author    Harald Welte <laforge@gnumonks.org>  2015-10-25 21:00:20 +0100
committer Harald Welte <laforge@gnumonks.org>  2015-10-25 21:00:20 +0100
commit    fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch)
tree      a2011270df48d3501892ac1a56015c8be57e8a7d /2004/firewall-vpn-gse2004
import of old now defunct presentation slides svn repo
Diffstat (limited to '2004/firewall-vpn-gse2004')
-rw-r--r--  2004/firewall-vpn-gse2004/firewall-vpn-gse2004.mgp     281
-rw-r--r--  2004/firewall-vpn-gse2004/firewall-vpn-gse2004.pdf     bin  0 -> 26830 bytes
-rw-r--r--  2004/firewall-vpn-gse2004/firewall-vpn-gse2004_2.pdf   bin  0 -> 23901 bytes
3 files changed, 281 insertions, 0 deletions
diff --git a/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.mgp b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.mgp
new file mode 100644
index 0000000..a43909c
--- /dev/null
+++ b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.mgp
@@ -0,0 +1,281 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+Firewalls, IPsec and Linux
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Contents
+
+
+ Introduction
+ Highly Scalable Linux Network Stack
+ Netfilter Hooks
+ Packet selection based on IP Tables
+ The Connection Tracking Subsystem
+ The NAT Subsystem
+ IPsec with Free S/WAN
+ IPsec with Kernel 2.6.x
+ Cipe, vtun, openvpn and others
+ Traffic Shaping, QoS, Policy Routing
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Introduction
+
+What this is:
+ A broad overview about the advanced Linux networking features
+ Intended for a network savyy audience that has little Linux background
+
+What this presentation is not:
+ A tutorial on how to use iptables, tc, iproute2, brctl
+ An introduction into the cool code we write every day ;)
+
+It will try to show you what you can do with Linux networking, not how.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Introduction
+
+Linux and Networking
+ Linux is a true child of the Internet
+ Early adopters: ISP's, Universities
+ Lots of work went into a highly scalable network stack
+ Not only for client/server, but also for routers
+ Features unheared of in other OS's
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Introduction
+
+Did you know, that a stock 2.6.5 linux kernel can provide
+
+ a stateful packet filter ?
+ fully symmetric NA(P)T ?
+ policy routing ?
+ QoS / traffic shaping ?
+ IPv6 firewalling ?
+ packet filtering, NA(P)T on a bridge ?
+ layer 2 (mac) address translation ?
+
+If not, chances are high that this presentation will tell you something new.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Netfilter Hooks
+
+ What is netfilter?
+
+ System of callback functions within network stack
+ Callback function to be called for every packet traversing certain point (hook) within network stack
+ Protocol independent framework
+ Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP)
+ Multiple kernel modules can register with each of the hooks
+
+Traditional packet filtering, NAT, ... is implemented on top of this framework
+
+Can be used for other stuff interfacing with the core network stack, like DECnet routing daemon.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+IP tables
+
+ Packet selection using IP tables
+
+ The kernel provides generic IP tables support
+
+ Each kernel module may create it's own IP table
+
+ The three major parts of 2.4 firewalling subsystem are implemented using IP tables
+ Packet filtering table 'filter'
+ NAT table 'nat'
+ Packet mangling table 'mangle'
+
+ Could potentially be used for other stuff, e.g. IPsec SPDB
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+IP Tables
+
+ Managing chains and tables
+
+ An IP table consists out of multiple chains
+ A chain consists out of a list of rules
+ Every single rule in a chain consists out of
+ match[es] (rule executed if all matches true)
+ target (what to do if the rule is matched)
+
+%size 4
+matches and targets can either be builtin or implemented as kernel modules
+
+%size 5
+ The userspace tool iptables is used to control IP tables
+ handles all different kinds of IP tables
+ supports a plugin/shlib interface for target/match specific options
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Connection Tracking Subsystem
+
+ Connection tracking...
+ implemented seperately from NAT
+ enables stateful filtering
+ protocol modules (currently TCP/UDP/ICMP/GRE/SCTP)
+ application helpers (currently FTP,IRC,H.323,talk,SNMP,RTSP)
+ does _NOT_ filter packets itself
+ can be utilized by iptables using the 'state' match
+ is used by NAT Subsystem
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Network Address Translation
+
+ Network Address Translation
+
+ Previous Linux Kernels only implemented one special case of NAT: Masquerading
+ Linux 2.4.x / 2.6.x can do any kind of NAT.
+ NAT subsystem implemented on top of netfilter, iptables and conntrack
+ Following targets available within 'nat' Table
+ SNAT changes the packet's source whille passing NF_IP_POST_ROUTING
+ DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
+ MASQUERADE is a special case of SNAT
+ REDIRECT is a special case of DNAT
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Packet Mangling
+
+ Purpose of mangle table
+ packet manipulation except address manipulation
+ Targets specific to the 'mangle' table:
+ DSCP - manipulate DSCP field
+ IPV4OPTSSTRIP - strip IPv4 options
+ MARK - change the nfmark field of the skb
+ TCPMSS - set TCP MSS option
+ TOS - manipulate the TOS bits
+ TTL - set / increase / decrease TTL field
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Linux Bridging
+
+ Bridging (brctl)
+ Includes support for Spanning Tree
+ Fully supports packet filtering and NAT (!) on a bridge
+ Can also filter and translate layer 2 MAC addresses
+ Can implement a 'brouter' (bridge certain traffic, route other)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Linux Policy Routing
+
+ Policy Routing (iproute2)
+ Allows routing decisions on arbitrary information
+ Provides up to 255 different routing tables within one system
+ By combining via nfmark with iptables, any matches of the packet filter can be used for the routing decision
+ Very useful in complex setups with mutiple links (e.g. multiple DSL uplinks with dynamic addresses, asymmetric routing, ...)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Linux Traffic Shaping
+
+ Traffic Control (tc)
+ Framework for lots of algorithms like RED,SFQ,TBF,CBQ,CSZ,GRED,HTB
+ Very granular control, especially for very low bandwidth links
+ Present since Linux 2.2.x but still not used widely
+ Lack of documentation, but situation is improving (www.lartc.org)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Free S/WAN
+
+ Free S/WAN
+ Was a politically motivated effort to provide IPsec for Linux 2.0+
+ Goal was to encrypt as much Internet Traffic as possible
+ Software architecture didn't fit very well with Linux 2.4/2.6 network stack
+ Project has been shut down, however Open S/WAN continues support
+ Is in widespread production use and has received a lot of testing
+ Political motivation prevented any U.S. citizen to contribute code
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Linux 2.6.x IPsec
+
+ Linux 2.6.x IPsec
+ Linux networking gods disaproved Free S/WAN political restrictions and software design
+ Thus, they decided to write their own IPsec stack
+ Result is in the stock 2.6.x kernel series
+ Offers complete support for transport and tunnel mode
+ Can be used with FreeSWAN (pluto) or KAME (isakmpd) userspace
+ Remaining problems
+ No integration with hardware crypto accelerators yet
+ No implementation of NAT traversal yet
+ Interaction with iptable_nat still has to be sorted out
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+cipe, vtun, openswan and others
+
+ Other VPN protocols/programs
+ Evolved as linux specific VPN implementations since the Linux Kernel was lacking stock IPsec support for a long time
+ Are totally incompatible to IPsec and only compatible to themselves
+ Are of questionable security (at least in case of cipe, vtun)
+ Are mostly userspace implementations
+ Are way easier to configure
+ Can provide layer 2 tunnels to route (or bridge!) all kinds of protocols
+ openvpn with X.509 certificates is a very clean and easy solution for building strong VPN tunnels between two linux gateways
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Thanks
+
+ Thanks to
+ the BBS scene, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+ KNF (http://www.franken.de/)
+ for bringing me in touch with the internet as early as 1994
+ for providing a playground for technical people
+ for telling me about the existance of Linux!
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+%size 3
+ The slides and the an according paper of this presentation are available at http://www.gnumonks.org/
+%size 3
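Review bot: the imported .mgp ends with a dangling `%size 3` directive on its final line, immediately after the `%size 3` that already precedes the "slides and paper are available at http://www.gnumonks.org/" line; it applies to no following text and should be dropped (or the text it was meant to size restored). Two consistency points in the same file are worth fixing at import time rather than later: the heading of the last technical slide reads "cipe, vtun, openswan and others" while both the slide's own bullets and the Contents page refer to openvpn ("Cipe, vtun, openvpn and others"), so the heading should say openvpn; and the 2.6.x IPsec slide pairs "KAME" with "(isakmpd)", whereas the KAME userspace IKE daemon is racoon (isakmpd is OpenBSD's), so that parenthetical should be double-checked. Finally, the slides carry a handful of spelling errors that will surface wherever this repo is rendered: "savyy" (savvy), "unheared" (unheard), "seperately" (separately), "whille" (while), "disaproved" (disapproved), "mutiple" (multiple), "existance" (existence), and "the slides and the an according paper" (the slides and an accompanying paper).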
diff --git a/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.pdf b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.pdf
new file mode 100644
index 0000000..4386fe5
--- /dev/null
+++ b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.pdf
Binary files differ
diff --git a/2004/firewall-vpn-gse2004/firewall-vpn-gse2004_2.pdf b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004_2.pdf
new file mode 100644
index 0000000..871e4a5
--- /dev/null
+++ b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004_2.pdf
Binary files differ