I have two machines, server1 and server2. On server2, I stopped the firewall.
[root@server2 ~]# systemctl stop firewalld
From server1, nmap returns Host is up.
[root@server1 ~]$ nmap -sn server2
Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 11:27 CDT
Nmap scan report for server2 (10.17.45.13)
Host is up (0.00045s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds
I enabled firewalld on server2.
[root@server2 ~]# systemctl start firewalld
From server1, nmap returns Host seems down, so something about using firewalld on server2 is causing nmap to report that the host seems down.
[root@server1 ~]$ nmap -sn server2
Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 11:29 CDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.01 seconds
From server1, ping/echo/ICMP works.
[root@server1 ~]$ ping -c4 server2
PING server2 (10.17.45.13) 56(84) bytes of data.
64 bytes from server2 (10.17.45.13): icmp_seq=1 ttl=64 time=0.436 ms
64 bytes from server2 (10.17.45.13): icmp_seq=2 ttl=64 time=0.388 ms
64 bytes from server2 (10.17.45.13): icmp_seq=3 ttl=64 time=0.338 ms
64 bytes from server2 (10.17.45.13): icmp_seq=4 ttl=64 time=0.390 ms
--- server2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.338/0.388/0.436/0.034 ms
Below are the firewalld settings on server2 for the public and drop zones. icmp-blocks is empty, meaning no ICMP types are blocked, and icmp-block-inversion is set to no, which allows all ICMP traffic.
[root@server2 ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno16777984
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@server2 ~]# firewall-cmd --zone=drop --list-all
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Nothing is logged in /var/log/firewalld when nmap returns Host seems down.
Answer 1
I don't know firewallcmd, but all filtering in Linux is done by iptables. So firewallcmd (like ufw and other similar programs) is a front end to iptables.
Even if you completely disable the iptables service (because the firewall is managed by firewallcmd), you can check the active rules in the kernel with the following command: iptables -L -nv
If you don't disable the iptables service (or netfilter-persistent on Debian), the two managers may conflict with each other.
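One way to act on the advice in this answer, as an added example that is not part of the original question or answer: snapshot the kernel's INPUT chain counters before and after the nmap run and print only the rules whose packet counters grew, which shows which rule actually handled the probes. The two snapshots embedded below are constructed for the demo and are only modeled on the chain layout firewalld installs with its iptables backend; they are not taken from the asker's server2, whose iptables output the post does not show. The script assumes `iptables -xnvL INPUT --line-numbers` as the capture command (`-x` prints exact counters instead of K/M-rounded ones, which the subtraction needs).

```shell
#!/bin/sh
# Added example, not code from the original post. Compare two snapshots of
# "iptables -xnvL INPUT --line-numbers" and list rules whose pkts counter grew.
#
# Real-world usage (as root on the scanned host, e.g. server2):
#   iptables -xnvL INPUT --line-numbers > /tmp/before
#   # ... run "nmap -sn server2" from the scanning host ...
#   iptables -xnvL INPUT --line-numbers > /tmp/after
#   counter_delta /tmp/before /tmp/after

# counter_delta BEFORE AFTER
# Prints "num target +delta proto [match/extra]" for each rule whose packet
# counter increased. Column layout of -xnvL --line-numbers is:
#   num pkts bytes target prot opt in out source destination [extra...]
counter_delta() {
    awk '
        # first line of the second file: switch from recording to comparing
        FNR == 1 && NR != 1 { second = 1 }
        /^[0-9]+ / {
            rest = ""
            for (i = 11; i <= NF; i++) rest = rest (i > 11 ? " " : "") $i
            if (!second) {
                before[$1] = $2
            } else if ($2 - before[$1] > 0) {
                line = $1 " " $4 " +" ($2 - before[$1]) " " $5
                if (rest != "") line = line " " rest
                print line
            }
        }
    ' "$1" "$2"
}

# demo_delta: runs counter_delta on two CONSTRUCTED snapshots (assumption:
# modeled on firewalld's iptables chain layout, not captured from server2).
demo_delta() {
    before=$(mktemp); after=$(mktemp)
    cat >"$before" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1520 96800 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2       40  2400 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3      312 18720 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4      312 18720 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5      312 18720 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7       27  1620 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
EOF
    cat >"$after" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1524 97056 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2       40  2400 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3      315 18900 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4      315 18900 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5      315 18900 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7       30  1800 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
EOF
    counter_delta "$before" "$after"
    rm -f "$before" "$after"
}

demo_delta
```

In the constructed demo the three probes walk the firewalld jump chains (rules 3 to 5) and end in the final REJECT (rule 7), while rule 1 only grows from unrelated established traffic; on a real host, a jump into a zone chain with no growth on the final REJECT would instead point you at the zone's own chains (`iptables -xnvL IN_public` and so on) for the next diff.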