1. Ping is allowed by default
[lhdop@blog ~]$ ping 8.14.7.5
PING 8.14.7.5 (8.14.7.5) 56(84) bytes of data.
64 bytes from 8.14.7.5: icmp_seq=1 ttl=58 time=2.69 ms
64 bytes from 8.14.7.5: icmp_seq=2 ttl=58 time=2.59 ms
...
2. Blocking ping
[root@iZ2zejc9t0hf6pnw6sewrxZ ~]# firewall-cmd --permanent --add-icmp-block=echo-reply
success
[root@iZ2zejc9t0hf6pnw6sewrxZ ~]# firewall-cmd --permanent --add-icmp-block=echo-request
success
[root@iZ2zejc9t0hf6pnw6sewrxZ ~]# firewall-cmd --reload
success
Now in effect:
[lhdop@blog ~]$ ping 8.14.7.5
PING 8.14.7.5 (8.14.7.5) 56(84) bytes of data.
From 8.14.7.5 icmp_seq=1 Packet filtered
From 8.14.7.5 icmp_seq=2 Packet filtered
...
View the rules written to the zone configuration file:
[root@blog ~]# more /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer.
Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="cockpit"/>
<port port="80" protocol="tcp"/>
<port port="443" protocol="tcp"/>
<icmp-block name="echo-reply"/>
<icmp-block name="echo-request"/>
...
3. No response at all after blocking ping
Note that with the commands above, the host still answers each blocked ping with an ICMP reject, which the sender sees as "Packet filtered".
If you want no response at all, drop the ICMP packets outright instead:
[root@blog ~]# firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'
success
View the rules written to the zone configuration file:
[root@blog ~]# more /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer.
Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="cockpit"/>
<port port="80" protocol="tcp"/>
<port port="443" protocol="tcp"/>
<rule>
<protocol value="icmp"/>
<drop/>
</rule>
...
Test the result:
[lhdop@blog ~]$ ping 8.14.7.5
PING 8.14.7.5 (8.14.7.5) 56(84) bytes of data.
^C
--- 8.14.7.5 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 203ms
As you can see, the target machine no longer responds at all.
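The two approaches in sections 2 and 3 leave different traces in the zone XML: `--add-icmp-block` writes `<icmp-block>` elements (sender sees "Packet filtered"), while the rich rule writes a `<rule>` with `<drop/>` (sender sees only packet loss). The script below is an added example, not part of the original post: it writes constructed zone files that mirror the post's public.xml and classifies the effective echo-request policy from the XML alone, so the configured behaviour can be audited without sending a ping. The file layout and helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit the ICMP echo policy recorded in a firewalld zone file.
# The zone files written here are constructed samples modelled on the post's
# /etc/firewalld/zones/public.xml; nothing is read from a live system.

# write_sample_zone FILE MODE  -- MODE is one of: allow | block | drop
write_sample_zone() {
  {
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<zone>' '<short>Public</short>'
    printf '%s\n' '<service name="dhcpv6-client"/>' '<port port="80" protocol="tcp"/>'
    case $2 in
      # Section 2 of the post: firewall-cmd --add-icmp-block=echo-reply / echo-request
      block) printf '%s\n' '<icmp-block name="echo-reply"/>' '<icmp-block name="echo-request"/>' ;;
      # Section 3 of the post: rich rule 'rule protocol value=icmp drop'
      drop)  printf '%s\n' '<rule>' '<protocol value="icmp"/>' '<drop/>' '</rule>' ;;
    esac
    printf '%s\n' '</zone>'
  } > "$1"
}

# icmp_echo_policy FILE -- prints how an inbound echo-request is treated:
#   drop   : rich rule drops all ICMP; the sender sees 100% packet loss
#   reject : icmp-block on echo-request; the sender sees "Packet filtered"
#   allow  : neither rule present; the host answers ping
icmp_echo_policy() {
  # Flatten the XML so the multi-line <rule> block can be matched as one string.
  flat=$(tr -d '\n\r' < "$1")
  case $flat in
    *'<rule>'*'<protocol value="icmp"/>'*'<drop/>'*'</rule>'*) echo drop ;;
    *'<icmp-block name="echo-request"/>'*) echo reject ;;
    *) echo allow ;;
  esac
}

# Stand-alone demonstration over the three constructed zone files.
for mode in allow block drop; do
  f=$(mktemp)
  write_sample_zone "$f" "$mode"
  printf '%-6s -> %s\n' "$mode" "$(icmp_echo_policy "$f")"
  rm -f "$f"
done
```

Keep in mind that the protocol-wide drop also discards ICMP error messages such as Destination Unreachable, so path MTU discovery can break; blocking only echo-request keeps those working.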
From: https://www.cnblogs.com/architectforest/p/18356237