Home Internet access uses NAT, and a ping to another IP on the same network segment gets no reply even though that host is confirmed online. What isolation technology is at work?
Whether it is a wireless or wired connection in a home LAN, or a wireless or wired connection in a very large corporate network, communication between hosts in the same broadcast domain (same network segment) is not isolated (shielded). Under normal circumstances there is no obstacle to communication between the hosts. However, the host's operating system has its own firewall, and that firewall's default security policy is:
• Allow the host to initiate connections, that is, allow the outgoing and returning packets (Outgoing / Incoming Packet) belonging to such a connection to pass.
• Reject connections initiated by an external host, that is, reject the incoming packets (Incoming Packet) belonging to such a connection.
• These restrictions apply not only to TCP, but also to UDP and ICMP.
Suppose this is Bob's host and Alice tries to ping it. The ping fails: Bob's firewall does not let Alice's ping packets in, because from Bob's host's point of view the ping from Alice was not initiated by Bob!
Solving this is simple: turn off the firewall and Alice can ping Bob's host. This should only be done for temporary troubleshooting, and the firewall must be turned back on immediately afterwards.
But with the firewall on, other hosts not only cannot ping your host, they also cannot access your shared folder. Is there a solution that gives the best of both worlds?
Whitelist
On the firewall's configuration interface you can explicitly allow connections initiated by external hosts, for example to let the file sharing service be reached from outside. You can set it like this:
• Allow external incoming requests for SMB service (TCP port 445)
• Allow external incoming requests for SSH service (TCP port 22)
Once this whitelist takes effect, Alice can access Bob's shared folder (SMB) and can also reach Bob's SSH service remotely. But Alice still cannot ping Bob's host. Why?
The firewall's filtering list on Bob's host now looks like this:
1. Allow internal hosts to initiate connection requests
2. Allow external incoming requests for SMB service (TCP port 445)
3. Allow external incoming requests for SSH service (TCP port 22)
4. Deny all other access
The list is evaluated top to bottom and the first matching rule wins. Alice's ping message does not match rules 1, 2 or 3, so it finally matches rule 4 and access is denied.
There is also an option "Block all incoming connections, including those in the application list". What is this for?
It disables the currently configured whitelist. The two whitelist entries above are removed from the filtering list, leaving only 2 rules:
1. Allow internal hosts to initiate connection requests
2. Deny all other access
This is undoubtedly the safest setting, because every connection initiated from outside is rejected.
A question came up in the PASSHOT learning group some time ago: if the firewall of the home LAN gateway is turned on, is it still necessary to turn on the personal computer's firewall?
This is like asking: if there are border guards at the country's frontier, are the security guards in the residential community still needed?
The answer is yes, they are very necessary!
The above is the news sharing from PASSHOT. I hope it can inspire you. If you think today's content is not too bad, you are welcome to share it with other friends. There are more of the latest Linux dumps, CCNA 200-301 dumps and CCNP Written dumps waiting for you.
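To make the whitelist evaluation and the "block all incoming connections" option concrete, here is an added example (not part of the original post) that models Bob's host firewall as a first-match rule list with a connection table for rule 1. The addresses, ports and packets are constructed sample values, not taken from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # 0 for ICMP, which has no ports
    sport: int = 0


class HostFirewall:
    """First-match evaluation of the four-rule list described above."""

    def __init__(self, host, whitelist=(), block_all_incoming=False):
        self.host = host
        self.whitelist = set(whitelist)      # {(proto, port)} rules 2 and 3
        self.block_all_incoming = block_all_incoming
        self.flows = set()                   # connections this host initiated

    def evaluate(self, pkt):
        # Rule 1: the host initiates a connection; remember it so replies pass
        if pkt.src == self.host:
            self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))
            return "allow"
        # Rule 1 (return traffic): incoming packet of a flow the host opened
        if (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.flows:
            return "allow"
        # Rules 2 and 3: whitelisted services, unless "block all incoming" is set
        if not self.block_all_incoming and (pkt.proto, pkt.dport) in self.whitelist:
            return "allow"
        # Rule 4: deny all other access
        return "deny"


# Constructed sample hosts on one home LAN segment
BOB, ALICE = "192.168.1.10", "192.168.1.20"
bob_fw = HostFirewall(BOB, whitelist={("tcp", 445), ("tcp", 22)})
```

Bob pinging Alice is allowed (rule 1 records the flow and the reply matches it), while Alice pinging Bob falls through to rule 4 and is denied even though her SMB and SSH requests are allowed.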