Domain-Name-System

啟用 ufw 時無法 ping 任何主機名/域

  • December 11, 2020

為什麼啟用 ufw 後我無法 ping 任何域/主機名?

[root@ip-172-31-23-37 ec2-user]# ping google.com
ping: google.com: Name or service not known
[root@ip-172-31-23-37 ec2-user]# ufw disable
Firewall stopped and disabled on system startup
[root@ip-172-31-23-37 ec2-user]# ping google.com
PING google.com (74.125.24.100) 56(84) bytes of data.
64 bytes from 74.125.24.100 (74.125.24.100): icmp_seq=1 ttl=100 time=2.14 ms
64 bytes from 74.125.24.100 (74.125.24.100): icmp_seq=2 ttl=100 time=2.19 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.149/2.170/2.192/0.051 ms
[root@ip-172-31-23-37 ec2-user]# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
[root@ip-172-31-23-37 ec2-user]# ping google.com
ping: google.com: Name or service not known

除了使用命令定義之外,我已禁用所有傳出流量ufw default deny outgoing。ufw狀態:

80                         ALLOW OUT   Anywhere
443                        ALLOW OUT   Anywhere
3306                       ALLOW OUT   Anywhere
2465                       ALLOW OUT   Anywhere
3306/tcp                   ALLOW OUT   Anywhere
3306/udp                   ALLOW OUT   Anywhere
127.0.0.1 3306             ALLOW OUT   Anywhere
80 (v6)                    ALLOW OUT   Anywhere (v6)
443 (v6)                   ALLOW OUT   Anywhere (v6)
3306 (v6)                  ALLOW OUT   Anywhere (v6)
2465 (v6)                  ALLOW OUT   Anywhere (v6)
3306/tcp (v6)              ALLOW OUT   Anywhere (v6)
3306/udp (v6)              ALLOW OUT   Anywhere (v6)

我已經設置接受 icmp 到/etc/ufw/before.rules文件

# allow outbound icmp
-A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

您尚未允許出站 DNS 流量,因此無法將名稱解析為 IP 地址。

引用自:https://serverfault.com/questions/1045773