Manjaro Difference between revisions of "Firewalls/zh-cn"

Difference between revisions of "Firewalls/zh-cn"

From Manjaro
(Created page with "{{warning|iptables.service 和 ufw.service 是冲突的,不要同时启用他们}}")
Tags: Mobile web edit Mobile edit
 
(One intermediate revision by one other user not shown)
Line 5: Line 5:


建议您运行本地防火墙,即使您已经处于网络防火墙的保护之下。本地防火墙将保护你免受内网中威胁的影响。
建议您运行本地防火墙,即使您已经处于网络防火墙的保护之下。本地防火墙将保护你免受内网中威胁的影响。


==不复杂的防火墙(Uncomplicated FireWall)==  
==不复杂的防火墙(Uncomplicated FireWall)==  


UFW表示简单的防火墙,作为一个对netfilter防火墙的的包装。它提供了一个命令行界面,旨在简单易用。UFW远比iptables更加简单;除非你有特殊需求,使用UFW是最佳选择。
UFW表示简单的防火墙,作为一个对netfilter防火墙的的包装。它提供了一个命令行界面,旨在简单易用。UFW远比iptables更加简单;除非你有特殊需求,使用UFW是最佳选择。


==安装UFW==
==安装UFW==


您可以使用任何包管理器安装UFW,如 pamac install ufw
您可以使用任何包管理器安装{{ic|ufw}},如 {{UserCmd|command=pamac install ufw}}
 


<div class="mw-translate-fuzzy">
一旦UFW安装好了,您需要使用一下命令启动您的防火墙:
一旦UFW安装好了,您需要使用一下命令启动您的防火墙:
sudo systemctl enable ufw.service
sudo systemctl enable ufw.service
sudo ufw enable
sudo ufw enable
 
</div>


{{warning|iptables.service 和 ufw.service 是冲突的,不要同时启用他们}}
{{warning|iptables.service 和 ufw.service 是冲突的,不要同时启用他们}}


==添加规则==
==添加规则==


<div class="mw-translate-fuzzy">
想要看见目前的设置,可以输入 {{ic|ufw status}}。 如果您是第一次安装,命令行中应当有如下输出:
想要看见目前的设置,可以输入 {{ic|ufw status}}。 如果您是第一次安装,命令行中应当有如下输出:
<pre>
<pre>
Line 35: Line 33:
New profiles: skip
New profiles: skip
</pre>
</pre>
</div>


{{UserCmdOutput|command=sudo ufw status verbose|result=
<pre>Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip</pre>
}}


<div class="mw-translate-fuzzy">
这表示它将阻止所有传入流量并允许所有传出流量。这在大多数情况下是一个很好的起点。但是,您通常希望允许一些传入的流量。这可以通过命令{{ic | UFW允许}}来完成。例如,如果您想要允许传入的SSH流量,所以您可以从网络上的其他机器连接到这台机器,您可以使用:
这表示它将阻止所有传入流量并允许所有传出流量。这在大多数情况下是一个很好的起点。但是,您通常希望允许一些传入的流量。这可以通过命令{{ic | UFW允许}}来完成。例如,如果您想要允许传入的SSH流量,所以您可以从网络上的其他机器连接到这台机器,您可以使用:
sudo ufw allow ssh
sudo ufw allow ssh
 
</div>


If we wanted to also tcp connections to a local webserver on a non-standard https port, 8443.  We could use the command:
If we wanted to also tcp connections to a local webserver on a non-standard https port, 8443.  We could use the command:
  sudo ufw allow in 8443/tcp
  {{UserCmd|command=sudo ufw allow in 8443/tcp}}
 


{{tip|When you don't specify "in" or "out", "in" is assumed}}
{{tip|When you don't specify "in" or "out", "in" is assumed}}


==UFW and Applications==
==UFW and Applications==


You may notice a difference in the above two commands.  When we built the rules for ssh we used the name and for https we used the port number, 8443.  This is because UFW has a small database of applications it knows the ports for.  You can see the list with the command:
You may notice a difference in the above two commands.  When we built the rules for ssh we used the name and for https we used the port number, 8443.  This is because UFW has a small database of applications it knows the ports for.  You can see the list with the command:
sudo ufw app list
{{UserCmd|command=sudo ufw app list}}


For applications on the list you can add them by name.  If you want to review the configuration for one of the applications, you can use the command {{ic|ufw app info}}.  For example, to the configuration for ssh:


For applications on the list you can add them by name. If you want to review the configuration for one of the applications, you can use the command {{ic|ufw app info}}.  For example, to the configuration for ssh:
  {{UserCmdOutput|command=sudo ufw app info SSH|result=
<pre>sudo ufw app info SSH
<pre>Profile: SSH
Profile: SSH
Title: SSH server
Title: SSH server
Description: SSH server
Description: SSH server
 
