I want to set up a policy that denies outgoing connections by default.
- DNS queries should be allowed
- Specific IPs should be allowed for outgoing connections
So I set the following rules:
sudo ufw default deny outgoing
sudo ufw allow out 53
sudo ufw allow out from any to 123.123.123.123
Checking:
sudo ufw status numbered
Output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 123.123.123.123            ALLOW OUT   Anywhere (out)
[ 2] 53                         ALLOW OUT   Anywhere (out)
[ 3] 53 (v6)                    ALLOW OUT   Anywhere (v6) (out)
When I ping google.com, I expect DNS resolution to work but the ping itself to fail. However, the whole ping works. I noticed that it pings over IPv6. With the firewall disabled, it uses IPv4.
PING google.com(fra15s12-in-x0e.1e100.net (2a00:1450:4001:815::200e)) 56 data bytes
64 bytes from fra15s12-in-x0e.1e100.net (2a00:1450:4001:815::200e): icmp_seq=1 ttl=115 time=3.90 ms
64 bytes from fra15s12-in-x0e.1e100.net (2a00:1450:4001:815::200e): icmp_seq=2 ttl=115 time=3.96 ms
64 bytes from fra15s12-in-x0e.1e100.net (2a00:1450:4001:815::200e): icmp_seq=3 ttl=115 time=3.94 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.903/3.936/3.965/0.025 ms
The firewall seems to block IPv4 successfully, so the ping command tries IPv6 and succeeds. Somehow the firewall does not block IPv6.
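The behaviour described in the post (ping switching to IPv6 and succeeding under a deny-outgoing policy) is easiest to investigate by looking at two things that `ufw status` does not show: the IPv6 OUTPUT policy and the rules ufw installs ahead of user rules in its `ufw6-before-output` chain. The shell script below is an added example and not part of the original post. It parses text that on a live host would come from `sudo ufw status numbered` and `sudo ip6tables -S`; here both inputs are constructed inline so the script runs without ufw installed, and the `ip6tables -S` sample is only modelled on the shape of ufw's chains, not copied from a real system. The script reports which outgoing allow rules exist for IPv4 only, what the IPv6 OUTPUT policy is, and which ICMPv6 types are accepted before that policy applies.

```shell
#!/bin/sh
# Added example (not part of the original post): audit ufw's IPv6 side from text.
# On a live host the two inputs would come from:
#     sudo ufw status numbered
#     sudo ip6tables -S
# Both are CONSTRUCTED inline here so the script runs without ufw installed.

# Constructed: the listing from the post. The host rule exists only for IPv4.
UFW_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 123.123.123.123            ALLOW OUT   Anywhere (out)
[ 2] 53                         ALLOW OUT   Anywhere (out)
[ 3] 53 (v6)                    ALLOW OUT   Anywhere (v6) (out)'

# Constructed to resemble ufw's ip6tables chain layout (policy, then the
# before/user/after chains). Types 128/129 are ICMPv6 echo-request/echo-reply.
IP6TABLES_S='-P OUTPUT DROP
-A OUTPUT -j ufw6-before-logging-output
-A OUTPUT -j ufw6-before-output
-A OUTPUT -j ufw6-after-output
-A ufw6-before-output -o lo -j ACCEPT
-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A ufw6-before-output -j ufw6-user-output
-A ufw6-user-output -p udp -m udp --dport 53 -j ACCEPT'

# "To" targets that have an IPv4 rule but no "(v6)" twin in the listing.
# With "default deny outgoing" applied to both families, such a rule opens
# nothing for IPv6, which the ufw listing does not make obvious.
v4_only_out_rules() {
    printf '%s\n' "$1" |
    sed -n 's/^\[ *[0-9][0-9]*\] *//p' |
    awk -F '  +' '
        $1 ~ / \(v6\)$/ { t = $1; sub(/ \(v6\)$/, "", t); v6[t] = 1; next }
        { v4[$1] = 1 }
        END { for (t in v4) if (!(t in v6)) print t }' | sort
}

# The IPv6 OUTPUT policy: DROP under "default deny outgoing", ACCEPT otherwise.
ip6_output_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "OUTPUT" { print $3 }'
}

# ICMPv6 types accepted in ufw6-before-output, i.e. ahead of the user rules
# and of the chain policy, so they pass regardless of "deny outgoing".
icmpv6_types_accepted_out() {
    printf '%s\n' "$1" |
    awk '$1 == "-A" && $2 == "ufw6-before-output" && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--icmpv6-type") print $(i + 1)
         }'
}

# Human-readable summary of the three checks above.
report() {
    echo "IPv6 OUTPUT policy: $(ip6_output_policy "$IP6TABLES_S")"
    echo "ICMPv6 types accepted on output before the policy applies:"
    icmpv6_types_accepted_out "$IP6TABLES_S" | sed 's/^/  type /'
    echo "Outgoing allow rules present for IPv4 only:"
    v4_only_out_rules "$UFW_STATUS" | sed 's/^/  /'
}

report
```

To run this against a real host, replace the two constructed variables with `UFW_STATUS=$(sudo ufw status numbered)` and `IP6TABLES_S=$(sudo ip6tables -S)`; whether a given ufw version accepts outbound echo-request in `ufw6-before-output` is then read from the host's actual rules rather than from this sample.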