
Design And Implementation Of A Linux-based Firewall

Posted on: 2016-04-07
Degree: Master
Type: Thesis
Country: China
Candidate: Y S Zeng
Full Text: PDF
GTID: 2308330473455826
Subject: Computer technology
Abstract/Summary:
Virus, Trojan, hacker and spyware attacks are now the major threats to network security. Anti-virus software alone cannot guarantee a system's security, and traditional packet-filtering firewalls are inadequate against the current generation of threats. Although a UTM (Unified Threat Management) gateway integrates firewall, anti-virus, intrusion detection and monitoring functions, it does little for security inside the internal network; only a UTM combined with an application-level firewall can protect the network fully. Based on a study of the Linux kernel, firewall theory and techniques, deep packet inspection, the TCP/IP protocol suite and the popular content management system Joomla, a simple firewall is built in the Linux environment.

The campus firewall design provides URL filtering, which stops campus users from reaching prohibited sites, and IP address to MAC address binding, which prevents an internal campus user from changing their IP address and then launching an attack under it. The hardware firewall already deployed at our school (RG-WALL 1600-EI) offers flow control, so bandwidth can be allocated reasonably among campus users, together with a transparent HTTP proxy, NAT and VPN, which fully cover the needs of the campus network; each of those modules, however, must be purchased separately.

The SIPFW firewall consists of two parts: a control program in user space and a processing module in kernel space. The kernel module performs the packet filtering and handles the filtering rules, global parameters and logging. The netfilter framework provides five hooks (mount points); when a packet enters the network protocol stack, the callback function registered on the corresponding hook is invoked, and packets traversing the INPUT, OUTPUT and FORWARD chains of the framework are filtered there. The user-space part consists of command-line parsing and kernel communication. Command-line parsing handles the user's input with the GNU library functions; the communication part passes the formatted input from user space to kernel space and then presents the processing results to the user. For communication between kernel space and user space, a private netlink socket is created to carry the filtering rules, and the proc virtual file system of the Linux kernel conveys messages to user space. SIPFW can intercept packets, filter them according to rules defined by the user's commands, log packet data, and be configured simply through the configuration file and the proc virtual file system. Testing shows that the system runs well and meets the expected results.
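The kernel-side decision described above (a hook callback that applies IP/MAC binding and URL filtering to each packet) is shown here as an added example; it is not code from the thesis or from SIPFW. To keep it compilable without kernel headers, the same logic is written as plain user-space C over a constructed Ethernet/IPv4/TCP frame. The binding table, the blocked host name, the MAC and IP values and the function names are all assumptions.

```c
/* Added example, not the thesis's SIPFW code: the verdict a netfilter hook
 * would return for one frame, written as user-space C over a constructed
 * frame.  Binding table, host list and addresses are all assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VERDICT_ACCEPT 1   /* plays the role of NF_ACCEPT */
#define VERDICT_DROP   0   /* plays the role of NF_DROP   */

struct binding { uint32_t ip; uint8_t mac[6]; };

/* Assumed campus binding table: 10.0.0.5 may only be used from BOUND_MAC. */
const uint8_t BOUND_MAC[6]   = {0x02, 0x00, 0x00, 0x00, 0x00, 0x05};
const uint8_t SPOOFED_MAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x99};
static const struct binding bindings[] = { {0x0A000005u, {0x02, 0, 0, 0, 0, 0x05}} };
static const char *blocked_hosts[] = { "bad.example", NULL };   /* URL filter list */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Host names are case-insensitive, so compare n bytes ignoring case. */
static int eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* IP/MAC binding: an IP with a registered binding must arrive from that MAC. */
static int binding_ok(uint32_t ip, const uint8_t *mac) {
    for (size_t i = 0; i < sizeof bindings / sizeof bindings[0]; i++)
        if (bindings[i].ip == ip)
            return memcmp(bindings[i].mac, mac, 6) == 0;
    return 1;   /* no binding registered for this IP: nothing to enforce */
}

/* URL filter: 1 if the HTTP Host header in the payload is on the block list. */
static int host_blocked(const uint8_t *p, size_t len) {
    static const char key[] = "\r\nHost: ";
    size_t klen = sizeof key - 1;
    for (size_t i = 0; i + klen < len; i++) {
        if (memcmp(p + i, key, klen) != 0) continue;
        size_t start = i + klen, end = start;
        while (end < len && p[end] != '\r') end++;
        for (const char **h = blocked_hosts; *h; h++)
            if (strlen(*h) == end - start && eq_nocase((const char *)p + start, *h, end - start))
                return 1;
        return 0;
    }
    return 0;
}

/* Walks Ethernet -> IPv4 -> TCP, bounds-checking every header length field
 * before trusting it, then applies the binding check and the URL filter. */
int filter_frame(const uint8_t *f, size_t len) {
    if (len < 14 || rd16(f + 12) != 0x0800) return VERDICT_ACCEPT;  /* not IPv4: out of scope */
    const uint8_t *ip = f + 14; size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return VERDICT_DROP;        /* truncated or bogus header */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > iplen) return VERDICT_DROP;
    if (!binding_ok(rd32(ip + 12), f + 6)) return VERDICT_DROP;       /* source MAC vs source IP */
    if (ip[9] != 6) return VERDICT_ACCEPT;                             /* only TCP carries HTTP */
    const uint8_t *tcp = ip + ihl; size_t tcplen = iplen - ihl;
    if (tcplen < 20) return VERDICT_DROP;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcplen) return VERDICT_DROP;
    if (rd16(tcp + 2) != 80) return VERDICT_ACCEPT;                    /* not plaintext HTTP */
    return host_blocked(tcp + doff, tcplen - doff) ? VERDICT_DROP : VERDICT_ACCEPT;
}

/* Constructed test frame: Ethernet + IPv4 + TCP to 93.184.216.34:80 carrying
 * the given HTTP text.  Checksums stay zero; the filter does not check them. */
size_t build_frame(uint8_t *buf, const uint8_t *src_mac, uint32_t src_ip, const char *http) {
    size_t plen = strlen(http), tot = 20 + 20 + plen;
    memset(buf, 0, 54);
    memset(buf, 0xff, 6); memcpy(buf + 6, src_mac, 6); buf[12] = 0x08; buf[13] = 0x00;
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[2] = (uint8_t)(tot >> 8); ip[3] = (uint8_t)tot; ip[8] = 64; ip[9] = 6;
    ip[12] = (uint8_t)(src_ip >> 24); ip[13] = (uint8_t)(src_ip >> 16);
    ip[14] = (uint8_t)(src_ip >> 8);  ip[15] = (uint8_t)src_ip;
    ip[16] = 93; ip[17] = 184; ip[18] = 216; ip[19] = 34;
    uint8_t *tcp = ip + 20;
    tcp[0] = 0xC0; tcp[3] = 80; tcp[12] = 0x50; tcp[13] = 0x18;   /* sport 49152, dport 80, PSH|ACK */
    memcpy(tcp + 20, http, plen);
    return 54 + plen;
}

/* Builds one frame and returns the verdict the hook would give it. */
int verdict_for(const uint8_t *src_mac, uint32_t src_ip, const char *http) {
    uint8_t frame[512];
    if (strlen(http) > sizeof frame - 54) return VERDICT_DROP;
    return filter_frame(frame, build_frame(frame, src_mac, src_ip, http));
}

int main(void) {
    printf("bound MAC, blocked host: %s\n",
           verdict_for(BOUND_MAC, 0x0A000005u, "GET / HTTP/1.1\r\nHost: bad.example\r\n\r\n") ? "ACCEPT" : "DROP");
    printf("spoofed MAC, benign host: %s\n",
           verdict_for(SPOOFED_MAC, 0x0A000005u, "GET / HTTP/1.1\r\nHost: www.example\r\n\r\n") ? "ACCEPT" : "DROP");
    return 0;
}
```

Two limits of this design are worth keeping in mind. The binding check only catches a user who changes their IP address but not their MAC; a user who spoofs both (or the switch port does not enforce port security) passes it. The URL filter reads the Host header out of plaintext HTTP on port 80, so it sees nothing inside TLS and nothing on other ports.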
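The user-space half described above (command-line parsing that produces a formatted rule for the kernel) is shown here as an added example, not as SIPFW's own code. It assumes the GNU function meant is getopt_long, assumes an iptables-like rule grammar (`-A CHAIN -s IP -m MAC -j ACTION`), and fills a fixed-layout struct of the kind that would be the payload of a netlink message to the kernel module. The struct layout, option names and function names are assumptions; the netlink send itself is not shown.

```c
/* Added example, not the thesis's SIPFW code: the user-space side, which turns
 * a command line into a fixed-layout rule that would be the payload of a
 * netlink message to the kernel module.  The grammar is an assumption:
 *   sipfw -A INPUT -s 10.0.0.5 -m 02:00:00:00:00:05 -j DROP
 * Every field is validated here, before it crosses into the kernel. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <getopt.h>
#include <arpa/inet.h>

enum { CHAIN_INPUT = 0, CHAIN_OUTPUT = 1, CHAIN_FORWARD = 2 };
enum { ACT_ACCEPT = 0, ACT_DROP = 1 };

/* Fixed-width fields, no pointers: user and kernel space agree on the bytes. */
struct fw_rule {
    uint32_t src_ip;    /* network byte order, 0 = any source */
    uint8_t  chain;
    uint8_t  action;
    uint8_t  has_mac;   /* 1 if mac[] is meaningful */
    uint8_t  mac[6];
};

struct fw_rule last_rule;   /* result of the last parse_rule_str() call */

/* "aa:bb:cc:dd:ee:ff" -> 6 bytes; rejects anything else, including trailing junk. */
static int parse_mac(const char *s, uint8_t out[6]) {
    unsigned v[6]; char tail;
    if (sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x%c", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail) != 6)
        return -1;
    for (int i = 0; i < 6; i++) out[i] = (uint8_t)v[i];
    return 0;
}

static int parse_chain(const char *s) {
    if (strcmp(s, "INPUT") == 0) return CHAIN_INPUT;
    if (strcmp(s, "OUTPUT") == 0) return CHAIN_OUTPUT;
    if (strcmp(s, "FORWARD") == 0) return CHAIN_FORWARD;
    return -1;
}

static int parse_action(const char *s) {
    if (strcmp(s, "ACCEPT") == 0) return ACT_ACCEPT;
    if (strcmp(s, "DROP") == 0) return ACT_DROP;
    return -1;
}

/* Parses argv with getopt_long into *r.  Returns 0 on success, -1 if the chain
 * or action is missing, any field is malformed, or arguments are left over. */
int parse_rule(int argc, char **argv, struct fw_rule *r) {
    static const struct option longopts[] = {
        {"append", required_argument, 0, 'A'},
        {"source", required_argument, 0, 's'},
        {"mac",    required_argument, 0, 'm'},
        {"jump",   required_argument, 0, 'j'},
        {0, 0, 0, 0}
    };
    int opt, chain = -1, action = -1;
    uint32_t addr;
    memset(r, 0, sizeof *r);
    optind = 0;    /* glibc/musl: re-initialise getopt for a fresh argv */
    opterr = 0;    /* report errors through the return value, not stderr */
    while ((opt = getopt_long(argc, argv, "A:s:m:j:", longopts, NULL)) != -1) {
        switch (opt) {
        case 'A': chain = parse_chain(optarg); break;
        case 's': if (inet_pton(AF_INET, optarg, &addr) != 1) return -1;
                  r->src_ip = addr; break;
        case 'm': if (parse_mac(optarg, r->mac) != 0) return -1;
                  r->has_mac = 1; break;
        case 'j': action = parse_action(optarg); break;
        default:  return -1;   /* unknown option or missing argument */
        }
    }
    if (chain < 0 || action < 0 || optind != argc) return -1;
    r->chain = (uint8_t)chain;
    r->action = (uint8_t)action;
    return 0;
}

/* Splits a space-separated command line into argv and parses it into last_rule. */
int parse_rule_str(const char *cmdline) {
    static char prog[] = "sipfw";
    char buf[256], *argv[32];
    int argc = 0;
    if (strlen(cmdline) >= sizeof buf) return -1;
    strcpy(buf, cmdline);
    argv[argc++] = prog;
    for (char *tok = strtok(buf, " "); tok && argc < 31; tok = strtok(NULL, " "))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return parse_rule(argc, argv, &last_rule);
}

int main(void) {
    if (parse_rule_str("-A INPUT -s 10.0.0.5 -m 02:00:00:00:00:05 -j DROP") == 0)
        printf("chain=%u action=%u has_mac=%u src=%08x\n", last_rule.chain,
               last_rule.action, last_rule.has_mac, ntohl(last_rule.src_ip));
    return 0;
}
```

The point of validating in user space is that the kernel module then only ever receives a fixed-size struct with fields already in range; the kernel side should still check the message length and the chain and action values, because anything with the right privileges can open the same netlink family and send bytes that never passed through this parser.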
Keywords/Search Tags: Network security, firewall, interception, Protocol