February 2020

Draft: an example-driven explanation of the iptables firewall

Covers:
The iptables firewall works by interacting with the packet filtering hooks in the Linux kernel’s networking stack. These kernel hooks are known as the netfilter framework.

Every packet that enters the networking system (incoming or outgoing) will trigger these hooks as it progresses through the stack, allowing programs that register with these hooks to interact with the traffic at key points. The kernel modules associated with iptables register at these hooks in order to ensure that the traffic conforms to the conditions laid out by the firewall rules.

Netfilter's predecessors (ipchains in Linux 2.2.x and ipfwadm in Linux 2.0.x) and its successor nftables; iptables (table, chain, rule, policy)
Network offload to hardware

The iptables firewall tool is built on the kernel's netfilter packet filtering framework.
A firewall policy corresponds to a set of iptables rules.
iptables syntax:
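To make the table / chain / policy / rule structure concrete, here is an added example (not from the original draft or from the netfilter project): a minimal default-deny host firewall written in the text format that `iptables-restore` reads, plus small helpers that inspect and lint such a ruleset before it is loaded. The allowed services (loopback, SSH on a configurable port, HTTPS, ICMP echo) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original draft or the netfilter project: a minimal
# default-deny host firewall in iptables-restore format, which lays out the
# table / chain / policy / rule structure explicitly. The allowed services
# (loopback, SSH on a configurable port, HTTPS, ICMP echo) are assumptions
# chosen for the example.

# Emit the filter table. Load it with:  gen_filter_ruleset 22 | iptables-restore
# Lines starting with ':' declare a chain and its default policy; '-A' lines
# append rules to a chain in order; COMMIT ends the table.
gen_filter_ruleset() {
    ssh_port=${1:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Print the default policy of a chain from a ruleset read on stdin.
chain_policy() {
    awk -v chain=":$1" '$1 == chain { print $2; exit }'
}

# Count the rules appended to a chain in a ruleset read on stdin.
chain_rule_count() {
    awk -v chain="$1" '$1 == "-A" && $2 == chain { n++ } END { print n + 0 }'
}

# Lint a ruleset read on stdin before loading it: every -A line must target a
# chain declared with ':' in this table, and the table must end with COMMIT.
# Prints each problem; exit status 1 if any were found.
lint_ruleset() {
    awk '
        BEGIN      { bad = 0; committed = 0 }
        /^:/       { name = substr($1, 2); declared[name] = 1 }
        $1 == "-A" && !($2 in declared) { print "undeclared chain: " $2; bad = 1 }
        /^COMMIT$/ { committed = 1 }
        END        { if (!committed) { print "missing COMMIT"; bad = 1 }
                     exit bad }
    '
}

# Stand-alone run: lint the generated ruleset, then print it.
gen_filter_ruleset | lint_ruleset && gen_filter_ruleset
```

The default policy on INPUT and FORWARD is DROP, so anything not explicitly accepted by a rule is discarded; the conntrack rules let replies to outbound connections through without opening ports for them. Linting before `iptables-restore` catches a rule appended to a chain that was never declared, which would otherwise make the load fail part-way.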

References: https://en.wikipedia.org/wiki/Netfilter
https://www.netfilter.org/
https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture
https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/

Diagnosing an application incident caused by setting the core file ulimit to unlimited

Normally we set the core file size limit to 0, for reasons of performance (producing a core dump consumes CPU), disk space (core files are usually very large) and sensitive data (a core dump contains a great deal of the application process's runtime data); a core file size of 0 means no core dump can be produced. Sometimes this setting is deliberately opened up to diagnose a particular problem. For Java applications that involve no native code, a heap dump is usually sufficient, so there is no need to produce a core dump.
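The setting the incident traces back to is per-process, so checking the shell's own `ulimit -c` is not enough. Below is an added example (not from the original draft) that reads the "Max core file size" row of `/proc/<pid>/limits` and classifies it; the sample limits file at the bottom is constructed in that format so the script runs without root and offline.

```shell
#!/bin/sh
# Added example (not from the original draft): find processes whose core file
# size limit is unlimited, the setting the incident above is traced to.
# It reads the "Max core file size" row of /proc/<pid>/limits; the sample at
# the bottom is a constructed file in that format so the script runs offline.

# Print the soft "Max core file size" value from a limits file
# ("0", "unlimited" or a byte count). The row reads:
#   Max core file size        <soft>               <hard>               bytes
core_soft_limit() {
    awk '$1 == "Max" && $2 == "core" { print $5; exit }' "$1"
}

# Classify a limit value as ulimit -c or /proc reports it. Exit status:
# 0 = core dumps disabled, 1 = capped to a finite size,
# 2 = unlimited (the risky setting), 3 = unrecognised value.
classify_core_limit() {
    case "$1" in
        0)           echo "disabled";  return 0 ;;
        unlimited)   echo "unlimited"; return 2 ;;
        ''|*[!0-9]*) echo "invalid";   return 3 ;;
        *)           echo "capped";    return 1 ;;
    esac
}

# Print "<soft limit> <classification>" for one limits file.
audit_limits_file() {
    soft=$(core_soft_limit "$1")
    cls=$(classify_core_limit "$soft") || true
    printf '%s %s\n' "$soft" "$cls"
}

# Walk /proc and list the PIDs of processes with unlimited core dumps.
# Limits files of other users' processes may be unreadable; those are skipped.
find_unlimited_core() {
    for f in /proc/[0-9]*/limits; do
        soft=$(core_soft_limit "$f" 2>/dev/null) || continue
        if [ "$soft" = unlimited ]; then
            pid=${f#/proc/}
            echo "${pid%/limits}"
        fi
    done
    return 0
}

# Constructed sample in /proc/<pid>/limits format (not captured from a real host).
SAMPLE_LIMITS=$(mktemp)
trap 'rm -f "$SAMPLE_LIMITS"' EXIT
cat > "$SAMPLE_LIMITS" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max core file size        unlimited            unlimited            bytes
Max open files            1024                 4096                 files
EOF

# Stand-alone run: audit the constructed sample, then this shell's own limit.
audit_limits_file "$SAMPLE_LIMITS"
audit_limits_file /proc/self/limits 2>/dev/null || true
```

`find_unlimited_core` is the part to run on a host after an incident like the one above: a long-running service started under a shell or unit file that raised the limit keeps it for its whole lifetime, regardless of what a freshly opened shell reports.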
