
The Research And Realization Of Firewall Based On Embedded Linux Technology

Posted on: 2008-06-21
Degree: Master
Type: Thesis
Country: China
Candidate: Z H Liu
GTID: 2178360242971586
Subject: Computer software and theory
Abstract/Summary:
Firewall technology is the cornerstone of network security. This paper introduces the fundamentals of firewalls, including the basic concepts, classes, technologies and system structure. On this basis, the author studies the implementation of TCP/IP in the Linux operating system and netfilter/iptables, the Linux firewall. Finally, the paper develops a firewall product that combines basic packet filtering, dynamic packet filtering, content filtering and a web configuration system, and that is aimed at small and medium-sized users. The firewall is based on the netfilter framework of Linux: it implements the basic packet filter function using netfilter, on top of which three modules are added.

Dynamic packet filter module: The dynamic packet filter that comes with netfilter is relatively simple. It saves only the source address and port and the destination address and port in a connection state table, so it holds little connection information and offers low security. Therefore, a new dynamic packet filter model was developed, in which table items are added, such as the sequence number, the acknowledgment number and the window size. It can not only check whether a packet belongs to a legal connection and determine whether the TCP state transition is correct, but also check the sequence number of the packet and ensure that the packet is the right one for this connection, that is, that the packet is not forged. This model therefore improves the security of the firewall.

Content filter module: This module filters packets with a content filter algorithm based on protocol analysis, which solves the problem that the basic packet filter and the dynamic packet filter cannot resist content-based attacks. On the basis of protocol analysis, the algorithm detects whether packets contain dangerous strings. It is fast in detection and adds little delay, which makes it better than a common pattern matching algorithm.

Web configuration system: Users can create firewall rules with iptables, but many parameters are needed. The author therefore developed a web configuration system for the Linux firewall, which provides visual configuration through a browser. The author also introduces some methods for checking the semantic integrity of firewall rules, in order to assist users in entering the rules.

Finally, the author sums up the research work and points out further research work.
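The sequence check that the dynamic packet filter module describes can be sketched as follows. This is an added example, not code from the thesis: the struct and function names are assumptions, the acceptance rule is a simplified strict one, and TCP window scaling and the handshake states are left out.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per-direction fields added to the 4-tuple entry (names are assumptions). */
struct dir_state {
    uint32_t next_seq; /* highest sequence number sent so far, plus one */
    uint32_t last_ack; /* highest acknowledgment number sent */
    uint32_t window;   /* last advertised receive window, in bytes */
};

struct conn_entry {
    uint32_t saddr, daddr;   /* what a plain 4-tuple state table keeps */
    uint16_t sport, dport;
    struct dir_state dir[2]; /* 0 = initiator, 1 = responder */
};

enum verdict { PKT_DROP = 0, PKT_ACCEPT = 1 };

/* Sequence numbers wrap modulo 2^32, so compare by signed difference. */
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* State as it stands once the three-way handshake has completed. */
struct conn_entry conn_after_handshake(uint32_t c_isn, uint32_t s_isn, uint32_t win)
{
    struct conn_entry c = {0};
    c.dir[0] = (struct dir_state){ c_isn + 1, s_isn + 1, win };
    c.dir[1] = (struct dir_state){ s_isn + 1, c_isn + 1, win };
    return c;
}

/* Validate one segment sent by direction d on an established connection. */
enum verdict check_segment(struct conn_entry *c, int d, uint32_t seq,
                           uint32_t ack, uint32_t len, uint32_t win)
{
    struct dir_state *snd = &c->dir[d], *rcv = &c->dir[!d];
    uint32_t end = seq + len;
    uint32_t right_edge = rcv->last_ack + rcv->window;

    /* Payload must sit inside the window the receiver advertised. */
    if (!seq_leq(rcv->last_ack, seq) || !seq_leq(end, right_edge))
        return PKT_DROP;
    /* The ACK may not cover bytes the peer has never sent. */
    if (!seq_leq(ack, rcv->next_seq))
        return PKT_DROP;

    if (!seq_leq(end, snd->next_seq)) snd->next_seq = end;
    if (!seq_leq(ack, snd->last_ack)) snd->last_ack = ack;
    snd->window = win;
    return PKT_ACCEPT;
}
```

A segment that matches the address and port 4-tuple but carries an out-of-window sequence number is dropped here, which a table holding only the 4-tuple cannot do.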
Keywords/Search Tags:Embedded Linux, Firewall, Netfilter, TCP/IP