我不断向内置的 Linux Mint“防火墙”程序(即“GUWF”重新标记为“防火墙”)添加 IP 地址,并且它工作了一段时间......但现在看起来它实际上不再阻止任何东西由于我无法辨别的原因。我已经检查过,我的大规则集在“防火墙”中设置为“活动”,我可以在命令行上使用 uwf (即“sudo uwf status”)检查它,它注册为“活动”并具有所有相同的规则。 ..但就像它刚刚停止阻止任何东西一样。
为了测试我刚刚添加了www.reddit.com主IP地址——151.101.117.140——将防火墙设置为拒绝进出信号、所有协议和所有端口,并记录所有。但我可以毫无问题地自由访问 reddit。使用 IPvFoo 扩展我可以证明www.reddit.com不会像某些站点在被阻止时那样重新路由到不同的 IP,而是直接连接到 IP 地址 - 151.101.117.140 - 即使 UFW 状态和 GUFW 规则列出了确切的 IP 设置为拒绝进出信号、所有协议和所有端口,并记录全部。也没有日志,计算机只是自由地访问该站点,就像防火墙根本没有注意到一样。同时,使用 IPvFoo 扩展,每次我点击 reddit 或刷新 reddit 页面时,我都可以确认 Brave 浏览器正在主动从 151.101.117.140 发送和接收数据。请参见下图,终端 ufw 状态打印输出位于左侧,“防火墙”(即 gufw)打印输出位于右上角,右下角显示 Brave 浏览器,其中 IPvFoo 显示连接。
奇怪的是,我通过 GUFW 输入每一条规则,但有许多规则我无法编辑,因为 GUFW 声称这些规则是通过 UFW 输入的,并且这些规则被锁定,因为 UFW 总是比 GUFW 优先。所以我通过 UFW 删除了所有规则,并通过 GUFW 将它们全部放回(手动),下次我检查某些规则时,某些规则被锁定且不可编辑,因为“不可变规则,您无法编辑从 ufw 添加的规则”这怎么可能?感觉 GUFW(即“防火墙”)出现了严重故障。我希望我只是在某个地方翻转了一个非常愚蠢的设置,因为这是最奇怪和令人担忧的,特别是防火墙一直工作得很好,直到大约一两周前,然后......似乎因为我无法做到的原因而完全停止了捉摸。
$ lsb_release -a
No LSB modules are available.
Distributor ID: Linuxmint
Description: Linux Mint 21.2
Release: 21.2
Codename: victoria
编辑: 使用sudo dmesg -w并将 GUFW 日志记录设置为高,看起来 UFW 不知何故秘密地设置为“允许”很多事情......也许是所有事情,但在 UFW 状态列表或 GUFW 中绝对有零“允许”规则。 UFW和GUFW有潜规则吗?有没有办法查看UFW和GUFW的所有隐藏规则?
编辑2:其他论坛上的一些人不喜欢我的 reddit 演示,因为 reddit 有大约 9 个可以路由的 IP。是的,所以下面是我阻止的 Reddit IP 的 ping 跟踪——所有端口、DENY IN、DENY OUT,并在 ufw 状态下列出:
$ ping 151.101.117.140
PING 151.101.117.140 (151.101.117.140) 56(84) bytes of data.
