Merge remote-tracking branch 'LCTT/master'

This commit is contained in:
Xingyu Wang 2020-04-05 08:56:57 +08:00
commit 81374d9ab7


@ -7,19 +7,17 @@
[#]: via: (https://www.networkworld.com/article/3533551/linux-firewall-basics-with-ufw.html)
[#]: author: (Sandra Henry-Stocker https://www.networkworld.com/author/Sandra-Henry_Stocker/)
Linux firewall basics with ufw
Linux 防火墙 ufw 简介
======
We take a look at ufw - the uncomplicated firewall - on Linux, providing some insights and commands for making changes.
Vertigo3D / Getty Images
我们来研究下 ufw - linux 上一个简单的防火墙,它为防火墙更改提供了一些见解和命令。
The **ufw** (uncomplicated firewall) represents a serious simplification to [iptables][1] and, in the years that its been available, has become the default firewall on systems such as Ubuntu and Debian. And, yes, **ufw** is surprisingly uncomplicated a boon for newer admins who might otherwise have to invest a lot of time to get up to speed on firewall management.
![][0]
GUIs are available for **ufw** (like **gufw**), but **ufw** commands are generally issued on the command line. This post examines some commands for using **ufw** and looks into how it works.
First, one quick way to see how **ufw** is configured is to look at its configuration file **/etc/default/ufw**. In the command below, we display the settings, using **grep** to suppress the display of both blank lines and comments (line starting with #).
[RELATED: Linux hardening: a 15-step checklist for a secure Linux server][2]
**ufw** (简易防火墙)可以说是 [iptables][1] 的简化版,最近几年,它已经成为 Ubuntu 和 Debian 等系统上的默认防火墙。而且 **ufw** 出乎意料的简单,这对新管理员来说是一个福音,否则他们可能不得不投入大量时间来加快防火墙管理的速度。
**ufw** 也有 GUI 客户端(例如 **gufw**),但是 **ufw** 命令通常在命令行上发出。本文介绍了一些使用 **ufw** 的命令,并研究了它的工作方式。
首先,查看 **ufw** 如何配置的一个快速方法是查看其配置文件 -- **/etc/default/ufw**。使用下面的命令可以查看其配置,使用 **grep** 来禁止显示空白行和注释(以 # 开头的行)。
```
$ grep -v '^#\|^$' /etc/default/ufw
IPV6=yes
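Review bot: "否则他们可能不得不投入大量时间来加快防火墙管理的速度" in this hunk inverts the source: "get up to speed on firewall management" means becoming proficient at it, not making it faster; suggest "否则他们可能不得不投入大量时间来熟悉防火墙管理". In the subtitle line "我们来研究下 ufw - linux 上一个简单的防火墙,它为防火墙更改提供了一些见解和命令。", "linux" should be capitalised as "Linux", and the second clause credits ufw with the insights where the source says the article provides them; suggest "我们来研究下 ufw,即 Linux 上的简易防火墙,并介绍一些用于更改防火墙配置的见解和命令。". Minor: "禁止显示空白行和注释" reads more naturally as "不显示空白行和注释".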
@ -32,20 +30,16 @@ IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
```
As you can see, the default policy is to drop input and allow output. Additional rules that allow the connections that you specifically want to be accept are configured separately.
The basic syntax for ufw commands might look like thee below, though this synopsis is not meant to imply that typing only “ufw” will get you further than a quick error telling you that arguments are required.
正如你所看到的,默认策略是丢弃输入但允许输出。如果你想接受专有连接,你需要单独配置。
ufw 命令的基本语法如下所示,但是这个概要并不意味着你只需要输入 "ufw" 就能熟悉它,而是通过一个个错误提示来告诉你需要哪些参数。
```
ufw [--dry-run] [options] [rule syntax]
```
The **\--dry-run** option means that **ufw** wont run the command you specify, but will show you the results that you would see if it did. It will, however, display the entire set of rules as they would exist if the change were made, so be prepared for more than a few lines of output.
To check the status of **ufw**, run a command like the following. Note that even this command requires use of **sudo** or use of the root account.
[][3]
**\--dry-run** 选项意味着 **ufw** 不会运行你指定的命令,但你会看到它是否执行了的结果。如果进行了更改,它将显示整个规则集,因此你要做好多行输出的准备。
运行以下命令来检查 **ufw** 的状态。注意,即使此命令也需要使用 **sudo** 或 root 账户。
```
$ sudo ufw status
Status: active
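Review bot: three translated sentences in this hunk change the source's meaning. "如果你想接受专有连接,你需要单独配置" renders "the connections that you specifically want to be accept[ed]" as "专有连接" (proprietary connections); suggest "允许你特别想接受的那些连接的额外规则需要单独配置". "这个概要并不意味着你只需要输入 "ufw" 就能熟悉它,而是通过一个个错误提示来告诉你需要哪些参数" reverses the point, which is that typing only "ufw" gets you nothing more than a quick error saying arguments are required. "但你会看到它是否执行了的结果" is ungrammatical; the source says it shows the results you would see if the command did run, and the following sentence should say it prints the entire rule set as it would exist if the change were made, e.g. "但会显示如果真的执行了该命令你将看到的结果。不过,它会显示更改后的完整规则集,因此要做好多行输出的准备。".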
@ -57,15 +51,13 @@ To Action From
9090 (v6) ALLOW Anywhere (v6)
```
Otherwise, you will see something like this:
否则,你会看到以下内容:
```
$ ufw status
ERROR: You need to be root to run this script
```
Adding "verbose" provides a few additional details:
"verbose" 选项将提供一些其它细节:
```
$ sudo ufw status verbose
Status: active
@ -80,15 +72,13 @@ To Action From
9090 (v6) ALLOW IN Anywhere (v6)
```
You can easily allow and deny connections by port number with commands like these:
你可以使用以下命令轻松地通过端口号允许和拒绝连接:
```
$ sudo ufw allow 80 <== allow http access
$ sudo ufw deny 25 <== deny smtp access
$ sudo ufw allow 80 <== 允许 http 访问
$ sudo ufw deny 25 <== 拒绝 smtp 访问
```
You can check out the **/etc/services** file to find the connections between port numbers and service names.
你可以查看 **/etc/services** 文件来找到端口号和服务名称之间的联系。
```
$ grep 80/ /etc/services
http 80/tcp www # WorldWideWeb HTTP
@ -101,7 +91,7 @@ amanda 10080/udp
canna 5680/tcp # cannaserver
```
Alternately, you can use service names like in these commands.
或者,你可以命令中直接使用服务的名称。
```
$ sudo ufw allow http
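Review bot: "或者,你可以命令中直接使用服务的名称。" is missing the preposition before "命令中"; should read "或者,你可以在命令中直接使用服务的名称。".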
@ -112,7 +102,7 @@ Rule added
Rule added (v6)
```
After making changes, you should check the status again to see that those changes have been made:
进行更改后,你应该再次检查状态来查看是否生效:
```
$ sudo ufw status
@ -129,7 +119,7 @@ To Action From
443/tcp (v6) ALLOW Anywhere (v6) <==
```
The rules that **ufw** follows are stored in the **/etc/ufw** directory. Note that you need root access to view these files and that each contains a large number of rules.
**ufw** 遵循的规则存储在 **/etc/ufw** 目录中,注意,你需要 root 用户访问权限才能查看这些文件,每个文件都包含大量规则。
```
$ ls -ltr /etc/ufw
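Review bot: the translated line "**ufw** 遵循的规则存储在 **/etc/ufw** 目录中,注意,你需要 root 用户访问权限才能查看这些文件,每个文件都包含大量规则。" joins three clauses with commas where the source has two sentences; suggest a full stop after "目录中" and after "这些文件" so it reads "...目录中。注意,你需要 root 用户访问权限才能查看这些文件。每个文件都包含大量规则。".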
@ -147,8 +137,7 @@ drwxr-xr-x 3 root root 4096 Nov 12 08:21 applications.d
-rw-r----- 1 root root 1530 Mar 19 10:42 user6.rules
```
The changes made earlier in this post (the addition of port **80** for **http** access and **443** for **https** (encrypted http) access will look like this in the **user.rules** and **user6.rules** files:
本文前面所作的更改,为 **http** 访问添加了端口 **80** 和为 **https** 访问添加了端口 **443**,在 **user.rules****user6.rules** 文件中看起来像这样:
```
# grep " 80 " user*.rules
user6.rules:### tuple ### allow tcp 80 ::/0 any ::/0 in
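Review bot: "在 **user.rules****user6.rules** 文件中" drops the "和" between the two file names, and the adjacent "****" will not render as two separate bold spans in Markdown; suggest "在 **user.rules** 和 **user6.rules** 文件中".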
@ -163,15 +152,13 @@ user.rules:### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
user.rules:-A ufw-user-input -p tcp --dport 443 -j ACCEPT
```
With **ufw**, you can also easily block connections from a system using a command like this:
使用 **ufw**,你还可以使用以下命令轻松地阻止来自一个系统的连接:
```
$ sudo ufw deny from 208.176.0.50
Rule added
```
The status command will show the change:
status 命令将显示更改:
```
$ sudo ufw status verbose
Status: active
@ -191,9 +178,9 @@ Anywhere DENY IN 208.176.0.50 <== new
443/tcp (v6) ALLOW IN Anywhere (v6)
```
All in all, **ufw** is both easy to configure and easy to understand.
总而言之,**ufw** 不仅容易配置,而且且容易理解。
Join the Network World communities on [Facebook][4] and [LinkedIn][5] to comment on topics that are top of mind.
加入 [Facebook][4] 和 [LinkedIn][5] 上的网络世界社区,评论最火的主题。
--------------------------------------------------------------------------------
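Review bot: "而且且容易理解" has a duplicated "且"; should be "而且容易理解". In the next translated line, "Network World" is the publication's name and should be kept as a proper noun rather than rendered as "网络世界"; suggest "加入 Network World 在 [Facebook][4] 和 [LinkedIn][5] 上的社区,评论最热门的话题。".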
@ -201,13 +188,15 @@ via: https://www.networkworld.com/article/3533551/linux-firewall-basics-with-ufw
作者:[Sandra Henry-Stocker][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
译者:[MjSeven](https://github.com/MjSeven)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.networkworld.com/author/Sandra-Henry_Stocker/
[b]: https://github.com/lujun9972
[0]: https://images.idgesg.net/images/article/2019/06/cso_network_security_encryption_automation_by_vertigo3d_gettyimages-597931354_2400x1600-100798880-large.jpg
[1]: https://www.networkworld.com/article/2716098/working-with-iptables.html
[2]: https://www.networkworld.com/article/3143050/linux/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.html#tk.nww-fsb
[3]: https://www.networkworld.com/blog/itaas-and-the-corporate-storage-technology/?utm_source=IDG&utm_medium=promotions&utm_campaign=HPE22140&utm_content=sidebar (ITAAS and Corporate Storage Strategy)
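Review bot: the "[2]" and "[3]" link definitions retained at the end of this hunk have no visible counterpart in the translated text: the "[RELATED: ...][2]" pointer and the "[][3]" sidebar placeholder from the English hunks above do not appear in any Chinese line, and the same applies to the "![][0]" image line if it was dropped rather than kept as context. If those lines were removed, the unused definitions should be removed too, or the links carried into the translation. Leaving "校对:[校对者ID]" as a placeholder is expected at this stage since the proofreader fills it in later.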