
The Research And Implementation Of The Compositive Firewall Based On Linux Kernel

Posted on: 2006-02-14
Degree: Master
Type: Thesis
Country: China
Candidate: B F Xie
Full Text: PDF
GTID: 2168360152971666
Subject: Computer application technology
Abstract/Summary:
As an important technology of network security, the firewall has great research significance. This thesis developed a firewall product that combines basic packet filtering, dynamic packet filtering, content filtering and log management, aimed at small and medium-sized users. The firewall is based on the netfilter framework of Linux: the basic packet filter function is implemented with netfilter, and three further modules are added on top of it.

1. Dynamic packet filter module: The dynamic packet filter that comes with netfilter is relatively simple; it saves only the source address and port and the destination address and port in a connection state table, so it holds little connection information and offers low security. Therefore a new dynamic packet filter module was developed, in which further table items are added, such as the sequence number, the acknowledgment number and the window size. It can not only check whether a packet belongs to a legitimate connection and whether the TCP state transition is valid, but also check the packet's sequence number and make sure that the packet really belongs to this connection, that is, that it is not a forged one. This module therefore improves the security of the firewall.

2. Content filter module: This module filters packets with a content filtering algorithm based on protocol analysis, which addresses the problem that packet filtering and dynamic packet filtering cannot resist content-based attacks. On the basis of protocol analysis the algorithm detects whether packets contain dangerous strings. Detection is fast and introduces little delay, which is better than a common pattern matching algorithm.

3. Log management module: It separates the firewall's logs from other logs and inserts them into a log database for storage and management, which facilitates later auditing and detection.

Experiments on the firewall designed in this thesis were also carried out, and they proved that the firewall satisfies the design requirements. Finally, the prospects of firewall technology and its relative merits are summarized.
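As an added illustration (not code from the thesis) of the sequence-number, acknowledgment-number and window-size checks that the dynamic packet filter module performs on top of the plain address/port table, the following C snippet keeps both directions of a TCP connection in a table entry and rejects segments whose sequence numbers fall outside the receiver's advertised window or whose acknowledgments are impossible; the struct layout, function names and sample numbers are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed example, not the thesis's code. One direction of a tracked TCP
 * connection: next sequence number this side should send, highest ACK it has
 * sent, and the receive window it last advertised (the extra table items). */
struct tcp_dir { uint32_t next_seq, last_ack, win; };
struct tcp_conn { struct tcp_dir dir[2]; }; /* dir[0]: client->server, dir[1]: reverse */
/* Wraparound-aware comparisons on the 32-bit sequence space. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static bool seq_after(uint32_t a, uint32_t b)  { return seq_before(b, a); }
/* Fill the table entry once the three-way handshake has completed. */
void tcp_conn_init(struct tcp_conn *c, uint32_t client_isn, uint32_t server_isn, uint32_t client_win, uint32_t server_win)
{
    c->dir[0] = (struct tcp_dir){ client_isn + 1, server_isn + 1, client_win };
    c->dir[1] = (struct tcp_dir){ server_isn + 1, client_isn + 1, server_win };
}
/* Accept a segment from side `from` (0 or 1) only if its bytes fall inside the
 * receiver's window and its ACK neither covers data the peer never sent nor
 * moves backwards; on success the table entry is advanced. */
bool tcp_check_segment(struct tcp_conn *c, int from, uint32_t seq, uint32_t ack, uint32_t len)
{
    struct tcp_dir *s = &c->dir[from & 1], *r = &c->dir[(from & 1) ^ 1];
    uint32_t seq_end = seq + len;          /* may wrap, by design         */
    uint32_t win_lo  = r->last_ack;        /* receiver's rcv_nxt          */
    uint32_t win_hi  = win_lo + r->win;    /* first unacceptable sequence */
    if (r->win == 0) {                     /* zero window: only a probe at rcv_nxt */
        if (len != 0 || seq != win_lo) return false;
    } else if (seq_before(seq_end, win_lo) || !seq_before(seq, win_hi)) {
        return false;                      /* outside the receiver's window */
    }
    if (seq_after(ack, r->next_seq) || seq_before(ack, s->last_ack))
        return false;                      /* impossible or regressing ACK */
    if (seq_after(seq_end, s->next_seq)) s->next_seq = seq_end;
    if (seq_after(ack, s->last_ack))     s->last_ack = ack;
    return true;
}
/* Scenario over constructed values; returns how many of six expected verdicts hold. */
int tcp_scenario(void)
{
    struct tcp_conn c; int ok = 0;
    tcp_conn_init(&c, 1000, 5000, 8192, 8192);
    ok += tcp_check_segment(&c, 0, 1001, 5001, 100) == true;    /* client data in window  */
    ok += tcp_check_segment(&c, 0, 2000000, 5001, 10) == false; /* seq far outside window */
    ok += tcp_check_segment(&c, 1, 5001, 1101, 50) == true;     /* server reply           */
    ok += tcp_check_segment(&c, 1, 5051, 1200, 0) == false;     /* acks data never sent   */
    ok += tcp_check_segment(&c, 0, 1101, 5000, 0) == false;     /* ACK moving backwards   */
    tcp_conn_init(&c, 0xFFFFFF00u, 7000, 8192, 8192);
    ok += tcp_check_segment(&c, 0, 0xFFFFFF01u, 7001, 0x200) == true; /* seq wraps */
    return ok;
}
```

The TCP state-transition check the abstract also mentions is left out here; a real implementation would gate this window check on the connection being in an established state.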
Keywords/Search Tags: Firewall, Linux/netfilter, Dynamic Packet Filter, Content Filter, Log Manage