ufw 日志中的奇怪条目

tag-icon tag-icon networking server firewall ufw deluge
ufw 日志中的奇怪条目

我有一个非常宽松的防火墙配置,其中几乎所有端口都打开了:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    127.0.0.1
Anywhere                   ALLOW IN    10.0.0.0/16
53                         DENY IN     Anywhere
27017                      DENY IN     Anywhere
5335                       DENY IN     Anywhere

我不明白为什么我会在我的日志中看到这些 UFW BLOCK 条目:

Apr 16 21:28:04 hostname kernel: [20920.490239] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=60369 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:09 hostname kernel: [20925.495136] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=45545 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:11 hostname kernel: [20927.479072] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=58433 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:12 hostname kernel: [20928.481887] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=44041 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:12 hostname kernel: [20928.489277] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=55645 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:13 hostname kernel: [20929.493087] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=50245 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:13 hostname kernel: [20929.493358] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=56409 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0

它们都以我的公共 IP 作为源,以我的私有 IP 作为目标。目标端口始终是 58946(已淹没)。即使我明确允许此端口(这应该不需要),我仍然会在日志中收到这些条目。

知道为什么会发生这种情况以及这意味着什么吗?

编辑:

添加完整的 iptables 规则:

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N monitorix_IN_0
-N monitorix_IN_1
-N monitorix_IN_2
-N monitorix_IN_3
-N monitorix_OUT_0
-N monitorix_OUT_1
-N monitorix_OUT_2
-N monitorix_OUT_3
-N ts-forward
-N ts-input
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -j ts-input
-A INPUT -p tcp -m tcp --sport 32400 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_OUT_3
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 32400 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_3
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_OUT_2
-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_2
-A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_OUT_1
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_1
-A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_OUT_0
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_0
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-b1f439913694 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b1f439913694 -j DOCKER
-A FORWARD -i br-b1f439913694 ! -o br-b1f439913694 -j ACCEPT
-A FORWARD -i br-b1f439913694 -o br-b1f439913694 -j ACCEPT
-A FORWARD -o br-8c2ef18e8cce -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-8c2ef18e8cce -j DOCKER
-A FORWARD -i br-8c2ef18e8cce ! -o br-8c2ef18e8cce -j ACCEPT
-A FORWARD -i br-8c2ef18e8cce -o br-8c2ef18e8cce -j ACCEPT
-A FORWARD -o br-13f24cfcf7be -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-13f24cfcf7be -j DOCKER
-A FORWARD -i br-13f24cfcf7be ! -o br-13f24cfcf7be -j ACCEPT
-A FORWARD -i br-13f24cfcf7be -o br-13f24cfcf7be -j ACCEPT
-A FORWARD -o br-cd92e6b2b4c4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-cd92e6b2b4c4 -j DOCKER
-A FORWARD -i br-cd92e6b2b4c4 ! -o br-cd92e6b2b4c4 -j ACCEPT
-A FORWARD -i br-cd92e6b2b4c4 -o br-cd92e6b2b4c4 -j ACCEPT
-A FORWARD -j ts-forward
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 32400 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_OUT_3
-A OUTPUT -p tcp -m tcp --sport 32400 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_3
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_OUT_2
-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_2
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_OUT_1
-A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_1
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_OUT_0
-A OUTPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_0
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 58946 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 58846 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8112 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8181 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.20.0.3/32 ! -i br-13f24cfcf7be -o br-13f24cfcf7be -p tcp -m tcp --dport 8081 -j ACCEPT
-A DOCKER -d 172.20.0.4/32 ! -i br-13f24cfcf7be -o br-13f24cfcf7be -p tcp -m tcp --dport 7777 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-b1f439913694 ! -o br-b1f439913694 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-8c2ef18e8cce ! -o br-8c2ef18e8cce -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-13f24cfcf7be ! -o br-13f24cfcf7be -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-cd92e6b2b4c4 ! -o br-cd92e6b2b4c4 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b1f439913694 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-8c2ef18e8cce -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-13f24cfcf7be -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-cd92e6b2b4c4 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
-A ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
-A ts-forward -o tailscale0 -j ACCEPT
-A ts-input -s 100.106.250.67/32 -i lo -j ACCEPT
-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j ACCEPT
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -s 127.0.0.1/32 -j ACCEPT
-A ufw-user-input -s 10.0.0.0/16 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 53 -j DROP
-A ufw-user-input -p udp -m udp --dport 53 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 27017 -j DROP
-A ufw-user-input -p udp -m udp --dport 27017 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 5335 -j DROP
-A ufw-user-input -p udp -m udp --dport 5335 -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

答案1

ufw 只是 iptables 的一个前端。我们必须查看 iptables 规则集才能做出权威评论。请注意,ufw 生成的 iptables 规则集难以阅读和理解。(我不喜欢它们)。

但是,请注意,您列出的 BLOCK 日志条目针对的是已置位 Reset 位的 TCP 数据包。对于 TCP 连接,Linux 倾向于使用“半双工”关闭序列,其中会话的任何一方都可以通过单个双向 FIN-ACK 握手(将连接置于 CLOSE_WAIT 状态)来启动连接终止,而不是完整的 4 向 FIN-ACK 握手。这可能会导致两端对 TCP 会话的确切状态的理解产生混淆。在您的​​情况下,另一端认为它仍然需要重置连接,但与此同时,您的一端已经终止并忘记了连接,并且它不再位于连接跟踪表中。可能从一开始就没有建立 ESTABLISHED 连接。该数据包被 UFW 阻止,因为它被视为试图使用不正确的 TCP 标志设置启动新的 TCP 会话。该数据包必须设置 SYN 位,并且取消设置 ACK、FIN 和 RST 标志。其他标志位无关紧要。

相关内容