The Research And Realization Of Parallel Queue Handler In Kernel Based On Netfilter Framework

Posted on: 2005-09-12
Degree: Master
Type: Thesis
Country: China
Candidate: H X Zhao
GTID: 2168360125950775
Subject: Computer software and theory
Abstract/Summary:
With the rapid development of Information Technology (IT), computer networks are becoming more widely used in politics, the military, finance, business, transportation, telecommunications and education. The more society depends on the Internet, the greater the significance and influence of the network. The Internet brings society great contributions and advantages. At the same time, because of its inherent limitations, it carries many risks and hidden dangers for information security, and the security problems of the Internet have become prominent. Research on Internet security techniques has therefore become one of the focal points of the communications field and an important research area of information science.

The firewall is the fundamental device of network security. Its function is to keep unwelcome access away from a protected network, so it is the boundary defense system of the enterprise network. A firewall divides the network into several independent subnets according to security levels and trust relationships, and traffic into and out of those subnets is controlled by the firewall. It permits specified users and data packets to pass and blocks unauthorized users and data packets, in order to protect the subnets with a high security level, prevent attacks by hackers and contain the spread of an intrusion. A firewall can be located between a local area network (LAN) and the Internet, or between one LAN and another.

A firewall system mainly includes the following techniques:

Packet Filter technique: monitors and filters the incoming and outgoing packets on the network and refuses to forward suspicious data packets, but it cannot effectively differentiate traffic that shares the same IP address.

Proxy Server technique: proxy programs run on the gateway in place of the original client programs. They receive the requests from the client side, repeat them and contact the servers outside the firewall.

Port Mapping technique: maps a port on the address of the external network card to the service port of an internal server, so that users can reach the internal server's service simply by visiting the specified port on the external network card's address.

Network Address Translation technique: the firewall translates all internal addresses into the firewall's IP address, while communication inside the internal network still uses each host's own IP address, so there is no conflict. The firewall records the channel of every computer in detail to guarantee the translation, and the internal network is transparent to the outside network.

The firewall system also includes packet filtering, application gateways and multi-level filtering with circuit-level gateways.

With its excellent network performance and its open-source nature, Linux has been selected by more and more people as a firewall platform. The firewall system allows the network administrator to define a central "control point" that prevents unauthorized users, such as hackers and network vandals, from entering the internal network. It can also keep services with security vulnerabilities from passing in and out of the network, and resist attacks coming from various connections. Furthermore, the firewall is a logical place to deploy NAT, which hides the private network and relieves the shortage of IP addresses.

The Linux firewall system has developed very quickly. It began with Ipfwadm in the Linux 2.0 kernel, followed by Ipchains in the 2.2 kernel, and is now the Netfilter/Iptables combination in 2.4. Over this development, the basic concepts and the overall design changed considerably. Ipfwadm in the Linux 2.0 kernel belongs to the early days of this development. It was ported from the FreeBSD kernel code and is a basic firewall administration tool. Later, Ipchains in the 2.2 kernel implemented three chains, INPUT, OUTPUT and FORWARD, which separately carry out rule matching for incoming packets, outgoing packets and forwarded packets. Ipchains basically implements packet filtering and address translation. Netfilter eventually replaced Ipchains, mainly because Ipchains does not provide a framework for passing packets to userspace, and it must be through kernel programming to...
Keywords/Search Tags: Netfilter, Queue Handler, Parallel