ZHANG Guo-qiang,XU Yong-qing,YANG Xiao-hu

2006-01-01

Journal of Computer Applications

Abstract:TCP(Transmission Control Protocol) is a widely used reliable transmission protocol,and it is designed on such assumption that most packet losses are caused by congestion.But in wireless networks,packets are lost usually because of bit-errors,which causes dramatic performance declining.Many current methods to improve TCP performance over wireless networks are TCP-aware.This paper proposed an alternative "TCP-unaware" scheme that is suitable for encrypted TCP traffic.It makes TCP source be capable of differentiating a loss due to congestion in the wired network from a loss due to bit-errors in wireless networks.Simulation results show that the scheme can improve TCP performance significantly in both LAN(Local Area Network) and WAN(Wide Area Network).

Raik Niemann,Udo Pfingst,Richard Göbel

DOI: https://doi.org/10.48550/arXiv.1502.05487

2015-02-19

Abstract:Since GNU/Linux became a popular operating system on computer network routers, its packet routing mechanisms attracted more interest. This does not only concern 'big' Linux servers acting as a router but more and more small and medium network access devices, such as DSL or cable access devices. Although there are a lot of documents dealing with high performance routing with GNU/Linux, only a few offer experimental results to prove the given advices. This study evaluates the throughput performance of Linux' routing subsystem netfilter under various conditions like different data transport protocols in combination with different IP address families and transmission strategies. Those conditions were evaluated with two different types of netfilter rules for a high number in the rule tables. In addition to this, our experiments allowed us to evaluate two prominent client connection handling techniques (threads and the epoll() facility). The evaluation of the 1.260 different combinations of our test parameters shows a nearly linear but small throughput loss with the number of rules which is independant from the transport protocol and framesize. However, this evaluation identifies another issue concerning the throughput loss when it comes to the address family, i.e. IPv4 and IPv6.

Networking and Internet Architecture

RAO Ming,DU Zhonghui,HAN Qi,LI Qiong

DOI: https://doi.org/10.3969/j.issn.2095-2163.2011.05.009

2011-01-01

Abstract:In this paper,a project is designed and tested for embedded Linux firewall.Firstly,a system framework of embedded Linux firewall based on ARM processor is proposed and a scheme of Linux kernel reducing is designed.Secondly,considering the poor performance of Netfilter/Iptables in large number rules set,a method of Iptables combining with NF-hipac and Ipset is introduced,and it is transplanted successfully.Finally,with the accomplished system,the integrated and detailed function and performance tests are provided.The function experiments show the rationality and efficiency of the system design and the performance tests indicate the key parameters influencing the system performance,which provides the reference and basis for further optimizing the system.

YE Zhen-xin,YANG Shu-tang,MA Jin

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.06.019

2009-01-01

Abstract:This paper studies the factors that influence the performance of the firewall, and proposes a method that use the Rule-Set Anomaly Detection to downsize the Rule-Set. With the reordering of the rules according to their matching probability and by keeping the original semantic of the firewall policy unchanged, the firewall performance optimization is realized.

Ren Anxi,Yang Shoubao,Li Hongwei

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.04.050

2006-01-01

Abstract:In order to decrease the rule-matching time and enhance the performance of firewall,this paper presents a statistic-analysis method,which adjust the order of firewall rules dynamically according to the analytic results obtained through analyzing the network flow.The simulation proves that it can improve the performance of firewall in some extent.

杨晓强,朱明,杨坚

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.03.032

2010-01-01

Abstract:Aiming at the network performance of service, this paper proposes and realizes an improved scheme based on the Linux kernel called ONPK. In order to optimize the network performance, it cuts down the times of system call and reduces the times of data copy, changes the way of sending data by rewrite the NIC driver. Experimental results show ONPK can improve the network performance apparently, and reduce the CPU utilization for 11% averagely with a little increase of the sending rate.

郑卫斌,丁会宁,李庆海,张德运

DOI: https://doi.org/10.3321/j.issn:0253-987X.2004.02.004

2004-01-01

Abstract:The forwarding performance of the NAPI mode of SMP(symmetric multiprocessor)Linux running on Gigabit networks are studied by experiments and profiles. It is found that the scalability of SMP Linux is poor; Netfilter is the performance bottleneck; and the synchronization overhead and load imbalance among processors are the main causes that influence the performance of Linux. The static scheduling with interrupt affinity is adopted to balance the load among processors and reduce the cache misses. Two locks are eliminated in Netfilter to reduce the synchronization overhead. Experiments show our proposal can improve the performance and scalability of SMP Linux.

