How a firewall works (1)
Kevin WHISTLER
"Would a hacker really bother with my little site?" That is wishful thinking. Hackers look for soft targets, and if they spot a hole in your system they will not hesitate to crawl through it. So how do you protect your network? Anyone who knows computers will tell you to put a firewall in front of it, and that raises the first question: what is a firewall?
What is a firewall?
A firewall is a filter (now you see where the analogy comes from): the things you want are allowed through the filter, and everything else is held back. In the world of networks, what the firewall filters are the packets that carry the communication data.
A firewall's verdict on a packet is one of two words: yes or no, that is, the packet is accepted or refused. The simplest firewall is no more than an Ethernet bridge, but almost no one would consider such a primitive device a usable firewall. The techniques and standards used by real firewalls are quite varied. Some replace the TCP/IP protocol stack of the host; some add their own software module on top of the existing stack; some are an independent operating system in their own right. There are also application-level firewalls that protect only a specific type of connection (SMTP or HTTP, for instance), and there are hardware-based firewall products, which are better classified as secure routers. All of these can be called firewalls because they work the same way: they analyse the packets that pass through the firewall and decide, for each one, whether to let it through.
Every firewall does IP address filtering. The job is to inspect the IP header and make a pass/drop decision based on its source and destination address. In the figure below, a firewall sits between two network segments: on one side of the firewall is a UNIX host, on the other a PC client.
When the PC client starts a Telnet session to the UNIX host, the PC's Telnet client produces a TCP segment and hands it to the local protocol stack. The stack wraps it into an IP packet and sends it towards the UNIX host along the route defined by the PC's TCP/IP configuration. In this example, the IP packet has to pass through the firewall standing between the PC and the UNIX host before it reaches the UNIX host.
Now we "instruct" (to use the professional term, "configure") the firewall to refuse all packets sent to the UNIX host. Once that is done, the "kind-hearted" firewall will notify the client program that its packets went nowhere. Because IP packets bound for the UNIX host are no longer forwarded, only machines on the same network segment as the UNIX host can still reach it.
In another situation, you can tell the firewall to pick on one poor PC and drop only its packets, letting everyone else's through. This is the most basic function of a firewall: making the forwarding decision according to the IP address. But this little trick does not go very far on the big stage. Since hackers can use IP address spoofing, a computer disguised with a legitimate address can get past a firewall that trusts that address. Still, address-based forwarding decisions remain the most basic and necessary mechanism. One more point to note: do not build the filter table from DNS host names, because DNS is much easier to deceive than an IP address.
Server TCP/UDP port filtering
In practice, filtering on addresses alone is not workable. One reason is that the target host usually runs several communication services at once. For example, we may not want users to Telnet into the system, but does that mean we must also forbid them from using its SMTP/POP mail server? Clearly not. So, besides the address, we also have to filter on the server's TCP/UDP port.
For example, the default port of the Telnet service is 23. If we do not allow the PC client to open a Telnet connection to the UNIX host (which is the server in this case), we simply instruct the firewall to inspect packets destined for the UNIX server and discard those whose destination port is 23. Fine. So, by combining the IP address and the destination TCP/UDP port on the server as filter criteria, do we get a reasonably reliable firewall? No, it is not that simple.
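To make the address and port rules of the last two sections concrete, here is a small packet filter written for this article as an added example; it is not code from the original text or from any firewall product. It parses constructed IPv4 packets (TCP or UDP, no options or fragments) and applies an ordered rule list, first match wins. The topology is assumed: 192.168.1.0/24 is the PC segment, 10.0.0.5 is the UNIX host and 10.0.0.7 another host on its segment. The constructed packets leave their checksums at zero. The last case shows the spoofing caveat from the address-filtering discussion: a packet whose source address is forged to look like a host on the UNIX segment is not matched by the Telnet rule and passes.

```python
import struct
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Rule fields: None means "any". proto is the IP protocol number (6 = TCP, 17 = UDP).
Rule = namedtuple("Rule", "action proto src dst dport")

# Assumed topology (not from the original article): PC segment 192.168.1.0/24,
# UNIX host 10.0.0.5. First matching rule wins; the last rule is the default.
RULES = [
    Rule("deny", 6, ip_network("192.168.1.0/24"), ip_network("10.0.0.5/32"), 23),  # no Telnet from PCs to UNIX
    Rule("allow", None, None, None, None),                                         # everything else passes
]


def parse_packet(raw: bytes) -> dict:
    """Extract the header fields a packet filter needs: protocol, addresses, ports.
    Plain IPv4 only (no fragment reassembly); ports are read for TCP and UDP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("truncated IPv4 header")
    pkt = {
        "proto": raw[9],
        "src": ip_address(raw[12:16]),  # packed 4-byte form is accepted directly
        "dst": ip_address(raw[16:20]),
        "sport": None,
        "dport": None,
    }
    if pkt["proto"] in (6, 17) and len(raw) >= ihl + 4:
        # TCP and UDP both carry source port, destination port in the first four bytes.
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    return pkt


def decide(pkt: dict, rules=RULES) -> str:
    """Return "allow" or "deny" for a parsed packet: the first rule that matches wins."""
    for r in rules:
        if r.proto is not None and r.proto != pkt["proto"]:
            continue
        if r.src is not None and pkt["src"] not in r.src:
            continue
        if r.dst is not None and pkt["dst"] not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt["dport"]:
            continue
        return r.action
    return "deny"  # nothing matched: drop rather than guess


def build_packet(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed test packet: a 20-byte IPv4 header followed by just the two port
    fields of the TCP/UDP header. Checksums stay zero; this never goes on a wire."""
    total_len = 20 + 4
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        ip_address(src).packed, ip_address(dst).packed,
    )
    return ip_header + struct.pack("!HH", sport, dport)


def filter_bytes(raw: bytes) -> str:
    return decide(parse_packet(raw))


if __name__ == "__main__":
    cases = {
        "PC -> UNIX telnet":          build_packet("192.168.1.10", "10.0.0.5", 6, 1234, 23),
        "PC -> UNIX smtp":            build_packet("192.168.1.10", "10.0.0.5", 6, 1235, 25),
        "spoofed src -> UNIX telnet": build_packet("10.0.0.7", "10.0.0.5", 6, 1236, 23),
    }
    for name, raw in cases.items():
        print(f"{name:28s} {filter_bytes(raw)}")
```

The rule list deliberately names the protocol number, so a UDP datagram to port 23 is not caught by the TCP Telnet rule; a real filter needs one rule per protocol it cares about, and an explicit final rule so the default is never left to chance.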
The client also has TCP/UDP ports
TCP/IP is an end-to-end protocol, and every node has a unique address. The same holds at the application layer: every application and service has its own "address", the port number. Addresses and ports together make up the communication link between a client application and a server application. For example, a Telnet server listens for inbound connections on port 23; at the same time, the Telnet client also has a port number, otherwise how would the client's IP stack know which application a packet belongs to?
For historical reasons, almost all TCP/IP clients use a randomly assigned port number greater than 1023. On UNIX machines only root can open ports below 1024, and those ports are reserved for the services on the server. So, unless we let every packet whose destination port is greater than 1023 into the network, ordinary client connections cannot work.
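The following added example (not code from the original article) shows why "let everything above 1023 in" is a dangerous rule, and then goes one step beyond the text with the classic stateless refinement: admit inbound high-port TCP segments only when the ACK flag is set, because the segment that opens a new connection (a bare SYN) never carries it. Addresses, ports and the two packets are made up. Even this refinement is not watertight: a segment with ACK set that belongs to no real connection still passes, which is one reason later firewalls track connection state rather than looking at each packet in isolation.

```python
from typing import NamedTuple


class Packet(NamedTuple):
    direction: str   # "in" = arriving from outside towards our segment, "out" = leaving
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


EPHEMERAL_MIN = 1024   # clients pick source ports above 1023, as the text explains


def naive_filter(p: Packet) -> str:
    """Stateless rule set that looks only at direction and destination port.
    Replies to our clients land on their ephemeral ports, so every inbound
    packet with a high destination port has to be let in."""
    if p.direction == "out":
        return "allow"
    if p.dport >= EPHEMERAL_MIN:
        return "allow"
    return "deny"


def established_filter(p: Packet) -> str:
    """Same rules plus the 'established' trick: inbound high-port traffic passes
    only if ACK is set, i.e. it claims to belong to a connection someone on our
    side already opened. A bare SYN (a new connection attempt) is dropped."""
    if p.direction == "out":
        return "allow"
    if p.dport >= EPHEMERAL_MIN and p.ack:
        return "allow"
    return "deny"


# Constructed packets (assumed addresses). The first is the SYN/ACK a mail server
# sends back to our client's ephemeral port; the second is an unsolicited attempt
# to open a connection to some service listening on a high port inside.
REPLY_FROM_MAIL_SERVER = Packet("in", "203.0.113.25", "192.168.1.10", 25, 40000, syn=True, ack=True)
UNSOLICITED_PROBE = Packet("in", "203.0.113.66", "192.168.1.10", 44444, 8080, syn=True, ack=False)


def compare(p: Packet) -> dict:
    """Verdict of both rule sets for one packet."""
    return {"naive": naive_filter(p), "established": established_filter(p)}


if __name__ == "__main__":
    for label, p in (("reply", REPLY_FROM_MAIL_SERVER), ("probe", UNSOLICITED_PROBE)):
        print(label, compare(p))
```

The naive rule set lets both packets in, so anything listening on a port above 1023 inside the segment is reachable from outside. The ACK check closes that particular door while the mail reply still gets through; the outbound rule stays wide open because the text's model is that the client side initiates.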