Geek School: Learning Windows 7 – Windows Firewall


Come and join us as we make the world a safer place using our Windows Firewall in this edition of Geek School.


Be sure to check out the previous articles in this Geek School series on Windows 7:


And stay tuned for the rest of the series all next week.


What is a Firewall?

Firewalls can be implemented either as hardware or as software. They were designed to protect networks by stopping network traffic from passing through them; as such, they are normally placed on the perimeter of a network, where they allow outbound traffic but block inbound traffic. Firewalls are based on rules that you, as an administrator, define. There are three types of rules.


  • Inbound rules apply to any traffic that originates from outside of your network and is destined for a device on your network.


  • Outbound rules apply to any traffic that originates from a device on your network.


  • Connection-specific rules enable a computer’s administrator to create and apply custom rules depending on what network you are connected to. In Windows this is also known as Network Location Awareness.


Types of Firewalls

Typically in a large corporate environment you have a whole security team dedicated to protecting your network. One of the most common methods that can be used to enhance the security of your network is deploying a firewall at the boundary of your network, for example between your corporate intranet and the public internet. These are called perimeter firewalls and can be both hardware based as well as software based.


The problem with perimeter firewalls is that you can’t protect nodes on your network from traffic generated inside your network. As such you will normally have a software based firewall solution running on every node on your network as well. These are called host based firewalls and Windows comes with one out of the box.


Meet the Windows Firewall

The first thing you will want to do is check that your firewall is turned on. To do that, open the Control Panel and head into the System and Security section.


Then click on Windows Firewall.


On the right hand side you will see the two firewall profiles as used by Network Location Awareness.


If the firewall is disabled for a network profile it will be red.


You can enable it by clicking on the link on the left hand side.


Here you can easily enable the firewall again by changing the radio button to the enabled setting.


Allowing a Program Through the Firewall

By default the Windows Firewall, like most others, drops any unsolicited inbound traffic. To prevent this, you can set up an exception in the firewall rules. The problem with this approach is that it requires you to know port numbers and transport protocols such as TCP and UDP. The Windows Firewall lets users who are not familiar with this terminology instead whitelist the applications that they want to be able to communicate on the network. To do this, again open the Control Panel and head into the System and Security section.


Then click on Windows Firewall.


On the left hand side you will see a link to allow a program or feature through the firewall. Click on it.


Here you can enable a firewall exception for a firewall profile by simply ticking a box. For example, if I only wanted remote desktop to be enabled when I was connected to my safe home network, I can enable it for the private network profile.


Of course, if you wanted it to be enabled on all networks you would tick both boxes, but really that’s all there is to it.


Meet the Firewall’s More Experienced Brother

More experienced users will be pleased to find out about something of a hidden gem, the Windows Firewall with Advanced Security. It allows you to manage the Windows Firewall with more fine-grained control. You can do things such as block specific protocols, ports, programs or even a combination of the three. To open it, open the Start menu, type Windows Firewall with Advanced Security in the search box, then press Enter.


The Inbound and Outbound Rules are split up into two sections which you can navigate to from the Console Tree.


We are going to be creating an inbound rule, so select Inbound Rules from the Console Tree. On the right hand side you will see a long list of Firewall rules appear.


It’s important to notice that there are duplicate rules which apply to the different firewall profiles.


To create a rule, right-click on Inbound Rules in the Console Tree and select New Rule… from the context menu.


Let’s create a custom rule so we can get a feel for all the options.


The first part of the wizard asks if you want to create the rule for a specific program. This differs slightly from creating a rule for a program using the normal Windows Firewall as demonstrated earlier. Rather, what the wizard is saying is this: you are about to create an advanced rule, such as opening port X. Would you like all programs to be able to use port X, or would you like to restrict the rule so that only certain programs can use port X? Since the rule we are creating is going to be system wide, leave this section at its defaults and click Next.


Now you have to configure the actual rule. This is the most important part of the entire wizard. We are going to create a TCP rule for local port 21, as seen in the screenshot below.


image

Next we have the option of tying this rule to a network card by specifying a specific IP address. We want other computers to communicate with our PC regardless of which network card they contact, so we will leave that section blank and click next.


The next section is critical, as it asks what you want this rule to actually do. You can allow the connection, allow it only if the connection is using IPsec, or simply block inbound communication on the port we specified. We will go with allow, which is the default.


Next you have to choose which firewall profiles this rule is going to apply to. We will allow communication on all networks except those marked as public.


Finally, give your rule a name.


That’s all there is to it.
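
The same rule can be created from the command line with netsh advfirewall, which ships with Windows 7. The script below is an added example, not part of the original article: it maps each wizard page to a netsh argument, and the rule name is an assumed placeholder. Run it from an elevated PowerShell prompt.

```powershell
# Added example: the New Inbound Rule wizard choices expressed as netsh arguments.
# The rule name is an assumed placeholder, not a name used in the article.
$ruleName = 'GeekSchool-Allow-TCP21-In'

# Show whether the firewall is on for each profile
# (the command-line view of the status shown in Control Panel).
& netsh advfirewall show allprofiles state

# "add rule" does not replace an existing rule of the same name, it adds another,
# so look for the rule first. netsh returns a non-zero exit code when no rule matches.
& netsh advfirewall firewall show rule "name=$ruleName" | Out-Null
if ($LASTEXITCODE -ne 0) {
    $ruleArgs = @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$ruleName",            # last wizard page: the rule name
        'dir=in',                    # created under Inbound Rules
        'protocol=TCP',              # Protocol and Ports page
        'localport=21',
        'localip=any',               # Scope page left blank: any local address
        'remoteip=any',
        'action=allow',              # Action page: the default
        'profile=domain,private'     # Profile page: every profile except Public
    )
    # No program= argument: the rule applies to all programs, as in the wizard.
    # Passing the arguments as an array stops PowerShell from splitting
    # "domain,private" at the comma.
    & netsh $ruleArgs
    if ($LASTEXITCODE -ne 0) {
        throw 'netsh could not add the rule; check that the prompt is elevated.'
    }
}

# Read the rule back and confirm direction, port, action and profiles.
& netsh advfirewall firewall show rule "name=$ruleName" verbose
```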


Homework

I can’t stress enough how important firewalls are, so go back and re-read the article and make sure you follow along on your own PC.


If you have any questions you can tweet me @taybgibb, or just leave a comment.


Translated from: https://www.howtogeek.com/134374/70-680windows-7-windows-firewall/
