I have two interfaces: net0 with IP 192.168.0.30 and vnic0 with IP 10.2.0.1.
This is my pf.conf; Solaris is 11.4.
ext_if="net0"
int_if="vnic0"
localnet="192.168.0.0/24"
internalnet="10.2.0.0/24"
int_tcp_services = "{www, https}"
int_udp_services = "{domain}"
set skip on lo
set loginterface $ext_if
block return in log all
block out all
antispoof quick for $ext_if
# Block rapid-fire brute force attempts
table <bruteforce> persist
block quick from <bruteforce>
#enable icmp for localnet
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from $internalnet to any keep state
pass inet proto icmp from any to $ext_if keep state
pass inet proto icmp from any to $int_if keep state
# SSH is listening on port 22
pass in quick proto tcp to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# bind is listening on port 53
pass in quick proto tcp to $int_if port 53 keep state
pass in quick proto udp to $int_if port 53 keep state
# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
With the firewall disabled, all interfaces accept ping; with the firewall enabled, only net0 accepts ping.
Is there any solution?
Answer 1
I think there is a typo in the ruleset: you want s/set skip on lo/set skip on lo0/. That should fix the firewall's wrong behaviour for local pings. Note that, although you may be probing the address bound to the NIC, all local traffic is bound to lo0. Antispoof acts on such pings.
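To catch the lo/lo0 slip that answer 1 points out before loading a ruleset, here is an added lint script; it is not from the question or either answer. It assumes the loopback interface is named lo0 (as answer 1 states), reads macros in the name="value" form pf.conf uses, and the sample ruleset embedded in it is constructed from the relevant lines of the question.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant lines of the asker's ruleset before the fix.
ASKER_CONF = """\
ext_if="net0"
int_if="vnic0"
set skip on lo
antispoof quick for $ext_if
pass inet proto icmp from any to $ext_if keep state
"""

LOOPBACK = "lo0"  # assumption: Solaris names its loopback interface lo0

def parse_macros(conf: str) -> Dict[str, str]:
    """Collect name="value" macro definitions from the ruleset."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', conf, re.M))

def expand(text: str, macros: Dict[str, str]) -> str:
    """Substitute $name references with their macro values."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), text)

def interfaces_after(pattern: str, conf: str, macros: Dict[str, str]) -> List[str]:
    """Interface names captured by pattern (group 1), macro-expanded, braces removed."""
    names = []
    for m in re.finditer(pattern, conf, re.M):
        spec = expand(m.group(1), macros)
        names += spec.strip("{}").replace(",", " ").split()
    return sorted(set(names))

def lint(conf: str) -> List[str]:
    """Findings about loopback handling that break local pings, as in answer 1."""
    macros = parse_macros(conf)
    skipped = interfaces_after(r"^[ \t]*set[ \t]+skip[ \t]+on[ \t]+(\{[^}]*\}|\S+)", conf, macros)
    spoofed = interfaces_after(r"^[ \t]*antispoof[ \t]+(?:\S+[ \t]+)*?for[ \t]+(\{[^}]*\}|\S+)", conf, macros)
    findings = []
    for name in skipped:
        if name != LOOPBACK and name.startswith("lo"):
            findings.append(f"'set skip on {name}' looks like a typo for '{LOOPBACK}'")
    if LOOPBACK not in skipped:
        msg = f"missing 'set skip on {LOOPBACK}': locally originated pings to a NIC address pass through {LOOPBACK} and are filtered"
        if spoofed:
            msg += f"; antispoof for {spoofed} will drop them"
        findings.append(msg)
    return findings

def fix_loopback_skip(conf: str) -> str:
    """Apply answer 1's substitution: s/set skip on lo/set skip on lo0/."""
    return re.sub(r"^([ \t]*set[ \t]+skip[ \t]+on[ \t]+)lo[ \t]*$", rf"\g<1>{LOOPBACK}", conf, flags=re.M)
```

Running lint() over the constructed ruleset reports the lo typo and the missing lo0 skip; after fix_loopback_skip() it reports nothing.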
Answer 2
Found a solution: using this basic but working .conf, copied from here and edited.
# Vars
ext_if="net0"
int_if="vnic0"
webports="{443, 80}"
## make IP reassembly work
set reassemble yes no-df
## ignore loopback traffic
set skip on lo0
# block everything unless told otherwise
# and send TCP-RST/ICMP unreachable
# for every packet which gets blocked
block return in log all
pass out all
# accept incoming SSH connections
pass in proto tcp to $ext_if port 22
# accept webserver connections
pass in proto tcp to $ext_if port $webports
# accept icmp
pass in proto icmp all
## allow incoming messages from DHCP
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546
## packet too big - needed for PMTUD
pass in inet6 proto ipv6-icmp icmp6-type 2
## router advertisement
pass in inet6 proto ipv6-icmp icmp6-type 134
## neighbor solicitation
pass in inet6 proto ipv6-icmp icmp6-type 135
## neighbor advertisement
pass in inet6 proto ipv6-icmp icmp6-type 136
## allow all connections initiated from this system,
## including DHCP requests
pass out