64 bytes from 151.101.117.140: icmp_seq=1 ttl=52 time=75.1 ms
64 bytes from 151.101.117.140: icmp_seq=2 ttl=52 time=81.1 ms
64 bytes from 151.101.117.140: icmp_seq=3 ttl=52 time=90.0 ms
64 bytes from 151.101.117.140: icmp_seq=4 ttl=52 time=221 ms
64 bytes from 151.101.117.140: icmp_seq=5 ttl=52 time=117 ms
64 bytes from 151.101.117.140: icmp_seq=6 ttl=52 time=68.5 ms
64 bytes from 151.101.117.140: icmp_seq=7 ttl=52 time=61.2 ms
64 bytes from 151.101.117.140: icmp_seq=8 ttl=52 time=87.3 ms
64 bytes from 151.101.117.140: icmp_seq=9 ttl=52 time=267 ms
64 bytes from 151.101.117.140: icmp_seq=10 ttl=52 time=81.6 ms
64 bytes from 151.101.117.140: icmp_seq=11 ttl=52 time=91.6 ms
64 bytes from 151.101.117.140: icmp_seq=12 ttl=52 time=60.2 ms
64 bytes from 151.101.117.140: icmp_seq=13 ttl=52 time=82.4 ms
64 bytes from 151.101.117.140: icmp_seq=14 ttl=52 time=239 ms
64 bytes from 151.101.117.140: icmp_seq=15 ttl=52 time=130 ms
64 bytes from 151.101.117.140: icmp_seq=16 ttl=52 time=183 ms
编辑3:另一个论坛上的某人希望我用干净的配置文件演示 ufw 行为,所以这是该测试:
~$ sudo ufw status
Status: active
~$ sudo ufw deny from 151.101.117.140
Rule added
~$ sudo ufw status
Status: active
To Action From
-- ------ ----
Anywhere DENY 151.101.117.140
~$ ping 151.101.117.140
PING 151.101.117.140 (151.101.117.140) 56(84) bytes of data.
64 bytes from 151.101.117.140: icmp_seq=1 ttl=52 time=51.3 ms
64 bytes from 151.101.117.140: icmp_seq=2 ttl=52 time=95.5 ms
64 bytes from 151.101.117.140: icmp_seq=3 ttl=52 time=147 ms
64 bytes from 151.101.117.140: icmp_seq=4 ttl=52 time=240 ms
64 bytes from 151.101.117.140: icmp_seq=5 ttl=52 time=50.9 ms
64 bytes from 151.101.117.140: icmp_seq=6 ttl=52 time=38.4 ms
64 bytes from 151.101.117.140: icmp_seq=7 ttl=52 time=38.1 ms
64 bytes from 151.101.117.140: icmp_seq=8 ttl=52 time=46.0 ms
64 bytes from 151.101.117.140: icmp_seq=9 ttl=52 time=79.0 ms
64 bytes from 151.101.117.140: icmp_seq=10 ttl=52 time=44.3 ms
编辑4:同样的人希望我显示其他块选项方向和组合,涉及从干净的配置文件开始的 ping,所以这里是:
~$ sudo ufw status
Status: active
~$ sudo ufw deny to 151.101.117.140
Rule added
~$ sudo ufw status
Status: active
To Action From
-- ------ ----
151.101.117.140 DENY Anywhere
~$ ping 151.101.117.140
PING 151.101.117.140 (151.101.117.140) 56(84) bytes of data.
64 bytes from 151.101.117.140: icmp_seq=1 ttl=52 time=91.5 ms
64 bytes from 151.101.117.140: icmp_seq=2 ttl=52 time=99.3 ms
64 bytes from 151.101.117.140: icmp_seq=3 ttl=52 time=141 ms
64 bytes from 151.101.117.140: icmp_seq=4 ttl=52 time=50.6 ms
64 bytes from 151.101.117.140: icmp_seq=5 ttl=52 time=74.6 ms
64 bytes from 151.101.117.140: icmp_seq=6 ttl=52 time=118 ms
64 bytes from 151.101.117.140: icmp_seq=7 ttl=52 time=216 ms
64 bytes from 151.101.117.140: icmp_seq=8 ttl=52 time=49.5 ms
^Z
[1]+ Stopped ping 151.101.117.140
~$ sudo ufw deny from 151.101.117.140
Rule added
~$ sudo ufw status
Status: active
To Action From
-- ------ ----
151.101.117.140 DENY Anywhere
Anywhere DENY 151.101.117.140
~$ ping 151.101.117.140
PING 151.101.117.140 (151.101.117.140) 56(84) bytes of data.
64 bytes from 151.101.117.140: icmp_seq=1 ttl=52 time=245 ms
64 bytes from 151.101.117.140: icmp_seq=2 ttl=52 time=180 ms
64 bytes from 151.101.117.140: icmp_seq=3 ttl=52 time=288 ms
64 bytes from 151.101.117.140: icmp_seq=4 ttl=52 time=210 ms
64 bytes from 151.101.117.140: icmp_seq=5 ttl=52 time=74.5 ms
64 bytes from 151.101.117.140: icmp_seq=6 ttl=52 time=82.7 ms