

I've already found the answer. By default, ICMPv4 packets of type echo request are allowed in ufw:

Quote:
Enabling ufw creates a ruleset that is intended to protect the host while
allowing some common traffic such as DHCP, ping and mDNS. These defaults are
setup in the before*.rules and after*.rules files (see 'man iptables' for
terminology):
- Default DROP on INPUT
- Default DROP on FORWARD
- Default ACCEPT on OUTPUT
- ACCEPT all on lo
- DROP packets with RH0 headers
- ACCEPT all RELATED and ESTABLISHED on INPUT and OUTPUT
- ACCEPT all RELATED and ESTABLISHED on FORWARD (ip forwarding must be enabled
via sysctl for this to be in effect)
- DROP INVALID packets (packets not associated with a known connection)
- ACCEPT certain icmp packets (INPUT and FORWARD):
  - destination-unreachable, source-quench, time-exceeded, parameter-problem,
    and echo-request for IPv4
  - destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
    and echo-request
- ACCEPT certain icmpv6 packets for stateless autoconfiguration (INPUT):
  neighbor-solicitation, neighbor-advertisement, router-solicitation
- ACCEPT mDNS (zeroconf/bonjour/avahi 224.0.0.251 for IPv4 and ff02::fb for
IPv6) for service discovery (INPUT)
- ACCEPT UPnP (239.255.255.250 for IPv4 and ff02::f for IPv6) for service
discovery (INPUT)
- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses (INPUT)
- ACCEPT DHCP client traffic (INPUT)
- Log all blocked packets not matching the default policy with rate limiting

If you are using a packaged version of ufw supplied by your distribution, the
default ruleset may be different.
Of course, this isn't entirely convenient. It's more convenient when you have disabled absolutely everything and then enable the parameters you need. As I understand it, iptables provides this functionality, but it is supposedly harder to configure. I'll read up on it.

-------
"No" to war.


Posted: 09:57, 27-07-2022 | #3
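
Added example, not part of the original post or of ufw's own code: a shell sketch that lists which ICMP types a before.rules ruleset accepts and rewrites only the INPUT echo-request rule to DROP. The rules in `sample_rules` are constructed for the example and assume the usual `ufw-before-input` / `ufw-before-forward` chain names; the function names are hypothetical.

```shell
#!/bin/sh
# Audit and tighten the ICMP rules that ufw loads from its before.rules file.
# The ruleset below is constructed sample input; a packaged ufw may ship a
# different default ruleset, as the quoted README notes.
sample_rules() {
cat <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-forward - [0:0]
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Read rules on stdin and print "chain icmp-type" for every ICMP rule
# whose target is ACCEPT.
accepted_icmp() {
    awk '$1 == "-A" && / -p icmp / && $NF == "ACCEPT" {
        for (i = 1; i < NF; i++)
            if ($i == "--icmp-type") print $2, $(i + 1)
    }'
}

# Read rules on stdin and change only the INPUT echo-request rule to DROP.
# Error-reporting types (destination-unreachable and the others) stay accepted,
# and the FORWARD chain is left untouched.
drop_input_ping() {
    sed -E '/^-A ufw-before-input .*--icmp-type echo-request /s/-j ACCEPT$/-j DROP/'
}

echo "Accepted before the change:"
sample_rules | accepted_icmp
echo "Accepted after the change:"
sample_rules | drop_input_ping | accepted_icmp
```

On a real host the same one-line change is made in /etc/ufw/before.rules and applied with `ufw reload`.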