ufw firewall blocking/logging too much, system log is flooded with spam

I set up a ufw firewall on a Debian 12.1 server. This is my configuration:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
646                        ALLOW IN    Anywhere
7886                       ALLOW IN    172.16.0.0/12
7886                       DENY IN     Anywhere
646 (v6)                   ALLOW IN    Anywhere (v6)
7886 (v6)                  DENY IN     Anywhere (v6)

As you can see, first I allow all incoming and outgoing connections. Then I selectively block a specific port (which should only be reachable from inside). This works fine.

However, my system log is flooded with log entries like these:

[Fr Okt 20 20:32:51 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=185.11.61.222 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=14551 PROTO=TCP SPT=48993 DPT=62873 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:33:36 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=185.11.61.222 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=59605 PROTO=TCP SPT=48993 DPT=6148 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:33:37 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=77.90.185.189 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=7911 PROTO=TCP SPT=40738 DPT=1999 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:33:49 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=176.113.115.104 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=17273 PROTO=TCP SPT=57674 DPT=8532 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:34:14 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=79.124.62.130 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=35581 PROTO=TCP SPT=50976 DPT=41519 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:34:24 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=46.161.27.54 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=42873 PROTO=TCP SPT=42205 DPT=4477 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:34:55 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=194.26.135.157 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=28309 PROTO=TCP SPT=57742 DPT=9504 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:35:10 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=185.233.19.185 DST=46.127.133.1 LEN=44 TOS=0x00 PREC=0x00 TTL=241 ID=15502 PROTO=TCP SPT=58914 DPT=9376 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:35:36 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=185.11.61.212 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=31908 PROTO=TCP SPT=57640 DPT=50904 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:35:50 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=80.66.83.76 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=58996 PROTO=TCP SPT=44063 DPT=10749 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:36:04 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=78.128.113.250 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=8239 PROTO=TCP SPT=40186 DPT=35046 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:36:38 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=185.11.61.229 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=20645 PROTO=TCP SPT=49077 DPT=29163 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:36:41 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=62.233.50.217 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=17901 PROTO=TCP SPT=40917 DPT=42703 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:37:17 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=80.66.83.84 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=25857 PROTO=TCP SPT=43931 DPT=5370 WINDOW=1200 RES=0x00 RST URGP=0

Logging is set to "low", and I read that ufw will

store logs for blocked packets that do not match the current firewall rules, and show log entries for rules that have logging enabled.

Since my default rule is "allow all incoming", why does ufw block these incoming connection attempts? And why are there so many log entries?

In case it helps, here is the iptables output (but I have not touched anything in iptables):

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain DOCKER (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.20.0.2           tcp dpt:1020
ACCEPT     tcp  --  anywhere             172.21.0.2           tcp dpt:25565
ACCEPT     tcp  --  anywhere             172.20.0.6           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.20.0.6           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.20.0.18          tcp dpt:22000
ACCEPT     udp  --  anywhere             172.20.0.18          udp dpt:22000
ACCEPT     tcp  --  anywhere             172.24.0.2           tcp dpt:2019
ACCEPT     tcp  --  anywhere             172.24.0.2           tcp dpt:2015
ACCEPT     tcp  --  anywhere             172.24.0.2           tcp dpt:https
ACCEPT     udp  --  anywhere             172.24.0.2           udp dpt:https
ACCEPT     tcp  --  anywhere             172.24.0.2           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:646
ACCEPT     udp  --  anywhere             anywhere             udp dpt:646
ACCEPT     tcp  --  172.16.0.0/12        anywhere             tcp dpt:7886
ACCEPT     udp  --  172.16.0.0/12        anywhere             udp dpt:7886
DROP       tcp  --  anywhere             anywhere             tcp dpt:7886
DROP       udp  --  anywhere             anywhere             udp dpt:7886

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination
