| 143번째 줄: | 143번째 줄: | ||
OUT=MAC=00:15:5d:03:1e:57:00:04:96:34:b5:e9:08:00 SRC=192.168.0.100 DST=192.168.0.200... | OUT=MAC=00:15:5d:03:1e:57:00:04:96:34:b5:e9:08:00 SRC=192.168.0.100 DST=192.168.0.200... | ||
| − | ===== | + | ===== 필수 허용 규칙 ===== |
You must specify these rules to have all imRAD services work properly. You'd better copy all the following rules and then paste them. {{note|Note that if your system does not need to serve some services, you can ignore their rules. Please refer to the [[ImRAD port]] to verify what the port number means.}} | You must specify these rules to have all imRAD services work properly. You'd better copy all the following rules and then paste them. {{note|Note that if your system does not need to serve some services, you can ignore their rules. Please refer to the [[ImRAD port]] to verify what the port number means.}} | ||
LYSH@MyHostName# show ufw added | LYSH@MyHostName# show ufw added | ||
2021년 5월 17일 (월) 14:42 판
ufw (방화벽)
imRAD system은 방화벽 기능으로 "ufw"[1]를 사용합니다. ufw는 호스트 기반 방화벽에 적합하며 iptable을 사용합니다. 관리자는 특정 네트워크 트래픽(예, SSH or web server traffic)에 대한 흐름을 허용하거나 차단 할 수 있습니다.
configuration mode에서 ufw enable 또는 ufw disable 명령어를 사용해 ufw를 사용 혹은 중지 시킬 수 있습니다.
ufw의 초기상태는 미사용(disable) 상태이며 필요시 사용 상태로 변경하세요.
이 순서에서는 기본 적인 syntax와 예시를 설명하며 자세한 사용법은 https://help.ubuntu.com/community/UFW 또는 http://manpages.ubuntu.com/manpages/bionic/man8/ufw.8.html 페이지를 참고하세요.
ufw 확인
urw가 미사용 상태일때 아래 예시와 같이 표시됩니다.
LYSH@MyHostName# show ufw Status: inactive // ufw is in disable
아래 예시는 몇몇 규칙과 함께 ufw가 사용 상태일때의 일반적은 설정 형태입니다. 기본(default) incoming 규칙은 deny 인데 이는 허용된 규칙을 제외한 모든 트래픽은 차단됨을 의미합니다.
LYSH@MyHostName# show ufw Status: active // ufw is in enable Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- [ 1] 22 ALLOW IN 192.168.0.10 [ 2] 22 ALLOW IN 192.168.0.11 [ 3] 22 ALLOW IN 192.168.0.12 ...
show ufw added 명령어를 사용하면 등록된 규칙을 모두 출력합니다.(미사용 상태에서도 표시합니다.)
LYSH@MyHostName# show ufw added ufw allow from 192.168.0.10 to any port 22 ufw allow from 192.168.0.11 to any port 22 ufw allow from 192.168.0.12 to any port 22
사용(enable) / 미사용(Disable)
configuration mode에서 ufw를 사용 혹은 미사용 상태로 전환할 수 있습니다.
기본 incoming 규칙을 "allow"로 변경 후 ufw를 "사용(enable)" 상태로 변경하세요. 그렇지 않으면 현재 연결이 끊기고 및 일부 서비스의 통신이 차단 될 수 있습니다.
LYSH@MyHostName# configure
configure# ufw default allow
configure# ufw enable
configure# exit
LYSH@MyHostName# show ufw
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip
미사용으로 변경하려면 ufw disable 명령을 실행하세요.
LYSH@MyHostName# configure configure# ufw disable configure# exit
기본 incoming 규칙을 "deny"로 설정하고 "allow" 규칙을 추가하는게 낫습니다. 만일 기본 규칙을 "allow"로 하면 수많은 "deny" 규칙을 추가해야 니다. 따라서 모든 "allow" 규칙을 추가 후 기본 incoming 규칙을 "deny"로 변경하세요.
ufw 사용 요약
| mode | 명령 | 설명 |
|---|---|---|
| configuration | ufw default allow |
기본 incoming 규칙을 "allow"으로 변경 |
| configuration | ufw enable |
ufw를 사용 상태로 변경 |
| user | show ufw |
ufw 상태 확인 |
| configuration | ufw allow {syntax} |
"allow" 규칙 추가. 아래 언급된 "필수 허용 규칙"은 모두 추가하세요. |
| user | show ufw added |
ufw 상태 및 추가된 규칙 확인 |
| configuration | ufw default deny |
기본 incoming 규칙을 "deny"로 변경 |
| user | show ufw added |
ufw 상태 및 추가된 규칙 확인 |
rules
You can add a rule at the end of existing rule and can insert a rule at the specific position.
Basic syntax
LYSH@MyHostName# configure configure# ufw allow 22 // To allow incoming tcp and udp packet on port 22. configure# ufw allow 23/tcp // To allow incoming tcp packet on port 23. configure# ufw allow 24/udp // To allow incoming udp packet on port 24. configure# ufw allow ssh // To allow ssh by name. configure# ufw allow from 192.168.0.1 // To allow packets from 192.168.0.1. configure# ufw allow from 192.168.0.1/24 // To allow packets from 192.168.0.1/24.
