CHX-I防火墙官方教程-附带翻译借鉴.pdf

－１－

CHX-I Documentation

Introduction 介绍

In its default configuration the packet/payload filter does not impose any security restrictions on

any type of traffic.

默认配置下，包过滤器和负载过滤器没有任何规则，可以允许任何数据包通过。

The CHX suite of tools is not a personal firewall and should not be used by those expecting

out-of-the box security configurations or unfamiliar with TCP/IP networking and IP security in general.

Several configuration templates are provided to assist first time users in grasping CHX-I filtering

GoTo Related Filter feature) when debugging their CHX IP security policies.

首次使用 CHX 的用户，在编辑和调试自己的 IP 过滤策略之前，建议您认真研究一下

CHX 的日志（利用日志的跳转功能，查找对应的过滤器规则，并研究他）。

The packet filter cannot facilitate address/port translation in gateway environments. The CHX-I

NAT module was designed to provide this functionality as either a stand alone or add-on to the packet

filter management console.

对于通过在网关模式下上网的用户要注意：包过滤器没有地址 /端口转换功能。但是，

CHX-I 的 NAT 模块可以完成这个功能，而且不管是单独使用该模块，还是把它添加到包过

滤器的管理单元内。

The payload filter extends the functionality of the packet filter by inspecting and editing

－２－

NAT) or distributed on servers/workstations.

CHX 网络和安全软件包可以被配置在网关模式下（如：桥接、路由、 NAT 模式），也

可以在服务器 /工作站上使用。

Upgrades From 2.x Notes

General upgrade(from 2.x) notes: 升级到 3.0 的注意事项：

- prior to installing CHX 3.0 please un-install any previous versions of the packet filter.

- 请先卸载原来版本的包过滤器，再直接安装 CHX3.0即可

- you can import 2.x filter sets (.sfd or .cff files)

- 可以直接把 2.x 版的过滤规则导入到 3.0 中（从 2.x 中导出的 *.sfd 或者 *.cff 文件）

- If Allow or Deny All was used in the previous version's policies then an additional packet

- The CHX RMC is now part of the main management console

- CHX 的 RMC现在是主管理单元的一部分

Packet Filter Module Overview 包过滤器模块总览

The Packet Filter module offers a simple, flexible, high performance IP filtering mechanism. The

CHX stateful implementation is fully documented and all internal state table details can be viewed via

the CHX State Table application.

包过滤器模块提供了一个简单、灵活、高性能的 IP 过滤机制。 CHX可以完整记录运行

状态，并且所有运行状态的细节可以通过 CHX的状态表程序 （CHX State Table application ）

来查看。

－３－

Must Read 必读

Several rules of thumb that should be understood when creating packet filter policies:

1. All traffic is first checked against static packet filter rules. If allowed - the traffic is then analyzed by

the stateful inspection engine provided the state analysis options are enabled.

1. 所有的数据首先要被静态包过滤规则检测。 如果设置成 “允许”，且状态分析选项被打开，

2. "Allow" rules are Prohibitive. This means anything not specified in the Allow rules is automatically

dropped.

数据包都将被丢弃。

traffic is allowed.

4、如果 ICMP的“伪状态”选项被打开，而且你需要允许任意 ICMP通信，那么你也需要建

5. A Force Allow acts as a trump card only within the same priority context.

5、“强制允许” 规则在相同优先级的情况下是张王牌 （可以破例， 可以打破前面的禁止规则） 。

6. With no static rules loaded TCP stateful inspection and UDP/ICMP pseudo state analysis is

performed (if the state options are enabled)

6、如果没有静态规则，那么 CHX将调用 TCP状态检测（ SPI）和 UDP/ICMP伪状态分析（如

果状态分析选项被打开的话）

7. TCP stateful inspection does not prevent new TCP sessions from being created.

7、TCP状态检测并不能够阻止创建新的 TCP会话。

－４－

9. Any datagram discarded by the packet filter driver will have a corresponding entry in the log

files(unless logging is explicitly disabled).

9、任意被包过滤器规则丢弃的数据报，在日志中都有相应的记载（除非日志功能被关闭）

Packet Filter Basics 包过滤基础知识

Generally speaking there are two approaches when defining an IP filter policy for a host or

network:

通常情况下，为主机或者网络定义的 IP 过滤策略，只有两种处理办法：

PROHIBITIVE - That which is not expressly allowed is prohibited

PERMISSIVE - That which is not expressly prohibited is allowed

The CHX Packet Filter architecture incorporates four "Actions" that can be performed

within the same priority level:

1) If only one or more Allow-rules are used, all the rest is prohibited.

2) If only one or more Deny-rules are used, all the rest is allowed.

dropped as well as traffic specified in the Deny rules. (Deny rules can overlap a space

Deny-rule, a Force-Allow-rule must be used.

1）如果仅有 1 个或多个“允许”规则起作用，那么其他所有行为都是禁止的

4）对于某个已经被“禁止”规则禁止的数据包，如果想允许其通过或者部分允许通过，

有 2 种可行的方法来定义“禁止”规则：

a) Enter a Deny ALL rule then specify permitted traffic with Force Allow rules.

OR

b) Define permitted traffic with a combination of Allow rules. (everything not specified in

the Allow rules will be Blocked)

a) 建立一条“禁止所有”的规则，然后用“强制允许”规则来排除某些特定的数据包。

或者

b) 在“允许” 规则中允许特定的数据通过。 ( 没在“允许” 规则中定义的， 全部被禁止 )

－５－

Permissive policies should be avoided in general, but they are accomplished by making

Filter Priorities 过滤器属性

The priority context allows - among other things - cascading of Deny/Force Allow

combinations to achieve a greater flexibility.

通过优先级功能，可以实现“禁止”和“强制允许”在功能上的重叠，从而提供了非常

高的话，优先级低的“强制允许”规则就失去作用了。所以，在设置“强制允许”规则时，

要注意优先级。

Force

Allow

rule

Allow

rule

Force

Allow

rule

Allow

rule

Force

Allow

rule

Allow

rule

Deny

Deny

Deny

5 个方框代表 5 种优先级。分别对应：

4—— Highest 3 —— High 2 —— Normal 1 —— Low 0 —— Lowest

Consider the example of a DNS server CHX-I policy that makes use of a Force Allow rule

to allow ANY incoming DNS queries over TCP/UDP port 53. Prior to version 2.5 the Force

Allow action represented the "trump card ", taking away the flexibility of specifying a particular

IP or range of IPs that should be prohibited from accessing the same public server. This can

be now achieved by creating a Deny rule with a higher priority than the Force Allow rule.

以 DNS服务器为例，建立一个策略，利用“强制允许”规则来允许任何入站 DNS请求

（TCP/UDP的 53 号端口）。在 CHX2.5 版本以前，“强制允许”行为代表着“特权”，牺牲

了灵活性， 因为他是在所有访问同一个服务器的用户中指定应该禁止的 IP 或 IP 范围（如果