
firewalld on EC2 Amazon Linux 2 - icmptypes not found

On a freshly launched Amazon EC2 instance (Amazon Linux 2) I could not get firewalld to start. Running systemctl start firewalld produces several warnings and errors (details below), including: no icmptypes found and no such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'.

Any advice is appreciated.

# uname -r
4.14.173-137.229.amzn2.x86_64

# cat /etc/os-release

NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"


# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Fri 2020-04-10 11:11:29 UTC; 17min ago
     Docs: man:firewalld(1)
  Process: 2736 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 2736 (code=exited, status=0/SUCCESS)

... firewalld[2736]: WARNING: unknown-header-type: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
... firewalld[2736]: WARNING: ICMP type 'unknown-option' is not supported by the kernel for ipv6.
... firewalld[2736]: WARNING: unknown-option: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
... firewalld[2736]: ERROR: No icmptypes found.
... firewalld[2736]: ERROR: Failed to read file "/proc/sys/net/netfilter/nf_conntrack_helper": [Errno 2] No such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'
... firewalld[2736]: WARNING: Failed to get and parse nf_conntrack_helper setting
... firewalld[2736]: WARNING: iptables not usable, disabling IPv4 firewall.
... firewalld[2736]: WARNING: ip6tables not usable, disabling IPv6 firewall.
... firewalld[2736]: FATAL ERROR: No IPv4 and IPv6 firewall.
... firewalld[2736]: ERROR: Raising SystemExit in run_server

UPDATE: it looks like my system does not have nf_conntrack:

# lsmod | grep nf_conntrack
(empty output)
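The log quoted above actually names three separate prerequisites that firewalld could not find: the nf_conntrack module (the empty lsmod), the net.netfilter.nf_conntrack_helper sysctl that nf_conntrack registers once it is loaded, and a usable iptables/ip6tables. The following POSIX sh preflight script is an added example, not part of the original post or of firewalld itself; it checks those three things in the same order. The modules file and sysctl root are parameters so the logic can be run against constructed fixtures, with the real system locations as defaults. One caveat it also handles: lsmod only reads /proc/modules, so a kernel with nf_conntrack built in rather than loaded as a module would also show nothing there, which is why the sysctl tree is checked separately.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the
# kernel facilities firewalld complained about on this Amazon Linux 2 host.

# module_loaded NAME [MODULES_FILE]
# True if NAME appears as the first field of MODULES_FILE (/proc/modules
# format, which is what lsmod reads).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# firewalld_preflight [MODULES_FILE] [SYSCTL_ROOT]
# Prints one line per missing prerequisite; returns 0 only if nothing is missing.
firewalld_preflight() {
    modules_file="${1:-/proc/modules}"
    sysctl_root="${2:-/proc/sys}"
    status=0

    # The post's `lsmod | grep nf_conntrack` came back empty. A built-in
    # nf_conntrack would be absent here too, so this is only a hint.
    if ! module_loaded nf_conntrack "$modules_file"; then
        echo "nf_conntrack: not listed in $modules_file (not loaded, or built in)"
        status=1
    fi

    # nf_conntrack registers its sysctls under net/netfilter/ whether it is
    # loaded or built in; nf_conntrack_helper is the one firewalld failed to read.
    for key in nf_conntrack_max nf_conntrack_helper; do
        if [ ! -r "$sysctl_root/net/netfilter/$key" ]; then
            echo "sysctl net.netfilter.$key: missing (conntrack not available)"
            status=1
        fi
    done
    return $status
}

# iptables_usable
# Probes whether iptables/ip6tables can talk to the kernel at all, which is
# what "iptables not usable, disabling IPv4 firewall" is about. Needs root
# and the live kernel, so it is separate from the fixture-based checks.
iptables_usable() {
    for cmd in iptables ip6tables; do
        command -v "$cmd" >/dev/null 2>&1 || { echo "$cmd: not installed"; return 1; }
        "$cmd" -L -n >/dev/null 2>&1 || { echo "$cmd: present but cannot list tables"; return 1; }
    done
    return 0
}

# Usage on the live system (as root):
#   firewalld_preflight && iptables_usable && echo "firewalld prerequisites present"
```

Run it before `systemctl start firewalld`: if the first function already reports that the nf_conntrack sysctls are missing, firewalld's own "No such file or directory" and "iptables not usable" errors are expected, and the thing to investigate is why conntrack is unavailable on that kernel rather than firewalld's configuration.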