WO2019179027A1 - Electronic device, firewall provisioning verification method, system and storage medium - Google Patents


Info

Publication number
WO2019179027A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
target
port information
source
firewall
Prior art date
Application number
PCT/CN2018/102094
Other languages
French (fr)
Chinese (zh)
Inventor
王开强
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2019179027A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/22 Parsing or analysis of headers

Definitions

  • The present application relates to the field of Internet security, and in particular to an electronic device, a firewall opening verification method, a system, and a storage medium.
  • A firewall is usually provided between the internal network and the external network.
  • When an internal system calls data from external systems, it needs to verify whether the firewall between the internal system and each external system to be called has been opened.
  • The commonly used method for verifying whether a firewall has been opened requires manually querying the destination IP address and destination port of each external system the internal system needs to call, simulating an HTTP request to establish a communication channel between the internal system and the external system, and then executing telnet commands in sequence to remotely log in to the external system corresponding to each queried destination IP address and destination port, to verify whether the corresponding firewall is open. Because the whole process relies on manual queries, it is error-prone, its accuracy is low, and verification is inefficient.
  • The present application provides an electronic device, a firewall opening verification method, and a storage medium, which can improve the accuracy and efficiency of verifying whether a firewall is open.
  • The present application provides an electronic device including a memory and a processor connected to the memory, where the processor is configured to execute a firewall opening verification program stored in the memory.
  • When the firewall opening verification program is executed by the processor, the following steps are implemented:
  • A2: traversing the pre-generated firewall whitelist based on the source IP address and the source port information, and querying the firewall whitelist for the target IP address and target port information mapped to the source IP address and the source port information respectively;
  • A3: if a target IP address and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP address and the target port information to execute the instruction for verifying that the firewall is open.
  • The present application further provides a firewall opening verification method, which includes the following steps:
  • The present application further provides a firewall opening verification system, which includes an acquisition module, a query module, and an identification module;
  • the acquisition module is configured to obtain the source IP address and source port information of the client after receiving a request for service data sent by the client;
  • the query module is configured to traverse the pre-generated firewall whitelist based on the source IP address and the source port information, and to query the firewall whitelist for the target IP address and target port information mapped to the source IP address and the source port information respectively;
  • the identification module is configured to, if a target IP address and target port information mapped to the source IP address and the source port information are found, start the corresponding number of threads according to the target IP address and the target port information to execute the instruction for verifying that the firewall is open.
  • The present application further provides a computer readable storage medium storing a firewall opening verification program, which is executable by at least one processor to cause the at least one processor to perform the following steps:
  • querying a pre-generated firewall whitelist based on the source IP address and the source port information, and querying the firewall whitelist for the target IP address and target port information mapped to the source IP address and the source port information respectively;
  • if a target IP address and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP address and the target port information, and executing the instruction for verifying that the firewall is open.
  • The electronic device, firewall opening verification method, system, and storage medium provided by the present application obtain the source IP address and source port information of the client after receiving the request for service data sent by the client; traverse the pre-generated firewall whitelist based on the source IP address and the source port information, and query the firewall whitelist for the target IP address and target port information mapped to the source IP address and the source port information respectively; and, if a mapped target IP address and target port information are found, start the corresponding number of threads according to the target IP address and the target port information and execute the instruction for verifying that the firewall is open.
  • FIG. 1 is a schematic diagram of an optional hardware architecture of an electronic device proposed by the present application.
  • FIG. 2 is a schematic diagram of the program modules of the firewall opening verification program in an embodiment of the electronic device of the present application.
  • FIG. 3 is a flow chart showing an implementation of a preferred embodiment of the firewall provisioning verification method of the present application.
  • The electronic device 10 may include, but is not limited to, the memory 11, the processor 12, and the network interface 13, which are communicably connected to each other through the communication bus 14. It should be noted that FIG. 1 only shows the electronic device 10 having the components 11-14, but it should be understood that not all illustrated components need be implemented, and more or fewer components may be implemented instead.
  • The memory 11 includes at least one type of computer readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card type memory (for example, SD or DX memory), a random access memory (RAM), or a static memory.
  • The memory 11 may be an internal storage unit of the electronic device 10, such as a hard disk or memory of the electronic device 10.
  • The memory 11 may also be an external storage device of the electronic device 10, such as a plug-in hard disk equipped on the electronic device 10, a smart memory card (SMC), a secure digital (SD) card, a flash card, etc.
  • The memory 11 can also include both an internal storage unit of the electronic device 10 and an external storage device.
  • The memory 11 is generally used to store the operating system installed on the electronic device 10 and various types of application software, such as the firewall opening verification program. Further, the memory 11 can also be used to temporarily store various types of data that have been output or are to be output.
  • The processor 12 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments.
  • The processor 12 is typically used to control the overall operation of the electronic device 10.
  • The processor 12 is configured to run program code or process data stored in the memory 11, such as running the firewall opening verification program.
  • The network interface 13 may include a wireless network interface or a wired network interface, and is typically used to establish a communication connection between the electronic device 10 and other electronic devices.
  • The communication bus 14 is used to implement a communication connection between the components 11-13.
  • FIG. 1 shows only the electronic device 10 with the components 11-14 and the firewall opening verification program, but it should be understood that not all illustrated components need be implemented and that more or fewer components may be implemented instead.
  • The electronic device 10 may further include a user interface (not shown in FIG. 1); the user interface may include a display and an input unit such as a keyboard, and may further include a standard wired interface, a wireless interface, and the like.
  • The display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED touch device, or the like. The display may also be referred to as a display screen or display unit, for displaying information processed in the electronic device 10 and for displaying a visual user interface.
  • When the firewall opening verification program stored in the memory 11 is executed by the processor 12, the following operations are implemented:
  • querying a pre-generated firewall whitelist based on the source IP address and the source port information, and querying the firewall whitelist for the target IP address and target port information mapped to the source IP address and the source port information respectively;
  • if a target IP address and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP address and the target port information, and executing the instruction for verifying that the firewall is open.
  • When the number of target IP addresses and target port information mapped to the source IP address and the source port information is large and exceeds a preset threshold, for convenience a corresponding firewall port information list is generated from the mapping relationship; the corresponding number of threads is then started according to the generated firewall port information list to execute the instruction for verifying that the firewall is open, verifying whether the firewall between each target IP address and target port and the source IP address and source port is open.
  • The firewall opening verification command is sent to the predetermined server node.
  • The firewall whitelist includes the mapping relationship between the source IP address and source port information and the target IP address and target port information.
  • The predetermined client is monitored in real time, or periodically within a preset time. When the client launches an application, the request message sent by the client is captured; the request message includes the service code information of the target service system and the target IP address corresponding to the service code information.
  • The preset time may be set automatically according to the predetermined service type of the client. For example, if the predetermined client is a mail service system, the preset time may be set to the last 3 months or the last month; if the predetermined client is a web browser of the World Wide Web, the preset time may be set to the most recent week, etc. The service code information of the target service system is a predetermined readable string.
  • The firewall whitelist is stored in a predetermined database.
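The whitelist pre-generation described above, as an added example that is not code from the patent or from the applicant: request messages captured while monitoring a client are filtered by the preset window for the client's service type (the page's examples of three months for a mail system and one week for a browser, with 90 days standing in for three months) and folded into the (source IP, source port) to (target IP, target port) mapping. The record field names, the service type names, the reference time and the sample requests are constructed assumptions.

```python
"""Pre-generating the firewall whitelist from monitored client requests (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Preset monitoring window per client service type, following the page's examples:
# a mail service system looks back three months (taken as 90 days here, an assumption)
# and a web browser looks back one week. The type names are assumptions.
PRESET_WINDOW = {
    "mail": timedelta(days=90),
    "browser": timedelta(days=7),
}

# Reference "now" for the stand-alone run and the sample values below (a constructed choice).
REFERENCE_TIME = datetime(2018, 3, 23)

# Constructed request messages as the monitor would capture them when the client launches
# an application. The text only says the message carries the target service's service code
# and the corresponding target IP address; the field names and extra fields are assumptions.
SAMPLE_REQUESTS = [
    {"source_ip": "192.168.0.1", "source_port": 8080, "seen": datetime(2018, 3, 20),
     "service_code": "ORDER-SVC", "target_ip": "192.168.1.1", "target_port": 8080},
    {"source_ip": "192.168.0.1", "source_port": 8080, "seen": datetime(2018, 3, 1),
     "service_code": "PAY-SVC", "target_ip": "192.168.1.2", "target_port": 8080},
    # Seen long before any window: must not end up in the whitelist.
    {"source_ip": "192.168.0.1", "source_port": 8080, "seen": datetime(2017, 6, 1),
     "service_code": "OLD-SVC", "target_ip": "192.168.1.3", "target_port": 8080},
]


def generate_firewall_whitelist(requests, service_type, now=REFERENCE_TIME):
    """Keep the requests inside the preset window for this client's service type and
    build the mapping (source IP, source port) -> sorted list of (target IP, target port).

    An unknown service type raises KeyError rather than silently using no window.
    """
    cutoff = now - PRESET_WINDOW[service_type]
    mapping = defaultdict(set)
    for req in requests:
        if req["seen"] < cutoff:
            continue
        # The service code is a predetermined readable string; drop records without one.
        if not req["service_code"].strip():
            continue
        key = (req["source_ip"], req["source_port"])
        mapping[key].add((req["target_ip"], req["target_port"]))
    # Sorted lists make the stored whitelist deterministic and easy to diff on review.
    return {key: sorted(targets) for key, targets in mapping.items()}


if __name__ == "__main__":
    print(generate_firewall_whitelist(SAMPLE_REQUESTS, "mail"))
    print(generate_firewall_whitelist(SAMPLE_REQUESTS, "browser"))
```

Because the whitelist is derived from whatever the client was observed reaching during the window, it records past behaviour rather than intended policy; before it drives firewall openings, the generated mapping should be compared against the access policy the operator actually wants, which the sorted, deterministic output makes straightforward to diff.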
  • For example, suppose the source IP address of the client is obtained as 192.168.0.1 and the source port information as 8080, and the pre-generated firewall whitelist is traversed based on the source IP address and the source port information.
  • Assume that the query of the firewall whitelist finds that the target IP addresses mapped to the source IP address are 192.168.1.1 and 192.168.1.2, and that the target port information mapped to the source port information is 8080.
  • The list of firewall port information that needs to be opened for the client is then as follows:
  • the first group (192.168.0.1 to 192.168.1.1 8080)
  • the second group (192.168.0.1 to 192.168.1.2 8080)
  • The corresponding multiple threads are started to generate a plurality of HTTP requests that connect to the source IP address 192.168.0.1; if the login success information returned by the client is received, the generated telnet commands for the target IP addresses 192.168.1.1 8080 and 192.168.1.1 8080 are connected respectively, and if the information about a successful connection returned by the service system corresponding to the target IP address is received, it is determined that the firewall is open.
  • The electronic device proposed by the present application obtains the source IP address and source port information of the client after receiving the request for service data sent by the client; traverses the pre-generated firewall whitelist based on the source IP address and the source port information, and queries the firewall whitelist for the target IP address and target port information mapped to the source IP address and the source port information respectively; and, if a mapped target IP address and target port information are found, executes the instruction for verifying that the firewall is open according to the target IP address and the target port information.
  • The firewall opening verification program of the present application may be described in terms of program modules having the corresponding functions, according to the different functions implemented by its various parts.
  • FIG. 2 is a schematic diagram of the program modules of the firewall opening verification program in an embodiment of the electronic device of the present application.
  • The firewall opening verification program may be divided into the acquisition module 201, the query module 202, and the verification module 203 according to the different functions implemented by the respective parts.
  • The program module referred to in the present application is a series of computer program instruction segments capable of performing a specific function, and is better suited than the program as a whole to describing the execution process of the firewall opening verification program in the electronic device 10.
  • The functions or operational steps implemented by the modules 201-203 are similar to those described above and are not described in detail here; by way of example:
  • The acquisition module 201 is configured to obtain the source IP address and the source port information of the client after receiving the request for service data sent by the client.
  • The query module 202 is configured to traverse the pre-generated firewall whitelist based on the source IP address and the source port information, and to query the firewall whitelist for the target IP address and target port information mapped to the source IP address and the source port information respectively.
  • The identification module 203 is configured to, if a target IP address and target port information mapped to the source IP address and the source port information are found, start the corresponding number of threads according to the target IP address and the target port information to execute the instruction for verifying that the firewall is open.
  • The present application also provides a firewall opening verification method.
  • The firewall opening verification method includes the following steps:
  • Step S301: after receiving the request for service data sent by the client, obtaining the source IP address and source port information of the client;
  • Step S302: traversing the pre-generated firewall whitelist based on the source IP address and the source port information, and querying the firewall whitelist for the target IP address and target port information mapped to the source IP address and the source port information respectively;
  • Step S303: if a target IP address and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP address and the target port information, and executing the instruction for verifying that the firewall is open.
  • When the number of target IP addresses and target port information mapped to the source IP address and the source port information is large and exceeds a preset threshold, for convenience a corresponding firewall port information list is generated from the mapping relationship; the corresponding number of threads is then started according to the generated firewall port information list to execute the instruction for verifying that the firewall is open, verifying whether the firewall between each target IP address and target port and the source IP address and source port is open.
  • The firewall opening verification command is sent to the predetermined server node.
  • The firewall whitelist includes the mapping relationship between the source IP address and source port information and the target IP address and target port information.
  • The firewall opening verification method further includes the step of pre-generating the firewall whitelist. The monitoring of the predetermined client, the preset time, the storage of the whitelist in a predetermined database, and the example with source IP address 192.168.0.1 and source port 8080 are the same as described above for the electronic device.
  • The firewall opening verification method of the present application obtains the source IP address and source port information of the client after receiving the request for service data sent by the client; traverses the pre-generated firewall whitelist based on the source IP address and the source port information, and queries the firewall whitelist for the target IP address and target port information mapped to the source IP address and the source port information respectively; and, if a mapped target IP address and target port information are found, starts the corresponding number of threads according to the target IP address and the target port information to execute the instruction for verifying that the firewall is open.
  • The present application further provides a computer readable storage medium on which a firewall opening verification program is stored. When the firewall opening verification program is executed by the processor, the following operations are implemented:
  • querying a pre-generated firewall whitelist based on the source IP address and the source port information, and querying the firewall whitelist for the target IP address and target port information mapped to the source IP address and the source port information respectively;
  • starting the corresponding number of threads according to the target IP address and the target port information, and executing the instruction for verifying that the firewall is open, thereby verifying whether the firewall between each target IP address and target port and the source IP address and source port is open.
  • When the firewall opening verification program is executed by the processor, the following operation is also implemented: the firewall opening verification command is sent to the predetermined server node.
  • When the firewall opening verification program is executed by the processor, the following operation is also implemented: the predetermined client is monitored in real time, or periodically within a preset time; when the client launches an application, the request message sent by the client is captured, and the request message includes the service code information of the target service system.
  • The methods of the foregoing embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware alone, but in many cases the former is the better implementation.
  • Based on this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) that includes a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the methods described in the various embodiments of the present application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Disclosed in the present application are an electronic device, a firewall provisioning verification method, a system and a storage medium. Said method comprises acquiring, upon reception of a request sent by a client for acquiring service data, a source IP address and source port information of the client; and traversing, on the basis of the source IP address and the source port information, a pre-generated firewall white list, and querying, in the firewall white list, a target IP address and target port information which correspond to the source IP address and the source port information, respectively; and if the corresponding target IP address and target port information are obtained by querying, activating, according to the corresponding target IP address and target port information, a corresponding thread count to execute a firewall provisioning verification instruction. This invention improves the efficiency of verifying whether a firewall is provisioned, and improves the verification accuracy.

Description

Electronic device, firewall opening verification method, system and storage medium
This application claims priority to Chinese Patent Application No. 2018102469623, entitled "Electronic Device, Firewall Opening Verification Method, System and Storage Medium", filed with the China Patent Office on March 23, 2018, the entire contents of which are incorporated in this application by reference.
Technical field
The present application relates to the field of Internet security, and in particular to an electronic device, a firewall opening verification method, a system, and a storage medium.
Background
With the development and application of network technology, network security problems have become increasingly serious. To increase the security of network data exchange, a firewall is usually provided between the internal network and the external network. When an internal system calls data from external systems, it needs to verify whether the firewall between the internal system and each external system to be called has been opened.
At present, the commonly used method for verifying whether a firewall has been opened requires manually querying the destination IP address and destination port of each external system the internal system needs to call, simulating an HTTP request to establish a communication channel between the internal system and the external system, and then executing telnet commands in sequence to remotely log in to the external system corresponding to each queried destination IP address and destination port, to verify whether the corresponding firewall is open. Because the whole process relies on manual queries, it is error-prone, its accuracy is low, and verification is inefficient.
Summary of the invention
In view of this, the present application provides an electronic device, a firewall opening verification method, and a storage medium, which can improve the accuracy and efficiency of verifying whether a firewall is open.
首先,为实现上述目的,本申请提出一种电子装置,所述电子装置包括存储器、及与所述存储器连接的处理器,所述处理器用于执行所述存储器上 存储的防火墙开通验证程序,所述防火墙开通验证程序被所述处理器执行时实现如下步骤:First, in order to achieve the above object, the present application provides an electronic device including a memory and a processor connected to the memory, where the processor is configured to execute a firewall opening verification program stored on the memory. When the firewall provisioning verification program is executed by the processor, the following steps are implemented:
A1、接收到客户端发送的获取服务数据的请求后,获取该客户端的源IP地址及源端口信息;A1. After receiving the request for obtaining the service data sent by the client, obtaining the source IP address and source port information of the client;
A2、基于所述源IP地址及所述源端口信息遍历预先生成的防火墙白名单,查询所述防火墙白名单中分别与所述源IP地址及所述源端口信息之间相互映射的目标IP地址及目标端口信息;A2, traversing the pre-generated firewall whitelist based on the source IP address and the source port information, and querying a target IP address mapped to the source IP address and the source port information in the firewall whitelist respectively. And target port information;
A3、若查询到与所述源IP地址及所述源端口信息相互映射的目标IP地址及目标端口信息,则根据所述目标IP地址及所述目标端口信息启动对应的线程数执行验证防火墙开通的指令。A3. If the target IP address and the target port information mapped to the source IP address and the source port information are queried, the corresponding thread number is started according to the target IP address and the target port information, and the verification firewall is opened. Instructions.
In addition, to achieve the above object, the present application also provides a firewall provisioning verification method comprising the following steps:
S1. After receiving a request for service data sent by a client, obtain the source IP address and source port information of that client;
S2. Traverse a pre-generated firewall whitelist using the source IP address and the source port information, and query the whitelist for the target IP address and target port information that are mapped to the source IP address and the source port information respectively;
S3. If a target IP address and target port information mapped to the source IP address and the source port information are found, start the corresponding number of threads according to the target IP address and the target port information and execute the instruction that verifies the firewall opening.
In addition, to achieve the above object, the present application also provides a firewall provisioning verification system comprising an acquisition module, a query module and an identification module;
the acquisition module is configured to obtain the source IP address and source port information of a client after receiving a request for service data sent by that client;
the query module is configured to traverse a pre-generated firewall whitelist using the source IP address and the source port information, and to query the whitelist for the target IP address and target port information that are mapped to the source IP address and the source port information respectively;
the identification module is configured, if a target IP address and target port information mapped to the source IP address and the source port information are found, to start the corresponding number of threads according to the target IP address and the target port information and execute the instruction that verifies the firewall opening.
In addition, to achieve the above object, the present application also provides a computer-readable storage medium storing a firewall provisioning verification program that can be executed by at least one processor so that the at least one processor performs the following steps:
after receiving a request for service data sent by a client, obtaining the source IP address and source port information of that client;
traversing a pre-generated firewall whitelist using the source IP address and the source port information, and querying the whitelist for the target IP address and target port information that are mapped to the source IP address and the source port information respectively;
if a target IP address and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP address and the target port information and executing the instruction that verifies the firewall opening.
The electronic device, firewall provisioning verification method, system and storage medium provided by the present application obtain a client's source IP address and source port information after receiving that client's request for service data; traverse the pre-generated firewall whitelist using the source IP address and source port information and query it for the target IP address and target port information mapped to them; and, if such a target IP address and target port information are found, start the corresponding number of threads according to them and execute the firewall provisioning verification instruction. This improves both the efficiency and the accuracy of verifying whether the firewall is open.
Brief description of the drawings
FIG. 1 is a schematic diagram of an optional hardware architecture of the electronic device proposed by the present application;
FIG. 2 is a schematic diagram of the program modules of the firewall provisioning verification program in one embodiment of the electronic device of the present application;
FIG. 3 is a flow chart of a preferred embodiment of the firewall provisioning verification method of the present application.
The implementation, functional features and advantages of the present application are further described below with reference to the accompanying drawings and embodiments.
Detailed description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present application and are not intended to limit it. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present application without inventive effort fall within the scope of protection of the present application.
It should be noted that descriptions involving "first", "second" and the like in the present application are for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the various embodiments may be combined with one another, but only on the basis that a person of ordinary skill in the art can implement the combination; where a combination of technical solutions is contradictory or cannot be implemented, that combination should be regarded as non-existent and as outside the scope of protection claimed by the present application.
Referring to FIG. 1, which is a schematic diagram of an optional hardware architecture of the electronic device proposed by the present application. In this embodiment the electronic device 10 may include, but is not limited to, a memory 11, a processor 12 and a network interface 13 that are communicatively connected to one another through a communication bus 14. Note that FIG. 1 only shows the electronic device 10 with the components 11-14; it should be understood that not all of the illustrated components need to be implemented, and that more or fewer components may be implemented instead.
The memory 11 includes at least one type of computer-readable storage medium, which includes flash memory, hard disk, multimedia card, card-type memory (for example SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disk and the like. In some embodiments the memory 11 may be an internal storage unit of the electronic device 10, such as its hard disk or main memory. In other embodiments the memory 11 may also be an external storage device of the electronic device 10, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the electronic device 10. Of course, the memory 11 may also include both the internal storage unit of the electronic device 10 and its external storage device. In this embodiment the memory 11 is generally used to store the operating system installed on the electronic device 10 and various application software, such as the firewall provisioning verification program. The memory 11 may also be used to temporarily store data that has been output or is to be output.
The processor 12 may in some embodiments be a central processing unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip. The processor 12 is generally used to control the overall operation of the electronic device 10. In this embodiment the processor 12 is used to run the program code stored in the memory 11 or to process data, for example to run the firewall provisioning verification program.
The network interface 13 may include a wireless network interface or a wired network interface, and is generally used to establish communication connections between the electronic device 10 and other electronic devices.
The communication bus 14 is used to implement the communication connections between the components 11-13.
FIG. 1 shows only the electronic device 10 with the components 11-14 and the firewall provisioning verification program; it should be understood that not all of the illustrated components need to be implemented, and that more or fewer components may be implemented instead.
Optionally, the electronic device 10 may further include a user interface (not shown in FIG. 1), which may include a display and an input unit such as a keyboard; the user interface may also include a standard wired interface, a wireless interface and the like.
Optionally, in some embodiments the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED touch display or the like. The display may also be called a display screen or display unit and is used to show the information processed in the electronic device 10 and to present a visual user interface.
In one embodiment, when the firewall provisioning verification program stored in the memory 11 is executed by the processor 12, the following operations are implemented:
after receiving a request for service data sent by a client, obtaining the source IP address and source port information of that client;
traversing a pre-generated firewall whitelist using the source IP address and the source port information, and querying the whitelist for the target IP address and target port information that are mapped to the source IP address and the source port information respectively;
if a target IP address and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP address and target port information and executing the instruction that verifies the firewall opening.
It should be noted that in some embodiments of the present application, when the number of target IP addresses and target port information mapped to the source IP address and source port information is large and exceeds a preset threshold, a corresponding firewall port information list is generated from the mapping relationships for convenience; the corresponding number of threads is then started according to the generated firewall port information list to execute the firewall provisioning verification instruction, verifying whether the firewall between each target IP address and target port and the source IP address and source port is open.
Alternatively, in another embodiment of the present application, if no target IP address and target port information corresponding to the source IP address and source port information can be found, a firewall provisioning verification instruction is sent to a predetermined server node.
It should be noted that the firewall whitelist comprises the mapping relationships between source IP address and source port information on the one hand and target IP address and target port information on the other. When the firewall provisioning verification program stored in the memory 11 is executed by the processor 12, it also performs a step of generating the firewall whitelist in advance, which comprises:
monitoring predetermined clients in real time or periodically within a preset time and, when a client is observed to start an application, listening for the request message sent by that client, the request message containing the service code information of the target service system and the target IP address corresponding to that service code information;
In this embodiment the preset time may be set automatically according to the service type of the predetermined client. For example, if the predetermined client is a mail service system, the preset time may be set to the last three months or the last month; if the predetermined client is a web browser, the preset time may be set to the last week, and so on. The service code information of the target service system is a predetermined readable string.
obtaining the target port information of the target IP address corresponding to the captured service code information, generating the mapping relationship between the captured target IP address and obtained target port information and the client's source IP address and source port information, and writing that mapping relationship into the firewall whitelist.
Further, the firewall whitelist is stored in a predetermined database.
For example, in one embodiment, after a request for service data is received from a client, the client's source IP address is found to be 192.168.0.1 and its source port information 8080. Traversing the pre-generated firewall whitelist using this source IP address and source port information, suppose the target IP addresses mapped to the source IP address are 192.168.1.1 and 192.168.1.2 and the target port information mapped to the source port is 8080; the list of firewall port information that needs to be open for this client is then generated as follows:
Group 1 (192.168.0.1 to 192.168.1.1 8080)
Group 2 (192.168.0.1 to 192.168.1.2 8080)
Based on this firewall port information list, the corresponding threads are started to generate, in parallel, HTTP requests that connect to the source IP address and log in to the source IP address 192.168.0.1. If the client returns login-success information, telnet commands are generated that connect to the target 192.168.1.1 port 8080 and the target 192.168.1.2 port 8080 respectively; if the service system corresponding to a target IP address returns connection-success information, the firewall opening for that target is determined to be in place.
As the above embodiment shows, the electronic device proposed by the present application obtains a client's source IP address and source port information after receiving that client's request for service data; traverses the pre-generated firewall whitelist using the source IP address and source port information and queries it for the target IP address and target port information mapped to them; and, if such a target IP address and target port information are found, starts the corresponding number of threads according to them and executes the firewall provisioning verification instruction. This improves both the efficiency and the accuracy of verifying whether the firewall is open.
It should further be noted that the firewall provisioning verification program of the present application may be described in terms of program modules having the same functions as its respective parts. FIG. 2 is a schematic diagram of the program modules of the firewall provisioning verification program in one embodiment of the electronic device of the present application. In this embodiment the firewall provisioning verification program may be divided, according to the functions implemented by its parts, into an acquisition module 201, a query module 202 and an identification (verification) module 203. As can be seen from the above description, a program module in the present application means a series of computer program instruction segments capable of performing a specific function, and is better suited than the program as a whole for describing the execution of the firewall provisioning verification program in the electronic device 10. The functions or operational steps implemented by the modules 201-203 are similar to those described above and are not detailed again here; by way of example:
the acquisition module 201 is configured to obtain the source IP address and source port information of a client after receiving a request for service data sent by that client;
the query module 202 is configured to traverse a pre-generated firewall whitelist using the source IP address and the source port information, and to query the whitelist for the target IP address and target port information that are mapped to the source IP address and the source port information respectively;
the identification module 203 is configured, if a target IP address and target port information mapped to the source IP address and the source port information are found, to start the corresponding number of threads according to the target IP address and target port information and execute the firewall provisioning verification instruction.
In addition, the present application also proposes a firewall provisioning verification method; referring to FIG. 3, the firewall provisioning verification method comprises the following steps:
Step S301: after receiving a request for service data sent by a client, obtain the source IP address and source port information of that client;
Step S302: traverse a pre-generated firewall whitelist using the source IP address and the source port information, and query the whitelist for the target IP address and target port information that are mapped to the source IP address and the source port information respectively;
Step S303: if a target IP address and target port information mapped to the source IP address and the source port information are found, start the corresponding number of threads according to the target IP address and target port information and execute the firewall provisioning verification instruction.
It should be noted that in some embodiments of the present application, when the number of target IP addresses and target port information mapped to the source IP address and source port information is large and exceeds a preset threshold, a corresponding firewall port information list is generated from the mapping relationships for convenience; the corresponding number of threads is then started according to the generated firewall port information list to execute the firewall provisioning verification instruction, verifying whether the firewall between each target IP address and target port and the source IP address and source port is open.
Alternatively, in another embodiment of the present application, if no target IP address and target port information corresponding to the source IP address and source port information can be found, a firewall provisioning verification instruction is sent to a predetermined server node.
It should be noted that in the various embodiments of the present application the firewall whitelist comprises the mapping relationships between source IP address and source port information on the one hand and target IP address and target port information on the other, and the firewall provisioning verification method further comprises a step of generating the firewall whitelist in advance, which comprises:
monitoring predetermined clients in real time or periodically within a preset time and, when a client is observed to start an application, listening for the request message sent by that client, the request message containing the service code information of the target service system and the target IP address corresponding to that service code information;
obtaining the target port information of the target IP address corresponding to the captured service code information, generating the mapping relationship between the captured target IP address and obtained target port information and the client's source IP address and source port information, and writing that mapping relationship into the firewall whitelist.
In this embodiment the preset time may be set automatically according to the service type of the predetermined client. For example, if the predetermined client is a mail service system, the preset time may be set to the last three months or the last month; if the predetermined client is a web browser, the preset time may be set to the last week, and so on. The service code information of the target service system is a predetermined readable string.
Further, the firewall whitelist is stored in a predetermined database.
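The whitelist-generation steps above (given once for the electronic device and again here for the method) can be carried out as follows. This is an added example written for this page, not code from the application: the captured request messages, the service-code-to-port table and the per-client-type monitoring windows are constructed assumptions, and build_whitelist, WINDOW_BY_CLIENT_TYPE and PORT_BY_SERVICE_CODE are invented names. Beyond what the text states, it also drops messages whose addresses or ports are malformed or whose service code is unknown, since a whitelist assembled from observed client traffic should not admit entries that the verification step cannot act on.

```python
"""Build the firewall whitelist from observed client request messages.

Added example, not the application's code. Messages, the service-code
table and the monitoring windows are constructed for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumed: the preset monitoring window depends on the client's service type
# (the text gives "last three months" for a mail system, "last week" for a browser).
WINDOW_BY_CLIENT_TYPE = {"mail": timedelta(days=90), "browser": timedelta(days=7)}

# Assumed: service code -> target port, i.e. the "target port information
# corresponding to the service code" that the text obtains.
PORT_BY_SERVICE_CODE = {"SVC-ORDER": 8080, "SVC-PAY": 8443}


def build_whitelist(messages, client_type, now):
    """Return {(src_ip, src_port): sorted [(dst_ip, dst_port), ...]}.

    Only messages inside the preset window for this client type are used;
    unknown service codes, malformed addresses and out-of-range ports are
    skipped rather than written into the whitelist.
    """
    cutoff = now - WINDOW_BY_CLIENT_TYPE[client_type]
    whitelist = {}
    for m in messages:
        if m["ts"] < cutoff:
            continue
        dst_port = PORT_BY_SERVICE_CODE.get(m["service_code"])
        if dst_port is None:
            continue
        try:
            src_ip = str(ipaddress.ip_address(m["src_ip"]))
            dst_ip = str(ipaddress.ip_address(m["target_ip"]))
        except ValueError:
            continue
        if not 0 < m["src_port"] < 65536:
            continue
        # A set per source dedups repeated requests to the same target.
        whitelist.setdefault((src_ip, m["src_port"]), set()).add((dst_ip, dst_port))
    return {src: sorted(targets) for src, targets in whitelist.items()}


# Constructed sample of captured request messages (not real traffic).
NOW = datetime(2018, 8, 21, 12, 0, 0)
SAMPLE_MESSAGES = [
    {"ts": NOW - timedelta(days=1), "src_ip": "192.168.0.1", "src_port": 8080,
     "service_code": "SVC-ORDER", "target_ip": "192.168.1.1"},
    {"ts": NOW - timedelta(days=2), "src_ip": "192.168.0.1", "src_port": 8080,
     "service_code": "SVC-ORDER", "target_ip": "192.168.1.2"},
    # repeat of the first message: must not produce a second entry
    {"ts": NOW - timedelta(hours=3), "src_ip": "192.168.0.1", "src_port": 8080,
     "service_code": "SVC-ORDER", "target_ip": "192.168.1.1"},
    # older than the 7-day browser window, inside the 90-day mail window
    {"ts": NOW - timedelta(days=30), "src_ip": "192.168.0.1", "src_port": 8080,
     "service_code": "SVC-PAY", "target_ip": "192.168.1.3"},
    # unknown service code and malformed target address: both skipped
    {"ts": NOW, "src_ip": "192.168.0.1", "src_port": 8080,
     "service_code": "SVC-NOPE", "target_ip": "192.168.1.4"},
    {"ts": NOW, "src_ip": "192.168.0.1", "src_port": 8080,
     "service_code": "SVC-ORDER", "target_ip": "192.168.1.999"},
]

if __name__ == "__main__":
    for client_type in ("browser", "mail"):
        print(client_type, build_whitelist(SAMPLE_MESSAGES, client_type, NOW))
```

Run directly, the browser window yields the two 192.168.1.1/192.168.1.2 entries of the worked example, while the mail window additionally admits the 30-day-old SVC-PAY request; the malformed and unknown-code messages never reach the whitelist in either case.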
For example, in one embodiment, after a request for service data is received from a client, the client's source IP address is found to be 192.168.0.1 and its source port information 8080. Traversing the pre-generated firewall whitelist using this source IP address and source port information, suppose the target IP addresses mapped to the source IP address are 192.168.1.1 and 192.168.1.2 and the target port information mapped to the source port is 8080; the list of firewall port information that needs to be open for this client is then generated as follows:
Group 1 (192.168.0.1 to 192.168.1.1 8080)
Group 2 (192.168.0.1 to 192.168.1.2 8080)
Based on this firewall port information list, the corresponding threads are started to generate, in parallel, HTTP requests that connect to the source IP address and log in to the source IP address 192.168.0.1. If the client returns login-success information, telnet commands are generated that connect to the target 192.168.1.1 port 8080 and the target 192.168.1.2 port 8080 respectively; if the service system corresponding to a target IP address returns connection-success information, the firewall opening for that target is determined to be in place.
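The verification in the worked example above (given for the electronic device and repeated here for the method) can be implemented as below. This is an added example, not the application's program: the telnet step is replaced by a plain TCP connect with a timeout, the whitelist and the target systems are constructed (loopback listeners, so the code runs offline), the HTTP login to the source host is not reproduced, and LIST_THRESHOLD, lookup, build_port_info_list, check_one, verify and the fallback callback standing in for the predetermined server node are invented names. The example also separates a refused connection from a timeout, a distinction the text does not make but which a practitioner needs: a refusal means the packets reached the target host, so the firewall opening exists and it is the service that is not listening, whereas a timeout is what a dropping firewall typically produces.

```python
"""Concurrent firewall-opening verification driven by a whitelist lookup.

Added example, not the application's code. Whitelist, targets and the
fallback node are constructed; a TCP connect stands in for telnet.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumed shape of the pre-generated whitelist: (src_ip, src_port) -> [(dst_ip, dst_port), ...]
WHITELIST = {("192.168.0.1", 8080): [("192.168.1.1", 8080), ("192.168.1.2", 8080)]}

# Assumed threshold: above this many mappings the port-information list is
# checked with one thread per entry (the text leaves the value open).
LIST_THRESHOLD = 1


def lookup(whitelist, src_ip, src_port):
    """Step 2: the target (ip, port) pairs mapped to this source, [] if none."""
    return list(whitelist.get((src_ip, src_port), []))


def build_port_info_list(src_ip, src_port, targets):
    """The 'firewall port information list': one (source, target) group per target."""
    return [((src_ip, src_port), (dst_ip, dst_port)) for dst_ip, dst_port in targets]


def check_one(dst_ip, dst_port, timeout=2.0):
    """TCP connect in place of telnet: 'open', 'refused', 'timeout' or 'error'.

    'refused' means a RST came back, so the path through the firewall exists
    but nothing listens; 'timeout' is what a dropping firewall usually looks like.
    """
    try:
        with socket.create_connection((dst_ip, dst_port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def verify(whitelist, src_ip, src_port, fallback, timeout=2.0):
    """Step 3: check every mapped target concurrently; with no mapping, hand
    the source to the predetermined verification node (the fallback callback)."""
    targets = lookup(whitelist, src_ip, src_port)
    if not targets:
        return fallback(src_ip, src_port)
    groups = build_port_info_list(src_ip, src_port, targets)
    workers = len(groups) if len(groups) > LIST_THRESHOLD else 1
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda g: check_one(g[1][0], g[1][1], timeout), groups)
        return {f"{dst[0]}:{dst[1]}": r for (_, dst), r in zip(groups, results)}


def start_listener():
    """Constructed target system: accept and close connections on a loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """A loopback port with nothing listening (constructed 'service down' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run both cases of the text: mappings found, and no mapping found."""
    srv, open_port = start_listener()
    closed_port = free_port()
    whitelist = {("127.0.0.1", 8080): [("127.0.0.1", open_port), ("127.0.0.1", closed_port)]}
    forwarded = []

    def fallback(src_ip, src_port):
        forwarded.append((src_ip, src_port))
        return {"forwarded_to": "verification-node"}

    found = verify(whitelist, "127.0.0.1", 8080, fallback)
    missing = verify(whitelist, "10.0.0.9", 9000, fallback)
    srv.close()
    return found, missing, forwarded, open_port, closed_port


if __name__ == "__main__":
    print(demo())
```

Run directly, it reports one loopback target as open and one as refused, and shows the unknown source being handed to the fallback node. Against a real whitelist the check has to be executed from the client's own source address, because the firewall rule being verified is keyed on that source; running it from the verification host itself would test a different rule.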
As the above embodiment shows, the firewall provisioning verification method proposed by the present application obtains a client's source IP address and source port information after receiving that client's request for service data; traverses the pre-generated firewall whitelist using the source IP address and source port information and queries it for the target IP address and target port information mapped to them; and, if such a target IP address and target port information are found, starts the corresponding number of threads according to them and executes the firewall provisioning verification instruction. This improves both the efficiency and the accuracy of verifying whether the firewall is open.
In addition, the present application also proposes a computer-readable storage medium on which a firewall provisioning verification program is stored; when executed by a processor, the firewall provisioning verification program implements the following operations:
after receiving a request for service data sent by a client, obtaining the source IP address and source port information of that client;
traversing a pre-generated firewall whitelist using the source IP address and the source port information, and querying the whitelist for the target IP address and target port information that are mapped to the source IP address and the source port information respectively;
if a target IP address and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP address and target port information and executing the firewall provisioning verification instruction in those threads in parallel, verifying whether the firewall between each target IP address and target port and the source IP address and source port is open.
进一步地,所述防火墙开通验证程序被处理器执行时还实现如下操作:Further, when the firewall provisioning verification program is executed by the processor, the following operations are also implemented:
若查询不到所述源IP地址及所述源端口信息对应的目标IP地址及目标端口信息,则向预先确定的服务器节点发送防火墙开通验证指令。If the source IP address and the target IP address and the target port information corresponding to the source port information are not queried, the firewall opening verification command is sent to the predetermined server node.
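The lookup-and-probe sequence above (whitelist query, one thread per mapped target, and the fallback to a predetermined server node when the source is not in the whitelist), as an added example that is not code from the patent or its applicant. It assumes an in-memory dict as the whitelist, a TCP connect() as the "verify firewall opening instruction" (the patent does not say what that instruction does), a callback standing in for the predetermined server node, and loopback listeners constructed locally so it runs offline. One practical caveat: an ordinary client connection uses an ephemeral source port, so a whitelist keyed on (source IP, source port) only matches if clients bind a fixed source port; the example keeps the patent's key as written.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]                  # (ip, port)
Row = Tuple[str, int, str, int]             # (src_ip, src_port, dst_ip, dst_port)
Whitelist = Dict[Endpoint, List[Endpoint]]  # (src_ip, src_port) -> targets


def build_whitelist(rows: List[Row]) -> Whitelist:
    """Assumed in-memory form of the pre-generated whitelist; duplicate rows collapse."""
    wl: Whitelist = {}
    for src_ip, src_port, dst_ip, dst_port in rows:
        targets = wl.setdefault((src_ip, src_port), [])
        if (dst_ip, dst_port) not in targets:
            targets.append((dst_ip, dst_port))
    return wl


def lookup_targets(wl: Whitelist, src_ip: str, src_port: int) -> List[Endpoint]:
    """Step A2/S2: the targets mapped to this (source IP, source port)."""
    return list(wl.get((src_ip, src_port), []))


def port_list(src_ip: str, src_port: int, targets: List[Endpoint]) -> List[Row]:
    """Claim 3/8 variant: the firewall port information list, one row per target."""
    return [(src_ip, src_port, dst_ip, dst_port) for dst_ip, dst_port in targets]


def probe_tcp(dst_ip: str, dst_port: int, timeout: float = 1.0) -> bool:
    """Assumed verification primitive: does a TCP connect() to the target complete?
    A silently dropping firewall shows as a timeout, an unlistened port as a
    refusal; both are reported as "not open" since the path is unusable either way."""
    try:
        with socket.create_connection((dst_ip, dst_port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_provisioning(wl: Whitelist, src_ip: str, src_port: int,
                        escalate: Callable[[str, int], None],
                        timeout: float = 1.0) -> Optional[Dict[Endpoint, bool]]:
    """Steps A1-A3 plus the claim-2 fallback: {target: is_open} for a whitelisted
    source; otherwise the instruction goes to the predetermined server node
    (modelled by the escalate callback) and None is returned."""
    targets = lookup_targets(wl, src_ip, src_port)
    if not targets:
        escalate(src_ip, src_port)
        return None
    rows = port_list(src_ip, src_port, targets)
    # One worker per row is the "corresponding number of threads" of step A3:
    # every target is probed at the same time, not one after another.
    with ThreadPoolExecutor(max_workers=len(rows)) as pool:
        verdicts = list(pool.map(lambda r: probe_tcp(r[2], r[3], timeout), rows))
    return {(r[2], r[3]): ok for r, ok in zip(rows, verdicts)}


# Constructed loopback fixtures so the example runs offline; not real targets.
def open_local_listener() -> Tuple[socket.socket, int]:
    """A listener on an ephemeral loopback port stands in for an open target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Reserve, then release, a loopback port so a connect() to it is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> dict:
    """Run one whitelisted source and one unknown source through the check."""
    srv, open_port = open_local_listener()
    blocked_port = closed_local_port()
    escalations: List[Endpoint] = []

    def to_server_node(ip: str, port: int) -> None:  # assumed server-node hand-off
        escalations.append((ip, port))

    try:
        wl = build_whitelist([
            ("10.0.0.5", 51000, "127.0.0.1", open_port),
            ("10.0.0.5", 51000, "127.0.0.1", blocked_port),
            ("10.0.0.5", 51000, "127.0.0.1", open_port),  # duplicate row
        ])
        known = verify_provisioning(wl, "10.0.0.5", 51000, to_server_node)
        unknown = verify_provisioning(wl, "10.0.0.9", 40000, to_server_node)
    finally:
        srv.close()
    return {"known": known, "unknown": unknown, "escalations": escalations,
            "open_port": open_port, "blocked_port": blocked_port}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The probe reports a refused and a dropped connection identically; if you need to tell a firewall drop from an unlistened port (the distinction matters when the rule was provisioned but the service is down), record the exception type or the elapsed time per target instead of a bare boolean.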
Further, when the firewall provisioning verification program is executed by the processor, it also implements the following operations:
monitoring predetermined clients in real time or at intervals within a preset period; if a client is observed to launch an application, listening for the request message sent by that client, the request message including the service code information of the target service system and the IP address corresponding to that service code information;
obtaining the port information of the IP address corresponding to the monitored service code information, generating a mapping between the monitored IP address and obtained port information on the one hand and the client's source IP address and source port information on the other, and writing that mapping into the firewall whitelist.
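The whitelist-construction step above, as an added example (not the patent's own code). It assumes the monitored request message is a JSON object with `service_code` and `target_ip` fields, that the target port is taken from an assumed service-code registry, and that the client's source IP and port are already known from the socket the message arrived on. The readable-string constraint on the service code (claim 5) is made concrete with an assumed pattern, and messages that fail it or carry a malformed IP are rejected rather than written into the whitelist, since a whitelist entry later drives what gets probed.

```python
import ipaddress
import json
import re
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
Whitelist = Dict[Endpoint, List[Endpoint]]  # (src_ip, src_port) -> targets

# Assumed registry: service code -> port the target service system listens on.
SERVICE_PORTS = {"PAY-CORE": 8443, "USER-API": 9000}

# Claim 5 says the service code is a predetermined readable string; this
# pattern is an assumed concrete form of that rule.
SERVICE_CODE_RE = re.compile(r"^[A-Z][A-Z0-9-]{2,31}$")


def parse_request(raw: bytes) -> Tuple[str, str]:
    """Pull (service_code, target_ip) out of one monitored request message.
    Raises ValueError when the code is not a readable string or the IP is
    malformed, so junk never reaches the whitelist."""
    msg = json.loads(raw.decode("utf-8"))
    if not isinstance(msg, dict):
        raise ValueError("request message is not an object")
    code = msg.get("service_code")
    if not isinstance(code, str) or not SERVICE_CODE_RE.match(code):
        raise ValueError(f"invalid service code: {code!r}")
    target_ip = str(ipaddress.ip_address(msg.get("target_ip")))
    return code, target_ip


def resolve_port(service_code: str) -> int:
    """Port information for the service code, from the assumed registry."""
    if service_code not in SERVICE_PORTS:
        raise ValueError(f"unknown service code: {service_code}")
    return SERVICE_PORTS[service_code]


def record_mapping(wl: Whitelist, src: Endpoint, raw: bytes) -> Endpoint:
    """Write the source -> target mapping for one monitored request."""
    code, target_ip = parse_request(raw)
    target = (target_ip, resolve_port(code))
    targets = wl.setdefault(src, [])
    if target not in targets:  # the same request seen twice adds nothing
        targets.append(target)
    return target


def ingest(messages: List[Tuple[Endpoint, bytes]]) -> Tuple[Whitelist, List[str]]:
    """Build the whitelist from (client_source, message) pairs; returns the
    whitelist and one reason line per rejected message."""
    wl: Whitelist = {}
    rejected: List[str] = []
    for src, raw in messages:
        try:
            record_mapping(wl, src, raw)
        except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError included
            rejected.append(f"{src[0]}:{src[1]} {exc}")
    return wl, rejected


# Constructed sample of monitored messages; not captured traffic.
SAMPLE_MESSAGES: List[Tuple[Endpoint, bytes]] = [
    (("10.0.0.5", 51000), b'{"service_code": "PAY-CORE", "target_ip": "10.1.2.3"}'),
    (("10.0.0.5", 51000), b'{"service_code": "PAY-CORE", "target_ip": "10.1.2.3"}'),
    (("10.0.0.5", 51000), b'{"service_code": "USER-API", "target_ip": "10.1.2.4"}'),
    (("10.0.0.7", 52000), b'{"service_code": "../etc", "target_ip": "10.1.2.3"}'),
    (("10.0.0.7", 52000), b'{"service_code": "PAY-CORE", "target_ip": "10.1.2.999"}'),
    (("10.0.0.8", 53000), b'not a json object'),
]

if __name__ == "__main__":
    whitelist, rejected = ingest(SAMPLE_MESSAGES)
    for src, targets in whitelist.items():
        print(src, "->", targets)
    for line in rejected:
        print("rejected:", line)
```

Because the whitelist is populated from what clients send, the validation here is the only thing standing between a client-controlled string and a later probe target; keep the registry (service code to port) on the verifier's side rather than trusting a port field in the message.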
The specific embodiments of the computer-readable storage medium of the present application are substantially the same as those of the electronic device and the firewall provisioning verification method described above, and are not repeated here.
The serial numbers of the above embodiments of the present application are for description only and do not indicate the relative merits of the embodiments.
From the description of the above embodiments, those skilled in the art will understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. On that understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to perform the methods described in the embodiments of the present application.
The above are only preferred embodiments of the present application and do not limit its patent scope; any equivalent structural or process transformation made using the content of the specification and drawings of the present application, or any direct or indirect application in other related technical fields, is likewise included in the scope of patent protection of the present application.

Claims (20)

  1. An electronic device, characterized in that the electronic device comprises a memory and a processor connected to the memory, the processor being configured to execute a firewall provisioning verification program stored in the memory, and the firewall provisioning verification program, when executed by the processor, implementing the following steps:
    A1. after receiving a request from a client to obtain service data, obtaining the client's source IP address and source port information;
    A2. traversing a pre-generated firewall whitelist on the basis of the source IP address and the source port information, and querying the firewall whitelist for the target IP addresses and target port information mapped respectively to the source IP address and the source port information;
    A3. if target IP addresses and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP addresses and the target port information and executing the instruction that verifies firewall provisioning.
  2. The electronic device according to claim 1, characterized in that step A3 can be replaced by the following step:
    if no target IP address and target port information corresponding to the source IP address and the source port information is found, sending a firewall provisioning verification instruction to a predetermined server node.
  3. The electronic device according to claim 1, characterized in that step A3 can be replaced by the following step:
    if target IP addresses and target port information mapped to the source IP address and the source port information are found, generating a firewall port information list from the source IP address, the source port information and the target IP addresses and target port information found, and starting the corresponding number of threads according to the generated firewall port information list to execute the instruction that verifies firewall provisioning.
  4. The electronic device according to claim 1, characterized in that, in step A2, the firewall whitelist comprises mappings between source IP addresses and source port information on the one hand and target IP addresses and target port information on the other, and the firewall provisioning verification program, when executed by the processor, further implements the following steps:
    monitoring predetermined clients in real time or at intervals within a preset period; if a client is observed to launch an application, listening for the request message sent by that client, the request message including the service code information of the target service system and the target IP address corresponding to that service code information;
    obtaining the target port information corresponding to the monitored target IP address, generating a mapping between the monitored target IP address and obtained target port information on the one hand and the client's source IP address and source port information on the other, and writing that mapping into the firewall whitelist.
  5. The electronic device according to claim 4, characterized in that the service code information of the target service system is a predetermined readable character string.
  6. A firewall provisioning verification method, characterized in that the method comprises the following steps:
    S1. after receiving a request from a client to obtain service data, obtaining the client's source IP address and source port information;
    S2. traversing a pre-generated firewall whitelist on the basis of the source IP address and the source port information, and querying the firewall whitelist for the target IP addresses and target port information mapped respectively to the source IP address and the source port information;
    S3. if target IP addresses and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP addresses and the target port information and executing the instruction that verifies firewall provisioning.
  7. The firewall provisioning verification method according to claim 6, characterized in that step S3 can be replaced by the following step:
    if no target IP address and target port information corresponding to the source IP address and the source port information is found, sending a firewall provisioning verification instruction to a predetermined server node.
  8. The firewall provisioning verification method according to claim 6, characterized in that step S3 can be replaced by the following step:
    if target IP addresses and target port information mapped to the source IP address and the source port information are found, generating a firewall port information list from the source IP address, the source port information and the target IP addresses and target port information found, and starting the corresponding number of threads according to the generated firewall port information list to execute the instruction that verifies firewall provisioning.
  9. The firewall provisioning verification method according to claim 6, characterized in that, in step S2, the firewall whitelist comprises mappings between source IP addresses and source port information on the one hand and target IP addresses and target port information on the other, and the method further comprises the following steps:
    monitoring predetermined clients in real time or at intervals within a preset period; if a client is observed to launch an application, listening for the request message sent by that client, the request message including the service code information of the target service system and the target IP address corresponding to that service code information;
    obtaining the target port information corresponding to the monitored target IP address, generating a mapping between the monitored target IP address and obtained target port information on the one hand and the client's source IP address and source port information on the other, and writing that mapping into the firewall whitelist.
  10. The firewall provisioning verification method according to claim 4, characterized in that the service code information of the target service system is a predetermined readable character string.
  11. A firewall provisioning verification system, characterized in that the system comprises an acquisition module, a query module and an identification module;
    the acquisition module is configured to obtain the client's source IP address and source port information after receiving a request from the client to obtain service data;
    the query module is configured to traverse a pre-generated firewall whitelist on the basis of the source IP address and the source port information, and to query the firewall whitelist for the target IP addresses and target port information mapped respectively to the source IP address and the source port information;
    the identification module is configured, if target IP addresses and target port information mapped to the source IP address and the source port information are found, to start the corresponding number of threads according to the target IP addresses and the target port information and execute the instruction that verifies firewall provisioning.
  12. The firewall provisioning verification system according to claim 6, characterized in that the identification module is further configured, if no target IP address and target port information corresponding to the source IP address and the source port information is found, to send a firewall provisioning verification instruction to a predetermined server node.
  13. The firewall provisioning verification system according to claim 10, characterized in that the identification module is further configured, if target IP addresses and target port information mapped to the source IP address and the source port information are found, to generate a firewall port information list from the source IP address, the source port information and the target IP addresses and target port information found, and to start the corresponding number of threads according to the generated firewall port information list to execute the instruction that verifies firewall provisioning.
  14. The firewall provisioning verification method according to claim 10, characterized in that the firewall whitelist comprises mappings between source IP addresses and source port information on the one hand and target IP addresses and target port information on the other, and the system further comprises a listening module, the listening module being configured to monitor predetermined clients in real time or at intervals within a preset period and, if a client is observed to launch an application, to listen for the request message sent by that client, the request message including the service code information of the target service system and the target IP address corresponding to that service code information;
    and to obtain the target port information corresponding to the monitored target IP address, generate a mapping between the monitored target IP address and obtained target port information on the one hand and the client's source IP address and source port information on the other, and write that mapping into the firewall whitelist.
  15. The firewall provisioning verification method according to claim 14, characterized in that the service code information of the target service system is a predetermined readable character string.
  16. A computer-readable storage medium, the computer-readable storage medium storing a firewall provisioning verification program, the firewall provisioning verification program being executable by at least one processor to cause the at least one processor to perform the following steps:
    after receiving a request from a client to obtain service data, obtaining the client's source IP address and source port information;
    traversing a pre-generated firewall whitelist on the basis of the source IP address and the source port information, and querying the firewall whitelist for the target IP addresses and target port information mapped respectively to the source IP address and the source port information;
    if target IP addresses and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP addresses and the target port information and executing the instruction that verifies firewall provisioning.
  17. The storage medium according to claim 16, characterized in that the step A3 of, if target IP addresses and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP addresses and the target port information and executing the instruction that verifies firewall provisioning can be replaced by the following step:
    if no target IP address and target port information corresponding to the source IP address and the source port information is found, sending a firewall provisioning verification instruction to a predetermined server node.
  18. The storage medium according to claim 16, characterized in that the step of, if target IP addresses and target port information mapped to the source IP address and the source port information are found, starting the corresponding number of threads according to the target IP addresses and the target port information and executing the instruction that verifies firewall provisioning can be replaced by the following step:
    if target IP addresses and target port information mapped to the source IP address and the source port information are found, generating a firewall port information list from the source IP address, the source port information and the target IP addresses and target port information found, and starting the corresponding number of threads according to the generated firewall port information list to execute the instruction that verifies firewall provisioning.
  19. The storage medium according to claim 16, characterized in that the firewall whitelist comprises mappings between source IP addresses and source port information on the one hand and target IP addresses and target port information on the other, and the firewall provisioning verification program, when executed by the processor, further implements the following steps:
    monitoring predetermined clients in real time or at intervals within a preset period; if a client is observed to launch an application, listening for the request message sent by that client, the request message including the service code information of the target service system and the target IP address corresponding to that service code information;
    obtaining the target port information corresponding to the monitored target IP address, generating a mapping between the monitored target IP address and obtained target port information on the one hand and the client's source IP address and source port information on the other, and writing that mapping into the firewall whitelist.
  20. The storage medium according to claim 19, characterized in that the service code information of the target service system is a predetermined readable character string.
PCT/CN2018/102094 2018-03-23 2018-08-24 Electronic device, firewall provisioning verification method, system and storage medium WO2019179027A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810246962.3A CN108494771B (en) 2018-03-23 2018-03-23 Electronic device, firewall opening verification method and storage medium
CN201810246962.3 2018-03-23

Publications (1)

Publication Number Publication Date
WO2019179027A1 true WO2019179027A1 (en) 2019-09-26

Family

ID=63319543

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/102094 WO2019179027A1 (en) 2018-03-23 2018-08-24 Electronic device, firewall provisioning verification method, system and storage medium

Country Status (2)

Country Link
CN (1) CN108494771B (en)
WO (1) WO2019179027A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140157356A1 (en) * 2012-11-30 2014-06-05 Electronics And Telecommunications Research Institute Firewall policy inspection apparatus and method
CN105071991A (en) * 2015-08-11 2015-11-18 携程计算机技术(上海)有限公司 Method for testing IP (Internet Protocol) connectivity of plurality of firewalls
CN107786636A (en) * 2017-09-26 2018-03-09 平安科技(深圳)有限公司 Private line network building method and system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090070853A1 (en) * 2007-09-12 2009-03-12 International Business Machines Corporation Security Policy Validation For Web Services
CN103905406B (en) * 2012-12-28 2017-09-12 中国移动通信集团公司 A kind of detection method and device of the firewall policy that fails
CN103905407A (en) * 2012-12-28 2014-07-02 中国移动通信集团公司 Method and device for firewall access control strategy analysis
CN105245393B (en) * 2014-06-30 2018-11-02 中国移动通信集团公司 A kind of fire wall performance test method and device
CN104580157B (en) * 2014-12-14 2017-12-12 中国航天科工集团第二研究院七〇六所 A kind of tactful validity intelligent verification method based on dynamic construction message technology
US9843560B2 (en) * 2015-09-11 2017-12-12 International Business Machines Corporation Automatically validating enterprise firewall rules and provisioning firewall rules in computer systems
CN105871919A (en) * 2016-06-12 2016-08-17 北京六间房科技有限公司 Network application firewall system and realization method thereof

Also Published As

Publication number Publication date
CN108494771A (en) 2018-09-04
CN108494771B (en) 2021-04-23

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 18911004; country of ref document: EP; kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established. Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 18/01/2021)
122 Ep: pct application non-entry in european phase. Ref document number: 18911004; country of ref document: EP; kind code of ref document: A1