An Attack Defense Mechanism for a Stateful Inspection Firewall

An Attack Defense System Based on State Detection Firewall of Linux

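  • Abstract: This paper discusses an attack defense mechanism for the firewall in the Linux operating system kernel, and proposes a mechanism and overall architecture for detecting network attacks. An attack defense framework is built on top of the Linux operating system firewall; for each attack pattern, the framework provides a corresponding state detection method that determines that an attack is occurring and prevents it from succeeding. The proposed attack defense system is general-purpose and extensible, and can effectively overcome the limitations of traditional packet-filtering firewalls in resisting attacks and detecting intrusions. The results show that this attack defense mechanism can significantly improve the IP security of the firewall system.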

     

    Abstract: The principle of attack defense realized in a firewall embedded in the Linux kernel is discussed. Based on an analysis of the characteristics of network attacks, the mechanism and architecture of attack defense are built accordingly. Through the introduction of stateful detection, the attack defense framework is built to detect and prevent the behavior of various attacks. The architecture of the attack defense system can therefore be expected to be general-purpose and easy to extend. The performance of the whole firewall system is enhanced because the attack defense system effectively overcomes the limitations of conventional packet-filtering firewalls. Experiments validating the improvement in IP security are given along with the research work.

     
