以Linux核心模組實作一個具內容過濾功能之狀態檢測防火牆

Abstract

網際網路是個處處充滿不安全的領域，為了有效控制組織網路的存取權限，並保護內部網路避免受到外來的攻擊與破壞，本文中採用Linux開發一個低成本、高效能、具內容過濾功能的狀態檢測防火牆。Linux核心本身提供Netfilter模組，讓防火牆的開發者，可以實作一個外掛的核心模組來建構符合自訂需求的防火牆。透過狀態檢測技術，本文分別實現了HTTP、FTP、SMTP、POP3、DNS、ICMP的協定過濾機制、協定指令過濾機制、協定內容過濾機制、動態埠口過濾機制。此外，經由Linux核心網路參數的設定，可以預防防火牆本身遭受各種DoS攻擊，讓防火牆本身更具安全性。

In order to control the network of organization and protect the internal network against the attack from external, we implement a stateful inspection firewall based on Linux. This firewall has the advantage of low cost, high performance, and the capability of filtering the packet content. The firewall developers may implement a custom firewall by netfilter module of Linux kernel. Using the technology of stateful inspection, we implement the protocol filtering mechanism, protocol command filtering mechanism, protocol content filtering mechanism, dynamic port filtering mechanism of HTTP, FTP, SMTP, POP3, DNS, ICMP. Besides, we can defense DoS attack by setting the Linux kernel network parameters to enhance the security of firewall.