Do you really understand the firewall?

To use a firewall well, you first need to understand what a firewall is and what role it plays; only then can you use it with confidence. For historical reasons, the common understanding of the concept has drifted somewhat, and that affects how flexibly people use firewalls. So before formally studying firewalld, this article first introduces what a firewall actually is.

What exactly is a "firewall"?

In China, the earliest "firewall" was a feature of buildings, also called a "seal firewall", and its purpose was fire prevention. Buildings were mainly of wooden construction and packed tightly together, so a fire in one house easily spread to its neighbours. The original firewall was made by plastering over the wooden structure so as to isolate the source of a fire.

The network firewall takes its name from a translation of the English word "firewall", and is sometimes called a "network firewall". The term is not very accurate, and that has led to widespread misunderstanding of what a firewall does.

Most people's first impression of a firewall is "isolation", and much of the firewall literature introduces it that way: "isolating the intranet from the external network", "isolating the local computer from external networks", and so on, sometimes with a picture in which the firewall is literally a wall. When the author first encountered firewalls there were several questions in mind: since the firewall partitions the network, how does normal communication happen? Does it somehow pass through the wall, or enter through some other channel? At that time the author even thought firewalls were there to prevent viruses!

All of this stems from the understanding of the word "firewall" itself. In fact a "network firewall" does not play the role of a wall; it plays the role of a doorman. Once you think of it as a doorman, many of these problems resolve themselves.

What is the difference between a wall and a doorman? The question may sound silly, but it helps in understanding the network firewall. First, the role of a wall is to cut off: nobody can pass, whoever they are. A doorman is different: his job is to check and judge whether someone may pass, and anyone who meets the conditions is let through. Second, a wall is dead while a doorman is alive, so the doorman can perform many more flexible functions. For example, if someone comes to visit a department that has moved to a new office address, the doorman can tell them "the department you want has moved, go to xxx". Or if someone does not want to go in to work and just wants to take a shortcut through the building, the doorman can deal with that situation too. A wall can do none of this.

Benefits of understanding the nature of the firewall

Some readers may think: you are just playing with words; whether I understand the noun or not, what difference does it make? Wouldn't everything be fine anyway? Things have not gone badly for all these years!

In fact it is not so. The way we used to use a firewall was to first see what features it has, which of them we can use and how, and then go and find documentation and examples. This is passive usage, because we are treating the firewall as a new thing to be learned and used (we generally begin by understanding it as a wall, then slowly find that it does not fit the wall model, and so end up learning it as something new). Once you understand that a firewall is in essence a doorman, it is different: when we use a firewall, the first thought is "I am going to find a doorman for my server (or my own PC); what does that doorman need to do?", and only then do we go to the firewall and look up how to configure the specific features. That is taking the initiative.

Not only that; after understanding its essence there are even more advantages. For example, you work out what features your "doorman" needs and then go to the firewall, only to find that no firewall meets your needs: that is an opportunity to innovate! In other words, thinking in terms of the doorman's duties makes it easier to design a more reasonable and easier-to-use firewall. Consider an example: a doorman should be able to let people through according to the time of day, yet existing firewalls have little support for this function, and there are many places it could be used, such as a scheduled remote backup of logs every day, which only needs the port opened during a specific period each day. Of course this particular need can easily be solved with a scheduled task, but as long as you think from the "doorman" perspective, there are many such needs.

Really good ideas are built on solid fundamentals and a deep understanding of the nature of things, not on innovation for innovation's sake.

Firewall and anti-virus software

Users who do not know firewalls are often unclear about the relationship between a firewall and anti-virus software, and tend to think the firewall is there to prevent viruses. This is a very big misunderstanding of the firewall, perhaps caused by the "wall", "protection" and "security" connotations the word carries. Firewalls do not actually prevent viruses.

As said above, the firewall plays the role of the doorman, and the doorman's logic is very simple. He cares about only two things: 1) where you come from, and 2) where you are going. He does not care about anything else. (Actually there is a little more: whether you have an appointment, i.e. TCP, or no appointment, i.e. UDP; and if there is an appointment, whether you are only coming to make one or already have one.) A virus belongs to the content being carried, and content is not the doorman's responsibility; someone else should be responsible for it. It is like someone telling the doorman they are going to the marketing department, where the doorman's instruction is "let everyone going to the marketing department through", so the doorman lets them in without giving any thought to what the person actually intends to do there. That is not something the doorman should control; it is the security department's job. In fact our firewall "doorman" will let someone through even if he sees them carrying a knife or a gun, because he only cares about two things: where from and where to.
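The doorman's decision logic described above, together with the time-of-day idea from the earlier section, as a toy packet filter in Python. This is an added example, not code from the article or from firewalld itself; the server address, client addresses, ports, rule set and arrival times are all constructed for illustration. Each decision depends only on where the packet comes from, where it is going, the protocol and whether an "appointment" (TCP connection) already exists; the payload is carried through without ever being read.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp" or "udp"
    dport: int
    syn: bool = False        # TCP only: True when this packet requests a new connection
    payload: bytes = b""     # carried content; the doorman never looks at it
    at: time = time(12, 0)   # wall-clock arrival time (constructed)


@dataclass
class Rule:
    action: str                                  # "accept" or "drop"
    proto: Optional[str] = None                  # "where from / where to": protocol ...
    dport: Optional[int] = None                  # ... destination port ...
    src_prefix: Optional[str] = None             # ... and a crude source-address check
    window: Optional[Tuple[time, time]] = None   # rule only active inside this daily window

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.src_prefix and not p.src.startswith(self.src_prefix):
            return False
        if self.window and not (self.window[0] <= p.at < self.window[1]):
            return False
        return True


class Doorman:
    """Stateful filter: first matching rule wins, established TCP sessions pass."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = rules
        self.default = default
        self.established: Set[Tuple[str, str, int]] = set()  # (src, dst, dport) of accepted sessions

    def decide(self, p: Packet) -> str:
        key = (p.src, p.dst, p.dport)
        if p.proto == "tcp" and not p.syn:
            # "Do you already have an appointment?" Only the connection table is consulted.
            return "accept" if key in self.established else "drop"
        for r in self.rules:          # walk the chain; first match decides
            if r.matches(p):
                if r.action == "accept" and p.proto == "tcp":
                    self.established.add(key)   # book the appointment for later packets
                return r.action
        return self.default


SERVER = "192.0.2.10"   # constructed server address (documentation range)


def run_demo() -> List[Tuple[str, str]]:
    """Constructed rule set and traffic; returns (label, decision) pairs."""
    rules = [
        Rule("accept", proto="tcp", dport=22, src_prefix="10.0."),                      # SSH from the office LAN only
        Rule("accept", proto="tcp", dport=80),                                          # web open to everyone
        Rule("accept", proto="tcp", dport=873, window=(time(2, 0), time(3, 0))),        # backup port only 02:00-03:00
        Rule("accept", proto="udp", dport=53),                                          # DNS, no appointment needed
    ]
    doorman = Doorman(rules)
    cases = [
        ("web SYN from internet", Packet("203.0.113.5", SERVER, "tcp", 80, syn=True)),
        ("web data, suspicious payload", Packet("203.0.113.5", SERVER, "tcp", 80,
                                                payload=b"<content the doorman never inspects>")),
        ("ssh SYN from internet", Packet("203.0.113.5", SERVER, "tcp", 22, syn=True)),
        ("ssh SYN from office LAN", Packet("10.0.0.7", SERVER, "tcp", 22, syn=True)),
        ("backup SYN at 02:30", Packet("10.0.0.7", SERVER, "tcp", 873, syn=True, at=time(2, 30))),
        ("backup SYN at 14:00", Packet("10.0.0.7", SERVER, "tcp", 873, syn=True, at=time(14, 0))),
        ("web data with no prior SYN", Packet("198.51.100.9", SERVER, "tcp", 80)),
        ("dns query", Packet("198.51.100.9", SERVER, "udp", 53)),
    ]
    return [(label, doorman.decide(p)) for label, p in cases]


if __name__ == "__main__":
    for label, decision in run_demo():
        print(f"{label:32s} -> {decision}")
```

The second case is the point of the article: the data packet is accepted purely because its connection was booked by the earlier SYN, regardless of what the payload contains. The seventh case shows the other side of "appointments": a TCP data packet with no prior connection request is turned away even though port 80 is open. Inspecting the payload would belong to a separate component, the "security department" of the analogy.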

Although this arrangement has a "clear division of labour", we still feel such a doorman is a bit inhuman, or at least not a good doorman. So could he also take on virus detection, virus prevention and even virus removal? Of course, no problem: the firewall is software, software is written by people, and we only need to add the corresponding functions to it. Very simple! But take the doorman as the example once more: the doorman needs to check everyone going in and out, and to know whether a person is carrying prohibited items (viruses) he has to search them. If the doorman searches everybody, you can imagine what the rush hour would look like! A server may receive tens of thousands of requests a second, so even if each check takes only a little longer, the cumulative cost is frightening. And checking for viruses the way we scan for signatures is not a matter of "a little bit of time". So the idea is not technically impossible, but it is not feasible, at least with current technology.

To sum up: the firewall is like a doorman whose job is to decide who may go in and out; what they do after that is not his concern, but the responsibility of security (anti-virus software) or other relevant departments.

Once you understand the nature of the firewall, learning and using one is easy. But with CentOS 7's new firewall, firewalld, there is one concept many people do not really understand: the zone. The next section introduces it in detail.

