On a freshly launched Amazon EC2 instance (Amazon Linux 2) I cannot start the firewall. Running systemctl start firewalld
produces several warnings and errors (details below), which boil down to: no icmptypes found
and no such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'.
Any advice is much appreciated.
# uname -r
4.14.173-137.229.amzn2.x86_64
# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Fri 2020-04-10 11:11:29 UTC; 17min ago
Docs: man:firewalld(1)
Process: 2736 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 2736 (code=exited, status=0/SUCCESS)
... firewalld[2736]: WARNING: unknown-header-type: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
... firewalld[2736]: WARNING: ICMP type 'unknown-option' is not supported by the kernel for ipv6.
... firewalld[2736]: WARNING: unknown-option: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
... firewalld[2736]: ERROR: No icmptypes found.
... firewalld[2736]: ERROR: Failed to read file "/proc/sys/net/netfilter/nf_conntrack_helper": [Errno 2] No such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'
... firewalld[2736]: WARNING: Failed to get and parse nf_conntrack_helper setting
... firewalld[2736]: WARNING: iptables not usable, disabling IPv4 firewall.
... firewalld[2736]: WARNING: ip6tables not usable, disabling IPv6 firewall.
... firewalld[2736]: FATAL ERROR: No IPv4 and IPv6 firewall.
... firewalld[2736]: ERROR: Raising SystemExit in run_server
Update: it seems my system does not have nf_conntrack:
# lsmod | grep nf_conntrack
(empty output)
Answer 1
Check whether SELinux is enforcing. If it is, set it to permissive, then restart firewalld, and then set SELinux back to enforcing.
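The three conditions named in this thread (nf_conntrack not loaded, the nf_conntrack_helper sysctl absent, and the SELinux mode the answer asks about) can be checked in one pass before restarting firewalld. The following pre-flight script is an added example, not code from the question or the answer; it takes an optional root directory argument (an assumption made so it can be exercised against a constructed directory tree) and defaults to the live host. It reports findings and returns non-zero when a prerequisite is missing; it changes nothing, so the SELinux mode is only reported, not switched.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight check for the
# conditions firewalld complained about above.
#
# Usage: firewalld_preflight [ROOT]
#   ROOT defaults to "/" (the live host). A fake tree under ROOT lets the
#   checks run offline; the structure under it mirrors the real /proc and /sys.
# Returns 0 when every prerequisite is present, 1 otherwise, and prints one
# line per finding.
firewalld_preflight() {
    root="${1:-/}"
    root="${root%/}"            # strip a trailing slash so "/" becomes ""
    rc=0

    # 1. nf_conntrack must be loaded. /proc/modules is the file lsmod reads,
    #    and the trailing space keeps e.g. nf_conntrack_ipv4 from matching.
    if ! grep -q '^nf_conntrack ' "$root/proc/modules" 2>/dev/null; then
        echo "MISSING: nf_conntrack module not loaded (modprobe nf_conntrack)"
        rc=1
    fi

    # 2. firewalld reads this sysctl at startup; the file only exists once
    #    nf_conntrack is loaded, which is why the ENOENT above appeared.
    if [ ! -f "$root/proc/sys/net/netfilter/nf_conntrack_helper" ]; then
        echo "MISSING: /proc/sys/net/netfilter/nf_conntrack_helper"
        rc=1
    fi

    # 3. SELinux mode, as the answer suggests checking. Reported only:
    #    1 = enforcing, 0 = permissive; no file = SELinux not active.
    if [ -f "$root/sys/fs/selinux/enforce" ]; then
        mode=$(cat "$root/sys/fs/selinux/enforce")
        if [ "$mode" = "1" ]; then
            echo "INFO: SELinux is enforcing"
        else
            echo "INFO: SELinux is permissive"
        fi
    else
        echo "INFO: SELinux not active"
    fi

    return $rc
}
```

On the instance itself, source the file and call firewalld_preflight with no argument; a MISSING line for the module is the case the question's update shows (empty lsmod output), and the sysctl check will clear on its own once the module is loaded. The script does not test whether iptables is usable, which the log also reports; that follows from the same missing conntrack support in the kernel.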