Permission denied opening a socket/connection with rsync on OpenBSD

I recently tried to use rsync to retrieve a copy of the UCE (spam) sender IP list from uceprotect.net, but ran into the following error:

[user@host ucedata]$ rsync -rzv rsync-mirrors.uceprotect.net::RBLDNSD-ALL/ ./
rsync: failed to connect to rsync-mirrors.uceprotect.net (67.58.96.162): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (69.30.193.210): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (72.13.86.154): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (88.198.110.110): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (96.31.84.20): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (185.248.148.6): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (193.138.29.11): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (199.48.69.42): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (199.187.241.194): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (209.44.102.199): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (209.126.213.95): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (217.23.49.207): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (41.208.71.58): Permission denied (13)
rsync: failed to connect to rsync-mirrors.uceprotect.net (66.240.236.50): Permission denied (13)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]

I am able to write to the current directory, so why "Permission denied (13)"?

Answer 1

At first I thought this might be caused by some other user permission or user restriction. However, on my particular system the answer to this particular problem was simple: OpenBSD PF was configured to block all outgoing traffic not destined for port 53, 80, 123 or 443. Because those PF rules were loaded, OpenBSD would not allow the TCP socket to be created in the first place.

Testing with netcat showed that neither the user nor root could create a socket to a destination that PF forbids:

[user@host ucedata]$ nc -v 67.58.96.162 873
nc: connect to 67.58.96.162 port 873 (tcp) failed: Permission denied
[root@host ucedata]# nc -v 67.58.96.162 873
nc: connect to 67.58.96.162 port 873 (tcp) failed: Permission denied

The following kernel trace excerpt shows that the permission denial comes from the connect attempt:

 70602 rsync    CALL  connect(3,0xccece01e770,16)
 70602 rsync    STRU  struct sockaddr { AF_INET, 69.30.193.210:873 }
 70602 rsync    RET   connect -1 errno 13 Permission denied

By adding the rule

pass out log on $ext_if proto tcp to any port 873

to /etc/pf.conf and reloading the firewall rules (pfctl -f /etc/pf.conf), I was able to connect.
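As an added illustration (not part of the original answer or the poster's actual ruleset), here is a minimal /etc/pf.conf that reproduces the policy the answer describes and includes the fix. The interface name em0, the use of "block log all" as the default, and the protocol chosen for ports 53 and 123 are assumptions; the answer only states which destination ports were allowed.

```pf
# Added example, not the original poster's ruleset. Interface name is assumed.
ext_if = "em0"

set skip on lo

# Default deny in both directions. "log" copies blocked packets to pflog0,
# which is how you confirm that an EACCES from connect(2) really came from PF.
block log all

# Outbound policy as described in the answer: only DNS, HTTP, NTP and HTTPS.
# (Assumed protocols for 53 and 123; the answer lists only the port numbers.)
pass out on $ext_if proto { tcp udp } to any port 53
pass out on $ext_if proto tcp to any port { 80 443 }
pass out on $ext_if proto udp to any port 123

# The fix from the answer: allow the rsync daemon protocol (873/tcp) outbound.
# PF evaluates rules last-match (no "quick" is used here), so this later pass
# rule overrides "block log all" for exactly this traffic and nothing else.
pass out log on $ext_if proto tcp to any port 873
```

Check the syntax before loading with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and confirm the rule is active with pfctl -sr. Because both the block rule and the new pass rule carry "log", tcpdump -n -e -ttt -i pflog0 port 873 shows whether a given rsync attempt was blocked or passed, which is a faster diagnosis than ktrace. Note that "to any port 873" permits outbound rsync to every host, which is the loosest fix; if only the uceprotect mirrors are needed, the destination can be restricted to a table of their addresses instead.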
