NUFW:
A solution that can be applied to Single Sign On (SSO); it fills the gap in Netfilter's authentication support.
Authentication can be based on the user's
* IP
* LDAP account
* OS
* Application
* User ID
nf-HiPAC:
A packet filter for Linux built on the power and flexibility of HiPAC.
HIPAC
is a novel packet classification framework. It uses advanced algorithms to reduce the memory the kernel has to spend looking up each packet, which matters most at high network throughput with large rulesets.
The advantages of using nf-HiPAC are as follows:
- Performance:
- iptables matches packets by linear traversal of the rules, which is generally inefficient. nf-HiPAC outperforms iptables and places no limit on the number of rules. Simply put, HIPAC's classification engine adds little overhead even under very large rule sets.
Test data:
performance_tests/results.html
- Scalability to large rulesets:
- nf-HIPAC's performance is independent of the number of rules: even when nf-HIPAC has thousands of rules to traverse, it still performs better than iptables with 20 rules.
- Dynamic rulesets:
- nf-HiPAC lets the user update its ruleset on the fly without queuing packets or halting classification. iptables, by contrast, must pause packet classification while the rule set is updated; that is, packets are held until the iptables rule update completes, and only then does classification (packet traversal of the ruleset chain) resume.
ipset
A great project: it can match large numbers of IPs, ports and similar data quickly within the iptables framework, and is well worth a try.
IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC addresses in a way which ensures lightning speed when matching an entry against a set.
If you want to
* store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
* dynamically update iptables rules against IP addresses or ports without performance penalty;
* express complex IP address and port based rulesets with one single iptables rule and benefit from the speed of IP sets
then ipset may be the proper tool for you.
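As an added example (not part of the original post), the following shell script shows the pattern the ipset text describes: a blocklist kept in one hash:net set, consulted by a single iptables rule, and refreshed by filling a staging set and swapping it in so matching never pauses. The set name blocklist, the sample addresses and the DROP rule are assumptions chosen for illustration.

```shell
# Added example, not from the original post: keep a blocklist in one ipset
# and consult it from a single iptables rule. Updates fill a staging set and
# swap it in atomically, so the live set keeps matching while it is rebuilt.
SET_NAME="blocklist"     # assumed name of the live set referenced by iptables
SET_TYPE="hash:net"      # holds IPv4 addresses and CIDR networks

# Constructed sample entries (documentation ranges, not real hosts).
SAMPLE_ENTRIES="198.51.100.0/24
203.0.113.7
192.0.2.128/25"

# valid_entry ADDR: accept a dotted-quad IPv4 address with an optional /0-32.
valid_entry() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# build_restore ENTRIES: emit an "ipset restore" script. Every entry is
# validated first; one bad entry rejects the whole batch so a half-built
# set is never swapped in.
build_restore() {
    tmp="${SET_NAME}-tmp"
    for e in $1; do
        valid_entry "$e" || { echo "rejected entry: $e" >&2; return 1; }
    done
    printf 'create %s %s family inet\n' "$SET_NAME" "$SET_TYPE"
    printf 'create %s %s family inet\n' "$tmp" "$SET_TYPE"
    printf 'flush %s\n' "$tmp"
    for e in $1; do printf 'add %s %s\n' "$tmp" "$e"; done
    printf 'swap %s %s\n' "$SET_NAME" "$tmp"   # atomic: rule sees old or new set
    printf 'destroy %s\n' "$tmp"
}

# apply_blocklist ENTRIES: load the script (needs root and the ipset tool);
# -exist makes the "create" lines idempotent on repeated runs. Then make sure
# the single rule that consults the set is present, inserting it only once.
apply_blocklist() {
    script=$(build_restore "$1") || return 1
    printf '%s\n' "$script" | ipset -exist restore || return 1
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Show the generated restore script; call apply_blocklist to load it.
build_restore "$SAMPLE_ENTRIES"
```

Because the rule references the set by name, growing or replacing the list never touches the iptables chain, which is exactly the "no performance penalty" property the ipset text promises.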
tproxy
SIP A: MAC a ---> (Bridged port): MAC m ---- Device ----- (Bridged port): MAC n -----> DIP W: MAC w
The device's pair of physical ports is bridged (call it br0) and has an IP address (P).
Features
* Remember the original source IP (A) and the original MAC (a)
* Send the packet from the device to the destination (second segment), where its source IP:MAC is P:n
* Replace P:n with A:a (this is the main task of tproxy)