CN106027569A - Firewall management methods, master node, slave node, and cluster - Google Patents


Info

Publication number
CN106027569A
Application number
CN201610570399.6A
Authority
CN (China)
Prior art keywords
node
target
firewall
firewall policy
message
Legal status
Pending
Other languages
Chinese (zh)
Inventor
赵山
Original and current assignee
Inspur Electronic Information Industry Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management

Abstract

The present invention provides firewall management methods, a master node, a slave node, and a cluster. The firewall management method applied to the master node of the cluster includes the steps of receiving an externally input management command, the management command including target slave node information and a firewall policy; determining a target slave node according to the target slave node information; and sending the firewall policy to the target slave node. With this method, the firewalls on all nodes can be managed in a uniform manner.

Description

Firewall management method, master node, slave node, and cluster
Technical field
The present invention relates to the field of computer technology, and in particular to a firewall management method, a master node, a slave node, and a cluster.
Background technology
With the development of information technology, server systems built on a distributed deployment architecture are used more and more. To improve the security of such a server system, a corresponding firewall policy usually has to be set up or maintained on each node of the system.
At present this is done mainly by going to each node in turn and setting up or maintaining the firewall policy of that node locally (for example with iptables or firewalld); the firewalls on the individual nodes cannot be managed in a unified way.
Summary of the invention
Embodiments of the present invention provide a firewall management method, a master node, a slave node, and a cluster that make it possible to manage the firewalls on all nodes in a unified way.
In a first aspect, an embodiment of the present invention provides a firewall management method applied to the master node of a cluster, including:
receiving an externally input management command, the management command including target slave node information and a firewall policy;
determining a target slave node according to the target slave node information; and
sending the firewall policy to the target slave node.
Preferably, the method further includes: connecting the master node of the cluster to each slave node through message-oriented middleware;
sending the firewall policy to the target slave node includes: sending the firewall policy to the message-oriented middleware;
controlling the message-oriented middleware to monitor the connection status with the target slave node in real time;
when the connection status is normal, controlling the message-oriented middleware to forward the firewall policy directly to the target slave node; and
when the connection status is abnormal, controlling the message-oriented middleware to store the firewall policy;
and/or,
further including: setting a master node IP whitelist;
before receiving the externally input management command, further including: receiving a connection request sent by a terminal; and
when the terminal IP carried in the connection request is present in the master node IP whitelist, establishing a connection between the terminal and the master node;
receiving the externally input management command includes: receiving the management command sent by the terminal.
Preferably, the firewall policy includes any one or more of:
obtaining the current security protection state of the slave node, enabling the security protection of the slave node, disabling the security protection of the slave node, obtaining the mutual trust policy between slave nodes, modifying the mutual trust policy between slave nodes, obtaining the IP whitelist of the slave node, and modifying the IP whitelist of the slave node.
In a second aspect, an embodiment of the present invention provides another firewall management method, applied to each slave node of a cluster, including:
when the slave node is the target slave node, performing:
receiving a firewall policy; and
managing the firewall present on the slave node itself according to the firewall policy.
Preferably, the method further includes: setting a corresponding firewall interface for the firewall of each slave node; and
configuring at least one protection function for the firewall interface;
managing the firewall present on the slave node itself includes:
calling the firewall interface corresponding to the target slave node;
determining, according to the firewall policy, the target protection function among the protection functions of the firewall interface; and
managing the firewall corresponding to the firewall interface by means of the target protection function.
Preferably, the at least one protection function includes any one or more of:
providing the current security protection state of the slave node on which the interface resides, enabling the security protection of that slave node, disabling the security protection of that slave node, providing the mutual trust policy between that slave node and other slave nodes, modifying that mutual trust policy, providing the IP whitelist of that slave node, and modifying the IP whitelist of that slave node.
In a third aspect, an embodiment of the present invention provides a master node connected to each external slave node, including:
a receiving unit for receiving an externally input management command, the management command including target slave node information and a firewall policy; and
a processing unit for determining, according to the target slave node information, the external target slave node among the external slave nodes, and sending the firewall policy received by the receiving unit to the target slave node.
Preferably, the processing unit includes a control subunit and message-oriented middleware, wherein
the control subunit is used to control the message-oriented middleware; and
the message-oriented middleware is connected to each external slave node and is used to determine the external target slave node and receive the firewall policy, and, under the control of the control subunit, to monitor the connection status with the external target slave node in real time, to send the firewall policy to the external target slave node when the connection status is normal, and to store the firewall policy when the connection status is abnormal;
and/or,
the master node further includes a setting unit and a connection unit, wherein
the setting unit is used to set a master node IP whitelist; and
the connection unit is used to receive a connection request sent by an external terminal and, when the terminal IP carried in the connection request is present in the master node IP whitelist set by the setting unit, to establish a connection with the external terminal;
the receiving unit is used to receive, through the connection unit, the management command sent by the external terminal.
In a fourth aspect, an embodiment of the present invention provides a slave node including a receiving unit, a firewall interface, and a firewall, wherein
the receiving unit is used to receive a firewall policy; and
the firewall interface connects the receiving unit and the firewall, and is used to configure at least one protection function, to determine, according to the firewall policy received by the receiving unit, the target protection function among the at least one protection function, and to manage the firewall corresponding to the firewall interface by means of the target protection function.
In a fifth aspect, an embodiment of the present invention provides a cluster including the master node and at least one of the slave nodes, wherein
the master node includes message-oriented middleware through which it is connected to the at least one slave node, and receives the management command sent by an external terminal; and
each of the at least one slave node includes a corresponding firewall interface, through which it protects the firewall present on itself.
Embodiments of the present invention thus provide a firewall management method, a master node, a slave node, and a cluster. When the firewall management method is applied to the master node of a cluster, the master node receives an externally input management command that includes target slave node information and a firewall policy, determines the target slave node from the target slave node information, and sends the firewall policy to the target slave node. In other words, whenever a slave node of the cluster is the target slave node, the master node of the cluster can deliver a firewall policy to it; an administrator no longer has to log in to each slave node separately to maintain its firewall policy, and the firewalls on all nodes can be managed in a unified way.
Brief description of the drawings
To explain the embodiments of the present invention or the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a firewall management method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of another firewall management method provided by an embodiment of the present invention;
Fig. 3 is a flow chart of a further firewall management method provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a master node provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a slave node provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a cluster provided by an embodiment of the present invention.
Detailed description of the invention
To make the purpose, technical solution, and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them; all other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a firewall management method applied to the master node of a cluster, including:
Step 101: receiving an externally input management command, the management command including target slave node information and a firewall policy;
Step 102: determining a target slave node according to the target slave node information;
Step 103: sending the firewall policy to the target slave node.
With the firewall management method of the above embodiment, the master node of the cluster receives an externally input management command that includes target slave node information and a firewall policy, determines the target slave node from the target slave node information, and sends the firewall policy to the target slave node. Whenever a slave node of the cluster is the target slave node, the master node can deliver a firewall policy to it, so the security policy of every node in the cluster can be updated in one synchronized operation. An administrator no longer has to log in to each slave node separately to maintain its firewall policy; the firewalls on all nodes can be managed in a unified way, and the effort of maintaining the security policy is reduced at the same time.
In one embodiment of the present invention, the master node of the cluster is connected to each slave node through message-oriented middleware, and step 103 is implemented as: sending the firewall policy to the message-oriented middleware; controlling the message-oriented middleware to monitor the connection status with the target slave node in real time; when the connection status is normal, controlling the message-oriented middleware to forward the firewall policy directly to the target slave node; and when the connection status is abnormal, controlling the message-oriented middleware to store the firewall policy.
In the above embodiment the master node is connected to each slave node through message-oriented middleware and delivers firewall policies to the target slave node through it, which improves the communication between the master node and the target slave node. For example, when the target slave node is powered off, the master node cannot send the firewall policy to it directly. With message-oriented middleware in place, the master node hands the firewall policy to the middleware, the middleware stores it and monitors its connection status with the target slave node in real time, and once the target slave node has booted and is connected normally to the middleware again, the middleware forwards the stored firewall policy to it. The management terminal therefore only has to send a command once to manage each slave node, which simplifies firewall maintenance and makes unified management of the firewalls on all nodes easier.
In one embodiment of the present invention, the method further includes setting a master node IP whitelist, and before step 101 it further includes: receiving a connection request sent by a terminal, and, when the terminal IP carried in the connection request is present in the master node IP whitelist, establishing a connection between the terminal and the master node; receiving the externally input management command then means receiving the management command sent by that terminal.
In the above embodiment an IP whitelist is set on the master node, so that the cluster authenticates access from outside the cluster by IP whitelist: when the IP of an external terminal is in the whitelist, the master node accepts the connection request from that terminal and establishes the connection, after which the terminal can send management commands to the master node; when the IP of the terminal is not in the list, the master node refuses its connection request outright. Setting a master node IP whitelist thus improves the security of the cluster on the network.
In one embodiment of the present invention, the firewall policy includes any one or more of: obtaining the current security protection state of the slave node, enabling the security protection of the slave node, disabling the security protection of the slave node, obtaining the mutual trust policy between slave nodes, modifying the mutual trust policy between slave nodes, obtaining the IP whitelist of the slave node, and modifying the IP whitelist of the slave node.
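The master-side flow of the embodiments above (a whitelisted terminal, a management command carrying target slave node information and a firewall policy, and middleware that stores the policy while the target slave node is unreachable), which is also the flow of steps 306 to 313 in the worked example later in the description, as an added Python example that is not code from the patent. The node ids C, D and E, the policy action names, the CIDR form of whitelist entries and the in-memory middleware are assumptions made for this example; the description fixes no transport or product.

```python
"""Added example, not the patent's own code: the master-node side of the scheme.

Modelled: a terminal IP whitelist gating management sessions, a management command
carrying {target slave node information, firewall policy}, and message-oriented
middleware that forwards a policy while the slave's connection status is normal and
stores it while it is abnormal. Node ids, policy action names and the in-memory
middleware are assumptions for this example; the description fixes no transport.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class FirewallPolicy:
    action: str                         # one of the policy operations the description lists
    args: Tuple[str, ...] = ()


@dataclass(frozen=True)
class ManagementCommand:
    targets: Tuple[str, ...]            # target slave node information
    policy: FirewallPolicy


class MessageMiddleware:
    """In-memory stand-in for the message-oriented middleware (store-and-forward)."""

    def __init__(self, connected: Dict[str, bool]) -> None:
        self.connected = dict(connected)            # slave node id -> connection status
        self.pending: Dict[str, Deque[FirewallPolicy]] = defaultdict(deque)
        self.delivered: Dict[str, List[FirewallPolicy]] = defaultdict(list)

    def send(self, node_id: str, policy: FirewallPolicy) -> str:
        """Deliver at once when the connection status is normal, otherwise store."""
        if node_id not in self.connected:
            raise KeyError(f"unknown slave node {node_id!r}")
        if self.connected[node_id]:
            self.delivered[node_id].append(policy)
            return "delivered"
        self.pending[node_id].append(policy)
        return "stored"

    def set_connected(self, node_id: str, connected: bool) -> List[FirewallPolicy]:
        """Connection status changed; on reconnect, flush stored policies in order."""
        self.connected[node_id] = connected
        flushed: List[FirewallPolicy] = []
        while connected and self.pending[node_id]:
            policy = self.pending[node_id].popleft()
            self.delivered[node_id].append(policy)
            flushed.append(policy)
        return flushed


class MasterNode:
    def __init__(self, whitelist: List[str], middleware: MessageMiddleware) -> None:
        # Whitelist entries are single addresses or CIDR ranges (assumption).
        self._whitelist = [ipaddress.ip_network(w, strict=False) for w in whitelist]
        self._mw = middleware
        self._sessions: Set[str] = set()

    def accept_connection(self, terminal_ip: str) -> bool:
        """Establish a session only when the terminal IP is in the whitelist."""
        try:
            ip = ipaddress.ip_address(terminal_ip)
        except ValueError:
            return False
        if not any(ip in net for net in self._whitelist):
            return False
        self._sessions.add(terminal_ip)
        return True

    def handle_command(self, terminal_ip: str, cmd: ManagementCommand) -> Dict[str, str]:
        """Resolve the targets and push the policy to each through the middleware.
        A terminal without an established session is refused, so the whitelist
        gates commands as well as connections."""
        if terminal_ip not in self._sessions:
            raise PermissionError(f"no established session for {terminal_ip}")
        return {t: self._mw.send(t, cmd.policy) for t in cmd.targets}


def master_demo() -> Dict[str, object]:
    """Constructed scenario: C is online, D is powered off and boots later."""
    mw = MessageMiddleware({"C": True, "D": False, "E": True})
    master = MasterNode(["10.0.0.5", "192.168.1.0/24"], mw)
    trusted = master.accept_connection("10.0.0.5")     # whitelisted terminal
    rogue = master.accept_connection("10.0.0.6")       # not whitelisted: refused
    cmd = ManagementCommand(("C", "D"), FirewallPolicy("set_trust", ("D", "E")))
    results = master.handle_command("10.0.0.5", cmd)   # C delivered, D stored
    flushed = mw.set_connected("D", True)              # D boots: stored policy flushed
    return {"trusted": trusted, "rogue": rogue, "results": results,
            "flushed": [p.action for p in flushed],
            "delivered_to_D": [p.action for p in mw.delivered["D"]]}


if __name__ == "__main__":
    print(master_demo())
```

Running the block prints the outcome of the constructed scenario: the policy for C is delivered at once, the policy for D is stored and flushed when D's connection status returns to normal, and a terminal that is not on the whitelist can neither connect nor command. A source-IP whitelist only restricts who may open a session; it is not authentication of the terminal, and the description says nothing about authenticating or encrypting the management channel, so a deployment would have to add that separately.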
As shown in Fig. 2, an embodiment of the present invention provides another firewall management method, applied to each slave node of a cluster, including:
Step 201: when the slave node is the target slave node, performing:
Step 202: receiving a firewall policy;
Step 203: managing the firewall present on the slave node itself according to the firewall policy.
In the above embodiment, when a slave node is the target slave node to which the master node sends a firewall policy, it receives the firewall policy and manages the firewall present on itself according to it. When the master node sends a firewall policy it can send it to several target slave nodes at once, so the master node only has to send one firewall management request to manage the firewalls of several slave nodes at the same time, which realizes unified management of the firewalls on all nodes.
In another embodiment of the present invention, the method further includes: setting a corresponding firewall interface for the firewall of each slave node, and configuring at least one protection function for the firewall interface. Step 203 is then implemented as: calling the firewall interface corresponding to the target slave node; determining, according to the firewall policy, the target protection function in the firewall interface; and managing the firewall corresponding to the firewall interface by means of the target protection function.
In the above embodiment of the present invention a corresponding firewall interface is set for the firewall of each node, and each firewall interface is configured with at least one protection function, for example one that prevents the slave node from being accessed maliciously. After the slave node receives a firewall policy it calls the firewall interface corresponding to the target slave node, determines the target protection function of that firewall interface from the firewall policy, and manages the firewall corresponding to the firewall interface with that protection function. For example, the firewall interface can be written in shell, Python, or C and implement the firewall policy as iptables or firewall-cmd commands. Because each slave node manages its own firewall through its firewall interface, unified management of the firewalls on all nodes is easier.
In one embodiment of the present invention, the at least one protection function of the firewall interface includes any one or more of: providing the current security protection state of the slave node on which the interface resides, enabling the security protection of that slave node, disabling the security protection of that slave node, providing the mutual trust policy between that slave node and other slave nodes, modifying the mutual trust policy between that slave node and other slave nodes, providing the IP whitelist of that slave node, and modifying the IP whitelist of that slave node.
In the above embodiment the protection functions of the firewall interface correspond to the firewall policies sent by the master node: for each firewall policy the master node can send, the firewall interface has a corresponding protection function that implements it, which lets each slave node manage its own firewall through the firewall interface.
The firewall management method of the embodiments of the present invention is described in detail below using a master node A, message-oriented middleware B, and slave nodes C, D, and E as an example. As shown in Fig. 3, an embodiment of the present invention provides a further firewall management method, including:
Step 301: setting the IP whitelist of the master node A of the cluster;
In this step, setting the IP whitelist of master node A ensures that A only establishes connections with trusted external terminals, which effectively protects the security of the cluster on the network.
Step 302: setting up message-oriented middleware B on master node A;
In this step, the message-oriented middleware can be set up on the master node or elsewhere; placing it on the master node makes it easier for the middleware to connect the master node with each slave node.
Step 303: connecting master node A of the cluster to each slave node through message-oriented middleware B;
In this step, connecting master node A to each of the slave nodes C, D, and E through message-oriented middleware B lets the middleware act as the communication medium between A and C, D, and E and forward A's requests to C, D, and E respectively.
Step 304: setting a corresponding firewall interface for the firewall of each slave node;
In this step, the slave nodes C, D, and E are configured with their respective firewall interfaces C1, D1, and E1, so that each slave node can manage its own firewall through its firewall interface.
Step 305: configuring at least one protection function for each firewall interface;
In this step, the protection functions of the firewall interfaces C1, D1, and E1 correspond to the firewall policies sent by master node A: for each firewall policy that A can send, each of C1, D1, and E1 has a corresponding protection function that implements it. This is the basis on which each slave node calls its firewall interface to manage its own firewall. The protection functions of each firewall interface include any one or more of: providing the current security protection state of the slave node on which the interface resides, enabling the security protection of that slave node, disabling the security protection of that slave node, providing the mutual trust policy between that slave node and other slave nodes, modifying the mutual trust policy between that slave node and other slave nodes, providing the IP whitelist of that slave node, and modifying the IP whitelist of that slave node.
Step 306: master node A receives a connection request sent by a terminal;
In this step, the connection request sent by the external terminal carries the IP of the terminal, so that master node A can compare that IP with its own IP whitelist and decide whether to establish a connection with the terminal.
Step 307: when the terminal IP carried in the connection request is present in the IP whitelist of A, establishing a connection between the terminal and A;
In this step, the master node establishes connections only with external terminals in the IP whitelist, which helps to protect the security of the cluster on the network.
Step 308: master node A receives a management command sent by the terminal;
In this step, the management command includes target slave node information and a firewall policy; the target slave node information locates the target slave node precisely, and the firewall policy is what is communicated to the firewall of that slave node.
Step 309: master node A determines the target slave node according to the target slave node information;
In this step, master node A first determines which target slave node needs firewall management, that is, the target to which the firewall policy is to be sent; for example, A determines that the target slave node is C.
Step 310: master node A sends the firewall policy to message-oriented middleware B;
Step 311: master node A controls middleware B to monitor the connection status with the target slave node in real time and to judge whether the connection status is normal; if so, step 312 is performed, otherwise step 313;
In this step, the middleware monitors and judges in real time whether its connection with the slave node is normal, so that it can forward the firewall policy sent by the master node to the slave node at a suitable time. For example, with slave node C as the target slave node, A controls B to monitor in real time and judge whether the connection between B and C is normal.
Step 312: controlling message-oriented middleware B to forward the firewall policy directly to the target slave node, then performing step 314;
In this step the connection between B and C is normal, so B forwards the firewall policy sent by A directly to C.
Step 313: master node A controls message-oriented middleware B to store the firewall policy, then performs step 311;
In this step there is currently no connection between B and C, possibly because C is powered off or because the mutual trust between B and C has failed. B therefore stores the firewall policy sent by A and forwards it to C once the connection between B and C is normal again.
Step 314: the target slave node receives the firewall policy;
In this step, for example when C is the target slave node, C receives the firewall policy sent by A.
Step 315: the target slave node calls the firewall interface corresponding to the target slave node;
In this step, target slave node C calls its own firewall interface C1 in preparation for managing its own firewall according to the firewall policy.
Step 316: the target slave node determines, according to the firewall policy, the target protection function in the firewall interface;
In this step, after C, as the target slave node, receives the firewall policy sent by master node A, it determines the target protection function of its own firewall interface C1. For example, if the command that the master node sends on behalf of the external terminal requires the mutual trust policies between slave node C and slave nodes D and E to be modified, then after receiving A's command slave node C calls its firewall interface C1, determines that the target protection function is "modifying the mutual trust policy between the slave node on which the interface resides and other slave nodes", and prepares to manage the corresponding firewall with that function.
Step 317: the target slave node manages the firewall corresponding to the firewall interface by means of the target protection function.
In this step, using the target protection function "modifying the mutual trust policy between the slave node on which the interface resides and other slave nodes" of firewall interface C1, the mutual trust policies between slave node C and slave nodes D and E are modified together, which completes the firewall management request sent by master node A.
In the above embodiment of the present invention the master node uses an IP whitelist to establish connections only with trusted external terminals, receives their management commands, and passes them on to the message-oriented middleware; the middleware delivers the firewall management request to the target slave node at a suitable time, and the target slave node calls its own firewall interface to manage the corresponding firewall. When there are several target slave nodes the master node still only has to send one command to manage the firewalls of several slave nodes in a unified way, which reduces the effort of maintaining the cluster's firewalls while protecting the security of the cluster on the network.
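The slave side of the scheme, that is, the firewall interface with its protection functions and the dispatch from a received firewall policy to the target protection function, as described for step 203 above and carried out by slave node C in steps 314 to 317 of the worked example, as an added Python example that is not code from the patent. The interface emits iptables or firewall-cmd invocations, which the description names as the way such an interface is implemented. Treating mutual trust between slave nodes as accepting traffic from the peer node's address, the node-to-address table, and the dry-run runner that only records the commands are assumptions made for this example.

```python
"""Added example, not the patent's own code: a slave-node firewall interface.

Each protection function is an entry in `functions`; apply() selects the target
protection function from the received policy and emits the iptables or firewall-cmd
invocation through an injectable runner (the default only records argv lists, so
this runs offline). Treating mutual trust as accepting traffic from the peer node's
address, and the node-to-address table, are assumptions made for this example.
"""
from __future__ import annotations

import ipaddress
from typing import Callable, Dict, List, Optional, Set

BACKENDS: Dict[str, Dict[str, Callable[..., List[str]]]] = {  # both tools are named in the description
    "iptables": {
        "allow": lambda ip: ["iptables", "-I", "INPUT", "-s", ip, "-j", "ACCEPT"],
        "deny": lambda ip: ["iptables", "-D", "INPUT", "-s", ip, "-j", "ACCEPT"],
        "on": lambda: ["iptables", "-P", "INPUT", "DROP"],
        "off": lambda: ["iptables", "-P", "INPUT", "ACCEPT"],
    },
    "firewall-cmd": {
        "allow": lambda ip: ["firewall-cmd", "--permanent", "--zone=trusted", f"--add-source={ip}"],
        "deny": lambda ip: ["firewall-cmd", "--permanent", "--zone=trusted", f"--remove-source={ip}"],
        "on": lambda: ["systemctl", "start", "firewalld"],
        "off": lambda: ["systemctl", "stop", "firewalld"],
    },
}


class FirewallInterface:
    def __init__(self, node_id: str, peers: Dict[str, str], backend: str = "iptables",
                 runner: Optional[Callable[[List[str]], None]] = None) -> None:
        self.node_id = node_id
        self.peers = peers                  # other slave node id -> address (assumed table)
        self.cmds = BACKENDS[backend]
        self.executed: List[List[str]] = []  # dry-run record of emitted commands
        self.runner = runner or self.executed.append
        self.enabled = False
        self.trusted: Set[str] = set()      # peer node ids currently trusted
        self.whitelist: Set[str] = set()    # addresses currently whitelisted
        # Protection functions configured on this interface, keyed by policy action.
        self.functions: Dict[str, Callable[..., object]] = {
            "get_state": self.get_state,
            "enable": lambda: self._power(True),
            "disable": lambda: self._power(False),
            "get_trust": lambda: sorted(self.trusted),
            "set_trust": self.set_trust,
            "get_whitelist": lambda: sorted(self.whitelist),
            "set_whitelist": self.set_whitelist,
        }

    def apply(self, action: str, *args: str):
        """Determine the target protection function from the policy and invoke it."""
        fn = self.functions.get(action)
        if fn is None:
            raise ValueError(f"{self.node_id}: unsupported firewall policy {action!r}")
        return fn(*args)

    def get_state(self) -> dict:
        return {"enabled": self.enabled, "trusted": sorted(self.trusted),
                "whitelist": sorted(self.whitelist)}

    def _power(self, on: bool) -> dict:
        self.runner(self.cmds["on" if on else "off"]())
        self.enabled = on
        return self.get_state()

    def set_trust(self, *peer_ids: str) -> List[str]:
        """Replace the trusted peer set, emitting rules only for what changed."""
        unknown = set(peer_ids) - set(self.peers)
        if unknown:
            raise ValueError(f"{self.node_id}: unknown peer nodes {sorted(unknown)}")
        self._sync(self.trusted, set(peer_ids), lambda p: self.peers[p])
        return sorted(self.trusted)

    def set_whitelist(self, *addrs: str) -> List[str]:
        for a in addrs:                     # reject malformed input before touching any rule
            ipaddress.ip_network(a, strict=False)
        self._sync(self.whitelist, set(addrs), lambda a: a)
        return sorted(self.whitelist)

    def _sync(self, current: Set[str], wanted: Set[str], to_addr) -> None:
        for item in sorted(current - wanted):       # dropped entries: remove their rule
            self.runner(self.cmds["deny"](to_addr(item)))
        for item in sorted(wanted - current):       # new entries: add their rule
            self.runner(self.cmds["allow"](to_addr(item)))
        current.clear()
        current.update(wanted)


def slave_demo():
    """Constructed scenario from the description: C is told to trust D and E."""
    c1 = FirewallInterface("C", peers={"D": "10.0.0.12", "E": "10.0.0.13"})
    c1.apply("enable")
    c1.apply("set_trust", "D", "E")
    c1.apply("set_trust", "E")                     # D dropped: one -D rule, no new -I
    c1.apply("set_whitelist", "192.168.1.0/24")
    return c1.executed, c1.apply("get_state")


if __name__ == "__main__":
    print("\n".join(" ".join(argv) for argv in slave_demo()[0]))
```

The runner is injectable so the same class can hand the argv lists to subprocess.run on a real node; the default records them, which is also the simplest way to review what a policy would change before letting it touch the rules. set_trust and set_whitelist emit rules only for the difference between the current and the requested set, so a policy that arrives twice (for instance a copy the middleware stored and later flushed) changes nothing the second time.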
As shown in Figure 4, one embodiment of the invention provides a kind of host node, with peripheral hardware from node phase Even, including: reception unit 401, for receiving the administration order of outside input, described administration order bag Include: target is from nodal information and firewall policy;
Processing unit 402, for according to described target from nodal information, at each of described peripheral hardware from joint In point, determine that the target of peripheral hardware, from node, and sends the fire wall plan that described reception unit 401 receives Slightly give described target from node.
In the above embodiment of the present invention, received the administration order of outside input, described management by host node Order includes: target is from nodal information and firewall policy;According to described target from nodal information, determine Target is from node;Send described firewall policy to each from node, i.e. cluster of described target from joint Point as target from node time, the host node in cluster can be sent to firewall policy, can synchronize Update the security strategy of each node in cluster, and need not distinguish and arrive specially from the login of node position from joint Point safeguards firewall policy, it is possible to being managed collectively the fire wall on each node, this not only may be used To improve cluster safety on network, also effectively reduce the workload that security strategy is safeguarded simultaneously.
In one embodiment of the invention, described processing unit, including: control subelement and message-oriented middleware (figure Not shown in), wherein,
Described control subelement, is used for controlling described message-oriented middleware;
Described message-oriented middleware, is connected from node with each of peripheral hardware, for determining that the target of peripheral hardware is from joint Point, and receive described firewall policy, when receiving the control of described control subelement, monitor in real time With the target of described peripheral hardware from the connection status of node, when described connection status is normal, then send described Firewall policy gives the target of described peripheral hardware from node;When described connection status exception, then storage is described Firewall policy;
In above-described embodiment, firewall policy is sent to target from node by message-oriented middleware by host node, This is more beneficial for host node with target from internodal intercommunication;Such as, it is in shutdown shape when target from node State or other faults cause when mutual trust exception between node and host node, and host node cannot be directly by institute Stating firewall policy to send to target from node, in the presence of having message-oriented middleware, host node can be by fire wall Strategy is sent to message-oriented middleware, and described firewall policy is first stored by message-oriented middleware, then is closing Described firewall policy is sent to target from node by the suitable time;As can be seen here, message-oriented middleware makes dimension When protecting the fire wall of cluster, operate easier, be more beneficial for being managed collectively the fire wall of each node.
In one embodiment of the present invention, the master node further comprises a setting unit and a connection unit (not shown in the figure), wherein:
the setting unit is configured to set a master node IP whitelist;
the connection unit is configured to receive a connection request sent by an external terminal and, when the terminal IP carried in the connection request is present in the master node IP whitelist set by the setting unit, to establish a connection with that external terminal.
In the above embodiment, an IP whitelist is set on the master node so that the master node establishes connections only with trusted external terminals, which helps ensure the cluster's network security.
In one embodiment of the present invention, the receiving unit is specifically configured to receive, through the connection unit, the management command sent by the external terminal.
In the above embodiment, the master node receives the management command sent by the external terminal through its receiving unit and, according to that command, manages the firewall of every node centrally.
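The master-node behaviour described in the embodiments above (IP whitelist on the connection unit, fan-out of one management command to several target slave nodes, and store-and-forward through the message middleware when a slave is unreachable), as an added example that is not code from the patent or from Inspur. Every class, method and field name, the command structure, and the in-memory stand-in for the network are assumptions; the patent names the roles, not an implementation.

```python
"""Added example (not code from the patent or from Inspur): a master node that
accepts management connections only from whitelisted terminal IPs and hands
each firewall policy to a message middleware, which delivers it to reachable
slave nodes and queues it for unreachable ones. All names are assumptions."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class ManagementCommand:
    """The management command of the patent: target slave info plus a policy."""
    target_slaves: list    # identifiers of the target slave nodes
    firewall_policy: dict  # e.g. {"action": "disable_protection"}


class MessageMiddleware:
    """Store-and-forward layer between the master node and the slave nodes."""

    def __init__(self):
        self.connected = set()              # slaves currently reachable
        self.pending = defaultdict(deque)   # slave -> policies waiting for delivery
        self.delivered = defaultdict(list)  # slave -> policies handed over (stands in for the wire)

    def set_connection_state(self, slave, up):
        """Connection-monitor callback; a reconnect flushes that slave's backlog in order."""
        if up:
            self.connected.add(slave)
            while self.pending[slave]:
                self.delivered[slave].append(self.pending[slave].popleft())
        else:
            self.connected.discard(slave)

    def send(self, slave, policy):
        """Deliver immediately when the slave is connected, otherwise store the policy."""
        if slave in self.connected:
            self.delivered[slave].append(policy)
            return "delivered"
        self.pending[slave].append(policy)
        return "stored"


class MasterNode:
    def __init__(self, middleware, ip_whitelist):
        self.middleware = middleware
        # Whitelist entries may be single hosts or CIDR ranges.
        self.whitelist = [ipaddress.ip_network(e, strict=False) for e in ip_whitelist]
        self.sessions = set()  # terminals whose connection request was accepted

    def accept_connection(self, terminal_ip):
        """Connection unit: establish a session only for whitelisted terminal IPs."""
        addr = ipaddress.ip_address(terminal_ip)
        if any(addr in net for net in self.whitelist):
            self.sessions.add(terminal_ip)
            return True
        return False

    def receive_command(self, terminal_ip, command):
        """Receiving unit: commands are accepted only over an established session."""
        if terminal_ip not in self.sessions:
            raise PermissionError(f"{terminal_ip} has no established session")
        # Processing unit: one command fans out to every target slave node.
        return {slave: self.middleware.send(slave, command.firewall_policy)
                for slave in command.target_slaves}


def demo():
    """Constructed scenario: slave-1 is up, slave-2 is powered off during the command."""
    mw = MessageMiddleware()
    master = MasterNode(mw, ["10.0.0.5", "192.168.1.0/24"])
    mw.set_connection_state("slave-1", True)
    mw.set_connection_state("slave-2", False)
    rejected = master.accept_connection("203.0.113.9")    # not on the whitelist
    accepted = master.accept_connection("192.168.1.20")   # inside 192.168.1.0/24
    cmd = ManagementCommand(["slave-1", "slave-2"], {"action": "disable_protection"})
    result = master.receive_command("192.168.1.20", cmd)
    mw.set_connection_state("slave-2", True)   # slave-2 boots; its backlog is flushed
    return rejected, accepted, result, dict(mw.delivered)


if __name__ == "__main__":
    print(demo())
```

Two practical caveats that the patent text does not address: a source-IP whitelist only bounds which addresses may open a management session, it does not authenticate the terminal (addresses can be spoofed or shared behind NAT), so a real deployment would still authenticate the channel, for instance with mutual TLS; and a policy queued while a slave is down is applied later, so superseded policies should be versioned or collapsed before the backlog is flushed.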
As shown in Figure 5, another embodiment of the present invention provides a slave node comprising a receiving unit 501, a firewall interface 502 and a firewall 503, wherein:
the receiving unit 501 is configured to receive a firewall policy;
the firewall interface 502 connects the receiving unit 501 and the firewall 503, and is configured to be provided with at least one protection function, to determine a target protection function among the at least one protection function according to the firewall policy received by the receiving unit, and to manage the firewall corresponding to the firewall interface by means of that target protection function.
In the above embodiment of the present invention, when a slave node is a target slave node to which the master node sends a firewall policy, it receives the policy and calls its own firewall interface to manage the corresponding firewall. When sending a firewall policy, the master node can send it to multiple target slave nodes at once, so a single firewall management request from the master node manages the firewalls of multiple slave nodes simultaneously, achieving centralized management of every node's firewall.
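The slave-side firewall interface described above, as an added example that is not code from the patent or from Inspur: the protection functions listed in the patent's claims (current protection status, enable and disable protection, get and modify the mutual-trust policy, get and modify the IP whitelist) are registered on a firewall interface that dispatches each received firewall policy to the matching one. The policy message format ("action" plus "params"), all names, and the in-memory stand-in for the node's real host firewall are assumptions.

```python
"""Added example (not code from the patent or from Inspur): a slave node whose
firewall interface exposes the protection functions named in the patent's claims
and dispatches each received firewall policy to the matching one. The policy
format ({"action": ..., "params": {...}}), all names, and the in-memory stand-in
for the node's real host firewall are assumptions."""
import ipaddress


class SimulatedFirewall:
    """Stand-in for the firewall present on the node (e.g. iptables); holds state only."""

    def __init__(self):
        self.enabled = True
        self.trust_policy = {}     # peer slave node -> sorted list of ports it may reach
        self.ip_whitelist = set()  # CIDR strings allowed to reach this node


class FirewallInterface:
    def __init__(self, firewall):
        self.fw = firewall
        # At least one protection function is configured on the interface;
        # the policy's "action" field selects the target protection function.
        self.functions = {
            "get_status": self.get_status,
            "enable_protection": self.enable_protection,
            "disable_protection": self.disable_protection,
            "get_trust_policy": self.get_trust_policy,
            "modify_trust_policy": self.modify_trust_policy,
            "get_ip_whitelist": self.get_ip_whitelist,
            "modify_ip_whitelist": self.modify_ip_whitelist,
        }

    def apply(self, policy):
        """Determine the target protection function and run it against the firewall."""
        func = self.functions.get(policy.get("action"))
        if func is None:
            raise ValueError(f"unknown firewall policy action: {policy.get('action')!r}")
        return func(policy.get("params", {}))

    def get_status(self, _params):
        return {"enabled": self.fw.enabled, "whitelist_size": len(self.fw.ip_whitelist)}

    def enable_protection(self, _params):
        self.fw.enabled = True
        return self.get_status({})

    def disable_protection(self, _params):
        self.fw.enabled = False
        return self.get_status({})

    def get_trust_policy(self, _params):
        return dict(self.fw.trust_policy)

    def modify_trust_policy(self, params):
        ports = params.get("ports", [])
        if not all(isinstance(p, int) and 0 < p < 65536 for p in ports):
            raise ValueError("ports must be integers in 1..65535")
        self.fw.trust_policy[params["peer"]] = sorted(set(ports))
        return self.get_trust_policy({})

    def get_ip_whitelist(self, _params):
        return sorted(self.fw.ip_whitelist)

    def modify_ip_whitelist(self, params):
        # Parse every entry before touching the firewall so that one malformed
        # address rejects the whole command instead of leaving a half-applied list.
        add = [str(ipaddress.ip_network(e, strict=False)) for e in params.get("add", [])]
        remove = [str(ipaddress.ip_network(e, strict=False)) for e in params.get("remove", [])]
        self.fw.ip_whitelist.difference_update(remove)
        self.fw.ip_whitelist.update(add)
        return self.get_ip_whitelist({})


class SlaveNode:
    """Receiving unit + firewall interface + firewall, as in the patent's Figure 5."""

    def __init__(self):
        self.interface = FirewallInterface(SimulatedFirewall())

    def receive_policy(self, policy):
        return self.interface.apply(policy)


def demo():
    """Constructed sequence of policies as the master node might push them."""
    node = SlaveNode()
    policies = [
        {"action": "modify_ip_whitelist", "params": {"add": ["10.0.0.5", "192.168.1.0/24"]}},
        {"action": "modify_trust_policy", "params": {"peer": "slave-2", "ports": [22, 2049, 22]}},
        {"action": "disable_protection"},
        {"action": "get_status"},
    ]
    return [node.receive_policy(p) for p in policies]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The dispatch table is the security boundary here: a policy can only reach a function that was explicitly registered on the interface, so an unknown action is rejected rather than interpreted, and parameters are validated before the firewall state is touched.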
As shown in Figure 6, one embodiment of the present invention provides a cluster 60 comprising the master node 601 and at least one slave node 602, wherein:
the master node comprises a message middleware 603, is connected to the at least one slave node through the message middleware, and receives the management command sent by an external terminal;
each of the at least one slave node comprises a corresponding firewall interface 6021 and protects, through that firewall interface, the firewall 6022 present on itself.
In the above embodiment, the cluster comprises a master node and at least one slave node, connected through the message middleware. According to the firewall management request sent by a trusted external terminal, the master node uniformly calls the firewall interface corresponding to each target slave node, thereby achieving centralized management of every node's firewall and reducing the firewall maintenance workload.
The embodiments of the present invention have at least the following beneficial effects:
1. The master node receives an externally input management command comprising target slave node information and a firewall policy, determines the target slave node from that information, and sends the firewall policy to the target slave node. When every slave node in the cluster is a target slave node, the master node can push the firewall policy to all of them, so nobody has to log in to each slave node individually to maintain its firewall policy, and the firewalls on all nodes are managed centrally.
2. A message middleware connects the master node to each slave node. When the connection between the middleware and the target slave node is normal, the middleware forwards the firewall policy sent by the master node directly to the target slave node; when that connection is abnormal, the middleware stores the firewall policy, keeps monitoring its connection with the target slave node in real time, and re-sends the stored policy once the target slave node has started up and reconnected. This makes communication between the master node and the slave nodes more robust: the management terminal only needs to send one command to manage every slave node, which simplifies operation and supports centralized management of every node's firewall.
3. By setting an IP whitelist on the master node, the master node connects only to trusted external terminals, which effectively safeguards the cluster's network security.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variant thereof are intended to be non-exclusive, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Absent further limitation, an element qualified by the statement "includes a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes that element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes media capable of storing program code, such as ROM, RAM, magnetic disks or optical disks.
Finally, it should be noted that the foregoing describes only preferred embodiments of the present invention, intended to illustrate its technical solution and not to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention falls within its scope of protection.

Claims (10)

1. A firewall management method, characterized in that it is applied to a master node in a cluster and comprises:
receiving a management command input from outside, the management command comprising target slave node information and a firewall policy;
determining the target slave node according to the target slave node information; and
sending the firewall policy to the target slave node.
2. The method according to claim 1, characterized in that:
the method further comprises: connecting the master node in the cluster to each slave node through a message middleware;
sending the firewall policy to the target slave node comprises: sending the firewall policy to the message middleware;
controlling the message middleware to monitor its connection status with the target slave node in real time;
when the connection status is normal, controlling the message middleware to send the firewall policy directly to the target slave node; and
when the connection status is abnormal, controlling the message middleware to store the firewall policy;
and/or,
the method further comprises: setting a master node IP whitelist;
before receiving the management command input from outside, the method further comprises: receiving a connection request sent by a terminal;
when the terminal IP carried in the connection request is present in the master node IP whitelist, establishing a connection between the terminal and the master node; and
receiving the management command input from outside comprises: receiving the management command sent by the terminal.
3. The method according to claim 1 or 2, characterized in that the firewall policy comprises any one or more of:
obtaining the current security protection status of a slave node, enabling the security protection of a slave node, disabling the security protection of a slave node, obtaining the mutual-trust policy between slave nodes, modifying the mutual-trust policy between slave nodes, obtaining the IP whitelist of a slave node, and modifying the IP whitelist of a slave node.
4. A firewall management method, characterized in that it is applied to each slave node in a cluster and comprises:
when a given slave node is a target slave node, performing:
receiving a firewall policy; and
managing the firewall present on the slave node itself according to the firewall policy.
5. The method according to claim 4, characterized in that the method further comprises: setting a corresponding firewall interface for the firewall in each slave node; and
configuring at least one protection function for the firewall interface;
and managing the firewall present on the slave node itself comprises:
calling the firewall interface corresponding to the target slave node;
determining a target protection function in the firewall interface according to the firewall policy; and
managing the firewall corresponding to the firewall interface by means of the target protection function.
6. The method according to claim 5, characterized in that the at least one protection function comprises any one or more of:
providing the current security protection status of the slave node on which it resides, enabling the security protection of that slave node, disabling the security protection of that slave node, providing the mutual-trust policy between that slave node and other slave nodes, modifying the mutual-trust policy between that slave node and other slave nodes, providing the IP whitelist of that slave node, and modifying the IP whitelist of that slave node.
7. A master node, characterized in that it is connected to each external slave node and comprises:
a receiving unit, configured to receive a management command input from outside, the management command comprising target slave node information and a firewall policy; and
a processing unit, configured to determine, according to the target slave node information, the external target slave node among the external slave nodes, and to send the firewall policy received by the receiving unit to the target slave node.
8. The master node according to claim 7, characterized in that:
the processing unit comprises a control subunit and a message middleware, wherein
the control subunit is configured to control the message middleware; and
the message middleware is connected to each external slave node and is configured to determine the external target slave node and to receive the firewall policy; under the control of the control subunit, to monitor its connection status with the external target slave node in real time; when the connection status is normal, to send the firewall policy to the external target slave node; and when the connection status is abnormal, to store the firewall policy;
and/or,
the master node further comprises a setting unit and a connection unit, wherein
the setting unit is configured to set a master node IP whitelist;
the connection unit is configured to receive a connection request sent by an external terminal and, when the terminal IP carried in the connection request is present in the master node IP whitelist set by the setting unit, to establish a connection with the external terminal; and
the receiving unit is configured to receive, through the connection unit, the management command sent by the external terminal.
9. A slave node, characterized in that it comprises a receiving unit, a firewall interface and a firewall, wherein
the receiving unit is configured to receive a firewall policy; and
the firewall interface connects the receiving unit and the firewall and is configured to be provided with at least one protection function, to determine a target protection function among the at least one protection function according to the firewall policy received by the receiving unit, and to manage the firewall corresponding to the firewall interface by means of the target protection function.
10. A cluster, characterized in that it comprises the master node according to claim 7 or 8 and at least one slave node according to claim 9, wherein
the master node comprises a message middleware, is connected to the at least one slave node through the message middleware, and receives the management command sent by an external terminal; and
each of the at least one slave node comprises a corresponding firewall interface and protects, through that firewall interface, the firewall present on itself.
CN201610570399.6A 2016-07-19 2016-07-19 Firewall management methods, master node, slave node, and cluster Pending CN106027569A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610570399.6A CN106027569A (en) 2016-07-19 2016-07-19 Firewall management methods, master node, slave node, and cluster


Publications (1)

Publication Number Publication Date
CN106027569A true CN106027569A (en) 2016-10-12

Family

ID=57116689


Country Status (1)

Country Link
CN (1) CN106027569A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108494766A (en) * 2018-03-21 2018-09-04 北京知道创宇信息技术有限公司 WAF regulation managements method and WAF groups
CN109218415A (en) * 2018-08-28 2019-01-15 浪潮电子信息产业股份有限公司 A kind of method, node and the storage medium of distributed node management
CN109413043A (en) * 2018-09-25 2019-03-01 聚好看科技股份有限公司 Realize method and device, the electronic equipment, storage medium of Database Dynamic configuration
CN109587239A (en) * 2018-12-03 2019-04-05 群蜂信息技术(上海)有限公司 A kind of processing method of access request, server and storage medium
CN110493064A (en) * 2019-08-30 2019-11-22 深圳壹账通智能科技有限公司 Firewall management method, apparatus, computer equipment and storage medium
CN110532789A (en) * 2019-08-13 2019-12-03 南京芯驰半导体科技有限公司 A kind of the system firewall and configuration method of stratification
CN113949537A (en) * 2021-09-26 2022-01-18 杭州谐云科技有限公司 Firewall management method and system based on eBPF
CN115134212A (en) * 2022-06-29 2022-09-30 中国工商银行股份有限公司 Policy pushing method and device, computer equipment and storage medium
CN116614318A (en) * 2023-07-20 2023-08-18 深圳市中科云科技开发有限公司 Network security protection method and system based on firewall

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060095497A1 (en) * 1996-11-29 2006-05-04 Ellis Frampton E Iii Global network computers
CN103763310A (en) * 2013-12-31 2014-04-30 曙光云计算技术有限公司 Firewall service system and method based on virtual network
CN105024855A (en) * 2015-07-13 2015-11-04 浪潮(北京)电子信息产业有限公司 Distributed cluster management system and method
US9264301B1 (en) * 2012-09-20 2016-02-16 Wiretap Ventures, LLC High availability for software defined networks
CN105516081A (en) * 2015-11-25 2016-04-20 浪潮电子信息产业股份有限公司 Method and system for issuing safety strategy by server and message queue middleware


Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108494766A (en) * 2018-03-21 2018-09-04 北京知道创宇信息技术有限公司 WAF regulation managements method and WAF groups
CN109218415B (en) * 2018-08-28 2021-06-29 浪潮电子信息产业股份有限公司 Distributed node management method, node and storage medium
CN109218415A (en) * 2018-08-28 2019-01-15 浪潮电子信息产业股份有限公司 A kind of method, node and the storage medium of distributed node management
CN109413043A (en) * 2018-09-25 2019-03-01 聚好看科技股份有限公司 Realize method and device, the electronic equipment, storage medium of Database Dynamic configuration
CN109413043B (en) * 2018-09-25 2022-04-12 聚好看科技股份有限公司 Method and device for realizing dynamic configuration of database, electronic equipment and storage medium
CN109587239A (en) * 2018-12-03 2019-04-05 群蜂信息技术(上海)有限公司 A kind of processing method of access request, server and storage medium
CN110532789A (en) * 2019-08-13 2019-12-03 南京芯驰半导体科技有限公司 A kind of the system firewall and configuration method of stratification
CN110493064A (en) * 2019-08-30 2019-11-22 深圳壹账通智能科技有限公司 Firewall management method, apparatus, computer equipment and storage medium
CN113949537A (en) * 2021-09-26 2022-01-18 杭州谐云科技有限公司 Firewall management method and system based on eBPF
CN113949537B (en) * 2021-09-26 2023-11-21 杭州谐云科技有限公司 Firewall management method and system based on eBPF
CN115134212A (en) * 2022-06-29 2022-09-30 中国工商银行股份有限公司 Policy pushing method and device, computer equipment and storage medium
CN115134212B (en) * 2022-06-29 2024-04-19 中国工商银行股份有限公司 Policy pushing method, device, computer equipment and storage medium
CN116614318A (en) * 2023-07-20 2023-08-18 深圳市中科云科技开发有限公司 Network security protection method and system based on firewall
CN116614318B (en) * 2023-07-20 2023-10-03 深圳市中科云科技开发有限公司 Network security protection method and system based on firewall

Similar Documents

Publication Publication Date Title
CN106027569A (en) Firewall management methods, master node, slave node, and cluster
CN101340444B (en) Fireproof wall and server policy synchronization method, system and apparatus
US10798218B2 (en) Environment isolation method and device
CN107241360A (en) A kind of data safety shares exchange method and data safety shares switching plane system
CN112615856B (en) Multi-cluster network security policy management and control method and system
CN104202303A (en) Policy conflict detection method and system for SDN (Software Defined Network) application
CN111404924B (en) Security management and control method, device, equipment and storage medium of cluster system
CN104506513B (en) Fire wall flow table backup method, fire wall and firewall system
CN105684391A (en) Automated generation of label-based access control rules
US10880332B2 (en) Enterprise security management tool
CN104135378B (en) The method and things-internet gateway management and control entity of control are managed to things-internet gateway
US10652280B2 (en) User interface features for enterprise security management
CN1988478A (en) Integrated tactic managing system based on expandable label language
CN109474936A (en) Applied to the Internet of Things means of communication and system between multiple lora gateways
CN107257332A (en) Time control in large-scale firewall cluster
CN104969517A (en) Automated control plane for limited user destruction
US20210278823A1 (en) Device and Method for Setting Up and/or Providing a Working Environment
CN109547502A (en) Firewall ACL management method and device
CN104660449A (en) Method and equipment for preventing generation of multiple masters through IRF (intelligent resilient framework) splitting
CN107797859A (en) A kind of dispatching method of timed task and a kind of dispatch server
CN110557318A (en) Method for realizing safe remote operation of IOT equipment
US10979455B2 (en) Solution definition for enterprise security management
CN110324415B (en) Method, device, equipment and medium for realizing routing of peer-to-peer network
CN103810419B (en) One kind applies anti-uninstall method and apparatus
CN115865537B (en) Privacy computing method based on centralized system management, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20161012)