diff options
author | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
commit | fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch) | |
tree | a2011270df48d3501892ac1a56015c8be57e8a7d /2003/netfilter-free-openfest2003 |
import of old now defunct presentation slides svn repo
Diffstat (limited to '2003/netfilter-free-openfest2003')
-rw-r--r-- | 2003/netfilter-free-openfest2003/abstract | 73 | ||||
-rw-r--r-- | 2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp | 220 |
2 files changed, 293 insertions, 0 deletions
diff --git a/2003/netfilter-free-openfest2003/abstract b/2003/netfilter-free-openfest2003/abstract new file mode 100644 index 0000000..bf8daa2 --- /dev/null +++ b/2003/netfilter-free-openfest2003/abstract @@ -0,0 +1,73 @@ + +0 - introduction/definition: Firewalls, Proxies, Packet Filters +- present myself and my function within the netfilter coreteam +- what is a firewall + - packet filters at networking layer + - inspect each packet and make a choice based on the packet + - traditionally don't know about connections (== layer 4) + - advantage: fast, transparent + - disadvantage: filtering limited to l3+l4 (sometimes l2) + - proxies at application layer + - terminate two connections (client->proxy and proxy->server) + - advantage: can base policy decision on application protocol + - disadvantage: not transparent at all (not even transparent proxies) + - result: both of them have their application. + - history of linux packet filtering + - ipfwadm (2.0) + - ipchains (2.2) + - iptables (2.4+2.6) + - pkttables (2.6+) + - iptables was developed together with netfilter in the 2.3.x kernel series + +1 - Why a free software firewall? + - the internet was built on free/open standards and software + - security relevant open sourcecode gets more auditing because more people read it (and thus report bugs) + - users can put more trust in FOSS, since they can check for hidden backdoors + - packet filters are used like routers. They are core infrastructure of the internet. Infrastructure should be open/free for the public, just like roads. + - Everybody should be able to learn and understand how packet filtering works + - Infrastructure should not depend on monopolistic companies. + - problem if company goes bankrupt + - dependent on 'upgrade pressure' and future license changes + - no possibility to adopt it to new standards if vendor doesn't want to support it + +2 - What can you do with netfilter/iptables + - stateless packet filtering + - matches: mac, src/dst ip, src/dst port, + - stateful packet filtering by using connection tracking + - keeps state table about all ongoing connections + - supports l4 TCP,UDP,ICMP,GRE,PPTP + - supports l5+ complex protocols like ftp,pptp,h323,talk,... + - IP accounting (every rule has a packet/byte counter) + - Network Adress Translation (NAT/NAPT) + - Stateful, based on Connection tracking + - Source NAT / Masquerading + - Destination NAT / Redirect + - 1:1 NAT of whole networks (NETMAP) + - supports l5+ complex protocols like ftp,pptp,h323,talk,... + - Packet Mangling + - Clamp TCP MSS to PMTU + - Manipulate packet header (TTL, ECN, DSCP, ...) + - Combine with policy routing / traffic shaping systems + - stateless IPv6 packet filtering using ip6tables + +3 - Who is behind the project? How to get involved? + - started by Paul 'Rusty' Russell from Australia (co-author of ipchains) + - Marc Boucher (Canada) and James Morris (Australia) dropped in + - Harald Welte (Germany), Jozsef Kadlecsik (Hungary), Martin Josefsson (Sweden) joined coreteam + - Countless contributions from hundreds of poeple all over the world + - used to keep a scoreboard, but it was eating too much time + - Project internet presence: + - HTTP (www.netfilter.org) + - FTP (ftp.netfilter.org) + - RSYNC (rsync.netfilter.org) + - CVS (pserver.netfilter.org) + - 5 mailinglists (lists.netfilter.org) + - Bugzilla (bugzilla.netfilter.org) + - CVSweb (http://cvs.netfilter.org) + - Anybody can contribute, as long as the contribution is GPL licensed + - development happens on netfilter-devel@lists.netfilter.org + - user questions belong to netfilter@lists.netfilter.org + - security relevant findings to coreteam@netfilter.org + +Iptables is used by a lot of commercial [and also proprietary] products. Companies like Astaro and Smoothwall are offering iptables-based firewall appliances. Other companies (like Linksys, Belkin, ...) are embedding iptables into their wavelan access points - and users don't even know that they are using iptables. + diff --git a/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp b/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp new file mode 100644 index 0000000..7a549ff --- /dev/null +++ b/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp @@ -0,0 +1,220 @@ +%include "default.mgp" +%default 1 bgrad +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + +%center +%size 7 + + +The netfilter/iptables project + + + +%center +%size 4 +by + +Harald Welte <laforge@netfilter.org> + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Contents + + Introduction: Firewalls, Proxies, Packet Filters + + Why a free software firewall? + + What can you do with netfilter/iptables? + + Who is behind the project? How to get involved? + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Introduction: Firewalls, Proxies, Packet Filters + + Firewalls are security gateways between networks + + Can be implemented in different ways, at different layers + + Packet filters at networking layer (3) + inspect each packet and make decision based on the packet contents + traditionally don't know about connections + advantage: fast, transparent + disadvantage: filtering limited to l3 and l4 headers + + Proxies at application layer (5-7) + terminate