
Research and Implementation of a Firewall Based on Embedded Linux

The Research and Realization of Firewall Based on Embedded Linux Technology

【Author】 刘正海

【Supervisor】 陈林

【Author information】 Chongqing University (重庆大学), Computer Software and Theory, 2007, Master's thesis

【Abstract】 Firewall technology is a cornerstone of network security. This thesis first surveys the relevant background: the basic concepts of firewalls, their classification, their main techniques and their architectures. On that basis it studies the implementation of TCP/IP in the Linux operating system and the Netfilter/iptables framework of the Linux firewall. Finally, it develops a firewall product for small and medium-sized users with basic packet filtering, dynamic (stateful) packet filtering, content filtering and rule configuration. The firewall is built on the Linux Netfilter architecture, using Netfilter itself for basic packet filtering, and adds three functional modules on top of it:

Dynamic packet filtering module: the thesis characterises Netfilter's built-in dynamic filtering as simple, keeping only the source and destination addresses and ports in a connection table, so that little connection information is checked and security is low. A new dynamic packet filtering module was therefore developed, adding the sequence number, acknowledgement number and window size to each entry of the connection state table. It not only checks whether a packet belongs to a legitimate connection and whether its TCP state transition is correct, but also checks the packet's sequence number to decide whether the packet is legitimate on that connection, i.e. to ensure that a received packet is not forged, thereby strengthening the firewall's security.

Content filtering module: a content filtering algorithm based on protocol analysis inspects packet contents, addressing the fact that packet filtering and dynamic packet filtering cannot stop content-level attacks. Building on protocol analysis, the algorithm checks whether a packet contains dangerous strings; its performance is better than that of generic pattern matching, with fast detection and low latency.

Web configuration system: users can build firewall rules with the iptables command, but iptables takes many parameters and building rules this way is tedious. The thesis therefore develops a Web-based configuration system for Linux firewall rules, which allows the firewall to be configured visually from a browser, and proposes some methods for checking the semantic integrity of firewall rules to assist user input.

Finally, the thesis summarises the work done and points out directions for further research.
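The dynamic packet filtering module above combines two checks: a TCP state machine and a per-connection sequence/acknowledgement/window check that rejects segments a blind attacker could not have produced. The following user-space model, written for this page and not taken from the thesis or its kernel module, shows both checks together on a constructed client/server exchange. State names, field names and the transition table are this example's own; sequence numbers are plain Python ints (no 32-bit wraparound, no SACK, no mid-stream pickup), and old retransmissions are tolerated up to one receiver window, which is the same scheme Linux's own nf_conntrack has applied since the 2.6 kernel series (its td_end/td_maxend/td_maxwin fields, relaxed by the nf_conntrack_tcp_be_liberal sysctl), so the thesis's description of Netfilter's built-in tracking should be read against the kernels of its time.

```python
"""Stateful TCP tracking with sequence, acknowledgement and window checks.

Added example (not the thesis's code): a segment is accepted only if its
flags are a legal transition for the connection's state AND its seq/ack
numbers fall inside the window the peer has advertised.
"""
from dataclasses import dataclass, field

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Side:
    """Bookkeeping for one direction: index 0 = original, 1 = reply."""
    end: int = 0     # highest seq + len this side has sent so far
    maxend: int = 0  # highest ack + win the peer has allowed this side to send up to
    maxwin: int = 0  # largest window this side has advertised


@dataclass
class Connection:
    state: str = "NONE"
    sides: list = field(default_factory=lambda: [Side(), Side()])


def flag_class(flags):
    if flags & RST:
        return "RST"
    if flags & SYN:
        return "SYNACK" if flags & ACK else "SYN"
    return "FIN" if flags & FIN else "ACK"


# (current state, direction, flag class) -> next state; anything else is illegal.
TRANSITIONS = {
    ("NONE", 0, "SYN"): "SYN_SENT",
    ("SYN_SENT", 0, "SYN"): "SYN_SENT",          # retransmitted SYN
    ("SYN_SENT", 1, "SYNACK"): "SYN_RECV",
    ("SYN_RECV", 1, "SYNACK"): "SYN_RECV",       # retransmitted SYN/ACK
    ("SYN_RECV", 0, "ACK"): "ESTABLISHED",
    ("ESTABLISHED", 0, "ACK"): "ESTABLISHED",
    ("ESTABLISHED", 1, "ACK"): "ESTABLISHED",
    ("ESTABLISHED", 0, "FIN"): "FIN_WAIT",
    ("ESTABLISHED", 1, "FIN"): "FIN_WAIT",
    ("FIN_WAIT", 0, "ACK"): "FIN_WAIT",
    ("FIN_WAIT", 1, "ACK"): "FIN_WAIT",
    ("FIN_WAIT", 0, "FIN"): "TIME_WAIT",
    ("FIN_WAIT", 1, "FIN"): "TIME_WAIT",
    ("TIME_WAIT", 0, "ACK"): "TIME_WAIT",
    ("TIME_WAIT", 1, "ACK"): "TIME_WAIT",
}


def in_window(conn, direction, seq, ack, win, length, flags):
    """Sequence/ack validity of one segment against the peer's advertised window."""
    sender, receiver = conn.sides[direction], conn.sides[1 - direction]
    end = seq + length + bool(flags & SYN) + bool(flags & FIN)  # SYN/FIN take one seq each
    if sender.end == 0:  # first segment from this side seeds its bookkeeping
        sender.end = sender.maxend = end
        sender.maxwin = max(win, 1)
    ok = seq <= sender.maxend and end >= sender.end - receiver.maxwin
    if ok and flags & ACK and receiver.end != 0:
        ok = receiver.end - sender.maxwin <= ack <= receiver.end  # cannot ack unsent data
    if ok:  # only valid segments advance the bookkeeping
        sender.end = max(sender.end, end)
        sender.maxwin = max(sender.maxwin, win)
        if flags & ACK:
            receiver.maxend = max(receiver.maxend, ack + win)
    return ok


def track(conn, direction, seq, ack, win, length, flags):
    """Return 'ACCEPT' or 'DROP' for one segment and update the connection entry."""
    cls = flag_class(flags)
    if cls == "RST":
        nxt = "CLOSED" if conn.state not in ("NONE", "CLOSED") else None
    else:
        nxt = TRANSITIONS.get((conn.state, direction, cls))
    if nxt is None:
        return "DROP"  # illegal transition, e.g. a SYN injected into ESTABLISHED
    if not in_window(conn, direction, seq, ack, win, length, flags):
        return "DROP"  # outside the window: forged or badly stale segment
    conn.state = nxt
    return "ACCEPT"


def demo():
    """Constructed exchange: handshake, data, three forged segments, then FIN."""
    c = Connection()
    segs = [  # (direction, seq, ack, win, payload_len, flags)
        (0, 1000, 0, 65535, 0, SYN),            # client SYN, ISN 1000
        (1, 5000, 1001, 29200, 0, SYN | ACK),   # server SYN/ACK, ISN 5000
        (0, 1001, 5001, 65535, 0, ACK),         # handshake complete
        (0, 1001, 5001, 65535, 100, ACK),       # client sends 100 bytes
        (1, 5001, 1101, 29200, 200, ACK),       # server replies with 200 bytes
        (0, 1101, 9000, 65535, 10, ACK),        # forged: acks data the server never sent
        (0, 40000, 5201, 65535, 10, ACK),       # forged: seq beyond the server's window
        (0, 1101, 5201, 65535, 0, SYN),         # forged: SYN into ESTABLISHED
        (0, 1101, 5201, 65535, 0, FIN | ACK),   # client closes
    ]
    return [track(c, *s) for s in segs], c.state


if __name__ == "__main__":
    print(demo())
```

The three forged segments fail for three different reasons: the first acknowledges bytes beyond what the server has sent (acknowledgement check), the second starts past the window the server advertised (sequence check), and the third is a legal-looking SYN that is simply not a permitted transition out of ESTABLISHED (state check). A table that stored only addresses and ports would accept all three.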

【Abstract (author's English)】 Firewall technology is the cornerstone of network security. This thesis introduces the relevant aspects of firewalls, including basic concepts, classification, techniques and system architecture. On this basis the author studies the implementation of TCP/IP in the Linux operating system and the Netfilter/iptables framework of the Linux firewall. Finally, the thesis develops a firewall product, aimed at small and medium-sized users, that combines basic packet filtering, dynamic packet filtering, content filtering and a Web configuration system. The firewall is based on the Netfilter architecture of Linux and uses Netfilter for basic packet filtering; three modules are added on top of it.

Dynamic packet filter module: the dynamic packet filter that comes with Netfilter is relatively simple, saving only the source address and port and the destination address and port in a connection state table, so it holds little connection information and offers low security. Therefore a new dynamic packet filter module was developed, in which further table entries are added, such as the sequence number, acknowledgement number and window size. It can not only check whether a packet belongs to a legitimate connection and whether the TCP state transition is correct, but also check the packet's sequence number and confirm that the packet is the right one for this connection, that is, not a forged one. This module thus improves the security of the firewall.

Content filter module: this module uses a content filtering algorithm based on protocol analysis, which addresses the problem that packet filtering and dynamic packet filtering cannot resist content-based attacks. The algorithm detects whether packets contain dangerous strings on the basis of protocol analysis. It is fast in detection and has little delay, which is better than a common pattern matching algorithm.

Web configuration system: users may create firewall rules with iptables, but many parameters are needed. So the author developed a Web configuration system for the Linux firewall, which implements visual configuration through a browser. At the same time, the author introduces some methods for checking the semantic integrity of firewall rules, in order to assist users in entering them.

Finally, the author sums up the research and points out further research work.
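The content filter module's claim is that matching dangerous strings after protocol analysis beats matching them over the raw payload. The example below, written for this page and not taken from the thesis, makes the difference concrete for HTTP: the request line and headers are parsed, the path and query are percent-decoded, and each signature is applied only to the field it targets. A flat byte-substring scan is included for contrast. The signatures, the tiny HTTP parser and the three sample requests are all constructed for this example.

```python
"""Protocol-aware content filtering for HTTP requests.

Added example (not the thesis's code): parse first, decode, then match each
signature against the one field it is written for.
"""
import re
from urllib.parse import unquote

# (field, pattern, label): each pattern is applied to a single parsed field.
SIGNATURES = [
    ("path", re.compile(r"(^|/)\.\.(/|$)"), "directory traversal"),
    ("path", re.compile(r"/etc/passwd"), "sensitive file access"),
    ("query", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"), "SQL injection"),
    ("query", re.compile(r"(?i)<script\b"), "cross-site scripting"),
    ("header:user-agent", re.compile(r"(?i)\b(sqlmap|nikto)\b"), "scanner fingerprint"),
]


def parse_http_request(payload: bytes):
    """Minimal HTTP/1.x request parser; returns None if the payload is not a well-formed request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$", lines[0])
    if not m:
        return None
    method, target, _version = m.groups()
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None  # malformed header line
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": unquote(path),    # decode %2e%2e and friends before matching
        "query": unquote(query),
        "headers": headers,
        "body": body,
    }


def inspect(payload: bytes):
    """Return a list of (label, field) hits for one request payload."""
    req = parse_http_request(payload)
    if req is None:
        return [("non-HTTP or malformed request", "request-line")]
    hits = []
    for field, pattern, label in SIGNATURES:
        if field.startswith("header:"):
            value = req["headers"].get(field.split(":", 1)[1], "")
        else:
            value = req[field]
        if pattern.search(value):
            hits.append((label, field))
    return hits


def naive_scan(payload: bytes):
    """Flat substring scan over the raw bytes, for contrast with inspect()."""
    needles = [("directory traversal", b"../"), ("SQL injection", b"UNION SELECT")]
    return [label for label, needle in needles if needle in payload]


# Constructed sample traffic (not captured data).
ATTACK_TRAVERSAL = (b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"
                    b"Host: fw.example\r\n\r\n")
ATTACK_SQLI = (b"GET /item?id=1%20union%20select%20user,pass%20from%20users HTTP/1.1\r\n"
               b"Host: fw.example\r\n\r\n")
BENIGN_BODY = (b"POST /comment HTTP/1.1\r\nHost: fw.example\r\n"
               b"Content-Length: 18\r\n\r\ntext=see ../README")

if __name__ == "__main__":
    for name, sample in [("traversal", ATTACK_TRAVERSAL), ("sqli", ATTACK_SQLI), ("benign", BENIGN_BODY)]:
        print(name, "protocol-aware:", inspect(sample), "naive:", naive_scan(sample))
```

On the constructed samples the flat scan misses both attacks (the traversal is percent-encoded, the SQL keywords are lower-case and encoded) and flags the benign POST because "../" happens to appear in a form field; the protocol-aware filter catches both attacks and passes the benign request, because each signature only ever sees the decoded field it was written for.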
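The Web configuration system's "semantic integrity" checks are the part of such a tool that stops a user from committing a rule set that is syntactically valid but does not do what they meant. The example below, written for this page and not taken from the thesis, models rules with the handful of iptables matches a small-site UI typically exposes (protocol, source, destination, source/destination port, target) and performs two checks: field consistency (ports only make sense with tcp or udp, addresses must be valid CIDRs, ports must be in range) and shadowing (a later rule that an earlier rule in the same chain already covers can never match, which is a contradiction if the targets differ and dead weight if they agree). The rule model, field names and sample chain are constructed for this example.

```python
"""Semantic checks for iptables-style rules before they are committed.

Added example (not the thesis's Web configuration system). A rule is a dict
with optional keys proto, src, dst, sport, dport and a mandatory target;
ports are an int or an (lo, hi) tuple.
"""
import ipaddress

TARGETS = {"ACCEPT", "DROP", "REJECT"}
PROTOCOLS = {"all", "tcp", "udp", "icmp"}


def validate(rule):
    """Return human-readable problems with one rule; an empty list means it is well-formed."""
    problems = []
    proto = rule.get("proto", "all")
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol {proto!r}")
    for key in ("src", "dst"):
        try:
            ipaddress.ip_network(rule.get(key, "0.0.0.0/0"), strict=False)
        except ValueError:
            problems.append(f"{key} {rule.get(key)!r} is not a valid address or CIDR")
    for key in ("sport", "dport"):
        if key in rule:
            if proto not in {"tcp", "udp"}:
                problems.append(f"{key} given but protocol is {proto!r}; ports need tcp or udp")
            lo, hi = _ports(rule, key)
            if not 1 <= lo <= hi <= 65535:
                problems.append(f"{key} range {lo}-{hi} is outside 1-65535")
    if rule.get("target") not in TARGETS:
        problems.append(f"target {rule.get('target')!r} is not one of {sorted(TARGETS)}")
    return problems


def _net(rule, key):
    return ipaddress.ip_network(rule.get(key, "0.0.0.0/0"), strict=False)


def _ports(rule, key):
    if key not in rule:
        return (1, 65535)  # no port match means any port
    value = rule[key]
    return value if isinstance(value, tuple) else (value, value)


def covers(a, b):
    """True if every packet matched by rule b would also be matched by rule a."""
    if a.get("proto", "all") not in ("all", b.get("proto", "all")):
        return False
    for key in ("src", "dst"):
        if not _net(b, key).subnet_of(_net(a, key)):
            return False
    for key in ("sport", "dport"):
        alo, ahi = _ports(a, key)
        blo, bhi = _ports(b, key)
        if not (alo <= blo and bhi <= ahi):
            return False
    return True


def find_shadowed(chain):
    """Return (index, kind, earlier_index) for rules an earlier rule fully covers.

    kind is 'shadowed' when the targets differ (the later rule's intent is
    silently overridden) and 'redundant' when they agree. Malformed rules
    are skipped; report them via validate() first.
    """
    findings = []
    for j, later in enumerate(chain):
        if validate(later):
            continue
        for i, earlier in enumerate(chain[:j]):
            if validate(earlier):
                continue
            if covers(earlier, later):
                kind = "redundant" if earlier["target"] == later["target"] else "shadowed"
                findings.append((j, kind, i))
                break
    return findings


# Constructed sample chain (not taken from a real deployment).
CHAIN = [
    {"proto": "tcp", "src": "192.168.1.0/24", "dport": 22, "target": "ACCEPT"},   # 0
    {"proto": "all", "src": "192.168.1.0/24", "target": "ACCEPT"},                 # 1
    {"proto": "tcp", "src": "192.168.1.10", "dport": 22, "target": "DROP"},        # 2: shadowed by 0
    {"proto": "icmp", "dport": 8, "target": "ACCEPT"},                             # 3: port with icmp
    {"proto": "tcp", "dport": (80, 443), "target": "ACCEPT"},                      # 4
    {"proto": "tcp", "dport": 443, "target": "ACCEPT"},                            # 5: redundant with 4
    {"proto": "all", "target": "DROP"},                                            # 6: default deny
]

if __name__ == "__main__":
    for i, r in enumerate(CHAIN):
        for p in validate(r):
            print(f"rule {i}: {p}")
    print(find_shadowed(CHAIN))
```

Rule 2 is the case a visual editor most needs to catch: the user intends to block SSH from one host, but rule 0 has already accepted it for the whole subnet, so the DROP never fires. A full anomaly analysis would also report partial overlaps and correlation between rules; the containment check above is the piece that can be run cheaply on every edit.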

【Keywords】 Embedded Linux; Firewall; Netfilter; TCP/IP
  • 【Submitting institution】 Chongqing University
  • 【Online publication issue】 2008, No. 05
  • 【Classification code】 TP393.08
  • 【Cited by】 5
  • 【Downloads】 410