To allow IP address 192.168.0.4 access to port 22 for all protocols.
configure# ufw allow from 192.168.0.4 to any port 22
To allow IP address 192.168.0.4 access to port 22 for all protocols using TCP.
configure# ufw allow from 192.168.0.4 to any port 22 proto tcp
To allow IP address 192.168.0.4/24 access to port 22 for all protocols using TCP.
configure# ufw allow from 192.168.0.4/24 to any port 22 proto tcp
Adding rules
You can add a "allow" rule at the end by type the command ufw allow {syntax}.
If you want to insert a rule before existing rule. enter the ufw insert {number} allow {syntax}.
LYSH@MyHostName# configure configure# ufw allow from 192.168.0.10 to any port 22 configure# ufw allow from 192.168.0.20 to any port 22 configure# exit
You can see the "ALLOW" rules that entered later has a higher number. In other words, If you add a rule, the rule is located at the end.
LYSH@MyHostName# show ufw Status: active Logging: on (low) Default: allow (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- [ 1] 22 ALLOW IN 192.168.0.10 [ 2] 22 ALLOW IN 192.168.0.20
If you want to add a rule at the specific number, enter the ufw insert {number} allow {syntax}. This will shift down the rules whose number is equal to or greater than the {number}.
LYSH@MyHostName# configure
configure# ufw insert 2 allow from 192.168.0.15 to any port 22
configure# exit
LYSH@MyHostName# show ufw Status: active Logging: on (low) Default: allow (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- [ 1] 22 ALLOW IN 192.168.0.10 [ 2] 22 ALLOW IN 192.168.0.15 [ 3] 22 ALLOW IN 192.168.0.20 // shift down
By default, no logging is performed when a packet matches a rule. Specifying log will log all new connections matching the rule, and log-all will log all packets matching the rule. For example, to deny and log the specific rules
LYSH@MyHostName# configure configure# ufw deny log from 192.168.0.100 to any port 22 proto tcp configure# exit
Now if the host(i.e. 192.168.0.100) connects to the device via ssh, you can see the "BLOCK" log.
LYSH@MyHostName# show log ufw 2021-04-26 14:55:27 4 0 MyHostName kernel: [7282110.099052] [UFW BLOCK] IN=eth0 OUT=MAC=00:15:5d:03:1e:57:00:04:96:34:b5:e9:08:00 SRC=192.168.0.100 DST=192.168.0.200...
필수 허용 규칙
You must specify these rules to have all imRAD services work properly. You'd better copy all the following rules and then paste them.
Note that if your system does not need to serve some services, you can ignore their rules. Please refer to the ImRAD port to verify what the port number means.
LYSH@MyHostName# show ufw added ufw allow 80/tcp ufw allow 443/tcp ufw allow 6710/tcp ufw allow 1812/udp ufw allow 1813/udp ufw allow 1813/tcp ufw allow 1812/tcp ufw allow 18123/udp ufw allow 67/udp ufw allow 68/udp ufw allow 77/tcp ufw allow 647/tcp ufw allow 547/udp ufw allow 546/udp ufw allow 6010/udp
Specify your IP address to access via SSH.
configure# ufw allow from {your ip address} to any port 22 proto tcp
Deny/Reject
You can block from a host using by the "deny" or "reject" rule.
LYSH@MyHostName# configure configure# ufw deny log from 192.168.0.50 to any port 22 proto tcp configure# ufw reject log from 192.168.0.60 to any port 22 proto tcp
Note that If you use "deny", the ufw silently discards incoming packets. If you use "reject", the ufw sends back an error packet to the sender of the rejected packet. You'd better using the deny rule because the client must not know why the connection is not established.
Deleting rules
To delete a rule, simply prefix the original rule with delete or specify the rule number.
LYSH@MyHostName# show ufw
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
[ 1] 22 ALLOW IN 192.168.0.10
[ 2] 22 ALLOW IN 192.168.0.15
[ 3] 22 ALLOW IN 192.168.0.20 // shift down
LYSH@MyHostName# configure
configure# ufw delete 2
configure# exit
LYSH@MyHostName# show ufw
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
[ 1] 22 ALLOW IN 192.168.0.10
[ 2] 22 ALLOW IN 192.168.0.20
You can also delete a rule using added rule.
LYSH@MyHostName# show ufw added ufw allow from 192.168.0.10 to any port 22 ufw allow from 192.168.0.20 to any port 22 LYSH@MyHostName# configure configure# ufw delete allow from 192.168.0.20 to any port 22 configure# exit LYSH@MyHostName# show ufw Status: active Logging: on (low) Default: allow (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- [ 1] 22 ALLOW IN 192.168.0.10
default rule TO "deny"
If you definitely added all rules including the Required rules, change the default incoming rule to "deny". Be sure that there is a rule to access the SSH from your IP address before changing the default rule to "deny".
LYSH@MyHostName# configure configure# ufw default deny configure# exit
LYSH@MyHostName# show ufw
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
[ 1] 22 ALLOW IN 192.168.0.10
[ 2] 22 ALLOW IN 192.168.0.20
reset
If you reset the ufw, all rules are deleting, default incoming rule is changed to "allow", and the ufw status is change to "disable".
LYSH@MyHostName# configure configure# ufw reset configure# exit LYSH@MyHostName# show ufw Status: inactive LYSH@MyHostName# show ufw added (None)
log
The ufw logs all blocked packets not matching the defined policy and you can see them by the show log ufw in the user mode.