Main Categories of Network Firewalls

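1. Packet Filters
Packet filters are first-generation firewalls. They are stateless in nature because they do not have the concept of a state table or connection.
Note: this is first-generation firewall technology; it is stateless by nature because it has no stateful table entries and no notion of a connection.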

2. Circuit-Level Proxies (I had not come across this one before)
Circuit-level proxies establish sessions to intended destinations on behalf of requesting hosts. The term session here refers to the Layer 5 of the OSI reference model,
Circuit-level proxy: establishes a session (Layer 5 of the OSI model) on behalf of the requesting host.

Step 1. The SOCKS5 client opens a connection to the SOCKS server on a reserved TCP port and negotiates the authentication method to be used.
Step 2. The client authenticates with the agreed method and sends a relay request to the proxy server. This request contains the destination L4 port and IP address of the remote host reachable through the firewall (in this scenario, DestPort1 on Server1).
Step 3. The SOCKS server establishes the connection to Server1 on behalf of the client.
Step 4. The packets sent from the client to the proxy are then relayed to Server1.
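The byte-level messages behind Steps 1 to 3, as an added example that is not part of the original notes: the method negotiation and the relay request in the RFC 1928 wire format, parsed on the proxy side with a destination policy check. The allow-list and its address are constructed sample values, only CONNECT to an IPv4 destination is covered, and the authentication sub-negotiation of Step 2 is left out.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02

# Constructed policy: destinations the proxy will relay to (hypothetical values).
ALLOWED = {(ipaddress.ip_address("192.0.2.10"), 443)}


def choose_method(greeting: bytes, required: int = USER_PASS) -> bytes:
    """Step 1 (server side): parse VER, NMETHODS, METHODS and pick a method."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated method list")
    chosen = required if required in methods else NO_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def build_connect(dst_ip: str, dst_port: int) -> bytes:
    """Step 2 (client side): VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    addr = ipaddress.IPv4Address(dst_ip).packed
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
    return header + addr + struct.pack("!H", dst_port)


def handle_request(request: bytes):
    """Steps 2-3 (server side): parse the relay request, apply the policy.

    Returns (reply_bytes, destination), destination being None when refused.
    """
    if len(request) != 10 or request[0] != SOCKS_VERSION:
        raise ValueError("malformed SOCKS5 request")
    _, cmd, _, atyp = request[:4]
    if cmd != CMD_CONNECT or atyp != ATYP_IPV4:
        raise ValueError("unsupported command or address type")
    port = struct.unpack("!H", request[8:10])[0]
    dst = (ipaddress.ip_address(request[4:8]), port)
    rep = REP_SUCCEEDED if dst in ALLOWED else REP_NOT_ALLOWED
    # BND.ADDR/BND.PORT are zeroed here; RFC 1928 defines them as the
    # address and port the server bound for the outgoing connection.
    reply = bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(6)
    return reply, (dst if rep == REP_SUCCEEDED else None)
```

Because the destination address and port arrive in clear fields of the relay request, the proxy can log and filter every session before any connection to Server1 is opened.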
 

3. Application-Level Proxies
Given that they require specific proxy software on the client side, they are also known as dedicated proxies.
Specific proxy software is installed on the client machine, for example ISA2006.

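4. Stateful Firewalls
This class of firewalls incorporates the concept of connections and state to packet filter implementations.
This class of firewall builds on first-generation packet filtering to implement stateful packet filtering.
Packets are treated as a flow belonging to the same connection, unlike with ACEs, where every single packet has to pass through the ACL.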
depicts an environment in which the client C1 needs to initiate a connection through a stateful firewall to reach the TCP/Y1 service on destination host H1:
Step 1. The firewall checks its access control rules (much like a packet filter) to see if this type of connection initiation is allowed.
Step 2. For acceptable connections, an entry is created in the firewall state table, containing parameters such as source/destination IP addresses and TCP ports, the pertinent TCP flags, and the SEQ and ACK numbers
