linux icmp 时间戳过滤,centos – 使用firewalld阻止ICMP时间戳和时间戳回复

firewalld附带一组默认的预定义ICMP类型,您可以使用它们：

# firewall-cmd --get-icmptypes

destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded timestamp-reply timestamp-request

解析器(/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.py)不仅限于这些类型,并且允许扩展：

首先,根据man iptables-extensions(8),部分icmp：

icmp (IPv4-specific)

This extension can be used if `–protocol icmp’ is specified. It provides the following option:

06001

icmp6 (IPv6-specific)

This extension can be used if --protocol ipv6-icmp' or–protocol icmpv6′ is specified. It provides the following option:

06002

您引用的两种类型是IPv4特定的,因此您应该使用以下内容找出iptables识别的相应名称：

# iptables -p icmp -h | grep timestamp

timestamp-request

timestamp-reply

现在,如果您检查firewalld包的内容,您将找到存储预定义ICMP类型的位置：

# rpm -ql firewalld | grep icmptype

/etc/firewalld/icmptypes

/usr/lib/firewalld/icmptypes/destination-unreachable.xml

/usr/lib/firewalld/icmptypes/echo-reply.xml

/usr/lib/firewalld/icmptypes/echo-request.xml

/usr/lib/firewalld/icmptypes/parameter-problem.xml

/usr/lib/firewalld/icmptypes/redirect.xml

/usr/lib/firewalld/icmptypes/router-advertisement.xml

/usr/lib/firewalld/icmptypes/router-solicitation.xml

/usr/lib/firewalld/icmptypes/source-quench.xml

/usr/lib/firewalld/icmptypes/time-exceeded.xml

/usr/lib/firewalld/xmlschema/icmptype.xsd

/usr/share/man/man5/firewalld.icmptype.5.gz

如果检查上面引用的解析器,在与iptables交谈时,您会看到它使用XML文件名作为ICMP类型,因此您需要使用上面找到的ICMP类型为要使用的ICMP类型编写两个新文件.用户创建的ICMP类型应存储在/ etc / firewalld / icmptypes中.

# cat timestamp-request.xml

Timestamp Request

This message is used for time synchronization.

# cat timestamp-reply.xml

Timestamp Reply

This message is used to reply to a timestamp message.

你最终得到：

# ll -Z /etc/firewalld/icmptypes

-rw-r--r--. root root system_u:object_r:firewalld_etc_rw_t:s0 timestamp-reply.xml

-rw-r--r--. root root system_u:object_r:firewalld_etc_rw_t:s0 timestamp-request.xml

使用提供的XSD验证它们：

# xmllint --schema /usr/lib/firewalld/xmlschema/icmptype.xsd timestamp-request.xml

timestamp-request.xml validates

# xmllint --noout --schema /usr/lib/firewalld/xmlschema/icmptype.xsd timestamp-reply.xml

timestamp-reply.xml validates

重新加载防火墙：

# firewall-cmd --reload

最后添加它们：

# firewall-cmd --add-icmp-block=timestamp-request

# firewall-cmd --add-icmp-block=timestamp-reply

# firewall-cmd --list-icmp-blocks

timestamp-reply timestamp-request

您可以检查它们是否已添加直接查看iptables规则：

iptables -nvL | grep icmp

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13 reject-with icmp-host-prohibited

0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 14 reject-with icmp-host-prohibited

0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13 reject-with icmp-host-prohibited

0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 14 reject-with icmp-host-prohibited

类型13和14是新添加的ICMP types.

作为参考,您可以阅读firewalld.icmptypes(5)联机帮助页.

这些ICMP类型已包含在upstream中.