1、ICMP漏洞修复

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP

2、允许Traceroute探测 漏洞修复

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 11 -m comment --comment "deny traceroute" -j DROP

重启防火墙使命令生效

firewall-cmd --reload

查看添加的规则

firewall-cmd --direct --get-all-rules

iptables修复

sudo iptables -A INPUT -p ICMP --icmp-type timestamp-request -j DROP

sudo iptables -A INPUT -p ICMP --icmp-type timestamp-reply -j DROP

sudo iptables -A INPUT -p ICMP --icmp-type time-exceeded -j DROP

sudo iptables -A OUTPUT -p ICMP --icmp-type time-exceeded -j DROP

systemctl enable iptables.service

执行以上如提示：Failed to execute operation: No such file or directory

需执行：yum install iptables-services

移除添加的规则

firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP

firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 11 -m comment --comment "deny traceroute" -j DROP