Ufw


This page summarizes ufw (Uncomplicated Firewall), which provides a firewall service for Ubuntu.


Installation Guide

  • Installing ufw
  • Log in to Ubuntu as root.
  • sudo apt-get install ufw
  • Uses iptables internally (sudo apt-get install iptables)


  • How to open the basic service ports in the firewall
ufw default deny
ufw allow 22/tcp
ufw allow 5901/tcp
ufw allow 20/tcp
ufw allow 21/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8080/tcp
ufw allow 25/tcp
ufw allow 110/tcp
ufw allow 143/tcp
ufw allow 3306/tcp
ufw enable
ufw status


  • Installation information
  • Installation folder :
  • Configuration folder : /var/lib/ufw/user.rules
  • Data folder :
  • Start/stop :
  • Service check :
  • Log information :



User Guide

  • Using the firewall
  • ufw default deny
  • ufw allow 22/tcp
  • ufw enable
  • Firewall status and logging
  • ufw status
  • ufw app list
  • ufw logging on|off
  • Opening the firewall
  • The services used on Linux are listed in the /etc/services file.
  • ufw allow 80/tcp : allows port 80 over the TCP protocol.
  • ufw allow [proto <protocol>] [from <address> [port <port>]] [to <address> [port <port>]]
  • ufw allow proto udp from 0.0.0.0 port 53
  • ufw allow from 10.10.10.0/24
  • ufw allow from any
  • Allowing or blocking access for a specific IP
  • Blocking with the firewall
  • ufw deny 80/tcp : blocks port 80 over the TCP protocol.
  • Disabling the firewall
  • ufw disable
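
The quick-start rules in the installation guide open 22, 5901 and 3306 to every source. As an added example (not part of the original page), the script below resolves service names through a file in /etc/services format and prints a ufw rule plan that uses the `from <address>` form to limit administrative ports to one network. The function names, the SERVICES_DB variable and the choice of 10.10.10.0/24 as the admin network are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): resolve service names through a
# file in /etc/services format and print a ufw rule plan for review.
# Nothing here runs ufw; the plan is only printed.

# Path of the services database; point it at a sample file when testing.
SERVICES_DB="${SERVICES_DB:-/etc/services}"

# Constructed sample: a few lines copied from the services listing on this page.
sample_services() {
cat <<'EOF'
ssh             22/tcp                          # SSH Remote Login Protocol
ssh             22/udp
www             80/tcp          http            # WorldWideWeb HTTP
https           443/tcp                         # http protocol over TLS/SSL
mysql           3306/tcp
domain          53/udp
EOF
}

# svc_port NAME PROTO: print the port for a service name or one of its aliases.
# Comments are stripped first; exit status is 1 when nothing matches.
svc_port() {
  awk -v name="$1" -v proto="$2" '
    { sub(/#.*/, "") }
    NF < 2 { next }
    {
      split($2, pp, "/")
      if (pp[2] != proto) next
      hit = ($1 == name)
      for (i = 3; i <= NF; i++) if ($i == name) hit = 1
      if (hit) { print pp[1]; found = 1; exit }
    }
    END { exit(found ? 0 : 1) }
  ' "$SERVICES_DB"
}

# ufw_plan ADMIN_CIDR "PUBLIC..." "RESTRICTED...": print one command per line.
# Public services are opened to any source; restricted ones only to ADMIN_CIDR.
# Nothing is printed if any name fails to resolve (fail closed).
ufw_plan() (
  cidr=$1
  plan="ufw default deny"
  for svc in $2; do
    port=$(svc_port "$svc" tcp) || { echo "unknown service: $svc" >&2; exit 1; }
    plan="$plan
ufw allow $port/tcp"
  done
  for svc in $3; do
    port=$(svc_port "$svc" tcp) || { echo "unknown service: $svc" >&2; exit 1; }
    plan="$plan
ufw allow proto tcp from $cidr to any port $port"
  done
  printf '%s\nufw enable\n' "$plan"
)

# Demo on the constructed sample (runs in a subshell, leaves SERVICES_DB alone).
demo() (
  SERVICES_DB=$(mktemp) || exit 1
  sample_services > "$SERVICES_DB"
  ufw_plan 10.10.10.0/24 "www https" "ssh mysql"
  rm -f "$SERVICES_DB"
)

demo
```

Review the printed plan before running it as root, and check the result afterwards with `ufw status`.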

Administrator Guide

Ubuntu Server Services

tcpmux          1/tcp                           # TCP port service multiplexer
echo            7/tcp
echo            7/udp
discard         9/tcp           sink null
discard         9/udp           sink null
systat          11/tcp          users
daytime         13/tcp
daytime         13/udp
netstat         15/tcp
qotd            17/tcp          quote
msp             18/tcp                          # message send protocol
msp             18/udp
chargen         19/tcp          ttytst source
chargen         19/udp          ttytst source
ftp-data        20/tcp
ftp             21/tcp
fsp             21/udp          fspd
ssh             22/tcp                          # SSH Remote Login Protocol
ssh             22/udp
telnet          23/tcp
smtp            25/tcp          mail
time            37/tcp          timserver
time            37/udp          timserver
rlp             39/udp          resource        # resource location
nameserver      42/tcp          name            # IEN 116
whois           43/tcp          nicname
tacacs          49/tcp                          # Login Host Protocol (TACACS)
tacacs          49/udp
re-mail-ck      50/tcp                          # Remote Mail Checking Protocol
re-mail-ck      50/udp
domain          53/tcp                          # name-domain server
domain          53/udp
mtp             57/tcp                          # deprecated
tacacs-ds       65/tcp                          # TACACS-Database Service
tacacs-ds       65/udp
bootps          67/tcp                          # BOOTP server
bootps          67/udp
bootpc          68/tcp                          # BOOTP client
bootpc          68/udp
tftp            69/udp
gopher          70/tcp                          # Internet Gopher
gopher          70/udp
rje             77/tcp          netrjs
finger          79/tcp
www             80/tcp          http            # WorldWideWeb HTTP
www             80/udp                          # HyperText Transfer Protocol
link            87/tcp          ttylink
kerberos        88/tcp          kerberos5 krb5 kerberos-sec     # Kerberos v5
kerberos        88/udp          kerberos5 krb5 kerberos-sec     # Kerberos v5
supdup          95/tcp
hostnames       101/tcp         hostname        # usually from sri-nic
iso-tsap        102/tcp         tsap            # part of ISODE
acr-nema        104/tcp         dicom           # Digital Imag. & Comm. 300
acr-nema        104/udp         dicom           # Digital Imag. & Comm. 300
csnet-ns        105/tcp         cso-ns          # also used by CSO name server
csnet-ns        105/udp         cso-ns
rtelnet         107/tcp                         # Remote Telnet
rtelnet         107/udp
pop2            109/tcp         postoffice pop-2 # POP version 2
pop2            109/udp         pop-2
pop3            110/tcp         pop-3           # POP version 3
pop3            110/udp         pop-3
sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper
sunrpc          111/udp         portmapper
auth            113/tcp         authentication tap ident
sftp            115/tcp
uucp-path       117/tcp
nntp            119/tcp         readnews untp   # USENET News Transfer Protocol
ntp             123/tcp
ntp             123/udp                         # Network Time Protocol
pwdgen          129/tcp                         # PWDGEN service
pwdgen          129/udp                         # PWDGEN service
loc-srv         135/tcp         epmap           # Location Service
loc-srv         135/udp         epmap
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                         # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                         # NETBIOS session service
netbios-ssn     139/udp
imap2           143/tcp         imap            # Interim Mail Access P 2 and 4
imap2           143/udp         imap
snmp            161/tcp                         # Simple Net Mgmt Protocol
snmp            161/udp                         # Simple Net Mgmt Protocol
snmp-trap       162/tcp         snmptrap        # Traps for SNMP
snmp-trap       162/udp         snmptrap        # Traps for SNMP
cmip-man        163/tcp                         # ISO mgmt over IP (CMOT)
cmip-man        163/udp
cmip-agent      164/tcp
cmip-agent      164/udp
mailq           174/tcp                 # Mailer transport queue for Zmailer
mailq           174/udp                 # Mailer transport queue for Zmailer
xdmcp           177/tcp                         # X Display Mgr. Control Proto
xdmcp           177/udp
nextstep        178/tcp         NeXTStep NextStep       # NeXTStep window
nextstep        178/udp         NeXTStep NextStep       #  server
bgp             179/tcp                         # Border Gateway Protocol
bgp             179/udp
prospero        191/tcp                         # Cliff Neuman's Prospero
prospero        191/udp
irc             194/tcp                         # Internet Relay Chat
irc             194/udp
smux            199/tcp                         # SNMP Unix Multiplexer
smux            199/udp
at-rtmp         201/tcp                         # AppleTalk routing
at-rtmp         201/udp
at-nbp          202/tcp                         # AppleTalk name binding
at-nbp          202/udp
at-echo         204/tcp                         # AppleTalk echo
at-echo         204/udp
at-zis          206/tcp                         # AppleTalk zone information
at-zis          206/udp
qmtp            209/tcp                         # Quick Mail Transfer Protocol
qmtp            209/udp                         # Quick Mail Transfer Protocol
z3950           210/tcp         wais            # NISO Z39.50 database
z3950           210/udp         wais
ipx             213/tcp                         # IPX
ipx             213/udp
imap3           220/tcp                         # Interactive Mail Access
imap3           220/udp                         # Protocol v3
pawserv         345/tcp                         # Perf Analysis Workbench
pawserv         345/udp
zserv           346/tcp                         # Zebra server
zserv           346/udp
fatserv         347/tcp                         # Fatmen Server
fatserv         347/udp
rpc2portmap     369/tcp
rpc2portmap     369/udp                         # Coda portmapper
codaauth2       370/tcp
codaauth2       370/udp                         # Coda authentication server
clearcase       371/tcp         Clearcase
clearcase       371/udp         Clearcase
ulistserv       372/tcp                         # UNIX Listserv
ulistserv       372/udp
ldap            389/tcp                 # Lightweight Directory Access Protocol
ldap            389/udp
imsp            406/tcp                 # Interactive Mail Support Protocol
imsp            406/udp
https           443/tcp                         # http protocol over TLS/SSL
https           443/udp
snpp            444/tcp                         # Simple Network Paging Protocol
snpp            444/udp
microsoft-ds    445/tcp                         # Microsoft Naked CIFS
microsoft-ds    445/udp
kpasswd         464/tcp
kpasswd         464/udp
saft            487/tcp                 # Simple Asynchronous File Transfer
saft            487/udp
isakmp          500/tcp                 # IPsec - Internet Security Association
isakmp          500/udp                 #  and Key Management Protocol
rtsp            554/tcp                 # Real Time Stream Control Protocol
rtsp            554/udp                 # Real Time Stream Control Protocol
nqs             607/tcp                         # Network Queuing system
nqs             607/udp
npmp-local      610/tcp         dqs313_qmaster          # npmp-local / DQS
npmp-local      610/udp         dqs313_qmaster
npmp-gui        611/tcp         dqs313_execd            # npmp-gui / DQS
npmp-gui        611/udp         dqs313_execd
hmmp-ind        612/tcp         dqs313_intercell        # HMMP Indication / DQS
hmmp-ind        612/udp         dqs313_intercell
qmqp            628/tcp
qmqp            628/udp
ipp             631/tcp                         # Internet Printing Protocol
ipp             631/udp
#
# UNIX specific services
#
exec            512/tcp
biff            512/udp         comsat
login           513/tcp
who             513/udp         whod
shell           514/tcp         cmd             # no passwords used
syslog          514/udp
printer         515/tcp         spooler         # line printer spooler
talk            517/udp
ntalk           518/udp
route           520/udp         router routed   # RIP
timed           525/udp         timeserver
tempo           526/tcp         newdate
courier         530/tcp         rpc
conference      531/tcp         chat
netnews         532/tcp         readnews
netwall         533/udp                         # for emergency broadcasts
gdomap          538/tcp                         # GNUstep distributed objects
gdomap          538/udp
uucp            540/tcp         uucpd           # uucp daemon
klogin          543/tcp                         # Kerberized `rlogin' (v5)
kshell          544/tcp         krcmd           # Kerberized `rsh' (v5)
afpovertcp      548/tcp                         # AFP over TCP
afpovertcp      548/udp
remotefs        556/tcp         rfs_server rfs  # Brunhoff remote filesystem
nntps           563/tcp         snntp           # NNTP over SSL
nntps           563/udp         snntp
submission      587/tcp                         # Submission [RFC2476]
submission      587/udp
ldaps           636/tcp                         # LDAP over SSL
ldaps           636/udp
tinc            655/tcp                         # tinc control port
tinc            655/udp
silc            706/tcp
silc            706/udp
kerberos-adm    749/tcp                         # Kerberos `kadmin' (v5)
#
webster         765/tcp                         # Network dictionary
webster         765/udp
rsync           873/tcp
rsync           873/udp
ftps-data       989/tcp                         # FTP over SSL (data)
ftps            990/tcp
telnets         992/tcp                         # Telnet over SSL
telnets         992/udp
imaps           993/tcp                         # IMAP over SSL
imaps           993/udp
ircs            994/tcp                         # IRC over SSL
ircs            994/udp
pop3s           995/tcp                         # POP-3 over SSL
pop3s           995/udp

socks           1080/tcp                        # socks proxy server
socks           1080/udp
proofd          1093/tcp
proofd          1093/udp
rootd           1094/tcp
rootd           1094/udp
openvpn         1194/tcp
openvpn         1194/udp
rmiregistry     1099/tcp                        # Java RMI Registry
rmiregistry     1099/udp
kazaa           1214/tcp
kazaa           1214/udp
nessus          1241/tcp                        # Nessus vulnerability
nessus          1241/udp                        #  assessment scanner
lotusnote       1352/tcp        lotusnotes      # Lotus Note
lotusnote       1352/udp        lotusnotes
ms-sql-s        1433/tcp                        # Microsoft SQL Server
ms-sql-s        1433/udp
ms-sql-m        1434/tcp                        # Microsoft SQL Monitor
ms-sql-m        1434/udp
ingreslock      1524/tcp
ingreslock      1524/udp
prospero-np     1525/tcp                        # Prospero non-privileged
prospero-np     1525/udp
datametrics     1645/tcp        old-radius
datametrics     1645/udp        old-radius
sa-msg-port     1646/tcp        old-radacct
sa-msg-port     1646/udp        old-radacct
kermit          1649/tcp
kermit          1649/udp
l2f             1701/tcp        l2tp
l2f             1701/udp        l2tp
radius          1812/tcp
radius          1812/udp
radius-acct     1813/tcp        radacct         # Radius Accounting
radius-acct     1813/udp        radacct
msnp            1863/tcp                        # MSN Messenger
msnp            1863/udp
unix-status     1957/tcp                        # remstats unix-status server
log-server      1958/tcp                        # remstats log server
remoteping      1959/tcp                        # remstats remoteping server
search          2010/tcp        ndtp
pipe_server     2010/tcp
nfs             2049/tcp                        # Network File System
nfs             2049/udp                        # Network File System
rtcm-sc104      2101/tcp                        # RTCM SC-104 IANA 1/29/99
rtcm-sc104      2101/udp
cvspserver      2401/tcp                        # CVS client/server operations
cvspserver      2401/udp
venus           2430/tcp                        # codacon port
venus           2430/udp                        # Venus callback/wbc interface
venus-se        2431/tcp                        # tcp side effects
venus-se        2431/udp                        # udp sftp side effect
codasrv         2432/tcp                        # not used
codasrv         2432/udp                        # server port
codasrv-se      2433/tcp                        # tcp side effects
codasrv-se      2433/udp                        # udp sftp side effect
mon             2583/tcp                        # MON
mon             2583/udp
dict            2628/tcp                        # Dictionary server
dict            2628/udp
gpsd            2947/tcp
gpsd            2947/udp
gds_db          3050/tcp                        # InterBase server
gds_db          3050/udp
icpv2           3130/tcp        icp             # Internet Cache Protocol
icpv2           3130/udp        icp
mysql           3306/tcp
mysql           3306/udp
nut             3493/tcp                        # Network UPS Tools
nut             3493/udp
distcc          3632/tcp                        # distributed compiler
distcc          3632/udp
daap            3689/tcp                        # Digital Audio Access Protocol
daap            3689/udp
svn             3690/tcp        subversion      # Subversion protocol
svn             3690/udp        subversion
suucp           4031/tcp                        # UUCP over SSL
suucp           4031/udp                        # UUCP over SSL
sysrqd          4094/tcp                        # sysrq daemon
sysrqd          4094/udp                        # sysrq daemon
remctl          4373/tcp                # Remote Authenticated Command Service
remctl          4373/udp                # Remote Authenticated Command Service
iax             4569/tcp                        # Inter-Asterisk eXchange
iax             4569/udp
radmin-port     4899/tcp                        # RAdmin Port
radmin-port     4899/udp
rfe             5002/udp                        # Radio Free Ethernet
rfe             5002/tcp
mmcc            5050/tcp        # multimedia conference control tool (Yahoo IM)
mmcc            5050/udp
sip             5060/tcp                        # Session Initiation Protocol
sip             5060/udp
sip-tls         5061/tcp
sip-tls         5061/udp
aol             5190/tcp                        # AIM
aol             5190/udp
xmpp-client     5222/tcp        jabber-client   # Jabber Client Connection
xmpp-client     5222/udp        jabber-client
xmpp-server     5269/tcp        jabber-server   # Jabber Server Connection
xmpp-server     5269/udp        jabber-server
cfengine        5308/tcp
cfengine        5308/udp
mdns            5353/tcp                        # Multicast DNS
mdns            5353/udp                        # Multicast DNS
postgresql      5432/tcp        postgres        # PostgreSQL Database
postgresql      5432/udp        postgres
freeciv         5556/tcp        rptp            # Freeciv gameplay
freeciv         5556/udp
ggz             5688/tcp                        # GGZ Gaming Zone
ggz             5688/udp                        # GGZ Gaming Zone
x11             6000/tcp        x11-0           # X Window System
x11             6000/udp        x11-0
x11-1           6001/tcp
x11-1           6001/udp
x11-2           6002/tcp
x11-2           6002/udp
x11-3           6003/tcp
x11-3           6003/udp
x11-4           6004/tcp
x11-4           6004/udp
x11-5           6005/tcp
x11-5           6005/udp
x11-6           6006/tcp
x11-6           6006/udp
x11-7           6007/tcp
x11-7           6007/udp
gnutella-svc    6346/tcp                        # gnutella
gnutella-svc    6346/udp
gnutella-rtr    6347/tcp                        # gnutella
gnutella-rtr    6347/udp
sge_qmaster     6444/tcp                        # Grid Engine Qmaster Service
sge_qmaster     6444/udp                        # Grid Engine Qmaster Service
sge_execd       6445/tcp                        # Grid Engine Execution Service
sge_execd       6445/udp                        # Grid Engine Execution Service
afs3-fileserver 7000/tcp        bbs             # file server itself
afs3-fileserver 7000/udp        bbs
afs3-callback   7001/tcp                        # callbacks to cache managers
afs3-callback   7001/udp
afs3-prserver   7002/tcp                        # users & groups database
afs3-prserver   7002/udp
afs3-vlserver   7003/tcp                        # volume location database
afs3-vlserver   7003/udp
afs3-kaserver   7004/tcp                        # AFS/Kerberos authentication
afs3-kaserver   7004/udp
afs3-volser     7005/tcp                        # volume managment server
afs3-volser     7005/udp
afs3-errors     7006/tcp                        # error interpretation service
afs3-errors     7006/udp
afs3-bos        7007/tcp                        # basic overseer process
afs3-bos        7007/udp
afs3-update     7008/tcp                        # server-to-server updater
afs3-update     7008/udp
afs3-rmtsys     7009/tcp                        # remote cache manager service
afs3-rmtsys     7009/udp
font-service    7100/tcp        xfs             # X Font Service
font-service    7100/udp        xfs
http-alt        8080/tcp        webcache        # WWW caching service
http-alt        8080/udp                        # WWW caching service
bacula-dir      9101/tcp                        # Bacula Director
bacula-dir      9101/udp
bacula-fd       9102/tcp                        # Bacula File Daemon
bacula-fd       9102/udp
bacula-sd       9103/tcp                        # Bacula Storage Daemon
bacula-sd       9103/udp
amanda          10080/tcp                       # amanda backup services
amanda          10080/udp
hkp             11371/tcp                       # OpenPGP HTTP Keyserver
hkp             11371/udp                       # OpenPGP HTTP Keyserver
bprd            13720/tcp                       # VERITAS NetBackup
bprd            13720/udp
bpdbm           13721/tcp                       # VERITAS NetBackup
bpdbm           13721/udp
bpjava-msvc     13722/tcp                       # BP Java MSVC Protocol
bpjava-msvc     13722/udp
vnetd           13724/tcp                       # Veritas Network Utility
vnetd           13724/udp
bpcd            13782/tcp                       # VERITAS NetBackup
bpcd            13782/udp
vopied          13783/tcp                       # VERITAS NetBackup
vopied          13783/udp
wnn6            22273/tcp                       # wnn6
wnn6            22273/udp

rtmp            1/ddp                   # Routing Table Maintenance Protocol
nbp             2/ddp                   # Name Binding Protocol
echo            4/ddp                   # AppleTalk Echo Protocol 
zip             6/ddp                   # Zone Information Protocol 

kerberos4       750/udp         kerberos-iv kdc # Kerberos (server)
kerberos4       750/tcp         kerberos-iv kdc
kerberos_master 751/udp                         # Kerberos authentication
kerberos_master 751/tcp
passwd_server   752/udp                         # Kerberos passwd server
krb_prop        754/tcp         krb5_prop hprop # Kerberos slave propagation
krbupdate       760/tcp         kreg            # Kerberos registration
swat            901/tcp                         # swat
kpop            1109/tcp                        # Pop with Kerberos
knetd           2053/tcp                        # Kerberos de-multiplexor
zephyr-srv      2102/udp                        # Zephyr server
zephyr-clt      2103/udp                        # Zephyr serv-hm connection
zephyr-hm       2104/udp                        # Zephyr hostmanager
eklogin         2105/tcp                        # Kerberos encrypted rlogin 

kx              2111/tcp                        # X over Kerberos 
iprop           2121/tcp                        # incremental propagation 

supfilesrv      871/tcp                         # SUP server
supfiledbg      1127/tcp                        # SUP debugging

linuxconf       98/tcp                          # LinuxConf
poppassd        106/tcp                         # Eudora
poppassd        106/udp
ssmtp           465/tcp         smtps           # SMTP over SSL
moira_db        775/tcp                         # Moira database
moira_update    777/tcp                         # Moira update protocol
moira_ureg      779/udp                         # Moira user registration
spamd           783/tcp                         # spamassassin daemon
omirr           808/tcp         omirrd          # online mirror
omirr           808/udp         omirrd
customs         1001/tcp                        # pmake customs server
customs         1001/udp
skkserv         1178/tcp                        # skk jisho server port
predict         1210/udp                        # predict -- satellite tracking
rmtcfg          1236/tcp                        # Gracilis Packeten remote config server
wipld           1300/tcp                        # Wipl network monitor
xtel            1313/tcp                        # french minitel
xtelw           1314/tcp                        # french minitel
support         1529/tcp                        # GNATS
sieve           2000/tcp                        # Sieve mail filter daemon
cfinger         2003/tcp                        # GNU Finger
frox            2121/tcp                        # frox: caching ftp proxy
ninstall        2150/tcp                        # ninstall service
ninstall        2150/udp
zebrasrv        2600/tcp                        # zebra service
zebra           2601/tcp                        # zebra vty
ripd            2602/tcp                        # ripd vty (zebra)
ripngd          2603/tcp                        # ripngd vty (zebra)
ospfd           2604/tcp                        # ospfd vty (zebra)
bgpd            2605/tcp                        # bgpd vty (zebra)
ospf6d          2606/tcp                        # ospf6d vty (zebra)
ospfapi         2607/tcp                        # OSPF-API
isisd           2608/tcp                        # ISISd vty (zebra)
afbackup        2988/tcp                        # Afbackup system
afbackup        2988/udp
afmbackup       2989/tcp                        # Afmbackup system
afmbackup       2989/udp
xtell           4224/tcp                        # xtell server
fax             4557/tcp                        # FAX transmission service (old)
hylafax         4559/tcp                        # HylaFAX client-server protocol (new)
distmp3         4600/tcp                        # distmp3host daemon
munin           4949/tcp        lrrd            # Munin
enbd-cstatd     5051/tcp                        # ENBD client statd
enbd-sstatd     5052/tcp                        # ENBD server statd
noclog          5354/tcp                        # noclogd with TCP (nocol)
noclog          5354/udp                        # noclogd with UDP (nocol)
hostmon         5355/tcp                        # hostmon uses TCP (nocol)
hostmon         5355/udp                        # hostmon uses UDP (nocol)
rplay           5555/udp                        # RPlay audio service
nsca            5667/tcp                        # Nagios Agent - NSCA
mrtd            5674/tcp                        # MRT Routing Daemon
bgpsim          5675/tcp                        # MRT Routing Simulator
canna           5680/tcp                        # cannaserver
sane-port       6566/tcp        sane saned      # SANE network scanner daemon
ircd            6667/tcp                        # Internet Relay Chat
zope-ftp        8021/tcp                        # zope management by ftp
tproxy          8081/tcp                        # Transparent Proxy
omniorb         8088/tcp                        # OmniORB
omniorb         8088/udp
clc-build-daemon 8990/tcp                       # Common lisp build daemon
xinetd          9098/tcp
mandelspawn     9359/udp        mandelbrot      # network mandelbrot
git             9418/tcp                        # Git Version Control System
zope            9673/tcp                        # zope server
webmin          10000/tcp
kamanda         10081/tcp                       # amanda backup services (Kerberos)
kamanda         10081/udp
amandaidx       10082/tcp                       # amanda backup services
amidxtape       10083/tcp                       # amanda backup services
smsqp           11201/tcp                       # Alamin SMS gateway
smsqp           11201/udp
xpilot          15345/tcp                       # XPilot Contact Port
xpilot          15345/udp
sgi-cmsd        17001/udp               # Cluster membership services daemon
sgi-crsd        17002/udp
sgi-gcd         17003/udp                       # SGI Group membership daemon
sgi-cad         17004/tcp                       # Cluster Admin daemon
isdnlog         20011/tcp                       # isdn logging system
isdnlog         20011/udp
vboxd           20012/tcp                       # voice box system
vboxd           20012/udp
binkp           24554/tcp                       # binkp fidonet protocol
asp             27374/tcp                       # Address Search Protocol
asp             27374/udp
csync2          30865/tcp                       # cluster synchronization tool
dircproxy       57000/tcp                       # Detachable IRC Proxy
tfido           60177/tcp                       # fidonet EMSI over telnet
fido            60179/tcp                       # fidonet EMSI over TCP

References