Olá,
Eu tenho uma pergunta. Eu gostaria de usar o UFW Ubuntu Firewall para bloquear a Entrada e a Saída completamente do servidor para garantir que nenhum pacote seja enviado inicialmente como uma linha de base.
Eu habilitei o UFW e usei o GUFW para configurar SEND / RECV para DENY / DENY, MAS ao executar o tcpdump .... ainda vejo pacotes. Por que isso acontece?
root@ubuntu12:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN1MB (Ethernet), capture size 65535 bytes
00:18:13.546778 IP 13.14.3.22.https > 192.168.1.11.53742: Flags [P.], seq 61669:25111754, ack 55373, win 1334, length 60
00:18:13.583974 IP 192.168.1.11.53742 > 13.14.3.22.https: Flags [.], ack 60, win 330, length 0
00:18:16.368458 IP 192.168.1.11.37884 > 11.21.4.13.40029: Flags [P.], seq 1557077:1525079, ack 3451606, win 331, options [nop,nop,TS val 667792 ecr 4834388], length 2
00:18:16.476004 IP 16.1.4.13.4009 > 192.168.1.11.384: Flags [.], ack 2, win 83, options [nop,nop,TS val 483331 ecr 667752], length 0
A configuração do Firewall UFW:
$ sudo grep '^### tuple' /lib/ufw/user*.rules
/lib/ufw/user.rules:### tuple ### deny tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
/lib/ufw/user.rules:### tuple ### deny udp 4444 0.0.0.0/0 any 0.0.0.0/0 in
/lib/ufw/user.rules:### tuple ### deny tcp 6881:6891 0.0.0.0/0 any 0.0.0.0/0 in
/lib/ufw/user.rules:### tuple ### deny udp 6881:6891 0.0.0.0/0 any 0.0.0.0/0 in
in
/lib/ufw/user.rules:### tuple ### deny any 53 0.0.0.0/0 any 0.0.0.0/0 in
/lib/ufw/user.rules:### tuple ### deny any 631 0.0.0.0/0 any 0.0.0.0/0 CUPS - in
$ ufw status
status: active
To Action From
-- ------ ----
51413/tcp DENY Anywhere
51413/udp DENY Anywhere
443/tcp DENY Anywhere
6881/tcp DENY Anywhere
6881/udp DENY Anywhere
2234:2239/tcp DENY Anywhere
2242/tcp DENY Anywhere
2240/tcp DENY Anywhere
4444/udp DENY Anywhere
4662/tcp DENY Anywhere
4672/udp DENY Anywhere
53 DENY Anywhere
$ sudo ufw show raw
IPV4 (raw):
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 40 ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0 tcpflags:! 0x17/0x02
205761 27027186 ACCEPT udp -- * * 127.0.0.1 0.0.0.0/0
2 141 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
77235 9359718 DROP all -- eth0 * 0.0.0.0/0 255.255.255.255
170607 17948324 DROP all -- * * 0.0.0.0/0 192.168.0.255
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
1564 289698 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
3759890 3187820179 INBOUND all -- eth0 * 0.0.0.0/0 0.0.0.0/0
18258 1735226 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
18258 1735226 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Unknown Input"
18258 1735226 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
18258 1735226 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
18258 1735226 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix "Outbound "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
0 0 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 0 level 4 prefix "[UFW AUDIT INVALID] "
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 539090 packets, 100712724 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 306 packets, 28746 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 372448 packets, 21597937 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 369100 packets, 21156985 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 4477889 packets, 3314295778 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 4233318 packets, 3244180512 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3535682 packets, 419300008 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3553346 packets, 421249234 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 181 packets, 36795 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 167 packets, 31957 bytes)
pkts bytes target prot opt in out source destination
IPV6:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
145 10432 ufw6-before-logging-input all * * ::/0 ::/0
145 10432 ufw6-before-input all * * ::/0 ::/0
0 0 ufw6-after-input all * * ::/0 ::/0
0 0 ufw6-after-logging-input all * * ::/0 ::/0
0 0 ufw6-reject-input all * * ::/0 ::/0
0 0 ufw6-track-input all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw6-before-logging-forward all * * ::/0 ::/0
0 0 ufw6-before-forward all * * ::/0 ::/0
0 0 ufw6-after-forward all * * ::/0 ::/0
0 0 ufw6-after-logging-forward all * * ::/0 ::/0
0 0 ufw6-reject-forward all * * ::/0 ::/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
22 1432 ufw6-before-logging-output all * * ::/0 ::/0
22 1432 ufw6-before-output all * * ::/0 ::/0
15 960 ufw6-after-output all * * ::/0 ::/0
15 960 ufw6-after-logging-output all * * ::/0 ::/0
15 960 ufw6-reject-output all * * ::/0 ::/0
15 960 ufw6-track-output all * * ::/0 ::/0
Chain ufw6-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:137
0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:138
0 0 ufw6-skip-to-policy-input tcp * * ::/0 ::/0 tcp dpt:139
0 0 ufw6-skip-to-policy-input tcp * * ::/0 ::/0 tcp dpt:445
0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:67
0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:68
Chain ufw6-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0 rt type:0 segsleft:0
0 0 ufw6-user-forward all * * ::/0 ::/0
Chain ufw6-before-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all lo * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0 rt type:0 segsleft:0
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
0 0 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 129
0 0 ufw6-logging-deny all * * ::/0 ::/0 state INVALID
0 0 DROP all * * ::/0 ::/0 state INVALID
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT udp * * fe80::/10 fe80::/10 udp spt:547 dpt:546
0 0 ACCEPT udp * * ::/0 ff02::fb/128 udp dpt:5353
0 0 ACCEPT udp * * ::/0 ff02::f/128 udp dpt:1900
0 0 ufw6-user-input all * * ::/0 ::/0
Chain ufw6-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "
Chain ufw6-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "
Chain ufw6-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "
Chain ufw6-before-output (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * lo ::/0 ::/0
0 0 DROP all * * ::/0 ::/0 rt type:0 segsleft:0
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
0 0 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
0 0 ufw6-user-output all * * ::/0 ::/0
Chain ufw6-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw6-logging-deny (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 state INVALID LOG flags 0 level 4 prefix "[UFW AUDIT INVALID] "
0 0 LOG all * * ::/0 ::/0 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0
Chain ufw6-skip-to-policy-input (6 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0
Chain ufw6-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0
Chain ufw6-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-track-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-limit (0 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-output (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 17 packets, 1813 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Como faço para configurar o UFW para que, com DENY / DENY, GARANTIR QUE NO PACOTES sejam enviados pelo meu dispositivo ethernet? Não é UFW em DENY / DENY deve bloquear tudo, desde a placa de rede eth0 em ambas as direções?
Editar: Meu hack temporário para consertá-lo por meio de desconexão falsa o cabo de rede está sendo executado: sudo networking service stop