介绍 (Introduction)

UFW, or Uncomplicated Firewall, is a simplified firewall management interface that hides the complexity of lower-level packet filtering technologies such as iptables and nftables. If you’re looking to get started securing your network, and you’re not sure which tool to use, UFW may be the right choice for you.

UFW或简单的防火墙是简化的防火墙管理界面，它隐藏了诸如iptables和nftables类的低级数据包过滤技术的复杂性。 如果您希望开始保护网络安全，并且不确定使用哪种工具，UFW可能是您的正确选择。

This tutorial will show you how to set up a firewall with UFW on Ubuntu 20.04.

本教程将向您展示如何在Ubuntu 20.04上使用UFW设置防火墙。

先决条件 (Prerequisites)

To follow this tutorial, you will need:

要遵循本教程，您将需要：

• One Ubuntu 20.04 server with a sudo non-root user, which you can set up by following our Initial Server Setup with Ubuntu 20.04 tutorial.

  一台具有sudo非root用户的Ubuntu 20.04服务器，您可以按照我们的《 Ubuntu 20.04初始服务器设置》教程进行设置 。

UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can install it with sudo apt install ufw.

UFW默认安装在Ubuntu上。 如果由于某种原因已将其卸载，则可以使用sudo apt install ufw 。

第1步—将IPv6与UFW一起使用(可选) (Step 1 — Using IPv6 with UFW (Optional))

This tutorial is written with IPv4 in mind, but will work for IPv6 as well as long as you enable it. If your Ubuntu server has IPv6 enabled, ensure that UFW is configured to support IPv6 so that it will manage firewall rules for IPv6 in addition to IPv4. To do this, open the UFW configuration with nano or your favorite editor.

本教程是在考虑IPv4的前提下编写的，但是只要启用了IPv6，它就可以使用。 如果您的Ubuntu服务器启用了IPv6，请确保将UFW配置为支持IPv6，以便它除了管理IPv4外，还将管理IPv6的防火墙规则。 为此，请使用nano或您喜欢的编辑器打开UFW配置。

Then make sure the value of IPV6 is yes. It should look like this:

然后确保IPV6值为yes 。 它看起来应该像这样：

IPV6=yes

Save and close the file. Now, when UFW is enabled, it will be configured to write both IPv4 and IPv6 firewall rules. However, before enabling UFW, we will want to ensure that your firewall is configured to allow you to connect via SSH. Let’s start with setting the default policies.

保存并关闭文件。 现在，启用UFW后，它将被配置为写入IPv4和IPv6防火墙规则。 但是，在启用UFW之前，我们将要确保已将防火墙配置为允许您通过SSH连接。 让我们从设置默认策略开始。

步骤2 —设置默认策略 (Step 2 — Setting Up Default Policies)

If you’re just getting started with your firewall, the first rules to define are your default policies. These rules control how to handle traffic that does not explicitly match any other rules. By default, UFW is set to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your server would not be able to connect, while any application within the server would be able to reach the outside world.

如果您刚开始使用防火墙，则定义的第一条规则是默认策略。 这些规则控制如何处理与其他任何规则都不明确匹配的流量。 默认情况下，UFW设置为拒绝所有传入连接并允许所有传出连接。 这意味着尝试访问您的服务器的任何人都将无法连接，而服务器中的任何应用程序都将可以访问外部。

Let’s set your UFW rules back to the defaults so we can be sure that you’ll be able to follow along with this tutorial. To set the defaults used by UFW, use these commands:

让我们将UFW规则重新设置为默认值，这样我们就可以确保您能够按照本教程进行操作。 要设置UFW使用的默认值，请使用以下命令：

These commands set the defaults to deny incoming and allow outgoing connections. These firewall defaults alone might suffice for a personal computer, but servers typically need to respond to incoming requests from outside users. We’ll look into that next.

这些命令将默认设置设置为拒绝传入并允许传出连接。 这些防火墙默认值仅够一台个人计算机就足够了，但是服务器通常需要响应外部用户的传入请求。 接下来，我们将对其进行研究。

步骤3 —允许SSH连接 (Step 3 — Allowing SSH Connections)

If we enabled our UFW firewall now, it would deny all incoming connections. This means that we will need to create rules that explicitly allow legitimate incoming connections — SSH or HTTP connections, for example — if we want our server to respond to those types of requests. If you’re using a cloud server, you will probably want to allow incoming SSH connections so you can connect to and manage your server.

