| Research & implement of the project "keyword filter firewall in Linux OperationSystem"is supported by the fund of product and development.The construct and implement of this system is based on the firewall frameworkwhich is called "Netfilter", newly added after the kernel version 2.4 of LinuxOperation System. Using the functions which are hooked in the Netfilter framework,we can check the content of the packets go through the network of the host PC. Thepacket with illegal information will trigger corresponding functions in the securitystrategy module; these functions will do the action which is already designed by theuser to deal with this situation. (They may drop this packet, or queue the packets tothe user space.) At the same time, detail information about those packets we areinterested in will also be recorded in the log files. Administrator can check the logfiles to get valuable information later.In the thesis part, I introduce ISO seven layer models and TCP/IP networkmodels first. And then I give a presentation about some popular firewall model. It isuseful for us to understand the keyword filter firewall framework. After this, I showthe scene how is the packets received and sent by the network stack in LinuxOperation System. At last, it is the introduction of the work flow of Netfilter firewallframework in Linux.In the following section, I describe how to implement the keyword filter firewallin four parts. The first part is register model, it mainly focuses on the initializationwork, including hook the functions on the Netfilter firewall framework andconstructing the most important data structure in the firewall. Next part is namedcharacter device driver module, which is the gate between user space and kernel space.All the data transmission between user space and kernel space must go through it, itworks as an interface. The core part of the firewall is security strategy module, everypacket go through the network protocol stack will be checked by it. It will checkwhether the contents in the packet has illegal information, if do so, the packet willtrigger some functions which dealing with packet contains illegal information; if donot, the packet will be delivered to its original destination. The fourth module is thelog file module; of course, we can know what it does by its name. It logs theinformation we are interested in, and supplies them to the administrator. Last module Iwould introduce is called daemon module, which does many things. For example, if... |
PDF Full Text Request