
Design And Implementation Of A Linux-based Firewall

Posted on: 2015-12-22 | Degree: Master | Type: Thesis
Country: China | Candidate: H R Xia | Full Text: PDF
GTID: 2308330473451669 | Subject: Software engineering
Abstract/Summary:
Virus attacks, Trojan attacks, hacker attacks and spyware theft are presently the major threats to network security. Anti-virus software alone cannot ensure the security of systems. Traditional firewalls fail against the new generation of threats, and although the UTM (Unified Threat Management) gateway integrates the functions of a firewall, an antivirus system and an intrusion detection and monitoring system, it is deficient in performance and in internal network security, so it must cooperate with an application-level firewall to jointly safeguard network security. Through research on the Linux kernel, firewall theory and techniques, deep packet inspection technology, the TCP/IP protocol and the domestically popular content management system Joomla, a simple firewall is built in the Linux environment.

The campus firewall design provides a URL filtering function that can control campus users' access to illegal sites. It implements IP address and MAC address binding, preventing internal campus network users from changing their IP address to launch malicious attacks. The hardware firewall has a flow control function that can reasonably allocate bandwidth to campus users. The RG-WALL 1000 also has an HTTP transparent proxy, a NAT function and a VPN function, and can fully meet the needs of the campus network.

The SIPFW firewall consists of two parts: the user interface in user space and the processing module in kernel space. The kernel module accomplishes network data filtering, handling of the data filtering rules, overall parameter control and logging. The netfilter framework has 5 hooks (mount points). When network data enter the network protocol stack, the callback function is invoked and processing passes to user space. The network data in the INPUT chain, the OUTPUT chain and the FORWARD chain of the netfilter framework is filtered. The user space consists of command line parsing and kernel communication.

Command line parsing handles the input using GNU system functions, and the communication part transfers the formatted input from user space to kernel space and presents the processing results to the user. For communication between kernel space and user space, a private Netlink socket is created to handle the filtering rules. The PROC virtual file system in the Linux kernel conveys the firewall's messages to user space. The SIPFW firewall can accomplish simple network data interception, designing filtering rules according to the user's commands, logging how the network data was processed, and simple configuration through the configuration file and the PROC virtual file system. Through testing, the system runs well and has met expectations.
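As an added illustration of the IP/MAC binding check that the abstract assigns to the kernel processing module, the following is a user-space C model written for this page, not the SIPFW code from the thesis: it parses a constructed Ethernet/IPv4 frame and returns a netfilter-style verdict. The binding table, MAC and IP addresses are assumed sample values.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define VERDICT_DROP   0   /* same numeric values as netfilter's NF_DROP */
#define VERDICT_ACCEPT 1   /* and NF_ACCEPT */

struct binding { uint8_t ip[4]; uint8_t mac[6]; };

/* Hypothetical binding table: each campus host's IP is tied to its MAC. */
static const struct binding bindings[] = {
    { {10, 1, 2, 3}, {0x00, 0x11, 0x22, 0x33, 0x44, 0x55} },
    { {10, 1, 2, 4}, {0x00, 0x11, 0x22, 0x33, 0x44, 0x66} },
};

/* Inspect an Ethernet frame carrying IPv4. A bound IP sent from any other
 * MAC is dropped (the host changed its address); unbound IPs and non-IPv4
 * frames pass, leaving them to other rules. Truncated frames are dropped. */
int filter_frame(const uint8_t *frame, size_t len)
{
    if (len < 14 + 20)                        /* Ethernet + minimal IPv4 */
        return VERDICT_DROP;
    if (frame[12] != 0x08 || frame[13] != 0x00) /* EtherType is not IPv4 */
        return VERDICT_ACCEPT;
    const uint8_t *src_mac = frame + 6;       /* source MAC at offset 6 */
    const uint8_t *ip = frame + 14;
    if ((ip[0] >> 4) != 4)                    /* IP version nibble */
        return VERDICT_DROP;
    const uint8_t *src_ip = ip + 12;          /* saddr at IPv4 offset 12 */
    for (size_t i = 0; i < sizeof bindings / sizeof bindings[0]; i++)
        if (memcmp(bindings[i].ip, src_ip, 4) == 0)
            return memcmp(bindings[i].mac, src_mac, 6) == 0
                   ? VERDICT_ACCEPT : VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Build a constructed 34-byte frame (broadcast dst MAC, given src MAC and
 * src IP, empty IPv4 payload) for testing the filter without a network. */
size_t make_frame(uint8_t *buf, const uint8_t *src_mac, const uint8_t *src_ip)
{
    memset(buf, 0, 34);
    memset(buf, 0xff, 6);                     /* destination MAC */
    memcpy(buf + 6, src_mac, 6);
    buf[12] = 0x08; buf[13] = 0x00;           /* EtherType IPv4 */
    buf[14] = 0x45;                           /* version 4, IHL 5 */
    buf[17] = 20;                             /* total length (header only) */
    memcpy(buf + 26, src_ip, 4);              /* saddr at offset 14 + 12 */
    return 34;
}
```

In the real module the same decision would be made inside a hook callback on the INPUT, OUTPUT and FORWARD chains, with the binding table populated from user space over the Netlink socket.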
Keywords/Search Tags: Network security, firewall, interception, Protocol