如果我们现在启用UFW防火墙，它将拒绝所有传入连接。 这意味着如果我们希望服务器响应那些类型的请求，我们将需要创建规则，以明确允许合法的传入连接(例如SSH或HTTP连接)。 如果使用的是云服务器，则可能需要允许传入的SSH连接，以便可以连接并管理服务器。

To configure your server to allow incoming SSH connections, you can use this command:

要将服务器配置为允许传入的SSH连接，可以使用以下命令：

This will create firewall rules that will allow all connections on port 22, which is the port that the SSH daemon listens on by default. UFW knows what port allow ssh means because it’s listed as a service in the /etc/services file.

这将创建防火墙规则，该规则将允许端口22上的所有连接，端口22是SSH守护程序默认监听的端口。 UFW知道allow ssh意味着什么端口，因为它在/etc/services文件中被列为/etc/services 。

However, we can actually write the equivalent rule by specifying the port instead of the service name. For example, this command works the same as the one above:

但是，我们实际上可以通过指定端口而不是服务名称来编写等效规则。 例如，此命令与上面的命令相同：

If you configured your SSH daemon to use a different port, you will have to specify the appropriate port. For example, if your SSH server is listening on port 2222, you can use this command to allow connections on that port:

如果将SSH守护程序配置为使用其他端口，则必须指定适当的端口。 例如，如果您的SSH服务器正在侦听端口2222 ，则可以使用以下命令来允许该端口上的连接：

Now that your firewall is configured to allow incoming SSH connections, we can enable it.

现在您的防火墙已配置为允许传入的SSH连接，我们可以启用它。

步骤4 —启用UFW (Step 4 — Enabling UFW)

To enable UFW, use this command:

要启用UFW，请使用以下命令：

You will receive a warning that says the command may disrupt existing SSH connections. We already set up a firewall rule that allows SSH connections, so it should be fine to continue. Respond to the prompt with y and hit ENTER.

您将收到一条警告，指出该命令可能会破坏现有的SSH连接。 我们已经设置了允许SSH连接的防火墙规则，因此可以继续。 用y响应提示，然后按ENTER 。

The firewall is now active. Run the sudo ufw status verbose command to see the rules that are set. The rest of this tutorial covers how to use UFW in more detail, like allowing or denying different kinds of connections.

防火墙现在处于活动状态。 运行sudo ufw status verbose命令以查看设置的规则。 本教程的其余部分详细介绍了如何使用UFW，例如允许或拒绝各种连接。

步骤5 —允许其他连接 (Step 5 — Allowing Other Connections)

At this point, you should allow all of the other connections that your server needs to respond to. The connections that you should allow depends on your specific needs. Luckily, you already know how to write rules that allow connections based on a service name or port; we already did this for SSH on port 22. You can also do this for:

此时，您应该允许服务器需要响应的所有其他连接。 您应允许的连接取决于您的特定需求。 幸运的是，您已经知道如何编写规则以允许基于服务名称或端口进行连接； 我们已经在端口22上针对SSH进行了此操作。 您也可以这样做：

• HTTP on port 80, which is what unencrypted web servers use, using sudo ufw allow http or sudo ufw allow 80

  端口80上的HTTP，这是未加密的Web服务器使用的sudo ufw allow http ，使用sudo ufw allow http或sudo ufw allow 80

• HTTPS on port 443, which is what encrypted web servers use, using sudo ufw allow https or sudo ufw allow 443

  加密的Web服务器使用的端口443上的HTTPS，使用sudo ufw allow https或sudo ufw allow 443

There are several others ways to allow other connections, aside from specifying a port or known service.

除了指定端口或已知服务之外，还有其他几种方式允许其他连接。

特定端口范围 (Specific Port Ranges)

You can specify port ranges with UFW. Some applications use multiple ports, instead of a single port.

您可以使用UFW指定端口范围。 某些应用程序使用多个端口，而不是单个端口。

For example, to allow X11 connections, which use ports 6000-6007, use these commands:

例如，为了允许X11连接，它使用端口6000 - 6007 ，使用这些命令：

When specifying port ranges with UFW, you must specify the protocol (tcp or udp) that the rules should apply to. We haven’t mentioned this before because not specifying the protocol automatically allows both protocols, which is OK in most cases.

