Abstract: Two design schemes for a firewall IPS module are proposed. In the first scheme, the snort-inline technique and the QUEUE target of netfilter are used to drop attack packets. In the second, IPS against Denial of Service attacks is achieved by combining SYN cookies with the new netfilter fuzzy match, the PSD match and the U32 match, together with an improvement to the firewall kernel. After a comprehensive comparison, the module is developed according to the second scheme. Experiments show that the designed module defends well against the main DoS attacks.
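The abstract names SYN cookies as the first ingredient of the second scheme without showing why they let a firewall or host survive a SYN flood. The following is an added example, not code from the paper or its module: a simplified model of the Linux-style SYN cookie, where the server's initial sequence number in the SYN-ACK carries a keyed hash of the connection tuple, a coarse time counter and an MSS index, so that no half-open state is stored until a valid ACK arrives. The addresses, ports, secrets and counter values are constructed for the demonstration; real implementations use a 64-second counter tick and a few bits for the MSS index, but the arithmetic shown here is the same idea.

```python
"""SYN-cookie encode/verify, a simplified model of the Linux scheme (added example)."""
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the cookie can encode (index 0..3)
MAX_COOKIE_AGE = 2                    # accept cookies at most 2 counter ticks old

# Constructed placeholder secrets; a real kernel draws these at boot and rotates them.
SECRETS = (b"constructed-secret-1", b"constructed-secret-2")


def _h(key, *fields):
    """Keyed 32-bit hash over big-endian 32-bit fields (HMAC-SHA256, truncated)."""
    data = struct.pack("!%dI" % len(fields), *fields)
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:4], "big")


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, counter, secrets=SECRETS):
    """Server ISN for the SYN-ACK: encodes the 8-bit counter and the MSS index.

    Nothing is stored on the server; a flood of SYNs with spoofed sources costs
    only this computation, not a connection-table entry.
    """
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    c = counter & 0xFF
    h1 = _h(secrets[0], _ip(saddr), _ip(daddr), sport, dport)
    h2 = _h(secrets[1], _ip(saddr), _ip(daddr), sport, dport, c)
    return (h1 + client_isn + (c << 24) + ((h2 + mss_idx) & 0xFFFFFF)) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, counter, secrets=SECRETS):
    """Validate the cookie carried back in the ACK (ack_seq - 1).

    Returns the negotiated MSS, or None if the cookie is forged or too old.
    """
    h1 = _h(secrets[0], _ip(saddr), _ip(daddr), sport, dport)
    diff = (cookie - client_isn - h1) & 0xFFFFFFFF
    cookie_counter = diff >> 24                  # top 8 bits: counter at SYN time
    age = (counter - cookie_counter) & 0xFF
    if age > MAX_COOKIE_AGE:                     # stale cookie: reject, keep no state
        return None
    h2 = _h(secrets[1], _ip(saddr), _ip(daddr), sport, dport, cookie_counter)
    mss_idx = (diff - h2) & 0xFFFFFF             # low 24 bits: hashed MSS index
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def handshake(saddr, sport, client_isn, mss, counter, ack_counter=None):
    """Walk SYN -> SYN-ACK -> ACK against a stateless server; returns MSS or None."""
    daddr, dport = "203.0.113.10", 80           # constructed server address
    # 1. SYN arrives under flood: server answers with a cookie ISN and stores nothing.
    server_isn = make_cookie(saddr, daddr, sport, dport, client_isn, mss, counter)
    # 2. Only a client that really received the SYN-ACK can ACK with server_isn + 1.
    ack_seq = (server_isn + 1) & 0xFFFFFFFF
    # 3. The server recovers the connection parameters from the ACK alone, possibly
    #    some counter ticks later (ack_counter), and only now creates state.
    now = counter if ack_counter is None else ack_counter
    return check_cookie(saddr, daddr, sport, dport, client_isn,
                        (ack_seq - 1) & 0xFFFFFFFF, now)


if __name__ == "__main__":
    print(handshake("198.51.100.7", 40000, 12345, 1460, 10))                 # 1460
    print(handshake("198.51.100.7", 40000, 12345, 1460, 10, ack_counter=13))  # None
```

The defensive point is in `check_cookie`: the server commits memory only after the hash and age checks pass, so spoofed-source SYNs that never complete the handshake leave nothing behind. On Linux the equivalent switch is `net.ipv4.tcp_syncookies`, which is what the second scheme in the abstract relies on before the netfilter matches see the traffic.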