Main Categories of Network Firewalls

1. Packet Filters
Packet filters are first-generation firewalls. They are stateless in nature because they do not have the concept of a state table or connection.
First-generation firewall technology: it is stateless by nature because it has no state table entries and no concept of a connection.

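2. Circuit-Level Proxies (I had not come across this one before)
Circuit-level proxies establish sessions to intended destinations on behalf of requesting hosts. The term session here refers to Layer 5 of the OSI reference model.
Circuit-level proxy: establishes a session (Layer 5 of the OSI model) on behalf of the requesting host.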

Step 1. The SOCKS5 client opens a connection to the SOCKS server on a reserved TCP port and negotiates the authentication method to be used.
Step 2. The client authenticates with the agreed method and sends a relay request to the proxy server. This request contains the destination L4 port and IP address of the remote host reachable through the firewall (in this scenario, DestPort1 on Server1).
Step 3. The SOCKS server establishes the connection to Server1 on behalf of the client.
Step 4. The packets sent from the client to the proxy are then relayed to Server1.
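The messages exchanged in Steps 1 to 3, as an added example that is not part of the original notes: it parses the client's method negotiation and relay request using the RFC 1928 wire format and decides the proxy's reply against a destination allowlist. The allowlist, the sample messages and the function names are constructed for illustration, only IPv4 CONNECT requests are handled, and the credential exchange for the agreed method is left out.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF   # method codes
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02            # reply codes

# Hypothetical proxy policy: destinations it may relay to (constructed value).
ALLOWED = {(ipaddress.ip_address("192.0.2.10"), 443)}

# Constructed sample messages, not captured traffic.
GREETING = bytes([5, 2, NO_AUTH, USER_PASS])           # client offers two methods
REQUEST = bytes([5, 1, 0, 1, 192, 0, 2, 10]) + struct.pack("!H", 443)


def choose_method(greeting: bytes, required: int = USER_PASS) -> bytes:
    """Step 1: parse VER | NMETHODS | METHODS and answer VER | METHOD."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    if len(greeting) != 2 + nmethods:
        raise ValueError("method list length does not match NMETHODS")
    methods = greeting[2:]
    # Refuse (0xFF) rather than fall back to a weaker method than required.
    chosen = required if required in methods else NO_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_connect(request: bytes):
    """Step 2: parse VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (IPv4 only)."""
    if len(request) != 10:
        raise ValueError("unexpected length for an IPv4 CONNECT request")
    ver, cmd, rsv, atyp, addr, port = struct.unpack("!BBBB4sH", request)
    if (ver, cmd, rsv, atyp) != (SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4):
        raise ValueError("unsupported request")
    return ipaddress.ip_address(addr), port


def reply_for(request: bytes) -> bytes:
    """Step 3 decision: relay only to allowlisted destinations."""
    dest = parse_connect(request)
    rep = REP_SUCCEEDED if dest in ALLOWED else REP_NOT_ALLOWED
    # BND.ADDR and BND.PORT are zeroed in this sketch.
    return struct.pack("!BBBB4sH", SOCKS_VERSION, rep, 0, ATYP_IPV4, bytes(4), 0)
```

Because the destination address and port arrive in the relay request itself, the proxy can apply its policy before any connection to the remote host is opened.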
 

3. Application-Level Proxies
Given that they require specific proxy software on the client side, they are also known as dedicated proxies.
Specific proxy software is installed on the client machine, for example ISA2006.

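4. Stateful Firewalls
This class of firewalls incorporates the concept of connections and state to packet filter implementations.
This class of firewall builds on first-generation packet filtering to implement stateful packet filtering.
flow belonging to the same connection
Unlike with ACEs, where every single packet has to go through the ACL.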
depicts an environment in which the client C1 needs to initiate a connection through a stateful firewall to reach the TCP/Y1 service on destination host H1:
Step 1. The firewall checks its access control rules (much like a packet filter) to see if this type of connection initiation is allowed.
Step 2. For acceptable connections, an entry is created in the firewall state table, containing parameters such as source/destination IP addresses and TCP ports, the pertinent TCP flags, and the SEQ and ACK numbers.
