -j ACCEPT
You have new mail in /var/mail/root
# grep 443 user*.rules
user6.rules:### tuple ### allow tcp 443 ::/0 any ::/0 in
user6.rules:-A ufw6-user-input -p tcp --dport 443 -j ACCEPT
user.rules:### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
user.rules:-A ufw-user-input -p tcp --dport 443 -j ACCEPT
With ufw, you can also easily block connections from an IP address using the following command:
$ sudo ufw deny from 208.176.0.50
Rule added
The status command displays the changes:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    192.168.0.0/24
9090                       ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
Anywhere                   DENY IN     208.176.0.50

This is the end of the article on "how to use firewall ufw in Linux". I hope the above content is of some help to you and that you learn something from it. If you think the article is good, please share it so more people can see it.
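A caveat on the rule order in the final status output, as an added example that is not part of the original article: ufw applies the first matching rule, and `ufw deny from` appends its rule after the existing allows, so 208.176.0.50 is still accepted on every port opened to Anywhere. The script below checks `### tuple ###` lines for this situation; the sample lines are constructed to mirror the article's rule set, and as a stated simplification only earlier allows from 0.0.0.0/0 are counted.

```shell
#!/bin/sh
# Added example: find "deny from <ip>" rules that sit behind an earlier,
# broader allow in ufw's first-match order. Input is the "### tuple ###"
# lines of /etc/ufw/user.rules; fields after the marker are:
#   action proto dport dst sport src direction

# Constructed sample mirroring the rule set built in this article.
sample_rules() {
cat <<'EOF'
### tuple ### allow any 22 0.0.0.0/0 any 192.168.0.0/24 in
### tuple ### allow any 9090 0.0.0.0/0 any 0.0.0.0/0 in
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
### tuple ### deny any any 0.0.0.0/0 any 208.176.0.50 in
EOF
}

# shadowed_denies: read tuple lines on stdin and print one line per open
# port that a later source-specific deny/reject does not actually close.
# Assumption: only earlier allows from Anywhere (0.0.0.0/0) are counted,
# so no CIDR matching is needed.
shadowed_denies() {
    awk '
    $1 == "###" && $2 == "tuple" && $10 == "in" {
        action = $4; proto = $5; dport = $6; src = $9
        if (action == "allow" && src == "0.0.0.0/0") {
            n++; port[n] = dport; label[n] = proto "/" dport
        } else if ((action == "deny" || action == "reject") && src != "0.0.0.0/0") {
            for (i = 1; i <= n; i++)
                if (dport == "any" || port[i] == dport)
                    print src " still reaches " label[i]
        }
    }'
}

# fixed_order: the same rules with the deny first, the order you get from
#   sudo ufw delete deny from 208.176.0.50
#   sudo ufw insert 1 deny from 208.176.0.50
fixed_order() {
    sample_rules | grep ' deny '
    sample_rules | grep -v ' deny '
}

echo "Order as added in the article:"
sample_rules | shadowed_denies
echo "Order with the deny at position 1 (no findings expected):"
fixed_order | shadowed_denies
```

To audit a live host, feed the real file to the function instead of the sample: `sudo cat /etc/ufw/user.rules | shadowed_denies`.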