CHX-I Documentation

Introduction

In its default configuration the packet/payload filter does not impose any security restrictions on any type of traffic.

The CHX suite of tools is not a personal firewall and should not be used by those expecting out-of-the-box security configurations or by those unfamiliar with TCP/IP networking and IP security in general. Several configuration templates are provided to assist first-time users in grasping CHX-I filtering concepts. These templates can be obtained in the download area.

First-time users are encouraged to make extensive use of the available logging features (and the GoTo Related Filter feature) when debugging their CHX IP security policies.

The packet filter cannot facilitate address/port translation in gateway environments. The CHX-I NAT module was designed to provide this functionality, either stand-alone or as an add-on to the packet filter management console.

The payload filter extends the functionality of the packet filter by inspecting and editing TCP/UDP/ICMP data. The payload filter can trigger permissive or prohibitive packet filter rules as well as other payload rules (chained payload rule sets).

The CHX suite of network and security tools can be deployed on gateways (e.g. bridge, router, NAT) or distributed on servers/workstations.

Upgrades From 2.x Notes

General upgrade (from 2.x) notes:

- Prior to installing CHX 3.0 please un-install any previous versions of the packet filter.
- You can import 2.x filter sets (.sfd or .cff files).
- If Allow or Deny All was used in the previous version's policies then an additional packet filter rule MUST be added allowing ARP traffic.
- A Dial-up or VPN node was created with a public node for dial-up interfaces (e.g. modems) and a private node for VPN.
- The CHX RMC is now part of the main management console.

Packet Filter Module Overview

The Packet Filter module offers a simple, flexible, high performance IP filtering mechanism. The CHX stateful implementation is fully documented and all internal state table details can be viewed via the CHX State Table application.

Must Read

Several rules of thumb that should be understood when creating packet filter policies:

1. All traffic is first checked against static packet filter rules. If allowed, the traffic is then analyzed by the stateful inspection engine, provided the state analysis options are enabled.
2. Allow rules are Prohibitive. This means anything not specified in the Allow rules is automatically dropped.
3. If the UDP pseudo-stateful option is enabled a Force Allow must be used when running UDP servers (e.g. DNS).
4. If the ICMP pseudo-stateful option is enabled a Force Allow must be used when unsolicited ICMP traffic is allowed.
5. A Force Allow acts as a trump card only within the same priority context.
6. With no static rules loaded, TCP stateful inspection and UDP/ICMP pseudo-state analysis are performed (if the state options are enabled).
7. TCP stateful inspection does not prevent new TCP sessions from being created.
8. UDP/ICMP pseudo-states will discard unsolicited UDP/ICMP datagrams.
9. Any datagram discarded by the packet filter driver will have a corresponding entry in the log files (unless logging is explicitly disabled).

Packet Filter Basics

Generally speaking there are two approaches when defining an IP filter policy for a host or network:

- PROHIBITIVE - That which is not expressly allowed is prohibited
- PERMISSIVE - That which is not expressly prohibited is allowed

The CHX Packet Filter architecture incorporates four Actions that can be performed within the same priority level:

1. Allow
2. Deny
3. Force Allow
4. Log Only

The following holds true within the same priority context:

1) If only one or more Allow rules are used, all the rest is prohibited.
2) If only one or more Deny rules are used, all the rest is allowed.
3) If there are Allow rules and Deny rules, all traffic NOT specified in the Allow rules is dropped, as well as traffic specified in the Deny rules. (Deny rules can overlap a space permitted by an Allow rule.)
4) To allow something or part of something which has been prohibited by an Allow or Deny rule, a Force Allow rule must be used.

There are two possible approaches when defining prohibitive rule sets:

a) Enter a Deny ALL rule, then specify permitted traffic with Force Allow rules. OR
b) Define permitted traffic with a combination of Allow rules. (Everything not specified in the Allow rules will be blocked.)

Permissive policies should be avoided in general, but they are accomplished by making exclusive use of Deny filters.

Filter Priorities

The priority context allows, among other things, cascading of Deny/Force Allow combinations to achieve greater flexibility.

Within the same priority context an Allow rule can be negated with a Deny rule, and a Deny rule can be negated by a Force Allow rule. However, this approach is now extended to allow a higher priority Deny to negate a Force Allow.

Translator's note: so when setting up a Force Allow rule, pay attention to its priority.

[Figure: relationship between Deny / Allow / Force Allow rules and priority. Five boxes, numbered 4 to 0, each containing a Force Allow rule, an Allow rule and a Deny rule.]

Translator's note: in the figure, the pink arrowed lines show the path of a packet. With no CHX filter rules set, a packet flows in at the left and out at the right, along the topmost pink line. With CHX rules set, it may instead follow the downward pink arrows. The five boxes stand for the five priority levels: 4 Highest, 3 High, 2 Normal, 1 Low, 0 Lowest.

Consider the example of a DNS server CHX-I policy that makes use of a Force Allow rule to allow ANY incoming DNS queries over TCP/UDP port 53.
Prior to version 2.5 the Force Allow action represented the trump card, taking away the flexibility of specifying a particular IP or range of IPs that should be prohibited from accessing the same public server. This can now be achieved by creating a Deny rule with a higher priority than the Force Allow rule.

Translator's note: if many IPs have to be prohibited and they may also change, doing this any other way is more work than anyone should have to do.

Translator's note: this raises a question: what if an intruder attacks through port 53? The payload filter described later can filter each protocol and so tell normal packets from abnormal ones (by building patterns, that is, templates of standard packets). As I understand it, CHX packet filtering is connection-oriented: filter rules are set on connections (protocol + port) to determine which protocols and ports may pass. Payload filtering is protocol-oriented: different packet templates are set for different protocols, and a packet that has passed the packet filter may still be blocked by the payload filter if injected malicious data makes it fail to match the standard packet template. Some people say payload filtering works at the application layer; my feeling is that it is still packet filtering and has nothing to do with the application layer, since application-layer data ultimately has to be turned into packets for transmission.

Another critical factor in designing priority-based rule sets is the order in which the rules are applied. If a Deny rule is set with the highest priority, and there are no Force Allows within the same context, then any packet matching the Deny rule is automatically dropped and the remaining rules are ignored. Conversely, if a rule has the Force Allow action with the highest priority flag set, then any incoming packets matching the Force Allow rule will be automatically passed and the remaining rules discarded.
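
An added example (not part of the CHX documentation or its code): a small Python model of the evaluation order described above, walking the priority levels from 4 down to 0 and applying Force Allow, Deny, Allow within each level. The addresses and rule sets are constructed, `Rule` and `evaluate` are hypothetical names, and treating a verdict at one level as final while a level without a verdict falls through is an assumption; stateful inspection is not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """Hypothetical model of one static filter for incoming traffic."""
    action: str                # "force_allow", "allow" or "deny"
    priority: int              # 0 (Lowest) .. 4 (Highest)
    proto: str
    dst_port: int
    src: str = "0.0.0.0/0"     # source network; the default matches any address

    def matches(self, pkt):
        return (pkt["proto"] == self.proto
                and pkt["dst_port"] == self.dst_port
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src))

def evaluate(rules, pkt):
    """Return "pass" or "drop" for one incoming packet."""
    for level in range(4, -1, -1):                     # highest priority first
        here = [r for r in rules if r.priority == level]
        hit = {r.action for r in here if r.matches(pkt)}
        if "force_allow" in hit:                       # overrides Deny in this level
            return "pass"
        if "deny" in hit:                              # overrides Allow in this level
            return "drop"
        if any(r.action == "allow" for r in here):     # Allow rules are prohibitive
            return "pass" if "allow" in hit else "drop"
        # Assumption: no verdict at this level, so fall through to the next one.
    return "pass"                                      # nothing matched: unrestricted

def packet(src, proto, dst_port):
    return {"src": src, "proto": proto, "dst_port": dst_port}

# Constructed rule set: Allow port 80, Deny a range inside it, Force Allow one host.
WEB = [Rule("allow", 2, "tcp", 80),
       Rule("deny", 2, "tcp", 80, "10.0.0.0/8"),
       Rule("force_allow", 2, "tcp", 80, "10.0.0.100/32")]

# Constructed DNS policy: a higher-priority Deny negates the Force Allow.
DNS = [Rule("force_allow", 2, "udp", 53),
       Rule("deny", 3, "udp", 53, "198.51.100.0/24")]

if __name__ == "__main__":
    for src in ("192.0.2.7", "10.1.2.3", "10.0.0.100"):
        print("web", src, evaluate(WEB, packet(src, "tcp", 80)))
    for src in ("192.0.2.7", "198.51.100.9"):
        print("dns", src, evaluate(DNS, packet(src, "udp", 53)))
```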

Translator's note: to summarize, rules are applied by priority first, from high to low; within the same priority the order is Force Allow, Deny, Allow. The order in which the rules were defined does not matter.

Filter Action Priority

Four actions can be performed upon a packet matching the filter description:

- Deny - The action silently drops the packet
- Allow - The action passes the packet and drops everything else not specified by the Allow rule(s)
- Log Only - The packet is passed and the event logged
- Force Allow - Overrides any other action stating the contrary

Within the same priority level every packet is inspected as follows:

1. If the packet matches one or more Force Allow rules it is passed regardless of any other filters.
2. If the packet matches one or more Allow rules it is then checked against any existing Deny rules. If there are no Deny rules, the packet is passed.
3. If the packet matches one or more Deny rules it is dropped.

Taking a practical example, we create an Allow (deny everything except) filter:

    ALLOW Incoming TCP dstPort=80

At this point all other incoming traffic is blocked. Within the Allowed space we add the following Deny filter:

    DENY Incoming TCP srcAddress=/8 dstPort=80

Translator's note: /8 here means a class A network.

The above filter overrides the Allow and blocks packets from the range.

To override the Deny filter we create the following Force Allow:

    FORCE ALLOW Incoming TCP srcAddress=00 dstPort=80

Conditional Filters

Certain network applications require communications on different channels. As an example, an MTA might implement IDENT verification by sending a SYN to the host initiating the SMTP transaction. If an RST or SYN-ACK is received, the initial session handshake will quickly complete. If no response is received to the SYN sent to the IDENT port (113), the initial session handshake completion will be delayed.

Translator's note: an MTA (mail transfer agent) accepts mail from other servers, reads the address and passes the message to the next server on the way to the user's mailbox.

Scheduled Filters

Any static filter can have a schedule (or lists of schedules) associated. Traffic can be denied or permitted according to a set schedule.

Translator's note: schedules are flexible: they can be a point in time, a time span or a recurring period. This is useful on some servers, where one service can be allowed during one period and another service during another.

Triggers

Triggers are dormant static filters activated by a payload event. Traffic can be denied or allowed based on the presence of predefined payload conditions. A trigger can have a predefined timeout value set in the parent payload rule.

Translator's note: once the timeout expires the trigger goes back to being dormant.

To create a trigger, right-click on the desired interface node and select New Trigger. In the payload rule properties, under Secondary Action, select the newly created trigger and specify its timeout value and related options.

Lists

The following lists are supported:

- IP addresses
- Ports
- MAC addresses
- Conditions
- Schedules
- Patterns

Translator's note: once defined, a list can be referenced directly when creating rules, which makes rule creation easier.

IP Fragmentation analysis and related logs

The default installation of the packet filter enables a series of checks on fragmented packets, and drops packets with the following characteristics:

- Invalid fragmentation flags/offset - this event is triggered when both the DF and MF flags in the IP header are set to 1, or when a header has the DF flag set to 1 and an Offset value other than 0.
- First fragment too small - this event is triggered when a packet has the MF flag set to 1, an Offset value of 0 and a total length smaller than 120 bytes (the maximum combined header length).
- IP fragment out of boundary - this event occurs if the value of the Offset field combined with the total packet length exceeds the maximum datagram length of 65535 bytes.
- IP fragment offset too small - a non-zero Offset value that is smaller than 60 bytes.

Translator's note (background): in the IP header, MF and DF are the flags that say whether a datagram has been fragmented and whether this is the last fragment. MF (More Fragments): MF=1 means more fragments follow, MF=0 marks the last fragment. DF (Don't Fragment): DF=1 forbids fragmentation, DF=0 permits it. Offset: the relative position of the fragment within the original datagram. The two flag combinations in the first check are abnormal, that is, malformed packets.

If the Deny all incoming fragmented packets option is enabled, all fragmented packets are dropped with the following log entry:

    IP fragmented packet.

One exception to the above rule is a packet with a total length smaller than the IP header length, in which case the packet is silently discarded.
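
An added example (not CHX code): the fragment checks listed above, applied in Python to a parsed IPv4 header. The header bytes are constructed, `make_header` and `check_fragment` are hypothetical names, the order in which the checks run is an assumption, and the boundary test adds offset and total length exactly as the text words it.

```python
import struct

def make_header(total_len, df=0, mf=0, offset_bytes=0, ihl=5):
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    flags_frag = (df << 14) | (mf << 13) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                       flags_frag, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def check_fragment(header, deny_all_fragments=False):
    """Return the event that drops the packet, or None if it passes the checks."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    ihl_bytes = (ver_ihl & 0x0F) * 4
    df = (flags_frag >> 14) & 1
    mf = (flags_frag >> 13) & 1
    offset = (flags_frag & 0x1FFF) * 8       # the header stores 8-byte units

    if total_len < ihl_bytes:                # the exception: dropped without a log entry
        return "silent discard"
    if not (mf or offset):                   # not a fragment, nothing to check here
        return None
    if deny_all_fragments:                   # option: drop every fragment
        return "IP fragmented packet"
    if df:                                   # DF with MF, or DF with a non-zero offset
        return "Invalid fragmentation flags/offset"
    if mf and offset == 0 and total_len < 120:
        return "First fragment too small"
    if offset + total_len > 65535:           # as worded in the text above
        return "IP fragment out of boundary"
    if 0 < offset < 60:
        return "IP fragment offset too small"
    return None

if __name__ == "__main__":
    samples = {
        "plain DF packet": make_header(1500, df=1),
        "DF+MF": make_header(1500, df=1, mf=1),
        "tiny first fragment": make_header(68, mf=1),
        "offset past 64K": make_header(1500, offset_bytes=65528),
        "offset 24": make_header(1500, offset_bytes=24),
    }
    for name, hdr in samples.items():
        print(f"{name}: {check_fragment(hdr)}")
```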

Import-Export rules

Highlight the desired filters, right-click and select the desired export option.

Importing a filter set is achieved by right-clicking on the desired network interface node and selecting Import Filters From File.

Copy And Paste Filters

You can copy and/or paste selected filters by right-clicking the selected filter(s) and choosing copy or paste from the menu. Alternatively you can drag and drop one or more selected filters (holding the CTRL key while performing a drag and drop operation to achieve the copy effect). These operations can be performed across any nodes and across any active remote hosts.

Translator's note: without the CTRL key, drag and drop moves the filters instead of copying them.

Stateful Options

As opposed to the classic static packet filtering methodology, where each packet is inspected on an individual basis, the CHX-I stateful mechanism tries to analyze each packet in the context of traffic history, correctness of IP/TCP header values and TCP connection state transitions. In the case of stateless protocols (e.g. UDP) a pseudo-stateful mechanism is implemented based on historical traffic analysis.

While an exhaustive analysis of TCP state transitions and behavior correctness is beyond the scope of this manual, the CHX-I stateful mechanism generally acts the following way:

- A packet is passed through the stateful routine if it is explicitly allowed via static filters.
- The packet is examined to determine whether it belongs to an existing connection, by checking the CHX-I connection table for matching end points.
- The TCP header is examined for correctness (e.g. sequence numbers, flag combination).

Once enabled, the stateful engine is applied to all traffic traversing the interface.

The UDP pseudo-stateful mechanism, by default, simply rejects any incoming unsolicited UDP packets. If the packet filter operator is running a legit UDP server, she MUST explicitly allow (via static filters) traffic to that particular service. For instance, in a non-prohibitive IP policy, if there is a DNS server running, a Force Allow rule permitting UDP traffic to port 53 is required.

The ICMP pseudo-stateful mechanism, by default, simply rejects any incoming unsolicited ICMP request-reply and error type pack