使用UFW指定端口范围时，必须指定规则应适用的协议( tcp或udp )。 我们之前没有提到这一点，因为未指定协议会自动允许这两种协议，这在大多数情况下是可以的。

特定的IP地址 (Specific IP Addresses)

When working with UFW, you can also specify IP addresses. For example, if you want to allow connections from a specific IP address, such as a work or home IP address of 203.0.113.4, you need to specify from, then the IP address:

使用UFW时，您还可以指定IP地址。 例如，如果要允许来自特定IP地址的连接(例如203.0.113.4的工作或家庭IP地址)， 203.0.113.4需要指定from ，然后指定IP地址：

You can also specify a specific port that the IP address is allowed to connect to by adding to any port followed by the port number. For example, If you want to allow 203.0.113.4 to connect to port 22 (SSH), use this command:

您还可以通过添加to any port后跟端口号to any port指定允许IP地址连接的特定端口。 例如，如果要允许203.0.113.4连接到端口22 (SSH)，请使用以下命令：

子网路 (Subnets)

If you want to allow a subnet of IP addresses, you can do so using CIDR notation to specify a netmask. For example, if you want to allow all of the IP addresses ranging from 203.0.113.1 to 203.0.113.254 you could use this command:

如果要允许IP地址的子网，可以使用CIDR表示法指定网络掩码。 例如，如果要允许所有IP地址从203.0.113.1到203.0.113.254 ，可以使用以下命令：

Likewise, you may also specify the destination port that the subnet 203.0.113.0/24 is allowed to connect to. Again, we’ll use port 22 (SSH) as an example:

同样，您也可以指定允许子网203.0.113.0/24连接到的目标端口。 同样，我们将使用端口22 (SSH)作为示例：

与特定网络接口的连接 (Connections to a Specific Network Interface)

If you want to create a firewall rule that only applies to a specific network interface, you can do so by specifying “allow in on” followed by the name of the network interface.

如果要创建仅适用于特定网络接口的防火墙规则，可以通过指定“ allow in on”和网络接口的名称来实现。

You may want to look up your network interfaces before continuing. To do so, use this command:

您可能需要先查找网络接口，然后再继续。 为此，请使用以下命令：

   

    Output Excerpt
   
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
. . .
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
. . .

The highlighted output indicates the network interface names. They are typically named something like eth0 or enp3s2.

突出显示的输出指示网络接口名称。 它们通常被命名为eth0或enp3s2 。

So, if your server has a public network interface called eth0, you could allow HTTP traffic (port 80) to it with this command:

因此，如果您的服务器具有名为eth0的公共网络接口，则可以使用以下命令允许HTTP流量(端口80 )通过：

Doing so would allow your server to receive HTTP requests from the public internet.

这样做将允许您的服务器从公共互联网接收HTTP请求。

Or, if you want your MySQL database server (port 3306) to listen for connections on the private network interface eth1, for example, you could use this command:

或者，例如，如果您希望您MySQL数据库服务器(端口3306 )侦听专用网络接口eth1上的连接，则可以使用以下命令：

This would allow other servers on your private network to connect to your MySQL database.

这将允许您专用网络上的其他服务器连接到MySQL数据库。

第6步-拒绝连接 (Step 6 — Denying Connections)

If you haven’t changed the default policy for incoming connections, UFW is configured to deny all incoming connections. Generally, this simplifies the process of creating a secure firewall policy by requiring you to create rules that explicitly allow specific ports and IP addresses through.

如果您尚未更改传入连接的默认策略，则UFW被配置为拒绝所有传入连接。 通常，这要求您创建明确允许特定端口和IP地址通过的规则，从而简化了创建安全防火墙策略的过程。

However, sometimes you will want to deny specific connections based on the source IP address or subnet, perhaps because you know that your server is being attacked from there. Also, if you want to change your default incoming policy to allow (which is not recommended), you would need to create deny rules for any services or IP addresses that you don’t want to allow connections for.

但是，有时您可能希望基于源IP地址或子网拒绝特定的连接，这也许是因为您知道服务器正受到来自那里的攻击。 另外，如果要将默认传入策略更改为允许 (不建议这样做)，则需要为不想允许连接的任何服务或IP地址创建拒绝规则。

To write deny rules, you can use the commands described above, replacing allow with deny.

要编写拒绝规则，您可以使用上述命令，将allow替换为deny 。

For example, to deny HTTP connections, you could use this command:

例如，要拒绝HTTP连接，可以使用以下命令：

Or if you want to deny all connections from 203.0.113.4 you could use this command:

或者，如果您要拒绝203.0.113.4所有连接， 203.0.113.4可以使用以下命令：

Now let’s take a look at how to delete rules.

现在让我们看一下如何删除规则。

第7步-删除规则 (Step 7 — Deleting Rules)

Knowing how to delete firewall rules is just as important as knowing how to create them. There are two different ways to specify which rules to delete: by rule number or by the actual rule (similar to how the rules were specified when they were created). We’ll start with the delete by rule number method because it is easier.