Port:
Port:
   22/tcp
   22/tcp</pre>
</pre>
}}
 


{{tip|When using ufw app the commands are case sensitive but when adding rules they are not}}
{{tip|When using ufw app the commands are case sensitive but when adding rules they are not}}


Some additional preconfigured applications can be added by installing the package {{ic|ufw-extras}} with your favorite package manager or the command:
Some additional preconfigured applications can be added by installing the package {{ic|ufw-extras}} with your favorite package manager or the command:
  pamac install ufw-extras
  {{UserCmd|command=pamac install ufw-extras}}
 


==Removing Rules==
==Removing Rules==


Rules can be removed with the {{ic|ufw delete}} command.  For example, to delete our 8443 rules we could use the command:
Rules can be removed with the {{ic|ufw delete}} command.  For example, to delete our 8443 rules we could use the command:
  sudo ufw delete allow 8443/tcp
  {{UserCmd|command=sudo ufw delete allow 8443/tcp}}
 


You can also delete them by number.  This is easier if you have a numbered list which you can see with the command:
You can also delete them by number.  This is easier if you have a numbered list which you can see with the command:
<pre>
sudo ufw status numbered
Status: active


    To                        Action      From
{{UserCmdOutput|command=sudo ufw status numbered|result=
<pre>Status: active
To                        Action      From
     --                        ------      ----
     --                        ------      ----
[ 1] 22                        ALLOW IN    Anywhere                
[ 1] 22                        ALLOW IN    Anywhere
[ 2] 22 (v6)                    ALLOW IN    Anywhere (v6)</pre>
[ 2] 22 (v6)                    ALLOW IN    Anywhere (v6)
 
</pre>}}


Now if we wanted to stop allowing ssh on ipv6 we could use the command:
Now if we wanted to stop allowing ssh on ipv6 we could use the command:
  sudo ufw delete 2
  {{UserCmd|command=sudo ufw delete 2}}
 


==GUFW==
==GUFW==
[[File:gufw.jpg|thumb|left|240px]]
[[File:gufw.jpg|thumb|left|240px]]


Prefer to use GUI applications and still want to manage your firewall? No problem.  GUFW is a GTK front-end for UFW that aims to make managing a Linux firewall as accessible and easy as possible. It features pre-sets for common ports and p2p applications.
Prefer to use GUI applications and still want to manage your firewall? No problem.  GUFW is a GTK front-end for UFW that aims to make managing a Linux firewall as accessible and easy as possible. It features pre-sets for common ports and p2p applications.


If it is not installed already gufw can be installed from the repos:
If it is not installed already gufw can be installed from the repos:
  pamac install gufw
  {{UserCmd|command=pamac install gufw}}
 


It will now be available in the menu as '''Firewall Configuration''' or by running {{ic|gufw}} directly.
It will now be available in the menu as '''Firewall Configuration''' or by running {{ic|gufw}} directly.
<div style="clear: both"></div>
<div style="clear: both"></div>


=iptables=
=iptables=


iptables is included as part of the Linux kernel.  iptables is significantly more complicated than using a tool like UFW.  As a result, a full tutorial on iptables is beyond the scope of this wiki.  Using iptables on Manjaro should be the same for every distribution of Linux so there is plenty of available documentation.  Some of this is linked [[Firewalls#See_Also|below]].  Here are some basics to get you started.
iptables is included as part of the Linux kernel.  iptables is significantly more complicated than using a tool like UFW.  As a result, a full tutorial on iptables is beyond the scope of this wiki.  Using iptables on Manjaro should be the same for every distribution of Linux so there is plenty of available documentation.  Some of this is linked [[Firewalls#See_Also|below]].  Here are some basics to get you started.


To enable loading rules on startup you can use the command:
To enable loading rules on startup you can use the command:
  sudo systemctl enable iptables.service
  {{UserCmd|command=sudo systemctl enable iptables.service}}
 


This will load the rules from the file {{ic|/etc/iptables/iptables.rules}}.
This will load the rules from the file {{ic|/etc/iptables/iptables.rules}}.


