
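Research and Implementation of a Firewall Based on the LINUX Platform
Cite this article: Fan Xunli, Jing Guangjun. Research and Implementation of a Firewall Based on the LINUX Platform[J]. Journal of Northwestern Polytechnical University, 2002, 20(3): 387-391.
Authors: Fan Xunli, Jing Guangjun
Affiliation: Department of Computer Science and Technology, Nanjing University, Nanjing 210093
Funding: Supported by the National 863 Program
Abstract: Because current firewall technology cannot effectively solve security problems inside the network, this paper proposes a firewall system that combines packet filtering and proxy technology, with the proxy server and the authentication system built on a B1-level operating system. The firewall system developed on the Linux platform implements not only HTTP proxy, FTP proxy and packet filtering, but also content filtering, address translation, and protection against attacks such as IP address spoofing and IP source route spoofing. It conforms to GB/T17900-1999 and GB/T18020-1999 and has passed the security product testing of the Ministry of Public Security. Intel performance tests show that, in a 100M network environment, packet filtering reaches line rate and the HTTP proxy reaches 30%.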

Keywords: LINUX platform; network security; firewall; proxy technology; packet filtering technology; computer network
Article ID: 1000-2758(2002)03-0387-05
Revised: November 19, 2001

On the Implementation of a Firewall Based on Linux Platform
Fan Xunli, Jing Guangjun. On the Implementation of a Firewall Based on Linux Platform[J]. Journal of Northwestern Polytechnical University, 2002, 20(3): 387-391.
Authors:Fan Xunli  Jing Guangjun
Abstract: As the TCP/IP protocol is used more and more widely, the security risk becomes more severe and the loss caused by security flaws becomes greater. The security of the Internet has now become a focus of global attention. The main solution for protecting enterprise networks against malicious traffic is to enforce network security measures, such as cryptography and firewalls, on the existing Internet environment. Unfortunately, current firewall technology does not completely solve the problem of internal security. To address this, the paper presents a Linux-based firewall system, L Firewall, which combines packet filtering and proxy technology. The proxy and authentication are implemented on a B1-level operating system. The paper emphasizes the framework of L Firewall, especially the implementation of the packet filter module. L Firewall provides not only HTTP and FTP proxies and packet filtering, but also content filtering and network address translation, and protects the network from IP spoofing and IP source route spoofing. L Firewall conforms to GB/T17900-1999 and GB/T18020-1999. It passed the security test of the Ministry of Public Security of China. The performance test executed by Intel Corporation shows that, in a 100M network environment, the throughput of the packet filter is close to that of the network, and the throughput of HTTP is 30%.
Keywords:network security  firewall  proxy  packet filter  
This article is indexed in CNKI, VIP, Wanfang Data and other databases.