Thursday, April 5, 2007

Netfilter related research

NUFW:
http://www.nufw.org/-English-.html
A solution that can be applied to Single Sign On (SSO); it fills the gap in Netfilter's authentication support.
Authentication can be based on the user's:
* IP
* LDAP account
* OS
* Application
* User ID

nf-HiPAC:
http://www.hipac.org/
A packet filter for Linux built on the power and flexibility of HiPAC.

HiPAC is a novel packet classification architecture. It uses advanced algorithms to reduce the amount of memory the kernel has to touch when looking up each packet, aimed specifically at high network throughput combined with large rulesets.

The advantages of nf-HiPAC are as follows:
Performance:
iptables matches packets by traversing the rules linearly, which is usually inefficient. nf-HiPAC outperforms iptables and places no limit on the number of rules. In short, the HiPAC classification engine carries little overhead even under very large rule sets.
Benchmark results:
http://www.hipac.org/performance_tests/results.html

Scalability to large rulesets:
nf-HiPAC's performance is independent of the number of rules: even when nf-HiPAC has thousands of rules to traverse, it still performs better than iptables with 20 rules.

Dynamic rulesets:
nf-HiPAC lets the user update its ruleset on the fly, without queueing packets and without pausing classification. iptables, by contrast, has to suspend packet classification while the ruleset is updated: packets are held until the rule update completes, and only then does packet traversal of the ruleset chain resume.

ipset

http://ipset.netfilter.org/

A great project: it lets you match large numbers of IPs, ports and similar data very quickly inside the iptables framework.
Well worth a try.

IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC addresses in a way, which ensures lightning speed when matching an entry against a set.

If you want to
* store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
* dynamically update iptables rules against IP addresses or ports without performance penalty;
* express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets
then ipset may be the proper tool for you.
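As an added example (not from the original post, nor the ipset project's own code), here is a POSIX shell script that turns a blocklist feed into an `ipset restore` batch, attaches the whole set to iptables with a single rule, and refreshes it atomically with `ipset swap`. The swap is what makes the "update without performance penalty" point above concrete: the live set is replaced in one step and the iptables rule never has to be flushed or reinserted. The script uses the current ipset command syntax (the 2007-era tool used `ipset -N name iphash` and `-m set --set name src` instead); the set name, chain and feed contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or the ipset project.
# Load an IP blocklist into an ipset, match the whole set with ONE iptables
# rule, and refresh the set atomically with `ipset swap`.
# Assumes current ipset syntax (ipset 6.x or later). The set name, chain and
# sample feed below are constructed for the example.

SET_NAME="blocklist"     # assumed name of the live set
SET_TYPE="hash:net"      # accepts both host addresses and CIDR networks

# Constructed sample feed. Blank lines, a comment and a malformed entry are
# included on purpose to show that the loader filters them out.
SAMPLE_FEED='# constructed blocklist feed
192.0.2.10
198.51.100.7

not-an-address
203.0.113.0/24
'

# Rough IPv4[/prefix] filter: four dotted octets, optional /0-99 suffix.
# Good enough to drop junk lines; ipset itself rejects anything still invalid.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Turn a feed (stdin) into an `ipset restore` batch on stdout for set "$1".
# `-exist` makes the batch idempotent (re-running it is harmless).
build_restore_batch() {
    set="$1"
    printf 'create %s %s -exist\n' "$set" "$SET_TYPE"
    while IFS= read -r line; do
        line="${line%%#*}"                     # strip trailing comments
        line="$(echo "$line" | tr -d ' \t')"   # strip whitespace
        [ -z "$line" ] && continue             # skip empty lines
        is_ipv4 "$line" || continue            # skip malformed entries
        printf 'add %s %s -exist\n' "$set" "$line"
    done
}

# Apply the batch on a real box (needs root plus the ipset/iptables tools):
#  1) load the feed into a scratch set,
#  2) make sure the live set and the single iptables rule exist,
#  3) atomically swap the scratch set into the live name,
#  4) drop the now-stale scratch set.
apply_blocklist() {
    command -v ipset >/dev/null && command -v iptables >/dev/null || {
        echo "ipset/iptables not available; batch not applied" >&2
        return 1
    }
    scratch="${SET_NAME}_new"
    printf '%s\n' "$SAMPLE_FEED" | build_restore_batch "$scratch" | ipset restore
    ipset create "$SET_NAME" "$SET_TYPE" -exist
    # One rule covers the entire set; add it only if it is not already there.
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
    ipset swap "$scratch" "$SET_NAME"
    ipset destroy "$scratch"
}

# Dry run: show the batch that would be fed to `ipset restore`.
printf '%s\n' "$SAMPLE_FEED" | build_restore_batch "${SET_NAME}_new"
```

Running the script as is only prints the restore batch; call `apply_blocklist` as root on a host with ipset and iptables installed to load it. Because the iptables rule references the set by name, the swap changes what the rule matches without touching the rule itself, which is exactly the property the ipset description above is pointing at.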

tproxy
http://www.balabit.com/products/oss/tproxy/

SIP A: MAC a ---> (Bridged port): MAC m ---- Device ----- (Bridged port):MAC n -----> DIP W:MAC:w

The pair of physical ports on the device is bridged (call it br0) and has an IP address (P).

Features
* Remember the original source IP (A) and the original MAC (a)
* Send the packet from the device to the destination (second segment), where the source ip:mac would otherwise be P:n
* Replace P:n with A:a (this is the main task of tproxy)