宋舜宏,杨寿保,张焕杰

DOI: https://doi.org/10.3969/j.issn.1002-137X.2004.11.011

2004-01-01

Computer Science

Abstract:The resources of network must be used and managed securely and efficiently. So this paper prompts a method based on netfilter/iptables frame in Linux OS to control the network resources,and introduces how to design and implement a Smart-gateway with perfect function,stable performance,high scalability,easy to manage and update.

王莉,黄光明,刘志愚

DOI: https://doi.org/10.3969/j.issn.1673-629x.2004.04.023

2004-01-01

Abstract:With the rapid development of Internet, more and more nets began to connect to it which causes the great increasement of information quantity. While people enjoying the freedom of acquiring and promulgating information, they also in face of threats comes from Internet, which calls network security. Firewall, now has been an efficient measure to prevent destruction from Internet.Introduces the development of firewall in Linux kernel, including ipfwadm, ipchains and iptables. Then discusses the latest technology:Netfilter and the concept of Dimilitary Zone. Finally gives an example to implement the DMZ firewall with iptables on Linux.

田原,云晓春,朱晓晖

DOI: https://doi.org/10.3969/j.issn.1006-9348.2003.07.038

2003-01-01

Abstract:This paper analyzes the influencing factors of performance benchmark and two kinds of benchmarking models , and emphatically discusses the parameters , methods and reporting contents about firewall performance benchmark. Based on the benchmarking principles , it illustrates two classical designing examples of benchmarking system.

LIN Ke,YANG Min,MAO Di-lin

2011-01-01

Abstract:With the quick development of Peer-to-Peer Live Video Streaming(P2PLVS),the traffic of streaming media has taken a great part of Internet traffic,which severely impacts those ISP′s ordinary service.Currently,there is few method which can relieve the traffic stress brought by P2PLVS applications without impacting playback performance of users.In this paper,we first analyze the common working mechanism of Mesh based P2PLVS,and then present an application-level protocol based scheme to improve the overall performance of P2PLVS for LAN users.The scheme can effectively reduce the ISP′s streaming media traffic brought by the P2PLVS peers within the LAN,and meanwhile improve their playback performance in terms of download efficiency and playback delay.Prototype System based experiments prove that for program-concentrated P2PLVS in LAN,this scheme is reliable and effective.

Junfeng Li,Dan Li,Yukai Huang,Yang Cheng,Ruilin Ling

DOI: https://doi.org/10.1109/LANMAN.2017.7972137

2017-01-01

Abstract:NAT gateway is an important network system in today's IPv4 network when translating a private IPv4 address to a public address. However, traditional NAT system based on Linux Netfilter cannot achieve high network throughput to meet modern requirements such as data centers. To address this challenge, we improve the network performance of NAT system by three ways. First, we leverage DPDK to enable polling and zero-copy delivery, so as to reduce the cost of interrupt and packet copies. Second, we enable multiple CPU cores to process in parallel and use lock-free hash table to minimize the contention between CPU cores. Third, we use hash search instead of sequential search when looking up the NAT rule table. Evaluation shows that our Quick NAT system significantly improves the performance of NAT on commodity platforms.

LIAO Xiao-fei,LI Jin-sheng,HONG Pei-lin,SUN Wei-qiang,YUAN Wei

DOI: https://doi.org/10.3969/j.issn.1007-0249.2006.03.012

2006-01-01

Abstract:This article proposes an approach based on active network technology to enhance TCP performance over wireless link aim at the problem of TCP performance degradation in wireless environment. Network simulation proves that this approach has more merits and better performance.

Xiang-dong QIAO,Tong YANG,Jing-wei ZHANG

DOI: https://doi.org/10.3969/j.issn.1009-3516.2007.04.018

2007-01-01

Abstract:Two different design schemes about firewall IPS module are brought up.In the first scheme snot-inline technique and the QUEUE action of netfilter are used to achieve dropping of attack data packet.In the second one,IPS about Denial of Service attack is achieved with the benefit of combination of synccokies,the new netfilter fuzzy match,PSD match,U32 match with an improvement on the firewall kernel.After comprehensive comparison,the module is developed according to the second scheme.The experiment shows that the designed module works well in defending main DOS attack.

