Port
我 ufw 拒絕 53,但 nc 掃描報告連接成功
當我通過 ufw 拒絕時,為什麼 nc 掃描能夠成功連接到埠 53?
我注意到埠 53 正在監聽:
$ sudo ss -tulpne Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0: users:(("avahi-daemon",pid=514,fd=12)) uid:115 ino:18620 sk:1 <-> udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0: users:(("systemd-resolve",pid=356,fd=12)) uid:102 ino:15766 sk:2 <-> udp UNCONN 0 0 10.0.2.15%ens3:68 0.0.0.0: users:(("NetworkManager",pid=538,fd=19)) ino:21287 sk:3 <-> udp UNCONN 0 0 0.0.0.0:51675 0.0.0.0: users:(("avahi-daemon",pid=514,fd=14)) uid:115 ino:18622 sk:4 <-> udp UNCONN 0 0 0.0.0.0:631 0.0.0.0: users:(("cups-browsed",pid=571,fd=7)) ino:18922 sk:5 <-> udp UNCONN 0 0 0.0.0.0:43745 0.0.0.0: users:(("systemd-timesyn",pid=355,fd=16)) uid:100 ino:41918 sk:6 <-> udp UNCONN 0 0 [::]:5353 [::]: users:(("avahi-daemon",pid=514,fd=13)) uid:115 ino:18621 sk:7 v6only:1 <-> udp UNCONN 0 0 [::]:38831 [::]: users:(("avahi-daemon",pid=514,fd=15)) uid:115 ino:18623 sk:8 v6only:1 <-> tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0: users:(("systemd-resolve",pid=356,fd=13)) uid:102 ino:15767 sk:9 <-> tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0: users:(("cupsd",pid=487,fd=7)) ino:18380 sk:a <-> tcp LISTEN 0 5 [::1]:631 [::]:* users:(("cupsd",pid=487,fd=6)) ino:18379 sk:b v6only:1 <->所以我通過ufw關閉了那個埠:
$ sudo ufw deny 53 $ sudo ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From 53 DENY IN Anywhere 53 (v6) DENY IN Anywhere (v6)當我進行 nc 掃描時,我看到與埠的連接成功:
$ sudo nc -zv 127.0.0.53 50-53 nc: connect to 127.0.0.53 port 50 (tcp) failed: Connection refused nc: connect to 127.0.0.53 port 51 (tcp) failed: Connection refused nc: connect to 127.0.0.53 port 52 (tcp) failed: Connection refused Connection to 127.0.0.53 53 port [tcp/domain] succeeded!我希望防火牆阻止此連接
為什麼防火牆不阻止連接?請幫助我糾正我的想法
旁注:我知道 dnsmasqd 使用埠 53,並且有很多充分的理由保持埠開放。但在這個問題中,我只關心通過防火牆有效關閉埠。我也知道我可以通過編輯 /etc/systemd/resolved.conf 來阻止這個埠監聽
ufw 不會阻止任何本地主機連接。這些總是被允許的。