import of old now defunct presentation slides svn repo

2 files changed, 293 insertions, 0 deletions

diff --git a/2003/netfilter-free-openfest2003/abstract b/2003/netfilter-free-openfest2003/abstract
new file mode 100644
index 0000000..bf8daa2
--- /dev/null
+++ b/2003/netfilter-free-openfest2003/abstract
@@ -0,0 +1,73 @@
+
+0 - introduction/definition: Firewalls, Proxies, Packet Filters
+- present myself and my function within the netfilter coreteam
+- what is a firewall
+	- packet filters at networking layer
+		- inspect each packet and make a choice based on the packet
+		- traditionally don't know about connections (== layer 4)
+		- advantage: fast, transparent
+		- disadvantage: filtering limited to l3+l4 (sometimes l2)
+	- proxies at application layer
+		- terminate two connections (client->proxy and proxy->server)
+		- advantage: can base policy decision on application protocol
+		- disadvantage: not transparent at all (not even transparent proxies)
+	- result: both of them have their application.
+	- history of linux packet filtering
+		- ipfwadm (2.0)
+		- ipchains (2.2)
+		- iptables (2.4+2.6)
+		- pkttables (2.6+)
+	- iptables was developed together with netfilter in the 2.3.x kernel series
+	
+1 - Why a free software firewall? 
+	- the internet was built on free/open standards and software
+	- security relevant open sourcecode gets more auditing because more people read it (and thus report bugs)
+	- users can put more trust in FOSS, since they can check for hidden backdoors
+	- packet filters are used like routers.  They are core infrastructure of the internet.  Infrastructure should be open/free for the public, just like roads.  
+	- Everybody should be able to learn and understand how packet filtering works
+	- Infrastructure should not depend on monopolistic companies.  
+		- problem if company goes bankrupt
+		- dependent on 'upgrade pressure' and future license changes
+		- no possibility to adopt it to new standards if vendor doesn't want to support it
+
+2 - What can you do with netfilter/iptables
+	- stateless packet filtering
+		- matches: mac, src/dst ip, src/dst port, 
+	- stateful packet filtering by using connection tracking
+		- keeps state table about all ongoing connections
+		- supports l4  TCP,UDP,ICMP,GRE,PPTP
+		- supports l5+ complex protocols like ftp,pptp,h323,talk,...
+	- IP accounting (every rule has a packet/byte counter)
+	- Network Adress Translation (NAT/NAPT)
+		- Stateful, based on Connection tracking
+		- Source NAT / Masquerading
+		- Destination NAT / Redirect
+		- 1:1 NAT of whole networks (NETMAP)
+		- supports l5+ complex protocols like ftp,pptp,h323,talk,...
+	- Packet Mangling
+		- Clamp TCP MSS to PMTU
+		- Manipulate packet header (TTL, ECN, DSCP, ...)
+		- Combine with policy routing / traffic shaping systems
+	- stateless IPv6 packet filtering using ip6tables
+
+3 - Who is behind the project? How to get involved?
+	- started by Paul 'Rusty' Russell from Australia (co-author of ipchains)
+	- Marc Boucher (Canada) and James Morris (Australia) dropped in
+	- Harald Welte (Germany), Jozsef Kadlecsik (Hungary), Martin Josefsson (Sweden) joined coreteam
+	- Countless contributions from hundreds of poeple all over the world
+	- used to keep a scoreboard, but it was eating too much time
+	- Project internet presence:
+		- HTTP (www.netfilter.org)
+		- FTP (ftp.netfilter.org)
+		- RSYNC (rsync.netfilter.org)
+		- CVS (pserver.netfilter.org)
+		- 5 mailinglists (lists.netfilter.org)
+		- Bugzilla (bugzilla.netfilter.org)
+		- CVSweb (http://cvs.netfilter.org)
+	- Anybody can contribute, as long as the contribution is GPL licensed
+	- development happens on netfilter-devel@lists.netfilter.org
+	- user questions belong to netfilter@lists.netfilter.org
+	- security relevant findings to coreteam@netfilter.org
+
+Iptables is used by a lot of commercial [and also proprietary] products.  Companies like Astaro and Smoothwall are offering iptables-based firewall appliances.  Other companies (like Linksys, Belkin, ...) are embedding iptables into their wavelan access points - and users don't even know that they are using iptables.
+
diff --git a/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp b/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp
new file mode 100644
index 0000000..7a549ff
--- /dev/null
+++ b/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp
@@ -0,0 +1,220 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+The netfilter/iptables project
+
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Contents
+
+	Introduction: Firewalls, Proxies, Packet Filters
+
+	Why a free software firewall?
+
+	What can you do with netfilter/iptables?
+
+	Who is behind the project? How to get involved?
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Introduction: Firewalls, Proxies, Packet Filters 
+
+	Firewalls are security gateways between networks
+
+	Can be implemented in different ways, at different layers
+
+		Packet filters at networking layer (3)
+			inspect each packet and make decision based on the packet contents
+			traditionally don't know about connections
+			advantage: fast, transparent
+			disadvantage: filtering limited to l3 and l4 headers
+
+		Proxies at application layer (5-7)
+			terminate two connections (client->proxy and proxy->server)
+			advantage: can base decision on application protocol
+			disadvantage: not transparent, need application support
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Introduction: Firewalls, Proxies, Packet Filters 
+
+	However, the world is not that easy anymore since new techniques are blending those two concepts
+
+		stateful packet filters
+			keep state about existing connections/flows
+			allow even state tracking beyond l4 state
+			thus give packet filters some features of proxies
+
+		transparent proxies
+			can be implemented without application support
+			how 'transparent' do you want to be? to the client? the server? the network?
