firewalld ships with a set of predefined ICMP types that you can use directly:
# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded timestamp-reply timestamp-request
However, the parser (/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.py) is not limited to these types, and they can be extended as follows.
First, from man iptables-extensions(8), section icmp:
icmp (IPv4-specific) This extension can be used if `--protocol icmp' is specified. It provides the following option:
[!] --icmp-type {type[/code]|typename}
This allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by the command
    iptables -p icmp -h
icmp6 (IPv6-specific) This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' is specified. It provides the following option:
[!] --icmpv6-type type[/code]|typename
This allows specification of the ICMPv6 type, which can be a numeric ICMPv6 type, type and code, or one of the ICMPv6 type names shown by the command
    ip6tables -p ipv6-icmp -h
The two types you are referring to are IPv4-specific, so you should use the following to find out the proper names recognized by iptables:
# iptables -p icmp -h | grep timestamp
   timestamp-request
   timestamp-reply
Now, if you inspect the contents of the firewalld package, you will find where the predefined ICMP types are stored:
# rpm -ql firewalld | grep icmptype
/etc/firewalld/icmptypes
/usr/lib/firewalld/icmptypes/destination-unreachable.xml
/usr/lib/firewalld/icmptypes/echo-reply.xml
/usr/lib/firewalld/icmptypes/echo-request.xml
/usr/lib/firewalld/icmptypes/parameter-problem.xml
/usr/lib/firewalld/icmptypes/redirect.xml
/usr/lib/firewalld/icmptypes/router-advertisement.xml
/usr/lib/firewalld/icmptypes/router-solicitation.xml
/usr/lib/firewalld/icmptypes/source-quench.xml
/usr/lib/firewalld/icmptypes/time-exceeded.xml
/usr/lib/firewalld/xmlschema/icmptype.xsd
/usr/share/man/man5/firewalld.icmptype.5.gz
If you inspect the parser referenced above, you will find that it uses the XML file name as the ICMP type when talking to iptables, so you need to write two new files for the ICMP types you want to use, named after the ICMP type names found above. User-created ICMP types should be stored in /etc/firewalld/icmptypes.
# cat timestamp-request.xml
<?xml version="1.0" encoding="utf-8"?>
<icmptype>
  <short>Timestamp Request</short>
  <description>This message is used for time synchronization.</description>
</icmptype>
# cat timestamp-reply.xml
<?xml version="1.0" encoding="utf-8"?>
<icmptype>
  <short>Timestamp Reply</short>
  <description>This message is used to reply to a timestamp message.</description>
</icmptype>
You end up with:
# ll -Z /etc/firewalld/icmptypes
-rw-r--r--. root root system_u:object_r:firewalld_etc_rw_t:s0 timestamp-reply.xml
-rw-r--r--. root root system_u:object_r:firewalld_etc_rw_t:s0 timestamp-request.xml
Validate them against the provided XSD:
# xmllint --schema /usr/lib/firewalld/xmlschema/icmptype.xsd timestamp-request.xml
timestamp-request.xml validates
# xmllint --noout --schema /usr/lib/firewalld/xmlschema/icmptype.xsd timestamp-reply.xml
timestamp-reply.xml validates
Reload the firewall:
# firewall-cmd --reload
Finally, add them:
# firewall-cmd --add-icmp-block=timestamp-request
# firewall-cmd --add-icmp-block=timestamp-reply
# firewall-cmd --list-icmp-blocks
timestamp-reply timestamp-request
You can look at the rules directly with iptables to check that they have been added:
# iptables -nvL | grep icmp
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13 reject-with icmp-host-prohibited
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 14 reject-with icmp-host-prohibited
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13 reject-with icmp-host-prohibited
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 14 reject-with icmp-host-prohibited
Types 13 and 14 are the newly added ICMP types.
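The whole procedure above (write the icmptype files, validate them against the packaged XSD, then block the types) scripted as an added example; it is not part of the original answer. It assumes the answer's paths for the icmptypes directory and the XSD, lets ICMPTYPE_DIR and XSD be overridden for a dry run in a scratch directory, and uses --permanent so the block survives a reload, which the plain --add-icmp-block commands above do not.

```sh
#!/bin/sh
# Added example, not part of the original answer: generate a firewalld
# icmptype definition, validate it against the packaged XSD when xmllint is
# present, and apply the block permanently.
# Assumptions: the paths below match the answer; ICMPTYPE_DIR and XSD can be
# overridden in the environment for a dry run in a scratch directory.
ICMPTYPE_DIR="${ICMPTYPE_DIR:-/etc/firewalld/icmptypes}"
XSD="${XSD:-/usr/lib/firewalld/xmlschema/icmptype.xsd}"

# Print an icmptype document: $1 = short name, $2 = description.
# Element names follow firewalld.icmptype(5); the text is constructed.
icmptype_xml() {
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' \
        '<icmptype>' \
        "  <short>$1</short>" \
        "  <description>$2</description>" \
        '</icmptype>'
}

# Write $ICMPTYPE_DIR/<name>.xml and print its path. The file name must be a
# type name iptables recognises (iptables -p icmp -h), since firewalld passes
# it through unchanged; reject anything outside a conservative character set.
write_icmptype() {
    name="$1"; short="$2"; desc="$3"
    case "$name" in
        ""|*[!a-z0-9-]*) echo "invalid ICMP type name: $name" >&2; return 1 ;;
    esac
    mkdir -p "$ICMPTYPE_DIR"
    icmptype_xml "$short" "$desc" > "$ICMPTYPE_DIR/$name.xml"
    if command -v xmllint >/dev/null 2>&1 && [ -r "$XSD" ]; then
        xmllint --noout --schema "$XSD" "$ICMPTYPE_DIR/$name.xml" || return 1
    fi
    echo "$ICMPTYPE_DIR/$name.xml"
}

# Block the type in the permanent configuration; the caller reloads once
# afterwards so the block is also active at runtime.
block_icmptype() {
    firewall-cmd --permanent --add-icmp-block="$1"
}

if [ "${1:-}" = "apply" ]; then
    write_icmptype timestamp-request "Timestamp Request" \
        "This message is used for time synchronization."
    write_icmptype timestamp-reply "Timestamp Reply" \
        "This message is used to reply to a timestamp message."
    block_icmptype timestamp-request && block_icmptype timestamp-reply
    firewall-cmd --reload && firewall-cmd --list-icmp-blocks
fi
```

Run it as root with the argument apply on the firewalld host; with ICMPTYPE_DIR pointed at a scratch directory the file generation and validation can be exercised without touching /etc.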
For reference, you can read the firewalld.icmptype(5) man page.
These ICMP types have since been included upstream.