two connections (client->proxy and proxy->server) + advantage: can base decision on application protocol + disadvantage: not transparent, need application support + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Introduction: Firewalls, Proxies, Packet Filters + + However, the world is not that easy anymore since new techniques are blending those two concepts + + stateful packet filters + keep state about existing connections/flows + allow even state tracking beyond l4 state + thus give packet filters some features of proxies + + transparent proxies + can be implemented without application support + how 'transparent' do you want to be? to the client? the server? the network? + thus give proxies some of the transparency of packet filters + + In reality it is sometimes hard to tell. netfilter/iptables implements a packet filter (stateless/stateful) and some support for transparent proxying. + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +History of linux packet filtering + +%size 3 + 1994: kernel 1.2.x (BSD4.4 ipfw) + first packet filter in the linux kernel +%size 3 + 1995: kernel 2.0.x (ipfwadm) + enhanced version of the old ipfw + first support for masquerading +%size 3 + 1997: kernel 2.2.x (ipchains) + enhanced version of ipfwadm + support for multiple lists of rules (chains) + support for transparent proxying + masquerading helpers for ftp/irc/quake/... +%size 3 + 2000: kernel 2.4.x (iptables) + totally new implementation (based on netfilter API) + allows for multiple tables (which each have multiple chains) + first support for stateful packet filtering + support for fully symmetric NAT (SNAT/DNAT/...) +%size 3 + 2003: kernel 2.6.0-testX (iptables) + breaking a tradition: no new packet filter (not yet...) + support for non-linear skb's (zerocopy TCP path) +%size 3 + 2003/4: kernel 2.7.x and later 2.6.x backport (pkttables) + totally new implementation + layer 3 independent packet filtering framework + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Why a free software firewall? + + Tradition + The internet was builton free/open standards and software + Code Quality + Security relevant open sourcecode gets more auditing because more people read it (and thus report/fix bugs) + Trust + Users can have more trust in FOSS, since they can check for hidden backdoors + Public infrastructure + Packet Filters (like routers) are core infrastructure of the internet. + Infrastructure should be open/free for the public, just like roads. + Arguments against proprietary software in infrastructure + What if the vendor of your product goes bankrupt? + Users are dependent on 'upgrade pressure' and future license changes + No possibility to adopt new standards if Vendor has no interest + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +What can you do using netfilter/iptables? + + stateless packet filtering + provides matches for almost any criteria in the universe + stateful packet filtering (using connection tracking) + keeps state table about all ongoing connections + currently supports TCP/UDP/ICMP/GRE + currently supports l5+ helpers for ftp,irc,pptp,h323,talk,mms,tftp,... + network address translation + stateful, based on connection tracking + source NAT / Masquerading + destination NAT / redirect + 1:1 nat of whole networks (NETMAP) + packet mangling + clamp TCP MSS to PMTU for broken PMTU discovery + manipulate packet header (TTL, ECN, DSCP, ...) + combine with policy routing / traffic shaping + stateless IPv6 packet filtering (ip6tables) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +HA for netfillter/iptables +Who is behind netfilter/iptables? + + Project started by Paul 'Rusty' Russell + Coreteam + Rusty, Marc Boucher, James Morris, Harald Welte, Jozsef Kadlecsik, Martin Josefsson + Elects a head of coreteam + Countless contributions from hundreds of people all over the world + In the past we had a scoreboard to keep track of the contributions + + We are always in lack of volunteers, even for listadmin/webmaster/... + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +How to get involved? + + Internet services: + Homepage - http://www.netfilter.org/ + FTP Server - ftp://ftp.netfilter.org/ + rsync server - rsync.netfilter.org + CVS server - pserver.netfilter.org + Bugzilla - http://bugzilla.netfilter.org/ + CVSweb - http://cvs.netfilter.org/ + Mailinglist - http://lists.netfilter.org/ + Anybody can contribute, code has to be GPL licensed + Development discussion at netfilter-devel@lists.netfilter.org + User questions at netfilter@lists.netfilter.org + Security relevant issues at coreteam@netfilter.org + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Areas of current development + + pkttables (kernel part, pkttnetlink, libpkttnetlink, libpkttables) + make ULOG and ip_queue l3 independent (and move to nfnetlink) + optimizing connection tracking SMP performance + conntrack: support for more protocols (SCTP,...) + nf-hipac: highly optimized packet matching engine + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Thanks + +%size 4 + The slides of this presentation are available at http://www.gnumonks.org/ + Visit the netfilter homepage http://www.netfilter.org/ + Thanks to + the BBS people, Z-Netz, FIDO, ... + for heavily increasing my computer usage in 1992 + KNF (http://www.franken.de/) + for bringing me in touch with the internet as early as 1994 + for providing a playground for technical people + for telling me about the existance of Linux! + Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen + for implementing (one of?) the world's best TCP/IP stacks + Paul 'Rusty' Russell + for starting the netfilter/iptables project + for trusting me to maintain it today + Astaro AG + for sponsoring most of my current netfilter work + |