Solaris
Why does the BSD packet filter on Solaris not allow ping?
I have two interfaces: one is net0 with IP 192.168.0.30, the other is vnic0 with IP 10.2.0.1.
This is my pf.conf; Solaris is 11.4.
```
ext_if="net0"
int_if="vnic0"
localnet="192.168.0.0/24"
internalnet="10.2.0.0/24"
int_tcp_services = "{www, https}"
int_udp_services = "{domain}"

set skip on lo
set loginterface $ext_if

block return in log all
block out all
antispoof quick for $ext_if

# Block 'rapid-fire' brute force attempts
table <bruteforce> persist
block quick from <bruteforce>

# enable icmp for localnet
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from $internalnet to any keep state
pass inet proto icmp from any to $ext_if keep state
pass inet proto icmp from any to $int_if keep state

# SSH is listening on port 22
pass in quick proto tcp to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# bind is listening on port 53
pass in quick proto tcp to $int_if port 53 keep state
pass in quick proto udp to $int_if port 53 keep state

# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
```
With the firewall disabled, all interfaces accept ping. With the firewall enabled, only net0 accepts ping.
Is there any solution?
Found the solution, using this basic but working .conf copied from here and edited:
```
# Vars
ext_if="net0"
int_if="vnic0"
webports="{443, 80}"

## make IP reassembly work
set reassemble yes no-df

## ignore loopback traffic
set skip on lo0

# block everything unless told otherwise
# and send TCP-RST/ICMP unreachable
# for every packet which gets blocked
block return in log all
pass out all

# accept incoming SSH connections
pass in proto tcp to $ext_if port 22

# accept webservers connections
pass in proto tcp to $ext_if port $webports

# accept icmp
pass in proto icmp all

## allow incoming messages from DHCP
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546

## packet too big - needed for PMTUD
pass in inet6 proto ipv6-icmp icmp6-type 2

## router advertisement
pass in inet6 proto ipv6-icmp icmp6-type 134

## neighbor solicitation
pass in inet6 proto ipv6-icmp icmp6-type 135

## neighbor advertisement
pass in inet6 proto ipv6-icmp icmp6-type 136

## allow all connections initiated from this system,
## including DHCP requests
pass out
```
I think you have a typo in your ruleset where you wanted set skip on lo / set skip on lo0. This should fix the firewall misbehaviour for local pings. Note that all local traffic is bound to lo0, even though you may be probing an address bound to a NIC. Antispoof will act on such pings.
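As an added example (not code from the question or either answer), a small POSIX shell lint that catches the mistake the answer points out: it cross-checks every interface named in `set skip on` and in the `*_if="..."` macros against a list of interfaces that really exist. The list is passed in as a constructed string so the script runs anywhere; on Solaris 11.4 it would come from `ipadm show-if -p -o ifname`, and the assumption behind the lint is that a syntax check with `pfctl -nf /etc/firewall/pf.conf` does not verify that an interface name exists on the host.

```shell
#!/bin/sh
# Pre-flight lint for a pf.conf: every interface named in "set skip on ..."
# or in an *_if="..." macro must be a real interface on this host.
# (Assumption: pfctl -nf parses the file but does not check interface names,
# so "lo" instead of "lo0" goes through silently.)

# Interface names from "set skip on lo0" or "set skip on { lo0, net0 }".
pf_skip_ifaces() {
  sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}skip[[:space:]]\{1,\}on[[:space:]]*//p' "$1" \
    | sed 's/#.*//' | tr -d '{}' | tr ',' ' '
}

# Values of interface macros such as ext_if="net0" and int_if="vnic0".
pf_macro_ifaces() {
  sed -n 's/^[[:space:]]*[A-Za-z_]*_if[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# pf_check_ifaces CONF "lo0 net0 vnic0": print every name not in the list,
# return 1 if any was found. On Solaris 11.4 the list would be built from
#   ipadm show-if -p -o ifname
pf_check_ifaces() {
  conf=$1; known=$2; rc=0
  for name in $(pf_skip_ifaces "$conf") $(pf_macro_ifaces "$conf"); do
    case " $known " in
      *" $name "*) ;;
      *) echo "$conf: '$name' is not a known interface"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed demo: the macros and skip line from the question, with the
# loopback typo, checked against a constructed interface list.
demo_dir=$(mktemp -d)
cat > "$demo_dir/pf.conf" <<'EOF'
ext_if="net0"
int_if="vnic0"
set skip on lo
block return in log all
EOF
pf_check_ifaces "$demo_dir/pf.conf" "lo0 net0 vnic0" || echo "fix the ruleset before loading it"
rm -rf "$demo_dir"
```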