Postgresql

Cannot connect to port 5432 locally even though UFW allows it

  • December 4, 2020

I am trying to set up my server so that port 5432 (Postgres) is only reachable from localhost. So I denied everything and added port 5432, but I cannot connect to it.

Here is my UFW configuration:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
127.0.0.1 5432             ALLOW IN    127.0.0.1
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

80                         ALLOW OUT   Anywhere
22                         ALLOW OUT   Anywhere
443                        ALLOW OUT   Anywhere
53                         ALLOW OUT   Anywhere
33434:33524/udp            ALLOW OUT   Anywhere
127.0.0.1 5432             ALLOW OUT   127.0.0.1
80 (v6)                    ALLOW OUT   Anywhere (v6)
22 (v6)                    ALLOW OUT   Anywhere (v6)
443 (v6)                   ALLOW OUT   Anywhere (v6)
53 (v6)                    ALLOW OUT   Anywhere (v6)
33434:33524/udp (v6)       ALLOW OUT   Anywhere (v6)

And netstat:

$ netstat -an | grep "LISTEN "
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN
tcp6       0      0 :::55056                :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::5432                 :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN

Just to confirm, it really is ufw blocking the connection, because if I disable it, it works fine. Any idea what I am missing?

From your netstat we can see that port 5432 is only mentioned once, i.e. the tcp6 line listening on :::5432. This indicates that your program is only listening on IPv6. Your firewall only allows IPv4. There are two options: one is to allow the IPv6 address ::1 (the IPv6 equivalent of localhost) to connect to that service in your firewall, the other is to make your program listen on IPv4. The best is probably to do both.
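
As an added check that is not part of the question or answer above: a small POSIX shell audit that parses netstat and ufw status output (constructed copies of the lines shown above are embedded inline) and reports the address families a port listens on that have no matching ALLOW IN rule. It follows the answer's reading that a lone tcp6 listener counts as IPv6 only; the `::1 5432 ALLOW IN ::1` line in the "fixed" sample is an assumed rule, not one from the page.

```shell
#!/bin/sh
# Constructed samples modelled on the netstat and ufw output in the question.
NETSTAT_SAMPLE='tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::5432                 :::*                    LISTEN'
UFW_BROKEN='80                         ALLOW IN    Anywhere
127.0.0.1 5432             ALLOW IN    127.0.0.1
80 (v6)                    ALLOW IN    Anywhere (v6)'
# Assumed: the same rules plus an IPv6 loopback rule for 5432.
UFW_FIXED="$UFW_BROKEN
::1 5432                   ALLOW IN    ::1"

# listen_families PORT NETSTAT_TEXT -> "v4", "v6", "v4 v6" or "" (families with a LISTEN socket on PORT)
listen_families() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $NF == "LISTEN" {
            n = split($4, a, ":")                 # local address is field 4, port after last colon
            if (a[n] == p) { f = ($1 == "tcp6") ? "v6" : "v4"; fam[f] = 1 }
        }
        END { out = ""; if ("v4" in fam) out = "v4"
              if ("v6" in fam) out = out (out ? " " : "") "v6"; print out }'
}

# allowed_families PORT UFW_STATUS_TEXT -> families that have an ALLOW IN rule covering PORT
allowed_families() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /ALLOW IN/ {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == p || $i ~ ("^" p "/")) hit = 1   # "5432" or "5432/tcp"
            if (hit) { f = ($0 ~ /\(v6\)/ || $1 ~ /:/) ? "v6" : "v4"; fam[f] = 1 }  # "(v6)" or a v6 literal
        }
        END { out = ""; if ("v4" in fam) out = "v4"
              if ("v6" in fam) out = out (out ? " " : "") "v6"; print out }'
}

# uncovered_families PORT NETSTAT_TEXT UFW_STATUS_TEXT -> families listened on but not allowed in
uncovered_families() {
    listening=$(listen_families "$1" "$2"); allowed=$(allowed_families "$1" "$3"); out=""
    for f in $listening; do
        case " $allowed " in *" $f "*) ;; *) out="$out${out:+ }$f" ;; esac
    done
    printf '%s\n' "$out"
}

uncovered_families 5432 "$NETSTAT_SAMPLE" "$UFW_BROKEN"   # reports "v6": listener with no matching rule
```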

Source: https://serverfault.com/questions/1044977