ping and traceroute do not work when UFW's default policy is deny outgoing

How can I make ping and traceroute work after setting UFW's default to deny outgoing?

Here is my UFW configuration:

    sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), deny (outgoing), disabled (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    123/udp                    ALLOW IN    Anywhere
    80/tcp                     ALLOW IN    Anywhere
    443/tcp                    ALLOW IN    Anywhere
    123/udp (v6)               ALLOW IN    Anywhere (v6)
    80/tcp (v6)                ALLOW IN    Anywhere (v6)
    443/tcp (v6)               ALLOW IN    Anywhere (v6)
    53                         ALLOW OUT   Anywhere
    80/tcp                     ALLOW OUT   Anywhere
    443/tcp                    ALLOW OUT   Anywhere
    587/tcp                    ALLOW OUT   Anywhere
    123/udp                    ALLOW OUT   Anywhere
    53 (v6)                    ALLOW OUT   Anywhere (v6)
    80/tcp (v6)                ALLOW OUT   Anywhere (v6)
    443/tcp (v6)               ALLOW OUT   Anywhere (v6)
    587/tcp (v6)               ALLOW OUT   Anywhere (v6)
    123/udp (v6)               ALLOW OUT   Anywhere (v6)

Here are the ping and traceroute results:

    ping google.com
    PING google.com (173.194.121.34) 56(84) bytes of data.
    ping: sendmsg: Operation not permitted

    traceroute google.com
    traceroute to google.com (173.194.121.34), 30 hops max, 60 byte packets
    send: Operation not permitted

I found this post ( http://www.kelvinism.com/2010/09/enable-icmp-through-ufw_461.html ), which suggests adding these lines to /etc/ufw/before.rules:

    # allow outbound icmp
    -A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    -A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

That seems to work for ping, but not for traceroute. Any ideas?

Thanks

I suggest you allow a wider range of ICMP responses.

    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

For traceroute you need to allow outgoing UDP packets in the 33434:33524 port range. Some tools also let you use ICMP echo requests instead. Since you already have ping working, you must already have enabled ICMP echo request packets.

The packets that come back are mostly ICMP time-exceeded packets. If you have enabled the required ICMP types, no further configuration is needed.
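As an added example (not code from the question or either answer), the following POSIX shell script prints the /etc/ufw/before.rules lines that combine both suggestions above (outbound ICMP echo, the inbound ICMP error types, and outbound UDP 33434:33524 for the default UDP traceroute), plus the equivalent ufw CLI command. It assumes ufw's standard chain names (ufw-before-input, ufw-before-output) and traceroute's default port range; the helper names are my own.

```shell
#!/bin/sh
# Added example: rules needed for ping and UDP traceroute under
# "ufw default deny outgoing". The chain names are ufw's standard ones;
# 33434:33524 is the default destination port range of UDP traceroute.

TRACEROUTE_PORTS="33434:33524"

# Lines to add to the *filter section of /etc/ufw/before.rules,
# above the final COMMIT line. Review them before reloading ufw.
before_rules_fragment() {
    cat <<EOF
# outbound ICMP echo (ping) and its reply
-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-reply -j ACCEPT
# ICMP errors that traceroute relies on (time-exceeded per hop,
# port-unreachable from the final host)
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# outbound UDP probes sent by the default (UDP) traceroute
-A ufw-before-output -p udp --dport ${TRACEROUTE_PORTS} -j ACCEPT
EOF
}

# The same UDP allowance expressed as a ufw CLI rule, for those who
# prefer not to edit before.rules by hand.
ufw_cli_commands() {
    echo "ufw allow out proto udp to any port ${TRACEROUTE_PORTS}"
}

# Returns 0 when the given rule text already allows the traceroute
# probe range, so the fragment is not appended twice.
fragment_allows_traceroute() {
    printf '%s\n' "$1" | grep -q -- "-p udp --dport ${TRACEROUTE_PORTS} -j ACCEPT"
}

# Usage: print the fragment, then check it.
before_rules_fragment
fragment_allows_traceroute "$(before_rules_fragment)" && echo "traceroute range allowed"
```

After adding the lines, `sudo ufw reload` applies them and `sudo ufw show raw` lets you confirm they are loaded.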

I had to use sudo together with the traceroute -I option (Use ICMP ECHO for tracerouting):

    sudo traceroute google.com -I