
An introduction to the firewall functions of Netfilter/Iptables

2007-03-04 12:42:36 Source: WEB开发网

Introduction to firewalls

Disclaimer: Some of what is described below may not be entirely correct, but I hope it helps you understand iptables. If you find a mistake, please let me know.

Note that this document is not copyleft (for example under the GPL). If you want to modify, distribute, copy or quote it, please contact me first. (Ha, never mind.)

What is a firewall?

Simply put, a firewall is a host that protects your network: it restricts the traffic passing between the Internet and your internal (protected) network, in both directions.

What a firewall is not

A guarantee of security - a firewall cannot make your network absolutely secure.

A bastion host - in an ideal world the firewall itself would be one. In practice a firewall is only as secure as the work you put into hardening it.

A replacement for host security - every service the firewall lets through is a potential risk, and the host offering that service still has to be secured on its own.

Types of attack

Local (physical access) - once an attacker has physical access to the machine, there is no security to speak of. Obviously a firewall can do nothing about this.

Local privilege escalation - the trojan horse attack. The attacker already has a local account on your box (inside the gates) and obtains root by some means (a vulnerability or a misconfiguration). A firewall cannot protect against this type of attack either.

Remote - your host is listening on a port that the attacker can reach over the network, and the attacker exploits some vulnerability in the service behind it. This is the only type of attack a firewall can (hopefully) protect you against. There is another important point here that most firewall howtos neglect: for someone to exploit your box remotely, it has to be listening on some port, i.e. offering the attacker a way to connect. Therefore, if your host is not listening on any ports, you are safe from remote exploits (unless the attacker manages to attack the network stack itself).
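The point above can be both checked and enforced. The following shell script is an added example, not code from the original article: it parses a constructed sample of `ss -Hltun` output (no header, listening sockets, TCP and UDP, numeric) to list the sockets that are actually reachable from the network, and then generates an iptables-restore ruleset whose INPUT chain drops everything unsolicited except the services you explicitly list. The sample socket lines and the function names `exposed_ports` and `default_deny_ruleset` are assumptions made here for the example; loading the ruleset needs root and is deliberately not done by the script.

```shell
#!/bin/sh
# Added example (not from the original article): audit what a host exposes to
# the network, then build a default-deny iptables ruleset for the remote case.

# Constructed sample of `ss -Hltun` output (assumption: standard iproute2 columns).
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:3306    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      5      [::1]:631         [::]:*'

# Print "proto port" for every socket bound to a non-loopback address, i.e. the
# ones a remote attacker could connect to. Services bound only to 127.0.0.1 or
# ::1 (MySQL and CUPS in the sample) are not remotely reachable and are skipped.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        $5 !~ /^127\./ && $5 !~ /^\[::1\]/ {
            n = split($5, a, ":")   # the port is the last ":"-separated field
            print $1, a[n]
        }'
}

# Read "proto port" pairs from stdin and emit an iptables-restore ruleset:
# loopback traffic and replies to connections we initiated are accepted,
# invalid packets are dropped, and only the listed services may receive NEW
# connections. The DROP policy on INPUT catches everything else, so a service
# that is listening but not listed is as unreachable as if it were not running.
default_deny_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    while read -r proto port; do
        if [ -n "$proto" ] && [ -n "$port" ]; then
            printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
    printf 'COMMIT\n'
}

# Demo: show what the sample host exposes, then build a ruleset that admits
# only SSH. To apply on a real host (as root): iptables-restore < rules.v4
exposed_ports "$SAMPLE_SS"
printf 'tcp 22\n' | default_deny_ruleset
```

On a real host, replace the constructed sample with `ss -Hltun` itself and compare its output against the services you intend to expose; anything in the first list that is not in the second is either a service to shut down or one the ruleset should deliberately keep unreachable. Note that the ruleset only covers IPv4 (`iptables-restore`); a host with IPv6 enabled needs the same policy loaded through `ip6tables-restore`.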



Entered by: 爽爽