+			thus give proxies some of the transparency of packet filters
+
+	In reality it is sometimes hard to tell.  netfilter/iptables implements a packet filter (stateless/stateful) and some support for transparent proxying.
+
+
+			
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+History of linux packet filtering
+
+%size 3
+		1994: kernel 1.2.x (BSD4.4 ipfw)
+			first packet filter in the linux kernel
+%size 3
+		1995: kernel 2.0.x (ipfwadm)
+			enhanced version of the old ipfw
+			first support for masquerading
+%size 3
+		1997: kernel 2.2.x (ipchains)
+			enhanced version of ipfwadm
+			support for multiple lists of rules (chains)
+			support for transparent proxying
+			masquerading helpers for ftp/irc/quake/...
+%size 3
+		2000: kernel 2.4.x (iptables)
+			totally new implementation (based on netfilter API)
+			allows for multiple tables (which each have multiple chains)
+			first support for stateful packet filtering
+			support for fully symmetric NAT (SNAT/DNAT/...)
+%size 3
+		2003: kernel 2.6.0-testX (iptables)	
+			breaking a tradition: no new packet filter (not yet...)
+			support for non-linear skb's (zerocopy TCP path)
+%size 3
+		2003/4: kernel 2.7.x and later 2.6.x backport (pkttables)
+			totally new implementation
+			layer 3 independent packet filtering framework
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Why a free software firewall?
+
+	Tradition
+		The internet was builton free/open standards and software
+	Code Quality
+		Security relevant open sourcecode gets more auditing because more people read it (and thus report/fix bugs)
+	Trust
+		Users can have more trust in FOSS, since they can check for hidden backdoors
+	Public infrastructure
+		Packet Filters (like routers) are core infrastructure of the internet.
+		Infrastructure should be open/free for the public, just like roads.
+	Arguments against proprietary software in infrastructure
+		What if the vendor of your product goes bankrupt?
+		Users are dependent on 'upgrade pressure' and future license changes
+		No possibility to adopt new standards if Vendor has no interest
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+The netfilter/iptables project
+What can you do using netfilter/iptables?
+
+	stateless packet filtering
+		provides matches for almost any criteria in the universe
+	stateful packet filtering (using connection tracking)
+		keeps state table about all ongoing connections
+		currently supports TCP/UDP/ICMP/GRE
+		currently supports l5+ helpers for ftp,irc,pptp,h323,talk,mms,tftp,...
+	network address translation
+		stateful, based on connection tracking
+		source NAT / Masquerading
+		destination NAT / redirect
+		1:1 nat of whole networks (NETMAP)
+	packet mangling
+		clamp TCP MSS to PMTU for broken PMTU discovery
+		manipulate packet header (TTL, ECN, DSCP, ...)
+		combine with policy routing / traffic shaping
+	stateless IPv6 packet filtering (ip6tables)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Who is behind netfilter/iptables?
+
+	Project started by Paul 'Rusty' Russell
+	Coreteam
+		Rusty, Marc Boucher, James Morris, Harald Welte, Jozsef Kadlecsik, Martin Josefsson
+		Elects a head of coreteam
+	Countless contributions from hundreds of people all over the world
+	In the past we had a scoreboard to keep track of the contributions
+
+	We are always in lack of volunteers, even for listadmin/webmaster/...
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+The netfilter/iptables project
+How to get involved?
+
+	Internet services:
+		Homepage - http://www.netfilter.org/
+		FTP Server - ftp://ftp.netfilter.org/
+		rsync server - rsync.netfilter.org
+		CVS server - pserver.netfilter.org
+		Bugzilla - http://bugzilla.netfilter.org/
+		CVSweb - http://cvs.netfilter.org/
+		Mailinglist - http://lists.netfilter.org/
+	Anybody can contribute, code has to be GPL licensed
+	Development discussion at netfilter-devel@lists.netfilter.org
+	User questions at netfilter@lists.netfilter.org
+	Security relevant issues at coreteam@netfilter.org
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+The netfilter/iptables project
+Areas of current development
+
+	pkttables (kernel part, pkttnetlink, libpkttnetlink, libpkttables)
+	make ULOG and ip_queue l3 independent (and move to nfnetlink)
+	optimizing connection tracking SMP performance
+	conntrack: support for more protocols (SCTP,...)
+	nf-hipac: highly optimized packet matching engine
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Thanks
+
+%size 4
+		The slides of this presentation are available at http://www.gnumonks.org/
+		Visit the netfilter homepage http://www.netfilter.org/
+	Thanks to
+		the BBS people, Z-Netz, FIDO, ...
+			for heavily increasing my computer usage in 1992
+		KNF (http://www.franken.de/)
+			for bringing me in touch with the internet as early as 1994
+			for providing a playground for technical people
+			for telling me about the existance of Linux!
+		Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+			for implementing (one of?) the world's best TCP/IP stacks
+		Paul 'Rusty' Russell
+			for starting the netfilter/iptables project
+			for trusting me to maintain it today
+		Astaro AG
+			for sponsoring most of my current netfilter work
+