Zhao Da-yuan,Jiang Yi-xin,Lin Chuang,Li Yan-xi

DOI: https://doi.org/10.1007/bf02828626

2005-01-01

Wuhan University Journal of Natural Sciences

Abstract:We mainly explore two problems when combining IPSec module into TCP/IP stack by porting the famous IPSec software (FreeS/WAN) into a security gateway. One is how to implement the IPSec module based on Netfilter in Linux 2.4. x kernel. The other problem is the performance evaluation. We test the throughput of our security gateway before and after applying IPSec with different encryption/decryption algorithms, including the software-based and hardware-based method. With these testing data, we analyze further system performance bottleneck. In the end, we also infer the quantitative relation between the system throughput and the speed of encryption/decryption algorithm and propose some valuable conclusions for improving performance.

杨琛,杨寿保

DOI: https://doi.org/10.3969/j.issn.1002-137X.2002.12.020

2002-01-01

Computer Science

Abstract:In this paper, we will firstly analyze the design and implementation of Windows Based Firewall. To im-prove the rule matching performance, we introduce a new, high efficient rule matching algorithm and present theWindows 2000 based firewall prototype.

Jia Zongpu,Liu Shufen,Wang Guowei

DOI: https://doi.org/10.1109/SPCA.2006.297482

2006-01-01

Abstract:Firewall has many shortages, such as it cannot keep away interior attacks, it cannot provide a consistent security strategy, and it has a single bottleneck spot and invalid spot, etc. Intrusion Detection System (IDS) also has many defects, such as low detection ability, lack of effective response mechanism, poor manageability, etc. If firewall and IDS are integrated, the cooperation of them can implement the network security to a great extent: on the one hand, IDS monitors the network, provides a real-time detection of attacks from the interior and exterior, and automatically informs firewall and dynamically alters the rules of firewall once an attack is found; on the other hand, firewall loads dynamic rules to hold up the intrusion, controls the data traffic of IDS and provides the security protection of IDS. Based on constructing firewall with Iptables in the environment of Linux OS, the respective characters of firewall and IDS are analyzed. Then, the viewpoint of integrating firewall and IDS to realize the network security is proposed, and the application and algorithm of intrusion detection are systemically analyzed and designed.

Yang Yang,Wang Yonggang

DOI: https://doi.org/10.1109/WCSE.2010.124

2010-01-01

Abstract:We are developing an embedded hybrid firewall prototype which combines an embedded CPU (MPC8260) with a specifically designed FPGA-based packet classification coprocessor. The packet header matching between the input packets and a pre-defined rule set is fully achieved by the hardware coprocessor on-line. The embedded CPU under Linux operation system takes charge of the remaining data-path processing and the management of the firewall, including receiving input packets, sending them to the coprocessor, forwarding the packet according to the classifying results from the coprocessor, and the rule set updating and management. After a brief introduction to our hybrid firewall, we will focus on the software implementation of the firewall. The Linux-2.4.4 has been ported into out system. By modifying the Linux kernel to utilize the hook functions of Linux net filter, input packets are intercepted and their headers are sent to the coprocessor meanwhile the packets are queued in a buffer until the classifying results come out from the coprocessor. A daemon process running at the embedded CPU was designed for updating the filter rule sets so that a remote computer as a client can visit the firewall and manipulate the running of the firewall. A simple demo program running on a PC (under windows OS) was also designed to demonstrate the proper operations of the firewall.

Huafeng Lü,Qiufeng Wu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.08.015

2001-01-01

Abstract:This paper explains the basic theory of the Interbet firewall technology,introduces the architectures of several kinds of firewall,and gives out some firewall softwares under Linux operating system and their applications.

范训礼,景广军

DOI: https://doi.org/10.3969/j.issn.1000-2758.2002.03.011

2002-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:This paper presents a firewall system based on Linux - L-Firewall, which combines packet filter and proxy technology. Proxy and authentication are implemented on B1 level operating system. The paper emphasizes on the L-Firewall frame, especially on the implementation of packet filter module. L-Firewall provides not only HTTP, FTP proxy and packet filter, but also content filter, network address translation to protect network from IP spoofing and IP source route spoofing. L-Firewall tallies with GB/T17900-1999 and GB/T18020-1999.