Ping
firewalld 導致 nmap 返回主機似乎已關閉
我有兩台機器,server1 和 server2。在 server2 上,我停止了 firewalld。
[root@server2 ~]# systemctl stop firewalld從 server1,nmap 返回
Host is up.[root@server1 ~]$ nmap -sn server2 Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 11:27 CDT Nmap scan report for server2 (10.17.45.13) Host is up (0.00045s latency). Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds我在 server2 上啟用了 firewalld。
[root@server2 ~]# systemctl start firewalld從 server1,nmap 返回
Host seems down,因此server2上的 firewalld 導致 nmap 返回 Host 似乎已關閉。[root@server1 ~]$ nmap -sn server2 Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 11:29 CDT Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 0.01 seconds在 server1 上,ping/echo/ICMP 有效。
[root@server1 ~]$ ping -c4 server2 PING server2 (10.17.45.13) 56(84) bytes of data. 64 bytes from server2 (10.17.45.13): icmp_seq=1 ttl=64 time=0.436 ms 64 bytes from server2 (10.17.45.13): icmp_seq=2 ttl=64 time=0.388 ms 64 bytes from server2 (10.17.45.13): icmp_seq=3 ttl=64 time=0.338 ms 64 bytes from server2 (10.17.45.13): icmp_seq=4 ttl=64 time=0.390 ms --- server2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3000ms rtt min/avg/max/mdev = 0.338/0.388/0.436/0.034 ms以下是server2 上
public和區域的防火牆設置。dropicmp-block 為空意味著沒有 ICMP 類型被阻止,並且 icmp-block-inversion 設置no為允許所有 IMCP 流量。[root@server2 ~]# firewall-cmd --zone=public --list-all public (active) target: default icmp-block-inversion: no interfaces: eno16777984 sources: services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: [root@server2 ~]# firewall-cmd --zone=drop --list-all drop target: DROP icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
/var/log/firewalld當 nmap 返回時沒有記錄任何內容Host seems down。
我不知道firewallcmd,但是Linux中的所有過濾都是由iptables完成的。因此,firewallcmd(如 ufw 等)是 iptables 的前端。
您始終可以通過命令 : 檢查核心中的活動規則
iptables -L -nv,即使您完全禁用 iptables 服務(因為防火牆由 firewallcmd 管理)。如果您不禁用 iptables 服務(或 Debian 上的 netfilter-persistent),您可能會在兩個管理器之間發生衝突。