لطفا منتظر باشید ...
7.2. What Is a Firewall?
A
firewall is a hardened and trusted host that acts as a
choke point among a group of networks (usually a
single private network and a single public network).[1] All network traffic among the affected
networks is routed through the firewall. The firewall host is
configured with a set of rules that determine which network traffic
will be allowed to pass and which will be blocked (dropped without
response) or refused (rejected with a response). In some large
organizations, you may even find a firewall located inside their
corporate network to segregate sensitive areas of the organization
from employees in other areas. Many cases of computer crime originate
within an organization, rather than from outside.[1] The term firewall comes from a device used to protect people
from fire. The firewall is a shield of material resistant to fire
that is placed between a potential fire and the people it is
protecting.
Firewalls
can be constructed in a variety of ways. The most sophisticated
arrangement involves a number of separate hosts and is known as a
perimeter network or
demilitarized zone (DMZ) network. Two hosts act
as "filters" (sometimes called
chokes) to allow only certain types of network
traffic to pass, and between these chokes reside network servers such
as an email (SMTP) server or a World Wide Web (HTTP) proxy server.
This configuration can be very safe and allows a great range of
control over who can connect both from the inside to the outside and
from the outside to the inside. This sort of configuration might be
used by large organizations.
In many cases, though,
people build firewalls that also provide other services (such as SMTP
or HTTP). These are less secure because if someone exploits a
weakness in one of the extra services running on the firewall, the
entire network's security has been breached. The
attacker could modify the firewall rules to allow more access and
turn off accounting that might have otherwise alerted the network
administrator that there was unusual network activity. Nevertheless,
these types of firewalls are cheaper and easier to manage than the
more sophisticated arrangement just described. Figure 7-1 illustrates the two most common firewall
configurations.
Figure 7-1. The two major classes of firewall design
The
Linux kernel provides a range of built-in features that allow it to
function as an IP firewall. The network implementation includes code
(the netfilter subsystem) to do IP packet
processing in a number of different ways, and provides a user-space
mechanism (the iptables command) to configure what sort of rules
you'd like to put in place. A Linux firewall is
flexible enough to make it very useful in either of the
configurations illustrated in Figure 7-1. Linux
firewall software provides two other useful features that
we'll discuss in separate chapters: IP Accounting
(Chapter 8) and IP Masquerade and Network
Address Translation (Chapter 9).
The three main classes
of packet processing are filtering, mangling, and Network Address
Translation (NAT). Filtering is simply deciding, at various points in
the packet flow, whether or not to allow the packets through to the
next stage. Packet mangling is a generic term for modifying packets
as they move through the packet flow. NAT is a special application of
mangling whereby source or destination IP addresses and/or ports are
modified to transparently redirect traffic.
