
Research And Implementation Of State Inspection Firewall Based On Linux 2.6

Posted on: 2012-08-15
Degree: Master
Type: Thesis
Country: China
Candidate: C Q Yao
GTID: 2218330338462106
Subject: Systems analysis and integration

Abstract/Summary:
Firewall technology is a relatively mature network security technology, and many of today's networks still use it. It has developed into a multi-function security gateway and has become an indispensable part of modern Internet infrastructure. After decades of development, firewall technology has become increasingly mature.

The difference between a firewall and a router is that the router is the network device responsible for forwarding packets, while the firewall is the network device responsible for dropping packets. For the packets it accepts, the firewall is also responsible for sending them to the corresponding port; in this sense, a firewall (security gateway) can take over the role of the router in completing the network connection. State detection technology is an advanced packet filtering technology that uses the characteristics of the TCP/IP protocol to perform only the necessary checks on network packets. It greatly reduces the number of rules that have to be matched, and it is a milestone in improving firewall data throughput.

Linux is a rising operating system whose user base is gradually expanding across desktop use, server applications and embedded development. Google's Android system is developed on Linux. Since its creation, Linux's excellent network support has met the needs of a variety of network environments, and it provides full support for the TCP/IP protocol. Since Linux kernel 2.4, the netfilter framework has been part of the kernel, bringing with it a complete implementation of state detection technology. The netfilter connection tracking module is exposed to users as a Linux kernel-level API, so it can be used to develop a firewall with stateful inspection capabilities. It can be said that most current firewall products on the market are developed on the Linux kernel, and some are even built directly on the iptables configuration tools.

Based on an analysis of the Linux network packet forwarding process and of connection tracking technology in practical applications, this paper is the first to propose the concept of automatic flow control for sub-connections. It has broad implications for the study of the Linux kernel network module. The state inspection firewall implemented here can run on embedded systems. As a simple security gateway, it can be used directly to protect a small network. It provides a set of reference models for Linux kernel developers and the open source community.
Keywords/Search Tags: state inspection, netfilter, conntrack, firewall