Port

I deny port 53 with ufw, but an nc scan reports a successful connection

  • October 16, 2020

Why can an nc scan successfully connect to port 53 when I deny it via ufw?

I noticed that port 53 is listening:

$ sudo ss -tulpne

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0: users:(("avahi-daemon",pid=514,fd=12)) uid:115 ino:18620 sk:1 <->
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0: users:(("systemd-resolve",pid=356,fd=12)) uid:102 ino:15766 sk:2 <->
udp UNCONN 0 0 10.0.2.15%ens3:68 0.0.0.0: users:(("NetworkManager",pid=538,fd=19)) ino:21287 sk:3 <->
udp UNCONN 0 0 0.0.0.0:51675 0.0.0.0: users:(("avahi-daemon",pid=514,fd=14)) uid:115 ino:18622 sk:4 <->
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0: users:(("cups-browsed",pid=571,fd=7)) ino:18922 sk:5 <->
udp UNCONN 0 0 0.0.0.0:43745 0.0.0.0: users:(("systemd-timesyn",pid=355,fd=16)) uid:100 ino:41918 sk:6 <->
udp UNCONN 0 0 [::]:5353 [::]: users:(("avahi-daemon",pid=514,fd=13)) uid:115 ino:18621 sk:7 v6only:1 <->
udp UNCONN 0 0 [::]:38831 [::]: users:(("avahi-daemon",pid=514,fd=15)) uid:115 ino:18623 sk:8 v6only:1 <->
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0: users:(("systemd-resolve",pid=356,fd=13)) uid:102 ino:15767 sk:9 <->
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0: users:(("cupsd",pid=487,fd=7)) ino:18380 sk:a <->
tcp LISTEN 0 5 [::1]:631 [::]:* users:(("cupsd",pid=487,fd=6)) ino:18379 sk:b v6only:1 <->

So I closed that port through ufw:

$ sudo ufw deny 53
       
$ sudo ufw status verbose
       
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
   
To Action From
   
53 DENY IN Anywhere
53 (v6) DENY IN Anywhere (v6)

When I run an nc scan, I see the connection to the port succeed:

$ sudo nc -zv 127.0.0.53 50-53
   
nc: connect to 127.0.0.53 port 50 (tcp) failed: Connection refused 
nc: connect to 127.0.0.53 port 51 (tcp) failed: Connection refused 
nc: connect to 127.0.0.53 port 52 (tcp) failed: Connection refused 
Connection to 127.0.0.53 53 port [tcp/domain] succeeded!

I expected the firewall to block this connection.

Why doesn't the firewall block the connection? Please help me correct my understanding.

Side note: I know that dnsmasqd uses port 53 and that there are many good reasons to keep the port open. But for this question I only care about effectively closing the port through the firewall. I also know I could stop this port from listening by editing /etc/systemd/resolved.conf.

ufw does not block any localhost connections. Those are always allowed.
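The answer above is the whole story: ufw's default before-rules accept all traffic on the lo interface before any user rule such as "deny 53" is evaluated, and 127.0.0.53 is a loopback address, so the nc scan from the same host never hits the DENY rule. The practical question for a defender is therefore which listeners are actually reachable from another machine. The script below is an added example, not code from the question or the answer; it parses the `ss -tulpne` listing from the question (embedded verbatim as sample input) and classifies each listening socket by its bind address, so that loopback-only listeners such as systemd-resolved on 127.0.0.53:53 are separated from the sockets a ufw rule would really affect. The function names are my own.

```python
import re
from ipaddress import ip_address

# Sample input: the `ss -tulpne` listing posted in the question (copied verbatim).
SS_OUTPUT = """Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0: users:(("avahi-daemon",pid=514,fd=12)) uid:115 ino:18620 sk:1 <->
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0: users:(("systemd-resolve",pid=356,fd=12)) uid:102 ino:15766 sk:2 <->
udp UNCONN 0 0 10.0.2.15%ens3:68 0.0.0.0: users:(("NetworkManager",pid=538,fd=19)) ino:21287 sk:3 <->
udp UNCONN 0 0 0.0.0.0:51675 0.0.0.0: users:(("avahi-daemon",pid=514,fd=14)) uid:115 ino:18622 sk:4 <->
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0: users:(("cups-browsed",pid=571,fd=7)) ino:18922 sk:5 <->
udp UNCONN 0 0 0.0.0.0:43745 0.0.0.0: users:(("systemd-timesyn",pid=355,fd=16)) uid:100 ino:41918 sk:6 <->
udp UNCONN 0 0 [::]:5353 [::]: users:(("avahi-daemon",pid=514,fd=13)) uid:115 ino:18621 sk:7 v6only:1 <->
udp UNCONN 0 0 [::]:38831 [::]: users:(("avahi-daemon",pid=514,fd=15)) uid:115 ino:18623 sk:8 v6only:1 <->
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0: users:(("systemd-resolve",pid=356,fd=13)) uid:102 ino:15767 sk:9 <->
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0: users:(("cupsd",pid=487,fd=7)) ino:18380 sk:a <->
tcp LISTEN 0 5 [::1]:631 [::]:* users:(("cupsd",pid=487,fd=6)) ino:18379 sk:b v6only:1 <->"""


def parse_local_address(field):
    """Split an ss 'Local Address:Port' field such as '127.0.0.53%lo:53',
    '[::]:5353' or '0.0.0.0:51675' into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%")[0].strip("[]")   # drop the %iface scope and IPv6 brackets
    return host, int(port)


def classify(host):
    """Classify a bind address by who can reach it.
    Loopback binds are only reachable from the host itself and are never
    subject to ufw's user rules, because traffic on lo is accepted first."""
    addr = ip_address(host)
    if addr.is_loopback:
        return "loopback-only"
    if addr.is_unspecified:          # 0.0.0.0 or :: => every interface
        return "all-interfaces"
    return "specific-interface"


def parse_ss(text):
    """Parse `ss -tulpne` output into a list of listener records."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 5:
            continue
        host, port = parse_local_address(parts[4])
        match = re.search(r'\("([^"]+)"', line)  # process name inside users:(("name",...))
        rows.append({
            "proto": parts[0],
            "host": host,
            "port": port,
            "process": match.group(1) if match else "?",
            "exposure": classify(host),
        })
    return rows


def listeners_on_port(rows, port):
    return [r for r in rows if r["port"] == port]


def network_reachable(rows):
    """Listeners that a remote host could reach, i.e. the only ones a
    `ufw deny <port>` rule actually changes anything for."""
    return [r for r in rows if r["exposure"] != "loopback-only"]


if __name__ == "__main__":
    rows = parse_ss(SS_OUTPUT)
    for r in rows:
        print(f'{r["proto"]:4} {r["host"]:>12}:{r["port"]:<6} {r["process"]:18} {r["exposure"]}')
    print("\nListeners on port 53:")
    for r in listeners_on_port(rows, 53):
        print(f'  {r["proto"]} {r["host"]}:{r["port"]} ({r["process"]}) -> {r["exposure"]}')
```

Run on the listing from the question, both port 53 sockets come out as loopback-only, which is exactly why the nc scan against 127.0.0.53 succeeds despite the DENY rule and also why that port is not exposed to other hosts in the first place. The sockets bound to 0.0.0.0 or :: (avahi-daemon, cups-browsed, systemd-timesyncd) are the ones where a ufw rule would make a difference; testing such a rule has to be done from a different machine, since a scan from the host itself always travels over lo.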

Quoted from: https://serverfault.com/questions/1038910