To display the currently loaded rules:
To display the currently loaded rules:
  sudo iptables -L
  {{UserCmd|command=sudo iptables -L}}
 


To save the current rules to a file
To save the current rules to a file
  sudo sh -c "iptables-save > /etc/iptables/iptables.rules"
  {{UserCmd|command=sudo sh -c "iptables-save > /etc/iptables/iptables.rules"}}
 


To load the rules from a file
To load the rules from a file
  sudo sh -c "iptables-restore > /etc/iptables/iptables.rules"
{{UserCmd|command=sudo sh -c "iptables-restore > /etc/iptables/iptables.rules"}}
 


To allow ssh connections
To allow ssh connections
  sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  {{UserCmd|command=sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT}}
  sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  {{UserCmd|command=sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT}}
 


=See Also=
=See Also=

Latest revision as of 05:00, 25 May 2022

Other languages:
English • ‎Türkçe • ‎русский • ‎فارسی • ‎中文(中国大陆)‎

绪论

建议您运行本地防火墙,即使您已经处于网络防火墙的保护之下。本地防火墙将保护你免受内网中威胁的影响。

不复杂的防火墙(Uncomplicated FireWall)

UFW表示简单的防火墙,作为一个对netfilter防火墙的的包装。它提供了一个命令行界面,旨在简单易用。UFW远比iptables更加简单;除非你有特殊需求,使用UFW是最佳选择。

安装UFW

您可以使用任何包管理器安装ufw,如

user $ pamac install ufw COPY TO CLIPBOARD


一旦UFW安装好了,您需要使用一下命令启动您的防火墙: sudo systemctl enable ufw.service sudo ufw enable


Warning
iptables.service 和 ufw.service 是冲突的,不要同时启用他们

添加规则

想要看见目前的设置,可以输入 ufw status。 如果您是第一次安装,命令行中应当有如下输出:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip


$ sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip


这表示它将阻止所有传入流量并允许所有传出流量。这在大多数情况下是一个很好的起点。但是,您通常希望允许一些传入的流量。这可以通过命令 UFW允许来完成。例如,如果您想要允许传入的SSH流量,所以您可以从网络上的其他机器连接到这台机器,您可以使用: sudo ufw allow ssh

If we wanted to also tcp connections to a local webserver on a non-standard https port, 8443. We could use the command:

user $ sudo ufw allow in 8443/tcp COPY TO CLIPBOARD




Tip
When you don't specify "in" or "out", "in" is assumed

UFW and Applications

You may notice a difference in the above two commands. When we built the rules for ssh we used the name and for https we used the port number, 8443. This is because UFW has a small database of applications it knows the ports for. You can see the list with the command:

user $ sudo ufw app list COPY TO CLIPBOARD


For applications on the list you can add them by name. If you want to review the configuration for one of the applications, you can use the command ufw app info. For example, to the configuration for ssh:


$ sudo ufw app info SSH

Profile: SSH
Title: SSH server
Description: SSH server
 
 
Port:
  22/tcp



Tip
When using ufw app the commands are case sensitive but when adding rules they are not

Some additional preconfigured applications can be added by installing the package ufw-extras with your favorite package manager or the command:

user $ pamac install ufw-extras COPY TO CLIPBOARD


Removing Rules

Rules can be removed with the ufw delete command. For example, to delete our 8443 rules we could use the command:

user $ sudo ufw delete allow 8443/tcp COPY TO CLIPBOARD


You can also delete them by number. This is easier if you have a numbered list which you can see with the command:


$ sudo ufw status numbered

Status: active
To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22 (v6)                    ALLOW IN    Anywhere (v6)


Now if we wanted to stop allowing ssh on ipv6 we could use the command:

user $ sudo ufw delete 2 COPY TO CLIPBOARD


GUFW

Gufw.jpg

Prefer to use GUI applications and still want to manage your firewall? No problem. GUFW is a GTK front-end for UFW that aims to make managing a Linux firewall as accessible and easy as possible. It features pre-sets for common ports and p2p applications.

If it is not installed already gufw can be installed from the repos:

user $ pamac install gufw COPY TO CLIPBOARD


It will now be available in the menu as Firewall Configuration or by running gufw directly.

iptables

iptables is included as part of the Linux kernel. iptables is significantly more complicated than using a tool like UFW. As a result, a full tutorial on iptables is beyond the scope of this wiki. Using iptables on Manjaro should be the same for every distribution of Linux so there is plenty of available documentation. Some of this is linked below. Here are some basics to get you started.

To enable loading rules on startup you can use the command:

user $ sudo systemctl enable iptables.service COPY TO CLIPBOARD


This will load the rules from the file /etc/iptables/iptables.rules.

To display the currently loaded rules:

user $ sudo iptables -L COPY TO CLIPBOARD


To save the current rules to a file

user $ sudo sh -c "iptables-save > /etc/iptables/iptables.rules" /etc/iptables/iptables.rules" " aria-disabled="false">COPY TO CLIPBOARD


To load the rules from a file

user $ sudo sh -c "iptables-restore > /etc/iptables/iptables.rules" /etc/iptables/iptables.rules" " aria-disabled="false">COPY TO CLIPBOARD


To allow ssh connections

user $ sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT COPY TO CLIPBOARD


user $ sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT COPY TO CLIPBOARD


See Also

Cookies help us deliver our services. By using our services, you agree to our use of cookies.