防火墙导致 nmap 返回主机似乎已关闭

我有两台机器，server1 和 server2。在 server2 上，我停止了防火墙。

[root@server2 ~]# systemctl stop firewalld

从 server1，nmap 返回Host is up。

[root@server1 ~]$ nmap -sn server2

Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 11:27 CDT
Nmap scan report for server2 (10.17.45.13)
Host is up (0.00045s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds

我在server2上启用了firewalld。

[root@server2 ~]# systemctl start firewalld

从 server1，nmap 返回Host seems down，因此某物在 server2 上使用 firewalld 导致 nmap 返回主机似乎已关闭。

[root@server1 ~]$ nmap -sn server2

Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 11:29 CDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.01 seconds

从 server1 开始，ping/echo/ICMP 可以工作。

[root@server1 ~]$ ping -c4 server2
PING server2 (10.17.45.13) 56(84) bytes of data.
64 bytes from server2 (10.17.45.13): icmp_seq=1 ttl=64 time=0.436 ms
64 bytes from server2 (10.17.45.13): icmp_seq=2 ttl=64 time=0.388 ms
64 bytes from server2 (10.17.45.13): icmp_seq=3 ttl=64 time=0.338 ms
64 bytes from server2 (10.17.45.13): icmp_seq=4 ttl=64 time=0.390 ms

--- server2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.338/0.388/0.436/0.034 ms

public以下是 server2 上和区域的Firewalld 设置drop。icmp-block 为空，表示未阻止任何 ICMP 类型，而 icmp-block-inversion 设置为no允许所有 IMCP 流量。

[root@server2 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno16777984
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@server2 ~]# firewall-cmd --zone=drop --list-all
drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

/var/log/firewalld当 nmap 返回时没有记录任何内容Host seems down。