防火墙

The graphics management tool of Iptables can manage the Iptables firewall on website. The Iptables firewall not only provides function to filter data, but also provides a function to transfer package as well as NAT.

Netfilter/Iptables防火墙是Linux平台下的包过滤防火墙，Iptables防火墙不仅提供了强大的数据包过滤能力，而且还提供转发，NAT映射等功能，是个人及企业级Linux用户构建网络安全平台的首选工具。

Finally, the paper introduces the affect of the firewall in the safeness of the network, and the god point and the weak point of the firewall. It emphasizes the policy of firewall's project.

最后介绍了防火墙的在网络安全中所起的作用，以及防火墙的优点和不足之处；重点讲了防火墙技术的设计策略。

Weighted hashing could distribute appropriate flow according to enable firewall component, to improve overall efficiency. In the fault-tolerant mechanism, transition hashing table was used to record unstable connection when firewall component came into failure or came back to work, which could avoid existed connections broken due to the transformation of algorithm parameter.

加权处理根据防火墙组件的不同处理能力调度访问请求，保证处理能力强的防火墙组件处理更多的访问流量，提高了系统的整体效率；容错机制在防火墙组件失效或恢复正常时利用基于连接调度的过渡散列表记录不稳定连接，避免已有连接因算法参数改变而失效。

Then, we gove the fundamental and the products of distributed firewalls. The principle of host firewall in the distributed firewalls system is mainly analyzed.

然后提出了分布式防火墙的基本原理，并给出了分布式防火墙的产品，重点分析了分布式防火墙产品中的主机防火墙原理

For the safety of LAN and using firewall thriftily,the authors analyze the architecture of Netfilter in Linux2.4 kernel.Then the authors implement the firewall system based on embedded Linux OS,which has basic functions as Package Filtration,URL filtration,NAT and log.And,the firewall system integrates with DMZ which establishes a buffer zone between Internet and Intranet to make the Intranet safer,and connection tracking which maintains a table for connection track in order to get the more safer than package filtration.

为了构建安全可靠的网络，同时降低使用防火墙的成本，对Linux2.4内核防火墙结构Netfilter的实现机制进行了深入的研究和分析，并利用该机制设计实现了一个嵌入式Linux防火墙系统，该防火墙实现完善了包过滤、URL过滤、NAT和日志等防火墙基本功能，同时集成了非军事区，为Internet和Intranet之间建立了缓冲地带，以保证Intranet的安全。

This paper describs particularly on penetrating the software-based firewalls,the new attacking methods that the in existence Firewalls and Anti-Virus can't defend,and the principle of the software-based firewalls,then a design of newer Secruity system that can crush up all kinds of threat from Internet will appear from a depth-defending view.The new firewall is a fuse of software-based firewall,HIPS,HIDS,and so on.

本文先详细讲述了各种突破软件防火墙的高级技术、现有软件防火墙以及杀毒软件不能防范的各种新式黑客攻击手段、软件防火墙的实现原理及技术；然后从纵深防御的高度进行新式安全系统的设计，给出了能适应新型黑客攻击的，可以防御目前各种网络安全威胁的新型软件防火墙设计方案。

This paper describs particularlyon penetrating the software-based firewalls,the new attackingmethods that the in existence Firewalls and Anti-Virus can'tdefend,and the principle of the software-based firewalls,then adesign of newer Secruity system that can crush up all kinds ofthreat from Internet will appear from a depth-defending view.Thenew firewall is a fuse of software-based firewall,HIPS,HIDS,and soon.

本文先详细讲述了各种突破软件防火墙的高级技术、现有软件防火墙以及杀毒软件不能防范的各种新式黑客攻击手段、软件防火墙的实现原理及技术；然后从纵深防御的高度进行新式安全系统的设计，给出了能适应新型黑客攻击的，可以防御目前各种网络安全威胁的新型软件防火墙设计方案。

This thesis mainly deals with the packet filter firewall by applicating Netfilter on the basis of Linux, consisting of seven parts: first, it generally describes the firewall; second, it introduces the exploiting platform Linux and the software debug environment; third, it simply analyzes some networking protocols; fourth, it analyzes the network attacks and their defensing measures; fifth, it describes the most important part of the thesis--the analysis of netfilter's frame and the exploiting and designing process of the firewall; sixth, it introduces the design of the device drivers of the Linux which is the theory base of exploting the user's interface ; the last part is the applicating guide of its exploiting process.

