当前位置:网站首页>Why should there be a firewall? This time xiaowai has something to say!!!
Why should there be a firewall? This time xiaowai has something to say!!!
2022-07-03 05:47:00 【Tell a joke】
List of articles
Preface
It's not easy to code words , I hope you guys can make a fortune and give me a compliment , Thank you. ~!!!
The so-called firewall refers to a combination of software and hardware devices 、 Between the intranet and the extranet 、 Network security system between private network and public network . It is a combination of computer hardware and software , send internet And internet Set up a security gateway between , So as to protect the internal network from the intrusion of illegal users , Firewall is mainly made up of service access rules 、 Verification tool 、 Packet filtering and application gateways 4 Component composition . According to specific relevant rules , Allow or restrict the transmission of data through .
In the network , So-called “ A firewall ”, A method of separating an intranet from an extranet , It's actually an isolation technology . Firewall is a kind of access control scale which is executed when two networks communicate , It allows you to “ agree! ” People and data into your network , At the same time will you “ Disagree ” Of people and data , Prevent hackers in the network from accessing your network to the greatest extent . let me put it another way , If not through the firewall , People inside the company can't access internet,internet People on the can't communicate with people inside the company .
One 、 Firewall introduction
1、 Characteristics of firewall
(1) All network data flows between the internal network and the external network must pass through the firewall
(2) Only people and data flows that comply with the security policy rules can pass through the firewall
(3) The firewall itself should have very strong anti attack immunity
2、 The type of firewall
① Network layer firewall
Operating at the bottom TCP/IP On the protocol stack . We can enumerate , Only packets that meet specific rules are allowed to pass , The rest are not allowed to go through the firewall ( Except for viruses , Firewalls can't prevent viruses from invading ). These rules can usually be defined or modified by administrators , However, some firewall devices may only apply the built-in rules .
② Application layer firewall
Application layer firewall is in TCP/IP Stackable “ application layer ” Upper operation , The data stream generated when you use the browser or the FTP All the data streams in this layer belong to this layer . Application layer firewall can block all packets in and out of an application , And block other packets ( Usually, the packet is discarded directly ). Theoretically , This kind of firewall can completely block the flow of external data into the protected machine .
3、 The function of firewall
Intruders must first cross the security line of the firewall , To access the target computer . You can configure your firewall to many different levels of protection , To protect your computer
Network layer firewall can be regarded as a kind of IP Packet filter ( A combination of hardware and software that allows or denies the passage of packet data ), Operating at the bottom TCP/IP On the protocol stack . We can enumerate , Only packets that meet specific rules are allowed to pass , The rest are not allowed to go through the firewall ( Except for viruses , Firewalls can't prevent viruses from invading ). These rules can usually be defined or modified by administrators , However, some firewall devices may only apply the built-in rules .
We can also formulate firewall rules from another loose angle , As long as the packet does not meet any one “ Negative rules ” Let it go . Most of today's operating systems and network devices have built-in firewall function .
Newer firewalls can use the various attributes of packets to filter , for example : source IP Address 、 Source port number 、 Purpose IP Address or port number 、 Service type ( Such as WWW or FTP). It can also be via communication protocol 、TTL value 、 The domain name or segment of the source … And other attributes to filter .
