The firewall policies or access control lists (ACLs) of today's technologies can use the lower-level properties of a data flow to determine whether to permit the data flow to pass through. Under normal circumstances, the lower-level properties on which a firewall policy is based can include, but are not limited to, at least one of the following: source address, source port, destination address, destination port, protocol number, and application type. The ingress interface and egress interface are often also among the properties on which a firewall policy is based.
With the rapid development of science and technology, domestic and foreign firms are including more factors in firewall policies. For example, some firms have introduced the concept of security zones, that is, using the security zone of the ingress interface or the security zone of the egress interface to determine whether to permit a data flow to pass through; some firms are gradually introducing the concept of user-based access control or role-based access control (RBAC) on top of the existing firewall policy foundation; and some firms have introduced the concept of authentication groups on top of the existing firewall policy foundation: the detected data flow is first matched against the lower-level properties on which the firewall policy is based (including source address, source port, destination address, destination port, and protocol number), authentication matching is then used to determine the subgroup to which the data flow belongs, and finally the first-match principle is used to judge whether to permit the data flow to pass through.
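The following is an added example, not part of the original text and not code from any of the firms it describes. It models the three policy styles from the two paragraphs above in one first-match engine: lower-level five-tuple properties plus ingress/egress interface, security zones derived from those interfaces, and authentication groups that restrict a rule to certain users. The interface-to-zone mapping, the group memberships, the rules and the flows are all constructed sample data; the field names (`src_zone`, `groups`, and so on) are assumptions chosen for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One detected data flow plus the interfaces it traverses (constructed sample)."""
    src: str                     # source address
    sport: int                   # source port
    dst: str                     # destination address
    dport: int                   # destination port
    proto: int                   # IP protocol number (6 = TCP, 17 = UDP)
    ingress: str                 # ingress interface
    egress: str                  # egress interface
    user: Optional[str] = None   # authenticated user, if the flow has been authenticated


@dataclass(frozen=True)
class Rule:
    """One policy entry; None in a field means 'match any value'."""
    action: str                       # "permit" or "deny"
    src: Optional[str] = None         # CIDR prefix, e.g. "10.0.1.0/24"
    sport: Optional[int] = None
    dst: Optional[str] = None         # CIDR prefix
    dport: Optional[int] = None
    proto: Optional[int] = None
    src_zone: Optional[str] = None    # security zone of the ingress interface
    dst_zone: Optional[str] = None    # security zone of the egress interface
    groups: Tuple[str, ...] = ()      # authentication groups; empty = any user


# Hypothetical interface-to-security-zone mapping (constructed sample data).
ZONES = {"eth0": "untrust", "eth1": "trust", "eth2": "dmz"}

# Hypothetical authentication-group membership (constructed sample data).
GROUP_MEMBERS = {"admins": {"alice"}, "staff": {"alice", "bob"}}


def _any_or_equal(rule_value, flow_value) -> bool:
    return rule_value is None or rule_value == flow_value


def _any_or_in_prefix(prefix: Optional[str], address: str) -> bool:
    return prefix is None or ipaddress.ip_address(address) in ipaddress.ip_network(prefix, strict=False)


def five_tuple_match(rule: Rule, flow: Flow) -> bool:
    """Lower-level properties: source/destination address and port, protocol number."""
    return (_any_or_in_prefix(rule.src, flow.src)
            and _any_or_equal(rule.sport, flow.sport)
            and _any_or_in_prefix(rule.dst, flow.dst)
            and _any_or_equal(rule.dport, flow.dport)
            and _any_or_equal(rule.proto, flow.proto))


def zone_match(rule: Rule, flow: Flow) -> bool:
    """Security zones are derived from the ingress and egress interfaces of the flow."""
    return (_any_or_equal(rule.src_zone, ZONES.get(flow.ingress))
            and _any_or_equal(rule.dst_zone, ZONES.get(flow.egress)))


def group_match(rule: Rule, flow: Flow) -> bool:
    """Authentication groups: an unauthenticated flow only matches rules with no group constraint."""
    if not rule.groups:
        return True
    if flow.user is None:
        return False
    return any(flow.user in GROUP_MEMBERS.get(g, set()) for g in rule.groups)


def evaluate(policy: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match principle: the first rule whose five-tuple, zones and groups all match decides.
    Returns (action, index of the matching rule), or (default, None) when no rule matches."""
    for i, rule in enumerate(policy):
        if five_tuple_match(rule, flow) and zone_match(rule, flow) and group_match(rule, flow):
            return rule.action, i
    return default, None


# Constructed sample policy. Order matters: rule 0 carves an admin exception out of rule 1.
POLICY = [
    Rule("permit", dst="10.0.2.0/24", dport=22, proto=6, src_zone="trust", dst_zone="dmz", groups=("admins",)),
    Rule("deny", dport=22, proto=6, dst_zone="dmz"),
    Rule("permit", dst="10.0.2.0/24", dport=80, proto=6, dst_zone="dmz"),
]

if __name__ == "__main__":
    admin_ssh = Flow("10.0.1.10", 40000, "10.0.2.5", 22, 6, "eth1", "eth2", user="alice")
    staff_ssh = Flow("10.0.1.11", 40001, "10.0.2.5", 22, 6, "eth1", "eth2", user="bob")
    web = Flow("203.0.113.7", 51000, "10.0.2.5", 80, 6, "eth0", "eth2")
    for f in (admin_ssh, staff_ssh, web):
        print(f.user, f.ingress, f.dport, evaluate(POLICY, f))
```

Two points the sample policy makes visible: the same five-tuple yields a different verdict when it arrives on a different ingress interface (because the zone changes), and a flow that matches no rule falls through to the default deny, which is the safe resting state for an ACL that has been written with an explicit allow list.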
Below, we use two specific application examples to further describe the firewall policies of the related technologies.