
CN100530205C - Firewall device and setting method thereof - Google Patents


Info

Publication number: CN100530205C
Authority: CN (China)
Prior art keywords: firewall, database, sub, management module, shared database
Legal status: Expired - Fee Related
Application number: CNB031397190A
Other languages: Chinese (zh)
Other versions: CN1567333A (en)
Inventors: 周星雨, 何唐
Current assignee: Hongfujin Precision Industry Shenzhen Co Ltd; Hon Hai Precision Industry Co Ltd
Original assignee: Hongfujin Precision Industry Shenzhen Co Ltd; Hon Hai Precision Industry Co Ltd
Priority date: 2003-07-05
Filing date: 2003-07-05
Publication date: 2009-08-19

Timeline:
Application filed by Hongfujin Precision Industry Shenzhen Co Ltd, Hon Hai Precision Industry Co Ltd
Priority to CNB031397190A
Publication of CN1567333A
Application granted
Publication of CN100530205C
Anticipated expiration
Current status: Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A firewall device and a method of setting it up. The firewall device comprises a firewall hardware structure and a firewall software system. The firewall hardware structure comprises at least three network ports; the firewall software system comprises a command line interface, a WEB management interface, a setting management module, a Lib shared database and a tool management module. To set up the firewall, the user first inputs a command to the system through the command line interface or the WEB management interface; the system then checks, preprocesses and compiles the command, opens the sub-database in the Lib shared database whose settings need to be changed, and modifies the rules and lists in that sub-database; the modified sub-database is then saved and closed, and finally the result of the database change is returned to the user, completing the setting of the firewall device.

Description

Firewall device and setting method thereof
[technical field]
The present invention relates to a firewall device and a method of setting it up.
[background technology]
A firewall is a system, or combination of systems, that enforces a boundary between two or more networks. It is the controlled access point between one network and another and may be implemented as a hardware firewall or a software firewall. A firewall can scan all network traffic passing through it and filter out attacking operations so that the protected network is not damaged; it can also close rarely used ports, block communication on particular ports and block access from particular sites, thereby preventing all communication from unknown intruders.
Most existing firewalls suffer from a complex system architecture, a cumbersome setting method, or low security. For example, Chinese patent application No. 97115121.0 describes a firewall made up of four parts: a packet filter, a security controller, a system manager and a card reader. The packet filter sits between the intranet and the router, the security controller sits between the system manager and the intranet, the system manager is isolated, and the card reader is connected to the system manager. Whenever the system manager configures a network security control parameter in the firewall, a security card must be inserted into the card reader and the correct PIN code entered before the configuration state can be entered. Because a card reader has to be set up, and a security card and PIN code are required before the firewall parameters can be configured, both the complexity of the system and the difficulty of configuring the firewall parameters are increased.
[summary of the invention]
In view of this, there is a need for a firewall device whose system architecture is simple and which is convenient to set up.
There is also a need for a firewall setting method that is convenient and offers higher security.
A firewall device comprises a firewall hardware structure and a firewall software system, wherein the firewall hardware structure comprises at least three network ports. The firewall software system comprises at least a command line interface, a WEB management interface, a setting management module, a shared database and a tool management module. The command line interface and the WEB management interface provide the user with a management interface for setting firewall configuration parameters. The setting management module dynamically loads user command files into the shared database. The shared database stores a plurality of sub-databases and checks whether a user command file is legal. The tool management module is an IP packet filtering system integrated in the Linux kernel and is used to modify the rules and lists stored in the shared database.
A firewall device setting method comprises the following steps: the user first inputs a command to the system through the command line interface or the WEB management interface; the command line interface or the WEB management interface submits the command to the setting management module; the setting management module then starts a communication call function to establish contact with the shared database and sends the command to the shared database; the shared database checks whether the command is legal, returns and displays an error message if it is not, and preprocesses the legal commands if it is; the shared database compiles the legal commands and submits them to the tool management module; the tool management module opens the sub-database in the shared database whose settings need to be modified and modifies the rules and lists stored in that sub-database; after the modification is complete the sub-database is saved and closed; and the system returns the database modification result to the user.
The firewall device of the present invention has the advantages of high security, a simple system architecture and convenient setup.
[description of drawings]
Fig. 1 is a schematic diagram of the hardware structure of the firewall device of the present invention.
Fig. 2 is a schematic diagram of the software system of the firewall device of the present invention.
Fig. 3 is a flow chart of the setting method of the firewall device of the present invention.
[embodiment]
The firewall device of the present invention comprises a firewall hardware structure and a firewall software system. Referring to Fig. 1, the schematic diagram of the hardware structure of the firewall device, the firewall hardware structure comprises at least three network ports: a four-port LAN port 12, a WAN port 14 and a DMZ (Demilitarized Zone) port 16. The LAN port 12 connects to the internal local area network, the WAN port 14 connects to the external wide area network, and the DMZ port 16 connects to the network of an external DMZ-architecture firewall.
Referring to Fig. 2, the schematic diagram of the software system of the firewall device, the firewall software system comprises at least a command line interface 21, a WEB management interface 22, a setting management module 23, a shared database 24 and a tool management module 25. In the embodiment of the present invention the shared database 24 is a Lib shared database. The command line interface 21 and the WEB management interface 22 provide the user with a management interface for setting firewall configuration parameters. The setting management module 23 dynamically loads command files into the Lib shared database 24. The Lib shared database 24 further comprises an Access sub-database 241, a Nat sub-database 242, an If sub-database 243 and a Pool sub-database 244. The Access sub-database 241 stores access lists and access rules; the Nat sub-database 242 stores NAT (Network Address Translation) rules; the If sub-database 243 stores system interface information; and the Pool sub-database 244 stores the NAT pool list (NAT POOLLIST). The tool management module 25 of the firewall software system is an IP packet filtering system integrated in the Linux kernel. It includes a kernel space component 251 and a user space component 252. The kernel space component 251 is part of the kernel and consists of a number of packet filtering tables, which contain the rule sets the kernel uses to control packet filtering. The user space component 252 is a tool that makes it easy to insert, modify and remove rules in the packet filtering tables; using the user space component, custom rules can be built easily and stored in the packet filtering tables of the kernel space.
Referring to Fig. 3, the flow chart of the setting method of the firewall device: first, the user inputs a command to the system through the command line interface 21 or the WEB management interface 22 (step 100), which submits the command to the setting management module 23 (step 110). The setting management module 23 then starts a communication call function to establish contact with the Lib shared database 24 and sends the command to the Lib shared database 24 (step 120). The Lib shared database 24 then checks whether the command is legal (step 130); if it is not, it returns and displays an error message (step 140). If the command is legal, the Lib shared database 24 preprocesses the legal commands (step 150) to remove redundant characters (for example TAB and space characters), then compiles the commands and submits them to the tool management module 25 (step 160). The tool management module 25 opens the sub-database in the Lib shared database 24 whose settings need to be modified and modifies the rules and lists stored in that sub-database (step 170). After the modification is complete, the sub-database is saved and closed (step 180), and finally the system returns the database modification result to the user (step 190), completing the setting of the firewall device.
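As an added illustration (not code from the patent), the flow of Fig. 3 modelled in Python: the legality check of step 130 rejects anything outside an assumed command grammar before any rule store is touched, step 150 strips redundant TAB and space characters, and the compiled command changes only the one sub-database it names. The grammar, the field checks and the sub-database layouts are assumptions.

```python
"""Model of the Fig. 3 setting flow (steps 130-190). Added example, not the
patent's own code; the grammar "<sub-database> add|del <args>" and the
per-field checks are assumptions."""
import ipaddress
import re

def _parses(fn, value):
    try:
        fn(value)
        return True
    except ValueError:
        return False

# Per-field validators (assumed); a failing value never reaches a rule table.
CHECKS = {
    "action": lambda s: s in {"permit", "deny"},
    "proto": lambda s: s in {"tcp", "udp", "icmp", "any"},
    "cidr": lambda s: _parses(lambda v: ipaddress.ip_network(v, strict=False), s),
    "ip": lambda s: _parses(ipaddress.ip_address, s),
    "name": lambda s: re.fullmatch(r"[a-z][a-z0-9]{0,15}", s) is not None,
}
# Field layout of sub-databases 241-244 (Access, Nat, If, Pool); assumed.
SHAPES = {
    "access": ("action", "proto", "cidr", "cidr"),
    "nat": ("cidr", "ip"),
    "if": ("name", "cidr"),
    "pool": ("name", "ip", "ip"),
}

def preprocess(command):
    """Step 150: collapse redundant TAB and space characters."""
    return " ".join(command.replace("\t", " ").split())

def check_legal(tokens):
    """Step 130: return an error message, or None when the command is legal."""
    if len(tokens) < 2 or tokens[0] not in SHAPES or tokens[1] not in ("add", "del"):
        return "unknown sub-database or verb"
    shape = SHAPES[tokens[0]]
    if len(tokens) - 2 != len(shape):
        return f"'{tokens[0]}' expects {len(shape)} arguments"
    for kind, value in zip(shape, tokens[2:]):
        if not CHECKS[kind](value):
            return f"bad {kind}: {value!r}"
    return None

class LibSharedDatabase:
    """Shared database 24 holding the four sub-databases."""
    def __init__(self):
        self.sub = {name: [] for name in SHAPES}

    def apply(self, command):
        error = check_legal(command.split())                 # step 130
        if error:
            return {"ok": False, "error": error}             # step 140: nothing changed
        name, verb, *args = preprocess(command).split(" ")   # steps 150-160: clean, compile
        rule = tuple(args)
        table = self.sub[name]                               # step 170: open one sub-database
        if verb == "add" and rule not in table:
            table.append(rule)
        elif verb == "del" and rule in table:
            table.remove(rule)
        else:
            return {"ok": False, "error": f"{verb}: no change for {rule}"}
        return {"ok": True, "sub_database": name, "rules": len(table)}  # step 190
```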

Claims (12)

1. A firewall device, comprising: a firewall hardware structure, which includes at least three network ports; and a firewall software system, characterized in that the firewall software system includes at least: a command line interface; a WEB management interface, wherein the WEB management interface and the command line interface are used to provide the user with a management interface for setting firewall configuration parameters; a setting management module, which is used to dynamically load user command files into the shared database; a shared database, which is used to store a plurality of sub-databases and to check whether the user command file is legal; and a tool management module, which is an IP packet filtering system integrated in the Linux kernel and is used to modify the rules and lists stored in the sub-databases of the shared database.
2. The firewall device according to claim 1, wherein the network ports include a four-port LAN port, which is used to connect to an internal local area network.
3. The firewall device according to claim 1, wherein the network ports include a WAN port, which is used to connect to an external wide area network.
4. The firewall device according to claim 1, wherein the network port is a DMZ port, which is used to connect to the network of an external DMZ-architecture firewall.
5. The firewall device according to claim 1, wherein the shared database includes a first sub-database, which is used to store access lists and access rules.
6. The firewall device according to claim 1, wherein the shared database includes a second sub-database, which is used to store NAT rules.
7. The firewall device according to claim 1, wherein the shared database includes a third sub-database, which is used to store system interface information.
8. The firewall device according to claim 1, wherein the shared database includes a fourth sub-database, which is used to store the NAT pool list.
9. The firewall device according to claim 1, wherein the tool management module includes a kernel space component, which consists of a plurality of packet filtering tables, wherein the packet filtering tables contain the rule sets used by the kernel to control packet filtering processing.
10. The firewall device according to claim 1, wherein the tool management module includes a user space component, which is used to modify or delete rules in the packet filtering tables.
11. A firewall setting method, characterized in that the firewall setting method comprises the following steps: the user inputs a command to the system through the command line interface or the WEB management interface; the command line interface or the WEB management interface submits the command to the setting management module; the setting management module starts a communication call function to establish contact with the shared database and sends the command to the shared database; the shared database checks whether the command is legal, returns and displays an error message if the command is not legal, and if the command is legal the system preprocesses the legal commands; the shared database compiles the legal commands and submits them to the tool management module; the tool management module opens the sub-database in the shared database whose settings need to be modified and modifies the rules and lists stored in that sub-database; after the modification process is complete, the sub-database is saved and closed; and the shared database returns the database modification result to the user.
12. The firewall setting method according to claim 11, wherein the shared database, when preprocessing the legal commands, removes redundant characters from those commands.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031397190A CN100530205C (en) 2003-07-05 2003-07-05 Firewall device and setting method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB031397190A CN100530205C (en) 2003-07-05 2003-07-05 Firewall device and setting method thereof

Publications (2)

Publication Number Publication Date
CN1567333A CN1567333A (en) 2005-01-19
CN100530205C true CN100530205C (en) 2009-08-19

Family

ID=34470680

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB031397190A Expired - Fee Related CN100530205C (en) 2003-07-05 2003-07-05 Firewall device and setting method thereof

Country Status (1)

Country Link
CN (1) CN100530205C (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100426748C (en) * 2006-01-25 2008-10-15 华为技术有限公司 Method for checking soundness of allocation parameter
CN105988687B (en) * 2015-06-16 2019-09-06 杭州迪普科技股份有限公司 A kind of control method and device
CN106569849A (en) * 2016-10-17 2017-04-19 汉柏科技有限公司 Method and device for installing fire wall in ISO manner
TW201926108A (en) * 2017-12-04 2019-07-01 和碩聯合科技股份有限公司 Network security system and method thereof
CN108108210A (en) * 2018-01-11 2018-06-01 上海有云信息技术有限公司 Management method, device, server and the storage medium of safety product

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1286430A (en) * 1999-08-26 2001-03-07 网观科技(加拿大)有限公司 Fireproof wall for interconnecting network
JP2003115880A (en) * 2001-10-04 2003-04-18 Hitachi Ltd Firewall device, information device and communication method of information device
CN1427344A (en) * 2001-12-20 2003-07-02 梅捷企业股份有限公司 Method and system for setting computer firewall


Also Published As

Publication number Publication date
CN1567333A (en) 2005-01-19

Similar Documents

Publication Publication Date Title
EP1326393A1 (en) Validation of the configuration of a Firewall
CN101203841B (en) Preventing fraudulent internet account access
US6826698B1 (en) System, method and computer program product for rule based network security policies
EP1374056B1 (en) Storage area network (san) security
CN100380271C (en) Method and apparatus for dynamic user authentication
US6321336B1 (en) System and method for redirecting network traffic to provide secure communication
JP4059931B2 (en) Computer network control method and security system
CN101083607B (en) Internet accessing server for inside and outside network isolation and its processing method
US7386885B1 (en) Constraint-based and attribute-based security system for controlling software component interaction
CN101099143A (en) System and method for implementing network device authorization using attribute certificates
CN100530205C (en) Firewall device and setting method thereof
Rghioui Managing patient medical record using blockchain in developing countries: challenges and security issues
KR20210015757A (en) Secure data processing
CN102165479A (en) Mobile banking architecture
WO2005066850A1 (en) System for controlling datanbase access based on 3-tier structure and method thereof
TWI243555B (en) Apparatus and method of firewall
CN109617929A (en) Node and user's interactive authentication method and system under block chain network mode
CN1254946C (en) Mobile telephone
DE102010004786A1 (en) Computer-aided method for providing development environment to implement secure application in motor car, involves invoking secure applications over interfaces, where secure applications are more configurable during implementation
CN119522555A (en) Computer system security
JP2000224234A (en) Dynamic micro arrangement method for connection filter and its system
Cisco Strategies for Applying Attributes
US20120324569A1 (en) Rule compilation in a firewall
Padovan Design and Implementation of a Blockchain Intent Management System
CN113765798A (en) QoS method, device, computer equipment and medium using external filter

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090819

Termination date: 20110705