当前位置:网站首页>Hedhat firewall
Hedhat firewall
2022-07-05 01:11:00 【weixin_ fifty-one million four hundred and twenty-eight thousan】
The firewall will read the configured policy rules from top to bottom , Immediately after the match is found, the matching work is finished and the behavior defined in the match is executed ( To release or prevent ). If there is no match after reading all the policy rules , Go ahead and implement the default strategy . generally speaking , There are two kinds of firewall policy rules :“ through ”( Let's go ) and “ Block up ”( That is to prevent ). When the default policy of firewall is reject ( Block up ), It's about setting the allow rule ( through ), Otherwise no one can come in ; If the default policy of the firewall is allow , It's about setting rejection rules , Otherwise everyone can come in , Firewall also lost the role of prevention .
iptables The service refers to the policy entries used to process or filter traffic as rules , Multiple rules can form a rule chain , The rule chain is classified according to the location of packet processing , As follows :
Process packets before routing (PREROUTING);
Process incoming packets (INPUT);
Process outgoing packets (OUTPUT);
Process forwarded packets (FORWARD);
Process packets after routing (POSTROUTING).
Generally speaking , The traffic sent from the intranet to the Internet is generally controllable and benign , So the most used is INPUT Rule chain , The rule chain can make it more difficult for hackers to invade the intranet from the external network .
For example, in the community where you live , Property management companies have two provisions : Prohibit hawkers from entering the community ; All kinds of vehicles must be registered when entering the community . Obvious , These two rules should be applied to the front door of the community ( Where the flow must pass ), Not on the security door of every house . According to the matching order of firewall policies mentioned above , There may be many situations . such as , The visitors are vendors , Will be directly rejected by the security of the property company , There is no need to register the vehicle . If visitors enter the main gate of the community in a car , be “ Prohibit hawkers from entering the community ” The first rule of is not matched , So match the second strategy in order , That is, the vehicle needs to be registered . If you are a community resident, you need to enter the main entrance , Then these two provisions will not match , Therefore, the default release policy will be implemented .
however , Only policy rules cannot guarantee the safety of the community , The security guard should also know what actions to take to deal with these matching traffic , such as “ allow ”“ Refuse ”“ registration ”“ Ignore it ”. These actions correspond to iptables The terms of service are ACCEPT( Allow flow through )、REJECT( Reject traffic through )、LOG( Logging information )、DROP( Reject traffic through ).“ Allow flow through ” and “ Logging information ” It's easy to understand , What needs to be emphasized here is REJECT and DROP The difference between . Just DROP Come on , It directly discards traffic and does not respond ;REJECT Then it will reply one more message after rejecting the traffic “ The message has been received , But it was thrown away ” Information , So that the traffic sender can clearly see the response information of data rejected .
边栏推荐
- Ruby tutorial
- const、volatile和restrict的作用和用法总结
- Which financial products with stable income are good
- What you learned in the eleventh week
- SAP UI5 应用的主-从-从(Master-Detail-Detail)布局模式的实现步骤
- Les phénomènes de « salaire inversé » et de « remplacement des diplômés » indiquent que l'industrie des tests a...
- Playwright之录制
- Maximum number of "balloons"
- Introduction to the gtid mode of MySQL master-slave replication
- 【大型电商项目开发】性能压测-优化-中间件对性能的影响-40
猜你喜欢
【Unity】InputSystem
Basic operation of database and table ----- the concept of index
Visual explanation of Newton iteration method
Innovation leads the direction. Huawei Smart Life launches new products in the whole scene
“薪资倒挂”、“毕业生平替” 这些现象说明测试行业已经...
Reasons and solutions of redis cache penetration and avalanche
Redis master-slave replication cluster and recovery ideas for abnormal data loss # yyds dry goods inventory #
dotnet-exec 0.6.0 released
Chia Tai International Futures: what is the master account and how to open it?
Apifox (postman + swagger + mock + JMeter), an artifact of full stack development and efficiency improvement
随机推荐
微信小程序:全网独家小程序版本独立微信社群人脉
揭露测试外包公司,关于外包,你或许听到过这样的声音
To sort out messy header files, I use include what you use
【大型电商项目开发】性能压测-性能监控-堆内存与垃圾回收-39
Database postragesql client connection default
The difference between string STR and new string
Huawei employs millions of data governance experts! The 100 billion market behind it deserves attention
[Yocto RM]10 - Images
【FPGA教程案例9】基于vivado核的时钟管理器设计与实现
User login function: simple but difficult
Which financial products with stable income are good
Paxos 入门
Heartless sword English translation of Xi Murong's youth without complaint
node工程中package.json文件作用是什么?里面的^尖括号和~波浪号是什么意思?
A simple SSO unified login design
Introduction to the gtid mode of MySQL master-slave replication
Hand drawn video website
Several simplified forms of lambda expression
ROS command line tool
Global and Chinese markets for stratospheric UAV payloads 2022-2028: Research Report on technology, participants, trends, market size and share