Network and Firewall (Linux, Windows, macOS)
Tags: Utils, netplan, ufw, nmcli, Windows, macOS, Linux, network, firewall | Author: VincentCorgi | About 1 minute read
Purpose
A cross-platform reference of IP, route, DNS and firewall settings, plus common network troubleshooting commands, for Linux (including Ubuntu netplan, ufw and nmcli), Windows and macOS.
Scenarios
- Getting a new machine, VM or migrated host online, setting a static IP, opening or closing ports, or temporarily adjusting the firewall while debugging a connection.
- Use together with the local hosts and hostname notes: confirm name resolution first, then inspect interfaces and firewall rules.
For local hosts and hostnames, see Local hosts and hostname (Linux, Windows, macOS).
Linux
Ubuntu: netplan
```bash
sudo ls /etc/netplan
# common file names look like 50-cloud-init.yaml
sudo cp /etc/netplan/<config>.yaml /etc/netplan/<config>.yaml.backup
sudo vi /etc/netplan/<config>.yaml
```
Example configuration (YAML; indentation is significant):
```yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    <interface>:
      dhcp4: false
      dhcp6: false
      addresses:
        - <ip>/<cidr>
      routes:
        - to: default
          via: <gateway>
      nameservers:
        addresses: [<dns1>, <dns2>]
```
```bash
sudo netplan apply
ip addr show <interface>
```
Other distributions (NetworkManager: nmcli, optional)
```bash
nmcli connection show
nmcli con mod "<connection_name>" ipv4.addresses <ip>/<cidr> ipv4.gateway <gateway> ipv4.dns "<dns1> <dns2>" ipv4.method manual
nmcli con up "<connection_name>"
```
Firewall: ufw
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow in on lo
sudo ufw allow out on lo
sudo ufw allow from <subnet> to any port <port> proto tcp
sudo ufw status verbose
sudo ufw enable
sudo ufw status numbered
```
Enable / reload / check:
```bash
sudo ufw enable
sudo ufw allow from <subnet> to any port <port> proto tcp
sudo ufw reload
sudo ufw status
sudo ufw status numbered
```
Delete a rule:
```bash
sudo ufw status numbered
sudo ufw delete <rule_number>
# or delete by rule specification (must match the rule exactly, including proto tcp)
sudo ufw delete allow from <subnet> to any port <port> proto tcp
```
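An added check, not part of the original page, that audits the text of `sudo ufw status verbose` against the baseline configured above: default deny incoming / allow outgoing, and no inbound rule reachable from Anywhere except on the loopback interface. `SAMPLE` is a constructed capture so the check runs offline, and `ufw_defaults_ok` / `ufw_open_to_anywhere` are this example's own function names.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: audit `ufw status verbose`
# text for the baseline this page configures. SAMPLE is a constructed
# capture; on a real host use: SAMPLE="$(sudo ufw status verbose)".
SAMPLE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    10.0.0.0/24
8080/tcp                   ALLOW IN    Anywhere
Anywhere on lo             ALLOW IN    Anywhere
Anywhere                   ALLOW OUT   Anywhere on lo'

# Returns 0 when ufw is active with "deny (incoming), allow (outgoing)"
# as the default policy, 1 otherwise.
ufw_defaults_ok() {
  printf '%s\n' "$1" | grep -q '^Status: active' || return 1
  printf '%s\n' "$1" \
    | grep -q '^Default: deny (incoming), allow (outgoing)' || return 1
}

# Prints the "To" column of every ALLOW IN rule whose source is Anywhere
# (IPv4 or "Anywhere (v6)"), i.e. a port reachable from any address,
# skipping rules bound to the loopback interface ("on lo").
ufw_open_to_anywhere() {
  printf '%s\n' "$1" | awk '
    /ALLOW IN/ {
      to = $0;   sub(/[ ]+ALLOW IN.*/, "", to)      # text before "ALLOW IN"
      from = $0; sub(/.*ALLOW IN[ ]+/, "", from)    # text after "ALLOW IN"
      if (from ~ /^Anywhere/ && to !~ / on lo$/) print to
    }'
}

# Convenience report; exit status 1 if any rule is open to Anywhere.
ufw_report() {
  ufw_defaults_ok "$1" && echo "defaults OK" || echo "defaults NOT OK"
  open=$(ufw_open_to_anywhere "$1")
  [ -z "$open" ] && return 0
  printf 'open to Anywhere: %s\n' "$open"
  return 1
}
```

Run `ufw_report "$(sudo ufw status verbose)"` on a host after applying the rules above; with the embedded sample it reports `8080/tcp` as open to Anywhere while `22/tcp` (restricted to the subnet) passes.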
Windows
Network (static IP example, PowerShell)
First confirm the interface alias (InterfaceAlias):
```powershell
Get-NetAdapter | Where-Object Status -eq "Up"
Get-NetIPConfiguration
```
If the interface was on DHCP, the existing IPv4 settings usually have to be removed before switching to static (note the original IP/gateway/DNS first):
```powershell
# Remove only the IPv4 address(es); leave IPv6 alone
Remove-NetIPAddress -InterfaceAlias "<InterfaceAlias>" -AddressFamily IPv4 -Confirm:$false
# Remove only the IPv4 default route (the old gateway), not every route on the interface
Remove-NetRoute -InterfaceAlias "<InterfaceAlias>" -DestinationPrefix 0.0.0.0/0 -Confirm:$false -ErrorAction SilentlyContinue
```
Write the static address, gateway and DNS:
```powershell
New-NetIPAddress -InterfaceAlias "<InterfaceAlias>" -IPAddress <ip> -PrefixLength <cidr_bits> -DefaultGateway <gateway>
Set-DnsClientServerAddress -InterfaceAlias "<InterfaceAlias>" -ServerAddresses <dns1>,<dns2>
```
Back to DHCP (adjust for your environment; if a static IPv4 address is still on the interface, remove it first and then enable DHCP):
```powershell
Get-NetIPAddress -InterfaceAlias "<InterfaceAlias>" -AddressFamily IPv4 -ErrorAction SilentlyContinue | Remove-NetIPAddress -Confirm:$false
Set-NetIPInterface -InterfaceAlias "<InterfaceAlias>" -AddressFamily IPv4 -Dhcp Enabled
ipconfig /renew
```
Firewall (Windows Defender Firewall)
```powershell
Get-NetFirewallProfile
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
```
Allow a local TCP port (inbound):
```powershell
New-NetFirewallRule -DisplayName "Allow TCP <port>" -Direction Inbound -Protocol TCP -LocalPort <port> -Action Allow
```
Allow only specific sources (e.g. a subnet or a single IP):
```powershell
New-NetFirewallRule -DisplayName "Allow TCP <port> from <source>" -Direction Inbound -Protocol TCP -LocalPort <port> -RemoteAddress <subnet_or_ip> -Action Allow
```
List / remove rules:
```powershell
Get-NetFirewallRule -Direction Inbound | Where-Object DisplayName -like "*<keyword>*"
Remove-NetFirewallRule -DisplayName "Allow TCP <port>"
```
macOS
Network (networksetup)
List the network service names (later commands must use the exact name; common ones are Wi-Fi and Ethernet):
```bash
networksetup -listallnetworkservices
networksetup -listallhardwareports
```
Static IP (the subnet mask is dotted-decimal, e.g. 255.255.255.0, not a CIDR prefix):
```bash
sudo networksetup -setmanual "<service>" <ip> <netmask> <router>
sudo networksetup -setdnsservers "<service>" <dns1> <dns2>
```
Back to DHCP:
```bash
sudo networksetup -setdhcp "<service>"
sudo networksetup -setdnsservers "<service>" Empty
```
Firewall (built-in application firewall)
```bash
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
```
The built-in mechanism works mainly by allowing or blocking applications. For fine-grained rules by port or source IP, as with ufw on Linux, you need pf (pfctl, /etc/pf.conf); its setup is longer and is not covered here.