<p>
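No.: 38150 Posted by: xiongli Date posted: 2003-05-01 01:29:07
<br>Subject: A few questions about networking
<br>Content: A few questions about networking<BR>A few questions, thanks.<BR>1. What is the difference between a firewall and a router?<BR>Note that by "router" here I mean something that can exchange data between two subnets. If you have a router whose two IPs are 202.120.80.1 and 192.168.1.1, then this router is not a real router, because data from the 192.168.1.xxx subnet will never be sent outside the LAN. But this router can be a firewall, and the computers on 192.168.1.xxx can all get online through this firewall. So, in other words, this firewall, this router, is really just a proxy server. OK, the question is: what is the difference between a firewall and a router?<BR><BR>2. What is the difference between a firewall and a proxy server?<BR><BR>3. What is a gateway? How does it differ from a proxy server, a router and a firewall?<BR>Is the gateway simply the default router?<BR>If my computer's IP is 192.168.1.2 and I specify the gateway 192.168.1.1 on this network card, what exactly does this 192.168.1.1 mean? Generally, every computer that goes online has an IP and also a default router address, and this address has to be set manually. Sometimes the dial-up program sets it for you. So is the gateway address I fill in actually the address of this default router? But in the case where my IP is 192.168.1.2 and the gateway I fill in is 192.168.1.1, as said above, the machine 192.168.1.1 is not actually a real router, so does the system quietly interpret this so-called gateway as a proxy server I have specified? But if I do not set this gateway and instead set the address 192.168.1.1 in IE's proxy server settings, I cannot get online, which shows the two are still different. What is the difference?<BR><BR>4. The main questions are the ones above. The remaining question: proxy servers can be cascaded, so how should I set this up in win2k server? For example, my win2k server has two IPs, and I also have a router that can get online; one of the router's IPs is 192.168.1.1, and my win2k's two IPs are 192.168.1.2 and 192.168.2.1. I set the default gateway on 192.168.1.2 to 192.168.1.1, so my win2k server can get online. But if the clients I connect on 192.168.2.xxx want to get online, I should set the gateway on the client side to 192.168.2.1, but how should I configure the win2k server?<BR><BR>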
</p>
<hr size=1>
<blockquote><p>
Reply by: neilgan Reply date: 2003-05-01 08:20:09
<br>Content: I don't have any network administration experience, so I know very little of real-world router/proxy/firewall. If anyone finds any mistakes, please let me know, thanks.<BR><BR>According to my textbook, "gateway" and "router" are different. But many people say "gateway" while they mean "router". In the following I only use the term "router".<BR><BR>A router is a network-layer device; it connects two or more subnets and forwards IP datagrams among them. An IP datagram travels this way: sender -> router -> router -> ... -> router -> receiver.<BR><BR>Using an example: a client (192.168.0.2) sends an HTTP "get" command to a server "10.0.0.1" through a router (192.168.0.1), then: { IpHeader: Snder= 192.168.0.2, receiver= 10.0.0.1 {TcpHeader: SrcPort=12345, DestPort=80 {Data:"Get..."}}}. The client checks its route table and decides this datagram should be sent to 192.168.0.1. When 192.168.0.1 receives it, it DOESN'T CHANGE the datagram (except the TimeToLive and IP header checksum, which we don't consider here); it just checks its route table and decides which is the next hop, that is, which should be the next router. When the server receives the datagram, it is just the same as what the client sent (still not considering the TimeToLive and IP header checksum).<BR><BR>A proxy is an agent. It does the request ITSELF on behalf of the client. It has at least two IP addresses: one is a local address (private, known only locally), the other is a public address (known all over the world).<BR><BR>Using the same example, this time 192.168.0.1 is a proxy, which has a public address 202.0.0.1. The client sends the IP datagram the same way. The proxy, however, receives the datagram, writes a record in the memory, and sends ANOTHER request: {IPHeader: Snder= 202.0.0.1, Rcver= 10.0.0.1 {TcpHeader: SrcPort=23456, DstPort=80 { Data: "Get..."}}}. 
Once the server gets this datagram, it will think that a computer with IP address (202.0.0.1) sent a request, and it sends the response to this address: {10.0.0.1 -> 202.0.0.1 {80 -> 23456 {"..."}}}. When the proxy receives the response, it checks its memory and finds there was a request sent to this server, then it sends this IP datagram to the client: {10.0.0.1 -> 192.168.0.2 {80 -> 12345 {"..."}}}. Work done.<BR><BR>The most significant difference is: for a router, the server receives a datagram whose src IP is the client's IP. For a proxy, the server receives a datagram whose src IP is the proxy's IP; the server knows nothing of the real client, it just thinks the proxy sent the request.<BR><BR>A proxy can be transparent, that is, the client just thinks it is a router. In the above examples, the client does the same thing; it doesn't know whether 192.168.0.1 is a proxy or a router.<BR><BR>A proxy can NOT be transparent in some cases. Using a proxy, you can only be a CLIENT, not a SERVER. You can't say to your friend in another city "well, I am listening on port 2345 and my IP address is 192.168.0.1, please connect to me.", because your IP address is only meaningful locally. Other parts of the Internet don't know the IP address.<BR><BR>Sometimes, when using a proxy, even if you are a client, there are problems. The best example is FTP. When you send a "Get abc.txt" command, what really happens is this: the FTP client opens a port (say 5678) and listens on it, then it sends a "PORT IpAddr:Port" cmd to the server to tell it the IP address and the port, then it sends a "RETR FileName" command to ask the server to connect to the IpAddr:Port and send the content of the file. Because the client's IP addr is a local addr, the connection request from the server will fail.<BR><BR>Because FTP is a well-known protocol, the proxy can solve this problem by detecting and parsing FTP requests and responses. 
But if you develop a user protocol, send a local IP addr to the server, and ask it to connect to you, the proxy can never know this and you will fail.<BR><BR>It is possible that there will be (or already is, I don't know) some kind of "smart" proxy. In this proxy, you can do some config to tell it: "please listen on PortX, and if you get an incoming connection request, please forward it to x.x.x.x:PortY." Then, you can have a server with a local IP address that can be seen by others on the Internet, though using another IpAddr:Port.<BR><BR>A firewall is something like a callback function. Every time the router is going to forward an IP datagram, it will do {if (FireWall(IpDatagram)) Forward(IpDatagram); else Discard(IpDatagram);}. Then, in function FireWall, you can do anything you like. For example, if you want to block TCP port 80, you do this in the function: {if ((TCP == IpDatagram.ProtocalType) && (80 == ((TcpHeader*)IpDatagram.data)->PortNum)) return false;}<BR><BR>A router is a service provider, and so is a proxy. A firewall, on the other hand, is a guard; it BLOCKS some kinds of legal (by the TCP/IP law, not by your boss's law) datagrams from being forwarded.<BR><BR>Sometimes (or most times, or all the time, whatever), router, proxy and firewall are all in one, but they are different things, essentially.<BR><BR>192.x.x.x are reserved for local use, so 192.168.0.1 can never be a public address on the Internet. But you should know the difference: 192.x.x.x are reserved by the Internet administration group, not by the TCP/IP protocol. In an intranet, you can use any address you like, though it is not good. Say you use 10.10.10.x in your LAN, and one day in the future you decide to connect your LAN to the Internet; then if you don't want to change your local IP addresses, you can't get access to the real 10.10.10.x on the Internet.<BR><BR>Default router: it is NOT a type of router. You can't say "This is a normal router, and this is a default router". 
You can only say "Now, this computer uses this router as its default router". A default router does this: if you don't know what to do with an IP package, then forward it to the default server. A router can also have a default router.<BR>
<br>
</p></blockquote>
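<p>An added example, not part of neilgan's post: a small Python model of the three roles described above (router, address-rewriting proxy, firewall callback), using the post's addresses and ports. The names Datagram, route, TranslatingProxy, block_tcp_80 and port_forward are hypothetical, and the proxy keeps one record per datagram rather than per connection for brevity.</p>

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    data: str = ""

def block_tcp_80(d):
    """Firewall callback: False means discard (the post's port-80 rule)."""
    return d.dst_port != 80

def route(d, firewall=lambda d: True):
    """Plain router: forward the datagram unchanged, or drop it."""
    return d if firewall(d) else None

class TranslatingProxy:
    """The post's 'proxy': rewrites addresses and remembers each request."""
    def __init__(self, public_ip, first_port=23456):
        self.public_ip = public_ip
        self.next_port = first_port
        self.records = {}  # public port -> (private ip, private port)

    def outbound(self, d):
        port = self.next_port
        self.next_port += 1
        self.records[port] = (d.src_ip, d.src_port)
        return replace(d, src_ip=self.public_ip, src_port=port)

    def inbound(self, d):
        rec = self.records.get(d.dst_port)
        if d.dst_ip != self.public_ip or rec is None:
            return None  # no record: an unsolicited connection is dropped
        return replace(d, dst_ip=rec[0], dst_port=rec[1])

    def port_forward(self, public_port, private_ip, private_port):
        """Static record, the 'smart proxy' configuration from the post."""
        self.records[public_port] = (private_ip, private_port)

def demo():
    req = Datagram("192.168.0.2", 12345, "10.0.0.1", 80, "GET")  # constructed
    proxy = TranslatingProxy("202.0.0.1")
    seen = proxy.outbound(req)  # what the server sees
    reply = Datagram("10.0.0.1", 80, seen.src_ip, seen.src_port, "...")
    return route(req), seen, proxy.inbound(reply)

if __name__ == "__main__":
    for d in demo():
        print(d)
```

<p>The inbound lookup is also why a host behind such a device cannot act as a server until a static record is added: a packet that matches no record has nowhere to go.</p>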
<hr size=1>
<blockquote><p>
Reply by: xiongli Reply date: 2003-05-01 11:50:31
<br>Content: A proxy can be transparent, that is, the client just thinks it is a router. In the above examples, the client does the same thing, it doesn't know whether 192.168.0.1 is a proxy or a router<BR><BR>If I do not set the default gateway (default router) IP to 192.168.0.1, and instead enter 192.168.0.1 in IE's options:<BR>Tool->Internet Options->Connections->Lan Settings->Proxy Server, why can't I get online?<BR><BR>Since I set the default router to 192.168.0.1, and this router is actually not a real router but a proxy<BR>/*<BR>A proxy can be transparent, that is, the client just thinks it is a router. In the above examples, the client does the same thing, it doesn't know whether 192.168.0.1 is a proxy or a router.<BR>*/<BR>then why doesn't setting the proxy to 192.168.0.1 in IE achieve the same effect?
<br>
</p></blockquote>
<hr size=1>
<blockquote><p>
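Reply by: xiongli Reply date: 2003-05-01 11:57:29
<br>Content: Is this the right way to understand it?<BR>The proxy set in IE is really a service at the application layer, while setting the default router is at the network layer. Although both can be called a proxy, they are different in substance.<BR>The default router's job is routing, regardless of whether it is actually a real router or a proxy.<BR>The proxy set in IE actually sends requests to a certain port on a host, so it is an upper-layer service that is carried out with the support of the default router.<BR>Although the IPs of these two proxies can sometimes be the same, they are different in substance.<BR>I guessed this because I saw that the proxy in IE requires a port to be filled in.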
<br>
</p></blockquote>
<hr size=1>
<blockquote><p>
Reply by: xiongli Reply date: 2003-05-01 11:59:27
<br>Content: Thanks,<BR>neilgan
<br>
</p></blockquote>