ping and traceroute do not work when UFW defaults to deny outgoing

How can I make ping and traceroute work after setting UFW to default deny outgoing?

Here is my UFW configuration:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
123/udp                    ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
123/udp (v6)               ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

53                         ALLOW OUT   Anywhere
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
587/tcp                    ALLOW OUT   Anywhere
123/udp                    ALLOW OUT   Anywhere
53 (v6)                    ALLOW OUT   Anywhere (v6)
80/tcp (v6)                ALLOW OUT   Anywhere (v6)
443/tcp (v6)               ALLOW OUT   Anywhere (v6)
587/tcp (v6)               ALLOW OUT   Anywhere (v6)
123/udp (v6)               ALLOW OUT   Anywhere (v6)

Here are the ping and traceroute results:

ping google.com
PING google.com (173.194.121.34) 56(84) bytes of data.
ping: sendmsg: Operation not permitted

traceroute google.com
traceroute to google.com (173.194.121.34), 30 hops max, 60 byte packets
send: Operation not permitted

I found this post (http://www.kelvinism.com/2010/09/enable-icmp-through-ufw_461.html) suggesting that these lines be added to /etc/ufw/before.rules:

# allow outbound icmp
-A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

That seems to work for ping, but not for traceroute. Any ideas?

Thanks

Answer 1

This worked for me:

ufw allow out to any port 33434:33524 proto udp

Answer 2

I had to use sudo traceroute with the -I option (Use ICMP ECHO for tracerouting):

sudo traceroute google.com -I

Answer 3

For traceroute, you need to allow outgoing UDP packets in the 33434:33524 range. Some tools also let you use ICMP echo requests. Since PING is working, you must already have ICMP echo request packets enabled.

The returned packets are mostly ICMP time exceeded packets. If you have enabled the required ICMP types, nothing further needs to be configured.
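Where the 33434:33524 range in answers 1 and 3 comes from, as an added example (not code from the thread): UDP-mode traceroute sends one probe per destination port, counting up from its base port (default 33434, settable with -p), so the outbound range a deny-outgoing policy must open is base .. base + max_hops * nqueries - 1. The function names and the defaults of 30 hops and 3 probes are assumptions taken from traceroute's usual defaults.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the Linux traceroute uses
# one destination UDP port per probe, counting up from the base port, so
# 30 hops x 3 probes starting at 33434 occupy 33434..33523.

# Print "first:last" for the UDP destination ports traceroute will use.
traceroute_udp_port_range() {
    max_hops="${1:-30}"     # traceroute default: 30 hops max
    nqueries="${2:-3}"      # traceroute default: 3 probes per hop
    base="${3:-33434}"      # traceroute default start port (-p)
    last=$((base + max_hops * nqueries - 1))
    if [ "$last" -gt 65535 ]; then
        echo "port range would exceed 65535" >&2
        return 1
    fi
    echo "${base}:${last}"
}

# Emit the outbound UFW rule for that range (same shape as answer 1).
# Open only this range rather than all outbound UDP so the deny-outgoing
# policy still blocks everything else.
traceroute_ufw_rule() {
    range="$(traceroute_udp_port_range "$@")" || return 1
    echo "ufw allow out to any port ${range} proto udp"
}

traceroute_ufw_rule 30 3
```

Passing a larger hop count (e.g. -m 64) widens the range accordingly; the replies still arrive as ICMP time-exceeded and destination-unreachable, which UFW's default before.rules already accept inbound.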

Answer 4

I suggest you allow a broader set of ICMP responses.

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