Two 、iptables A firewall
1、iptables Four tables and five chains
iptables There are four tables in the firewall :
① filter surface : Filter tables , Want to allow or deny packets to pass , You need to write the corresponding rule to filter In the table
② nat surface : Address translation table , Want to achieve linux The routing and forwarding function of , Need to be in nat Add corresponding rules to the table
③ mangle surface : Package tag table , Data transmission in the network , It's a packet , Each packet has header information , Want to modify the header information of the packet , You need to write the corresponding rule to mangle In the table
④ raw surface : Status tracking table , Track packets sent locally , Want to know who visited this machine for the first time , Who visits this computer for the second time , You need to write the corresponding rule to raw In the table
Each table has a fixed chain :
① filter surface :
INPUT # Rules for storing inbound flow
OUTPUT # Store outbound traffic rules
FORWARD # Store packet forwarding rules
② nat surface :
PREROUTING # Before routing
POSTROUTING # After routing
OUTPUT # Departure
③ mangle surface :
PREROUTING # Before routing
POSTROUTING # After routing
INPUT # Rules for storing inbound flow
OUTPUT # Store outbound traffic rules
FORWARD # Store packet forwarding rules
④ raw surface :
PREROUTING # Before routing
OUTPUT # Departure
2、iptables Packet filter matching process
Many rules can be written in a rule chain , When the firewall matches the rules , From top to bottom , Sequence matching , The matching rule stops , No longer match the following rules ;
log With the exception of ,log This is a special operation , Packets enter the firewall , Will only be recorded in the log , Don't do anything else ;
The firewall did not find a matching rule in all the rules , The default rules for each table are followed ;
3、 ... and 、iptables Related usage
The hypervisor location directory is :/sbin/iptables
matters needing attention :
√ No table can be specified , The default is filter surface
√ Chain can not be specified , It defaults to all chains of the corresponding table
√ If there is no matching rule , The firewall default rule is used
√ Options / Chain name / Target action capital letter , The rest are lowercase
1、 Basic usage
Command format :
iptables [-t Table name ] Options [ Chain name ] [ Conditions ] [-j Target operation ]
Option parameters :
| Options | purpose |
|---|---|
| -A | Add a rule to the end of the chain |
| -l | At the beginning of the chain ( Or specify the serial number ) Insert a rule |
| -L | View all rules |
| -n | Display the address as a number 、 Port and other information |
| –line-numbers | When looking at the rules , Display the sequence number of the rule |
| -D | Delete the specified sequence number in the chain ( Or content ) One of the rules of |
| -F | Clear all the rules |
| -P | Set default rules for the specified chain |
2、 Matching condition
Universal matching① Can be used directly , Not dependent on other conditions or extensions
② Including network protocol 、IP Address 、 Network interface and other conditions
Implicit matches
① It requires a specific protocol matching as the premise
② Including ports 、TCP Mark 、ICMP Type, etc
| Options | usage |
|---|---|
| Protocol matching | -p The name of the agreement |
| Address matching | -s source address 、-d Destination address |
| Interface matching | -i Network card for receiving data 、-o The network card that sends data |
| Port matching | –sport Source port 、–dport Target port |
| ICMP Type match | –icmp-type ICMP type |
边栏推荐
- NG Textarea-auto-resize
- 期末复习(Day2)
- 为什么网站打开速度慢?
- [written examination question analysis] | | get [sizeof and strlen] [pointer and array] graphic explanation + code analysis
- Introduction to redis using Lua script
- "C and pointer" - Chapter 13 function of function pointer 1 - callback function 1
- How to use source insight
- Altaro VM backup getting started
- Redhat7系统root用户密码破解
- 中职网络子网划分例题解析
猜你喜欢
![[teacher Zhao Yuqiang] use Oracle's tracking file](/img/0e/698478876d0dbfb37904d7b9ff9aca.jpg)
[teacher Zhao Yuqiang] use Oracle's tracking file
理解 YOLOV1 第一篇 预测阶段
Capacity expansion mechanism of map
How to install and configure altaro VM backup for VMware vSphere
配置xml文件的dtd
![[function explanation (Part 2)] | [function declaration and definition + function recursion] key analysis + code diagram](/img/29/1644588927226a49d4b8815d8bc196.jpg)
[function explanation (Part 2)] | [function declaration and definition + function recursion] key analysis + code diagram
Map的扩容机制
![[teacher Zhao Yuqiang] index in mongodb (Part 2)](/img/a7/2140744ebad9f1dc0a609254cc618e.jpg)
[teacher Zhao Yuqiang] index in mongodb (Part 2)
卷积神经网络CNN中的卷积操作详解
Notepad++ wrap by specified character
随机推荐
【无标题】
Apache+php+mysql environment construction is super detailed!!!
redis 无法远程连接问题。
Export the altaro event log to a text file
2022.DAY592
Communication - how to be a good listener?
2022.7.2 simulation match
期末复习(Day2)
一起上水硕系列】Day 9
Altaro o365 total backup subscription plan
pytorch 多分类中的损失函数
Shanghai daoning, together with American /n software, will provide you with more powerful Internet enterprise communication and security component services
Source insight automatic installation and licensing
Capacity expansion mechanism of map
ninja: build stopped: subcommand failed.
Redis encountered noauth authentication required
Ext4 vs XFS -- which file system should you use
Altaro set grandfather parent child (GFS) archiving
Understand one-way hash function
Qt读写Excel--QXlsx插入图表5