知道如何删除防火墙规则与知道如何创建防火墙规则一样重要。 有两种不同的方法可以指定要删除的规则：按规则编号或按实际规则(类似于创建规则时如何指定规则)。 我们将从按规则编号删除方法开始，因为它比较容易。

按规则编号 (By Rule Number)

If you’re using the rule number to delete firewall rules, the first thing you’ll want to do is get a list of your firewall rules. The UFW status command has an option to display numbers next to each rule, as demonstrated here:

如果您使用规则号删除防火墙规则，则要做的第一件事就是获取防火墙规则列表。 UFW status命令可以选择在每个规则旁边显示数字，如下所示：

   

    Numbered Output:
   
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    15.15.15.0/24
[ 2] 80                         ALLOW IN    Anywhere

If we decide that we want to delete rule 2, the one that allows port 80 (HTTP) connections, we can specify it in a UFW delete command like this:

如果我们决定要删除规则2(该规则允许端口80(HTTP)连接)，则可以在UFW delete命令中指定它，如下所示：

This would show a confirmation prompt then delete rule 2, which allows HTTP connections. Note that if you have IPv6 enabled, you would want to delete the corresponding IPv6 rule as well.

这将显示确认提示，然后删除允许HTTP连接的规则2。 请注意，如果启用了IPv6，则也要删除相应的IPv6规则。

按实际规则 (By Actual Rule)

The alternative to rule numbers is to specify the actual rule to delete. For example, if you want to remove the allow http rule, you could write it like this:

规则编号的替代方法是指定要删除的实际规则。 例如，如果要删除allow http规则，则可以这样编写：

You could also specify the rule by allow 80, instead of by service name:

您还可以通过allow 80而不是服务名称来指定规则：

This method will delete both IPv4 and IPv6 rules, if they exist.

此方法将删除IPv4和IPv6规则(如果存在)。

步骤8 —检查UFW状态和规则 (Step 8 — Checking UFW Status and Rules)

At any time, you can check the status of UFW with this command:

您可以随时使用以下命令检查UFW的状态：

If UFW is disabled, which it is by default, you’ll see something like this:

如果UFW被禁用(默认情况下为UFW)，您将看到类似以下内容：

   

    Output
   
Status: inactive

If UFW is active, which it should be if you followed Step 3, the output will say that it’s active and it will list any rules that are set. For example, if the firewall is set to allow SSH (port 22) connections from anywhere, the output might look something like this:

如果UFW处于活动状态(如果遵循步骤3，则应该是活动状态)，输出将显示该状态为活动状态，并将列出所有设置的规则。 例如，如果防火墙设置为允许从任何地方进行SSH(端口22 )连接，则输出可能类似于以下内容：

   

    Output
   
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere

Use the status command if you want to check how UFW has configured the firewall.

如果要检查UFW如何配置防火墙，请使用status命令。

步骤9 —禁用或重置UFW(可选) (Step 9 — Disabling or Resetting UFW (optional))

If you decide you don’t want to use UFW, you can disable it with this command:

如果您决定不想使用UFW，则可以使用以下命令将其禁用：

Any rules that you created with UFW will no longer be active. You can always run sudo ufw enable if you need to activate it later.

您用UFW创建的任何规则将不再有效。 如果以后需要激活它，可以始终运行sudo ufw enable 。

If you already have UFW rules configured but you decide that you want to start over, you can use the reset command:

如果已经配置了UFW规则，但是您决定要重新开始，则可以使用reset命令：

This will disable UFW and delete any rules that were previously defined. Keep in mind that the default policies won’t change to their original settings, if you modified them at any point. This should give you a fresh start with UFW.

这将禁用UFW并删除以前定义的任何规则。 请记住，如果您随时修改默认策略，它们将不会更改为其原始设置。 这应该使您从UFW重新开始。

结论 (Conclusion)

Your firewall is now configured to allow (at least) SSH connections. Be sure to allow any other incoming connections that your server needs, while limiting any unnecessary connections, so your server will be functional and secure.

现在，您的防火墙已配置为允许(至少)SSH连接。 确保允许服务器需要的任何其他传入连接，同时限制任何不必要的连接，以便服务器正常运行且安全。

To learn about more common UFW configurations, check out the UFW Essentials: Common Firewall Rules and Commands tutorial.

要了解更多常见的UFW配置，请查看UFW Essentials：通用防火墙规则和命令教程。

翻译自: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04