本文介绍了运用Netfilter防火墙技术，在LINUX环境上实现包过滤防火墙的方法和过程，在内容上主要包括了七个部分：第一部分对防火墙的概述；第二部分则介绍此次开发的平台LINUX和软调环境；第三部分对几种网络协议做了简单的分析；第四部分分析了网络攻击及其防御措施；第五部分则是本次设计的核心部分Netfilter框架分析以及防火墙的开发设计思路；第六部分则介绍LINUX设备驱动程序的设计，它是开发用户接口部分的理论基础；最后则是所开发程序的使用说明部分。

This thesis mainly deals with the packet filter firewall by applicating Netfilter on the basis of Linux, consisting of seven parts: first, it generally describes the firewall; second, it introduces the exploiting platform Linux and the software debug environment; third, it simply analyzes some networking protocols; fourth, it analyzes the network attacks and their defensing measures; fifth, it describes the most important part of the thesis--the analysis of netfilters frame and the exploiting and designing process of the firewall; sixth, it introduces the design of the device drivers of the Linux which is the theory base of exploting the users interface ; the last part is the applicating guide of its exploiting process.

本文介绍了运用Netfilter防火墙技术，在LINUX环境上实现包过滤防火墙的方法和过程，在内容上主要包括了7个部分：第1部分对防火墙的概述；第2部分则介绍此次开发的平台LINUX和软调环境；第3部分对几种网络协议做了简单的分析；第4部分分析了网络攻击及其防御措施；第5部分则是本次设计的核心部分Netfilter框架分析以及防火墙的开发设计思路；第6部分则介绍LINUX设备驱动程序的设计，它是开发用户接口部分的理论基础；最后则是所开发程序的使用说明部分。

This thesis mainly deals with the packet filter firewall by applicating Netfilter on the basis of Linux, consisting of seven parts: first, it generally describes the firewall; second, it introduces the exploiting platform Linux and the software debug environment; third, it simply analyzes some networking protocols; fourth, it analyzes the network attacks and their defensing measures; fifth, it describes the most important part of the thesis--the analysis of netfilters frame and the exploiting and designing process of the firewall; sixth, it introduces the design of the device drivers of the Linux which is the theory base of exploting the users interface ; the last part is the applicating guide of its exploiting process.

本文介绍了运用Netfilter防火墙技术，在LINUX环境上实现包过滤防火墙的方法和过程，在内容上主要包括了七个部分：第一部分对防火墙的概述；第二部分则介绍此次开发的平台LINUX和软调环境；第三部分对几种网络协议做了简单的分析；第四部分分析了网络攻击及其防御措施；第五部分则是本次设计的核心部分Netfilter框架分析以及防火墙的开发设计思路；第六部分则介绍LINUX设备驱动程序的设计，它是开发用户接口部分的理论基础；最后则是所开发程序的使用说明部分。

We have no common name for a mime of Sophron or Xenarchus and a Socratic Conversation; and we should still be without one even if the imitation in the two instances were in trimeters or elegiacs or some other kind of verse--though it is the way with people to tack on 'poet' to the name of a metre, and talk of elegiac-poets and epic-poets, thinking that they call them poets not by reason of the imitative nature of their work, but indiscriminately by reason of the metre they write in.

索夫农 、森那库斯和苏格拉底式的对话采用的模仿没有一个公共的名称；三音步诗、挽歌体或其他类型的诗的模仿也没有——人们把&诗人&这一名词和格律名称结合到一起，称之为挽歌体诗人或者史诗诗人，他们被称为诗人，似乎只是因为遵守格律写作，而非他们作品的模仿本质。

The relationship between communicative competence and grammar teaching should be that of the ends and the means.

交际能力和语法的关系应该是目标与途径的关系。