
Design of a new firewall based on netfilter

1. INTRODUCTION
With the rapid development of computers and the Internet, society has entered the information age, with vast amounts of information entering people's lives through the Internet. On the one hand, this makes life faster and more convenient; on the other hand, undesirable content of all kinds is flooding the Internet, such as violence, erotic material, crime, heresy, viruses, junk mail and more, which does great harm to individuals and to society as a whole. Against this phenomenon, traditional firewalls appear more and more helpless. Next-generation firewalls, however, are designed with applications in mind: they can accurately identify users, applications and content, offer complete security protection, and, with their strong application-handling ability, can fully replace traditional firewalls.


2. FIREWALL
The term firewall originally referred to a wall intended to confine a fire or potential fire within a building. Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment. Firewall technology emerged in the late 1980s, when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s.

A firewall can be either software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set. A network's firewall builds a bridge between an internal network that is assumed to be secure and trusted, and another network, usually an external (inter)network such as the Internet, that is not assumed to be secure and trusted.

Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.

Figure 1. Firewall


2.1. First generation: packet filters

The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what became a highly involved and technical internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based on their original first generation architecture.

Packet filters act by inspecting the "packets" which transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source). This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number).

TCP and UDP protocols constitute most communication over the Internet, and because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.

Packet filtering firewalls work mainly on the first three layers of the OSI reference model, which means most of the work is done between the network and physical layers, with a little bit of peeking into the transport layer to figure out source and destination port numbers.[9] When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the packet filtering rules that are configured in the firewall and drops or rejects the packet accordingly. When the packet passes through the firewall, it filters the packet on a protocol/port number basis (GSS). For example, if a rule in the firewall exists to block telnet access, then the firewall will block the TCP protocol for port number 23.


2.2. Second generation: "stateful" filters

From 1989 to 1990, three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling them circuit-level firewalls.

Second-generation firewalls perform the work of their first-generation predecessors but operate up to layer 4 (transport layer) of the OSI model. This is achieved by retaining packets until enough are available to make a judgment about their state. Known as stateful packet inspection, it records all connections passing through it and determines whether a packet is the start of a new connection, part of an existing connection, or not part of any connection. Though static rules are still used, these rules can now contain connection state as one of their test criteria. Certain denial-of-service attacks bombard the firewall with thousands of fake connection packets in an attempt to overwhelm it by filling up its connection state memory.

2.3. Third generation: application layer

The key benefit of application-layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP)). This is useful because it can detect whether an unwanted protocol is attempting to bypass the firewall on an allowed port, or whether a protocol is being abused in any harmful way. The existing deep packet inspection functionality of modern firewalls can be shared by intrusion prevention systems (IPS). Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.

Another axis of development is the integration of user identity into firewall rules. Many firewalls provide such features by binding user identities to IP or MAC addresses, which is very approximate and can easily be circumvented. The NuFW firewall provides real identity-based firewalling by requesting the user's signature for each connection. On BSD systems, authpf loads firewall rules dynamically per user, after authentication via SSH.


3. TYPES
There are different types of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.

3.1. Network layer or packet filters

Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator may define the rules; or default rules may apply. The term "packet filter" originated in the context of BSD operating systems.

Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or connection completion). If a packet does not match an existing connection, it will be evaluated according to the rule set for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.

Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage communications between hosts have reached.

Modern firewalls can filter traffic based on many packet attributes, such as source IP address, source port, destination IP address or port, and destination service like WWW or FTP. They can also filter based on protocol, TTL values, the netblock of the originator, and many other attributes. Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), and iptables/ipchains (Linux).


3.2. Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender). By inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. The additional inspection criteria can add extra latency to the forwarding of packets to their destination.

3.3. Proxies

A proxy server (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, while blocking other packets. A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user.

Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.


4. TRADITIONAL FIREWALL AND FIREWALL OF NEXT GENERATION

4.1. Traditional Firewall

A traditional firewall works at the network layer, using the port and IP protocol to control traffic and protect the network from attack, so it is called a network-layer firewall. Because it works at the network layer, it cannot counter attacks on the application layer, including business applications, user identity recognition and others, and cannot withstand the changing threats from the application layer. Therefore, the inherent defects and shortcomings of traditional firewalls in function, management, technology and other aspects have become more and more obvious. Its working manner is shown in Figure 2.

Figure 2. Traditional firewall frame

4.2. Firewall of Next Generation


The next-generation firewall inspects application-layer data: it examines each packet of a data flow to identify and confirm whether its content is legal or not, and then decides whether to drop the packet. So the next-generation firewall is also called an application-layer firewall. Its frame is shown in Figure 3.

Figure 3. Firewall of next generation frame


5. REALIZATION OF FIREWALL OF NEXT GENERATION

5.1. Definition of the Flow

A flow is a set of packets with certain attributes and a life cycle. Generally we take a series of packets with the same source IP address, destination IP address, source port number, destination port number and protocol (the so-called IP five-tuple) as a flow.

5.2. Technical Analysis of the Netfilter Framework

Netfilter is the set of kernel components that actually executes the firewall rules; iptables is the program used to define and insert the rules. Netfilter is the framework in Linux kernels 2.4 and above for packet filtering, packet processing, NAT and other functions. It is implemented in the network stacks of IPv4, IPv6 and DECnet, and provides five hooks. The basic structure of Netfilter is shown in Figure 4.

Figure 4. Basic frame structure of Netfilter

Firstly, the packet enters from the left and, after a simple check, is passed to the NF_IP_PRE_ROUTING hook of the network filtering framework. It then enters the routing stage, which determines whether the packet is to be sent out through another interface or belongs to a local process; packets that cannot be routed may be dropped at this stage. If the packet is destined for the local host, the NF_IP_LOCAL_IN hook of the framework is invoked before the packet is delivered to the process. If the packet is to be sent to another interface, the NF_IP_FORWARD hook is invoked. Finally, the packet is passed to the NF_IP_POST_ROUTING hook before it re-enters the network, while locally generated packets pass through the NF_IP_LOCAL_OUT hook. Because we are dealing with forwarded traffic, we use the NF_IP_FORWARD hook.

5.3. iptables Introduction

iptables is the program that is used to define and insert the rules. Configuring iptables requires specifying a "table", a "chain" and the rule details. A chain is a group of rules. The rules in a chain are applied in a context defined both by the chain itself and by a "table". A table is a group of chains: the table defines a global context and the chains define local contexts within that table. The simplest example is the host running the firewall itself. It can receive packets (input) and send packets (output). Assume we want to filter traffic going in and out of the host. The global context (table) is "filter". The local contexts (chains) are "input" and "output". A Linux host can also operate as a router and forward packets, so the filter table also has a "forward" chain.

Through the QUEUE target, iptables can hand matched packets to user space by adding them to a queue [5]. Libnetfilter is the development library for processing the user-space packet queue. With it, we can process in user space the packets handed over from the kernel by iptables, and then re-inject them into the kernel. In practice, if certain packets need to be sent to the user-space queue, this is done with iptables commands and the QUEUE target. The commands used in this paper are as follows:

# iptables -t filter -N NF_QUEUE_CHAIN
# iptables -t filter -A NF_QUEUE_CHAIN -m mark --mark 0 -j NFQUEUE --queue-num 8010
# iptables -t filter -A NF_QUEUE_CHAIN -j MARK --set-mark 0
# iptables -t filter -I FORWARD -j NF_QUEUE_CHAIN

These commands send the packets of the FORWARD chain in the filter table to user-space queue 8010, where they wait for the user-written application program to process them. After a packet has been processed by the user-space program, it is re-injected into the kernel. If there is no program to handle these packets, they are dropped.

5.4. Gateway Framework Introduction

Figure 5. Linux Gateway

A PC on the 10.2.0.0/16 network segment sends packets to the gateway, and the gateway forwards the traffic from 10.2.0.0 to the 10.0.0.0 network segment. During forwarding, the packets pass through the FORWARD hook of the kernel, and at that hook iptables diverts them to user space.

5.5. Packet Processing in User Space

If application-layer matching were applied to every arriving packet one by one, each packet (within the supported protocols) would be identified accurately. However, this is inefficient for flow measurement, which must reduce its effect on network performance as much as possible, while the heavy matching work increases delay and lowers throughput. It is therefore necessary to improve the approach according to the characteristics of flow measurement. As we know, ordinary data flows have the feature of a long-lived, fixed connection. Based on this feature, we adopted connection tracking technology: once the first packet of a connection has been identified successfully, all the packets belonging to that connection are regarded as identified, with no need for deep application-layer matching. Connection tracking is used by the NAT module in the iptables/Netfilter framework to realize more efficient network address translation. In this paper, we adopt this technology to achieve simplified connection tracking. First we define a structure:

struct ip_conntrack {
    unsigned long status;                  // state of this connection
    struct ip_conntrackinfo_count {
        // statistical information on the traffic of this connection
    } conntrackinfo;
    struct ip_conntrack_tuple_hash {
        struct list_head list;
        struct ip_conntrack_tuple tuple;
    } tuplehash;
    // timer: on timeout, drop this connection to keep the hash table from growing without bound
    struct timer_list timeout;
};

The structure member ip_conntrack_tuple uses the standard definition of the iptables/Netfilter framework and holds the five-tuple information of the connection. For each packet diverted into user space, first judge whether it is an IP fragment. If it is, leave it alone; if not, extract its five-tuple, hash it, and search the hash table. If the five-tuple is already present, the packet belongs to the same flow as an earlier packet and there is no need to match it; its flow statistics are collected directly and the accept/drop decision applied. If it is not present, call the application-layer matching function. If the match succeeds, packets of this type have been analyzed and processed, and the flow is added to the hash table. If it fails, the five-tuple is recorded and the flow is captured for future analysis. The ip_p2p_conntrack structure that marks a connection carries a timer_list timer which periodically (five minutes per unit in our test) checks the state of the connection via the system clock, calling the timer function by interrupt. If the connection is inactive, it is removed from the hash table to prevent the table growing without bound.
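The connection-tracking path just described, as an added example that is not the paper's code: it parses forwarded IPv4 packets, leaves fragments alone, keys flows by the five-tuple, runs an application-layer matcher only once per identified flow, and expires idle flows. The hash function, table geometry, packet builder, sample addresses and the marker-string matcher (the paper's QQ signatures are not given) are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the paper's code: a simplified user-space connection tracker after section 5.5. Flows are
   keyed by the IP five-tuple, only identified flows are cached and idle ones expire. Sizes and hash are choices here. */
enum result { UNKNOWN = -1, DROP = 0, ACCEPT = 1 };
enum { BUCKETS = 64, SLOTS = 4, FLOW_TIMEOUT = 300 };   /* 300 s: the 5-minute unit of the paper's test */
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto, pad[3]; };   /* no padding gaps */
struct flow { int used; struct tuple t; enum result v; unsigned long last; };
static struct flow table[BUCKETS * SLOTS];   /* bucket i owns slots i*SLOTS .. i*SLOTS+SLOTS-1 */
static int deep_matches;                     /* how often the costly application-layer match ran */
static unsigned hash_tuple(const struct tuple *t) {
    uint32_t h = t->saddr ^ (t->daddr * 0x9e3779b1u) ^ (((uint32_t)t->sport << 16) | t->dport) ^ t->proto;
    h ^= h >> 16; h *= 0x85ebca6bu;
    return (h ^ (h >> 13)) % BUCKETS;
}
/* Five-tuple and payload offset of a raw IPv4 packet; -1 for a fragment (left alone, as in the paper) or truncation. */
static int parse_packet(const uint8_t *p, size_t len, struct tuple *t, size_t *off) {
    size_t ihl = len >= 20 ? (p[0] & 0x0f) * 4u : 0, hl;
    if (ihl < 20 || len < ihl || (p[0] >> 4) != 4 || (((p[6] << 8) | p[7]) & 0x3fff)) return -1;  /* MF/offset */
    memset(t, 0, sizeof *t); t->proto = p[9]; *off = ihl;
    memcpy(&t->saddr, p + 12, 4); memcpy(&t->daddr, p + 16, 4);
    hl = t->proto == 17 ? 8 : t->proto == 6 ? 20 : 0;   /* UDP header, or TCP header with options assumed absent */
    if (hl && len >= ihl + hl) {
        t->sport = (uint16_t)((p[ihl] << 8) | p[ihl + 1]);
        t->dport = (uint16_t)((p[ihl + 2] << 8) | p[ihl + 3]);
        *off = ihl + hl;
    }
    return 0;
}
/* Stand-in for the paper's matcher (its QQ signatures are not given): "BLOCK" forbids, "OK" allows, else unknown. */
static enum result app_layer_match(const uint8_t *pl, size_t n) {
    deep_matches++;
    if (n >= 5 && !memcmp(pl, "BLOCK", 5)) return DROP;
    return (n >= 2 && !memcmp(pl, "OK", 2)) ? ACCEPT : UNKNOWN;
}
/* Verdict for a forwarded packet at `now` (s): a table hit reuses the cached verdict, a miss runs the matcher. */
static enum result process_packet(const uint8_t *p, size_t len, unsigned long now) {
    struct tuple t; size_t off; struct flow *b, *slot = NULL;
    if (parse_packet(p, len, &t, &off) < 0) return ACCEPT;
    b = &table[hash_tuple(&t) * SLOTS];
    for (int i = 0; i < SLOTS; i++) {
        if (b[i].used && !memcmp(&b[i].t, &t, sizeof t)) { b[i].last = now; return b[i].v; }
        if (!b[i].used && !slot) slot = &b[i];
    }
    enum result v = app_layer_match(p + off, len - off);
    if (v == UNKNOWN) return ACCEPT;   /* unidentified: the paper records the tuple and captures the flow */
    if (slot) { slot->used = 1; slot->t = t; slot->v = v; slot->last = now; }   /* identified: cache it */
    return v;
}
/* The paper's periodic timer work: remove flows idle longer than FLOW_TIMEOUT; returns how many. */
static int expire_flows(unsigned long now) {
    int removed = 0;
    for (int i = 0; i < BUCKETS * SLOTS; i++)
        if (table[i].used && now - table[i].last > FLOW_TIMEOUT) { table[i].used = 0; removed++; }
    return removed;
}
/* Constructed IPv4/UDP packet for exercising the tracker (checksums left zero); returns its length. */
static size_t make_udp(uint8_t *b, const uint8_t *sa, const uint8_t *da, unsigned sp, unsigned dp, const char *pl) {
    size_t n = strlen(pl), total = 28 + n;
    memset(b, 0, total); b[0] = 0x45; b[2] = (uint8_t)(total >> 8); b[3] = (uint8_t)total;
    b[8] = 64; b[9] = 17; memcpy(b + 12, sa, 4); memcpy(b + 16, da, 4);
    b[20] = (uint8_t)(sp >> 8); b[21] = (uint8_t)sp; b[22] = (uint8_t)(dp >> 8); b[23] = (uint8_t)dp;
    b[24] = (uint8_t)((8 + n) >> 8); b[25] = (uint8_t)(8 + n); memcpy(b + 28, pl, n);
    return total;
}

int main(void) {   /* one forwarded UDP flow seen twice, then the expiry timer run 400 s later */
    const uint8_t src[4] = {10, 2, 0, 10}, dst[4] = {10, 0, 0, 10}; uint8_t pk[64];
    size_t n = make_udp(pk, src, dst, 40000, 6000, "BLOCK-login");
    int first = process_packet(pk, n, 0), second = process_packet(pk, n, 1);
    printf("verdicts %d %d, matcher runs %d, expired %d\n", first, second, deep_matches, expire_flows(400));
}
```

The second packet of the flow never reaches the matcher, which is the saving the paper describes; the unidentified flow is re-matched every time because only identified flows are cached.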

Figure 6. Data Packet Processing Process flow chart of Users Space


6. EXPERIMENT RESULT
This paper takes QQ, the most widely used instant messaging software, as the experimental object. The main working mode of the instant messaging system is the C/S (client/server) mode, that is, the sending and receiving terminals must exchange messages through a server. Each instant messaging client logs in to the server with the registered user ID and password, and the password is usually sent encrypted. When the server authentication succeeds, the server returns the authentication information to the client, together with the IP address and port number of the server responsible for the relay connection, the client's friend list and other information. The client uses the returned authentication information, IP address and port number to establish a TCP connection with the relay server; once connected, it exchanges messages with online friends through the relay server. With QQ, a user must log in before communicating, so it is important to study the QQ login process. After installing the QQ client on a PC, we used the network protocol analyzer Wireshark to capture the packets exchanged during QQ login, shown in the following figure:

Figure 7. Data Packet During QQ Login


From the data analysis we know that when QQ logs in for the first time, it needs a DNS query for the Tencent domain name; it selects one of the returned IP addresses at random as the login server and sends a login request packet to that server; the server responds to this packet, indicating that QQ has logged in successfully. If QQ cannot log in to this server, the login request is sent to the next server to complete the QQ login process.

Figure 8. QQ Login Result

From the above figure we see that the client keeps trying to log in to the QQ server through many server IP addresses; however, because the firewall keeps dropping these packets, QQ remains in the "logging in" state. After several connection failures it finally fails with a login timeout, which effectively prevents QQ from logging in.


7. CONCLUSION
On the basis of an analysis of traditional firewalls, a new content-filtering firewall based on the iptables/Netfilter framework in Linux is realized in this paper. We adopt connection tracking technology, which improves the efficiency of flow matching, reduces delay and increases network throughput. This firewall performs well in blocking SNS, QQ and other instant messaging services, and greatly improves the work efficiency of staff.


REFERENCES
1. J.R. Icoll, M. Bateman, A. Ruddle, et al., Challenges in measurement and analysis of the BitTorrent content distribution model, Proc. of International Postgraduate Symposium on the Convergence of Telecommunications, Networking and Broadcasting, Liverpool John Moores University, 2004.
2. J.Y. Zhang, L. Liu, H.H. Li, et al., Quantitative QoS Management Implement Mechanism in IP-DiffServ, Journal of Computer Science and Technology, 2005, vol. 20(6), pp. 831-835.
3. Y. Kuwata and A. Shinjoh, Design of Robocup-rescue Viewers towards A Real World Emergency System, Lecture Notes in Computer Science, 2001.
4. Y. Chen, L.M. Ni and M.Y. Yang, CoStore: A Storage Cluster Architecture Using Network Attached Storage Devices (Dissertation), East Lansing, USA: Michigan State University, 2002.
5. G. Chen, G.X. Wu, S.F. Zhang, et al., Dynamic Band Width Allocation and Rate Coordination for DiffServ Environment, Wuhan University Journal of Natural Sciences, 2006, vol. 11(1), pp. 248-252.
6. L.E. Robert, W.D. John, Preparing for An Emergency: COOP Planning for State Agencies, Maryland State Agencies Continuity of Operations Planning Manual, 2004.
7. B.J. Liu, F. Cao, M.Z. Zhou, G. Mogel and L. Documet, Trends in PACS Image Storage and Archive, Computerized Medical Imaging and Graphics, 2003.
8. C.F. Li, M. Ye, G.H. Chen, et al., An energy-efficient unequal clustering mechanism for wireless sensor network, Proc. of the 2nd IEEE International Conference on Mobile Ad hoc and Sensor Systems, Washington DC, IEEE Computer Society, 2005, pp. 597-604.
9. L. Li, M.L. Gao, et al., An adaptive dynamic arbiter for multiprocessor SoC, Proc. of the 8th International Conference on Solid-State and Integrated Circuit Technology, Shanghai, IEEE Press, 2006, pp. 1993-1996.
10. M. Li, Q.A. Zeng, W.B. Jone, DyXY: a proximity congestion-aware deadlock free dynamic routing method for network on chip, Proc. of DAC 2006, San Francisco, California, IEEE Press, 2006, pp. 849-852.
