I have removed everything I don't need from the Linux kernel, and now the firewall no longer works. The firewall starts, but it has no rules in it and rules cannot be added. What do I need to select/enable/build as a module to get the firewall working?
Here is my Linux kernel configuration from make menuconfig:
--- Networking support ---
Networking options --->
[ ] Amateur Radio support ----
< > CAN bus subsystem support ----
<*> Bluetooth subsystem support --->
< > RxRPC session sockets
< > KCM sockets
-*- Wireless --->
< > WiMAX Wireless Broadband support ----
<*> RF switch subsystem support --->
< > Plan 9 Resource Sharing Support (9P2000) ----
< > CAIF support ----
< > Ceph core library
< > NFC subsystem support ----
< > Packet-sampling netlink channel ----
< > Inter-FE based on IETF ForCES InterFE LFB ----
[ ] Network light weight tunnels
< > Network physical/parent device Netlink interface
< > Generic failover module
--- Networking options ---
<*> Packet socket
<M> Packet: sockets monitoring interface
<*> Unix domain sockets
<M> UNIX: socket monitoring interface
< > Transport Layer Security support
< > Transformation user configuration interface
< > PF_KEY sockets
[ ] XDP sockets
[*] TCP/IP networking
[ ] IP: multicasting
[ ] IP: advanced router
[ ] IP: kernel level autoconfiguration
< > IP: tunneling
< > IP: GRE demultiplexer
[*] IP: TCP syncookie support
< > IP: Foo (IP protocols) over UDP
< > IP: AH transformation
< > IP: ESP transformation
< > IP: IPComp transformation
< > IP: IPsec transport mode
< > IP: IPsec tunnel mode
< > IP: IPsec BEET mode
< > INET: socket monitoring interface
[ ] TCP: advanced congestion control ----
[ ] TCP: MD5 Signature Option support (RFC2385)
< > The IPv6 protocol ----
[ ] NetLabel subsystem support
-*- Security Marking
[ ] Timestamping in PHY devices
[*] Network packet filtering framework (Netfilter) --->
[*] BPF based packet filtering framework (BPFILTER) --->
< > The DCCP Protocol ----
< > The SCTP Protocol ----
< > The Reliable Datagram Sockets Protocol
< > The TIPC Protocol ----
< > Asynchronous Transfer Mode (ATM)
< > Layer Two Tunneling Protocol (L2TP) ----
< > 802.1d Ethernet Bridging
< > Distributed Switch Architecture
< > 802.1Q/802.1ad VLAN Support
< > DECnet Support
< > ANSI/IEEE 802.2 LLC type 2 Support
< > Appletalk protocol support
< > CCITT X.25 Packet Layer
< > LAPB Data Link Driver
< > Phonet protocols family
< > IEEE Std 802.15.4 Low-Rate Wireless Personal Area Networks support ----
[ ] QoS and/or fair queueing ----
[ ] Data Center Bridging support
< > DNS Resolver support
< > B.A.T.M.A.N. Advanced Meshing Protocol
< > Open vSwitch
< > Virtual Socket protocol
< > NETLINK: socket monitoring interface
[ ] MultiProtocol Label Switching ----
< > Network Service Header (NSH) protocol ----
< > High-availability Seamless Redundancy (HSR)
[ ] Switch (and switch-ish) device support
[ ] L3 Master device support
[ ] NCSI interface support
[ ] Network priority cgroup
[ ] Network classid cgroup
[ ] enable BPF Just In Time compiler
[ ] enable BPF STREAM_PARSER
Network testing --->
Answer 1
The list of Netfilter modules is very large; I have only made a partial list.
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=m
CONFIG_NF_LOG_NETDEV=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CONNTRACK_SLP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_NETLINK_TIMEOUT=m
CONFIG_NF_CT_NETLINK_HELPER=m
I don't know which firewall modules you are using, but you will need some, most, or all of the Netfilter ones.
Here is what I would do.
Use the default config and boot with it.
Make sure all hardware and the firewall are loaded correctly.
Then make your local changes to the config
and recompile the kernel.
Done.
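As an added example that is not part of the question or the answer: a POSIX shell check that compares a kernel config (/proc/config.gz or /boot/config-*) against the Netfilter symbols the answer lists and reports any that are absent or "is not set". The four symbols beyond the answer's list (CONFIG_NETFILTER, CONFIG_NETFILTER_XTABLES, CONFIG_IP_NF_IPTABLES, CONFIG_IP_NF_FILTER) are an assumption about an iptables-based firewall, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the question or the answer): report which Netfilter
# Kconfig symbols a kernel config lacks. Symbols beyond the answer's own list
# (CONFIG_NETFILTER, CONFIG_NETFILTER_XTABLES, CONFIG_IP_NF_IPTABLES,
# CONFIG_IP_NF_FILTER) are an assumption about an iptables-based firewall.

REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NETFILTER_NETLINK CONFIG_NETFILTER_XTABLES
CONFIG_NF_CONNTRACK CONFIG_NF_CT_NETLINK CONFIG_NF_LOG_COMMON
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"

# Print a config as plain text, whether it is /proc/config.gz or /boot/config-*.
read_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print each required symbol that is neither built in (=y) nor modular (=m);
# "# CONFIG_X is not set" lines and absent symbols both count as missing.
# Returns 0 when every symbol is present, 1 otherwise.
missing_netfilter_opts() {
    cfg=$(read_config "$1")
    rc=0
    for opt in $REQUIRED_OPTS; do
        if ! printf '%s\n' "$cfg" | grep -qx "$opt=[ym]"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample resembling a trimmed config: conntrack was switched off
# and the iptables filter table was never selected.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_XTABLES=m
# CONFIG_NF_CONNTRACK is not set
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_LOG_COMMON=m
CONFIG_IP_NF_IPTABLES=m
EOF

# On a live system use /proc/config.gz or "/boot/config-$(uname -r)" instead.
if missing=$(missing_netfilter_opts "$SAMPLE_FILE"); then
    echo "all required Netfilter symbols are enabled"
else
    echo "missing or disabled:"; echo "$missing"
fi
```

Running it against the constructed sample prints CONFIG_NF_CONNTRACK and CONFIG_IP_NF_FILTER as missing; against a config with every symbol set to y or m it prints nothing and returns 0.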