CN1192310C - Fireproof wall for interconnecting network - Google Patents
Fireproof wall for interconnecting network
- Publication number
- CN1192310C (application numbers CNB991184033A / CN99118403A)
- Authority
- CN
- China
- Prior art keywords
- information
- network
- policy table
- packets
- interface
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classification (landscape)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a network firewall comprising an internal network interface, an external network interface, a firewall policy table memory, a packet processor and a network node table memory. The network node table memory stores a table mapping Internet Protocol (IP) addresses to media access control (MAC) addresses. On receiving network traffic, the packet processor looks up the firewall policy table memory and decides, according to the firewall's policy settings, whether to forward or discard each packet. The firewall itself has no IP address: it receives every packet on the networks attached to it directly, and the packet processor processes those packets.
Description
Technical field
The present invention relates generally to network firewalls, and in particular to a network firewall that needs no IP address and whose presence on the network is thereby hidden.
Background technology
As is well known, a firewall is generally placed between a private network and a public network in order to control and protect the private network. A drawback of known firewall products is that both the inner and outer ports must be assigned IP addresses before they can be connected to the respective networks. With the 3Com firewall, for example, the external network interface must first be given an IP address compatible with the public network and the internal network interface an IP address compatible with the private network before the firewall functions can be used. A known firewall receives only those IP packets addressed to its own MAC address or to the broadcast address, and handles them (forwards or discards them) according to the IP information in the packet. There is therefore a need for a firewall that requires no internal or external IP address, so that it is simple to set up and its presence can be hidden.
Summary of the invention
The object of the present invention is to provide a firewall that requires no IP address and is used to connect two computer networks.
The network firewall of the present invention comprises: an internal network interface for receiving and transmitting internal-network traffic; an external network interface for receiving and transmitting external-network traffic; a firewall policy table memory for storing the firewall policy table; a packet processor, connected to the internal and external network interfaces, which analyses the content of packets received by either interface, processes them according to the content of the firewall policy table memory, and sends the result to the external or internal network interface respectively; and a network node table memory in which a table mapping IP addresses to MAC addresses is stored. When the packet processor receives a packet from either interface it does the following:
(1) extracts the node information, i.e. the IP address and MAC address, from the packet and stores it in the node table under the public or private network respectively;
(2) compares the packet content with the contents of the node table to determine the packet's direction; if the direction stays within one network type according to the node table memory, the packet processor does nothing, otherwise it proceeds to the next step;
(3) decides how to handle the packet by consulting the firewall policy table memory and, according to the firewall's policy settings, either forwards or discards it.
The firewall of the present invention can therefore be placed dynamically at any node of the network without any reconfiguration, and will process and filter network packets according to the firewall policy entered in advance.
Description of drawings
Fig. 1 is a block diagram of the firewall of the present invention.
Fig. 2 is a connection diagram of the firewall of the present invention.
Embodiment
As shown in Fig. 1, the firewall 1 of the present invention comprises a packet processor 2 connected respectively to a network node table memory 3, a firewall policy table memory 4, an external network interface 5 and an internal network interface 6. After a network packet is received by internal network interface 6 or external network interface 5, packet processor 2 proceeds as follows:
(1) extracts the node information, i.e. the IP address and MAC address, from the packet and stores it in the network node table memory 3 under the public or private network respectively;
(2) determines the packet's direction; if the direction stays within one network type according to the network node table memory 3, for example public network to public network or private network to private network, the packet processor does nothing, otherwise it proceeds to the next step;
(3) consults the firewall policy table memory 4 and, according to the IP address settings in the firewall policy table and the packet information received, i.e. source IP address, destination IP address, protocol type and so on, takes the required action on packets that match those features, such as forwarding to internal network interface 6, forwarding to external network interface 5, or discarding.
Firewall 1 may also comprise a policy table processor 7, connected to the firewall policy table memory 4 and to the internal network interface 6 or external network interface 5, which receives network traffic via a WWW server or a dedicated network protocol and sets the firewall policy table in the firewall policy table memory 4 according to the information received.
Firewall 1 may also comprise a setup interface 8, such as RS232 or a keyboard terminal, connected to the policy table processor 7; the policy table processor receives signals from the setup interface and sets the firewall policy in the firewall policy table memory 4.
Fig. 2 shows the connection when the firewall of the present invention is placed between a private network and a public network; the firewall of the present invention can also be used to connect a private network to a private network, or a public network to a public network.
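The three processing steps above, as an added example that is not part of the patent: a Python simulation of the packet processor with a per-side node table learned from observed packets (step 1), the same-side short-circuit (step 2), and a first-match policy table keyed on source address, destination address and protocol (step 3). The rule format (CIDR ranges, a protocol name or "any", a default action), the interface names, the first-mapping-wins learning rule and the sample traffic are all assumptions of this example; the patent fixes none of them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

INTERNAL = "internal"   # private-network side (interface 6 in the patent's figure)
EXTERNAL = "external"   # public-network side (interface 5)
OTHER_SIDE = {INTERNAL: EXTERNAL, EXTERNAL: INTERNAL}


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the frame arrived on
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR range (hypothetical rule syntax, not the patent's)
    dst: str
    proto: str          # protocol name or "any"
    action: str         # "forward" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto))


class TransparentFirewall:
    """IP-less bridging firewall: learns which side each host is on, lets
    same-side traffic through untouched, and filters cross-side traffic."""

    def __init__(self, policy: List[Rule], default: str = "drop") -> None:
        self.policy = list(policy)
        self.default = default
        # Node table: side -> {ip: mac}. The firewall itself has no address.
        self.node_table: Dict[str, Dict[str, str]] = {INTERNAL: {}, EXTERNAL: {}}

    def learn(self, pkt: Packet) -> None:
        # Step (1): record the sender's IP/MAC under the side it was seen on.
        # The first mapping seen is kept; a later frame claiming the same IP
        # does not overwrite it (a choice of this example, not the patent's).
        self.node_table[pkt.ingress].setdefault(pkt.src_ip, pkt.src_mac)

    def side_of(self, ip: str) -> Optional[str]:
        for side, table in self.node_table.items():
            if ip in table:
                return side
        return None            # destination not learned yet

    def process(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (action, egress_interface)."""
        self.learn(pkt)
        # Step (2): if the destination is known to sit on the ingress side,
        # the packet never crosses the firewall and is left alone.
        if self.side_of(pkt.dst_ip) == pkt.ingress:
            return ("ignore", None)
        # Step (3): other side, or destination not yet learned: consult the
        # policy table; the first matching rule decides, else the default.
        for rule in self.policy:
            if rule.matches(pkt):
                action = rule.action
                break
        else:
            action = self.default
        if action == "forward":
            return ("forward", OTHER_SIDE[pkt.ingress])
        return ("drop", None)


def demo() -> List[Tuple[str, Optional[str]]]:
    """Run constructed sample traffic through a small policy; returns decisions."""
    policy = [
        Rule("10.0.0.0/24", "0.0.0.0/0", "tcp", "forward"),   # inside may open TCP outward
        Rule("0.0.0.0/0", "10.0.0.5/32", "tcp", "forward"),   # outside may reach one host
        Rule("0.0.0.0/0", "10.0.0.0/24", "any", "drop"),      # all other inbound dropped
    ]
    fw = TransparentFirewall(policy)
    traffic = [  # constructed sample packets (RFC 5737 test addresses outside)
        Packet(INTERNAL, "aa:aa:aa:00:00:02", "10.0.0.2", "10.0.0.1", "tcp"),
        Packet(INTERNAL, "aa:aa:aa:00:00:01", "10.0.0.1", "10.0.0.2", "tcp"),
        Packet(INTERNAL, "aa:aa:aa:00:00:01", "10.0.0.1", "203.0.113.9", "tcp"),
        Packet(EXTERNAL, "bb:bb:bb:00:00:09", "203.0.113.9", "10.0.0.5", "tcp"),
        Packet(EXTERNAL, "bb:bb:bb:00:00:09", "203.0.113.9", "10.0.0.1", "udp"),
        Packet(EXTERNAL, "bb:bb:bb:00:00:09", "203.0.113.9", "203.0.113.10", "icmp"),
        Packet(EXTERNAL, "bb:bb:bb:00:00:10", "203.0.113.10", "203.0.113.9", "icmp"),
    ]
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Two things the walk-through makes visible that the patent text does not: the direction test in step (2) can only short-circuit once both endpoints have been learned, so the very first frame between two internal hosts (and the first external-to-external frame) falls through to the policy table and is forwarded onto, or dropped from, the other segment as the rules dictate; and because the node table is built from whatever source addresses are observed, it is a trust-on-first-use record, which is why this example deliberately refuses to overwrite an existing entry.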
Claims (4)
1. A network firewall comprising:
an internal network interface for receiving and transmitting internal-network traffic;
an external network interface for receiving and transmitting external-network traffic;
a firewall policy table memory for storing the firewall policy table;
a packet processor, connected to the internal and external network interfaces, which analyses the content of packets received by either interface, processes them according to the content of the firewall policy table memory, and sends the result to the external or internal network interface respectively;
characterised in that:
it further comprises a network node table memory in which a table mapping IP addresses to MAC addresses is stored;
and when the packet processor receives a packet from either interface, the packet processor does the following:
(1) extracts the node information for the public and private networks, i.e. the IP address and MAC address, from the packet and stores it in the network node table memory under the respective network;
(2) compares the packet content with the contents of the node table to determine the packet's direction; if the direction stays within one network type according to the network node table memory, the packet processor does nothing, otherwise it proceeds to the next step;
(3) consults the firewall policy table memory and, according to the firewall's policy settings, decides whether to forward or discard the packet.
2. The firewall of claim 1, wherein the packet processor, according to the source IP address, destination IP address and protocol type of the received packet, takes the required action on packets matching the IP address features stored in the firewall policy table memory, namely forwarding to the internal network interface, forwarding to the external network interface, or discarding.
3. The firewall of claim 1, further comprising a policy table processor, connected to the internal or external network interface, which sets the firewall policy table in the firewall policy table memory via a WWW server or a dedicated network protocol.
4. The firewall of claim 3, further comprising a setup interface; the policy table processor receives signals from the setup interface and sets the firewall policy table in the firewall policy table memory.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB991184033A CN1192310C (en) | 1999-08-26 | 1999-08-26 | Fireproof wall for interconnecting network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1286430A CN1286430A (en) | 2001-03-07 |
CN1192310C true CN1192310C (en) | 2005-03-09 |
Family
ID=5280440
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB991184033A Expired - Fee Related CN1192310C (en) | 1999-08-26 | 1999-08-26 | Fireproof wall for interconnecting network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1192310C (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7987503B2 (en) | 2005-07-30 | 2011-07-26 | Huawei Technologies Co., Ltd. | Firewall control system based on a next generation network service and method thereof |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100530205C (en) * | 2003-07-05 | 2009-08-19 | 鸿富锦精密工业(深圳)有限公司 | Firewall device and setting method thereof |
CN100337222C (en) * | 2004-07-15 | 2007-09-12 | 联想网御科技(北京)有限公司 | A firewall and access restriction method thereof |
EP1617619B1 (en) * | 2004-07-16 | 2007-05-02 | Alcatel Lucent | Method for securing communication in a local area network switch |
US8239930B2 (en) * | 2006-10-25 | 2012-08-07 | Nokia Corporation | Method for controlling access to a network in a communication system |
CN101296222B (en) * | 2007-04-25 | 2011-02-02 | 北京天融信网络安全技术有限公司 | Method for improving hardware acceleration performance of fire wall chip |
CN101355415B (en) * | 2007-07-26 | 2010-12-01 | 万能 | Method and system for implementing safety access public network of network terminal as well as special network access controller thereof |
CN101662368A (en) * | 2008-08-28 | 2010-03-03 | 黄金富 | Network data filtering device capable of fighting against Trojan horse programs and corresponding method |
DE102013216501A1 (en) * | 2013-08-20 | 2015-02-26 | Vega Grieshaber Kg | Instrument access device, field device and method for controlling access to a meter |
CN104717205A (en) * | 2015-02-04 | 2015-06-17 | 上海展湾信息科技有限公司 | Industrial control firewall control method based on message reconstitution |
Application events
- 1999-08-26: application CNB991184033A filed in CN, granted as CN1192310C; now expired (fee related)
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2260561C (en) | An improved method for network address translation | |
US7339895B2 (en) | Gateway device and control method for communication with IP and IPV6 protocols | |
US8238336B2 (en) | Method for forwarding data packet, system, and device | |
CN101087296B (en) | Method for utilizing network processor to translate the IPv4/IPv6 network protocol | |
US20100272107A1 (en) | Technique for address resolution in a data transmission network | |
US20020026528A1 (en) | System and method for selectively bridging and routing data packets between multiple networks | |
CN1192310C (en) | Fireproof wall for interconnecting network | |
CN101072138A (en) | Method and device for providing multi public network service for small networks | |
KR100587560B1 (en) | Method and apparatus for communicating with outer system in link local address system | |
CN113923186A (en) | IPV6 network communication method, device and system | |
KR100433621B1 (en) | Multi layer internet protocol(MLIP) for peer to peer service of private internet and method for transmitting/receiving the MLIP packet | |
US6976054B1 (en) | Method and system for accessing low-level resources in a network device | |
US6845397B1 (en) | Interface method and system for accessing inner layers of a network protocol | |
Legal Events
Code | Event |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |
C19 | Lapse of patent right due to non-payment of the annual fee |
CF01 | Termination of patent right due to non-payment of annual fee |