Ping
firewalld 導致 nmap 返回主機似乎已關閉
我有兩台機器,server1 和 server2。在 server2 上,我停止了 firewalld。
[root@server2 ~]# systemctl stop firewalld
從 server1,nmap 返回
Host is up
.[root@server1 ~]$ nmap -sn server2 Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 11:27 CDT Nmap scan report for server2 (10.17.45.13) Host is up (0.00045s latency). Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds
我在 server2 上啟用了 firewalld。
[root@server2 ~]# systemctl start firewalld
從 server1,nmap 返回
Host seems down
,因此server2上的 firewalld 導致 nmap 返回 Host 似乎已關閉。[root@server1 ~]$ nmap -sn server2 Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 11:29 CDT Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 0.01 seconds
在 server1 上,ping/echo/ICMP 有效。
[root@server1 ~]$ ping -c4 server2 PING server2 (10.17.45.13) 56(84) bytes of data. 64 bytes from server2 (10.17.45.13): icmp_seq=1 ttl=64 time=0.436 ms 64 bytes from server2 (10.17.45.13): icmp_seq=2 ttl=64 time=0.388 ms 64 bytes from server2 (10.17.45.13): icmp_seq=3 ttl=64 time=0.338 ms 64 bytes from server2 (10.17.45.13): icmp_seq=4 ttl=64 time=0.390 ms --- server2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3000ms rtt min/avg/max/mdev = 0.338/0.388/0.436/0.034 ms
以下是server2 上
public
和區域的防火牆設置。drop
icmp-block 為空意味著沒有 ICMP 類型被阻止,並且 icmp-block-inversion 設置no
為允許所有 IMCP 流量。[root@server2 ~]# firewall-cmd --zone=public --list-all public (active) target: default icmp-block-inversion: no interfaces: eno16777984 sources: services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: [root@server2 ~]# firewall-cmd --zone=drop --list-all drop target: DROP icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
/var/log/firewalld
當 nmap 返回時沒有記錄任何內容Host seems down
。
我不知道firewallcmd,但是Linux中的所有過濾都是由iptables完成的。因此,firewallcmd(如 ufw 等)是 iptables 的前端。
您始終可以通過命令 : 檢查核心中的活動規則
iptables -L -nv
,即使您完全禁用 iptables 服務(因為防火牆由 firewallcmd 管理)。如果您不禁用 iptables 服務(或 Debian 上的 netfilter-persistent),您可能會在兩個管理器之間發生衝突。