Diffstat (limited to '2003/netfilter-free-openfest2003/abstract')
-rw-r--r--2003/netfilter-free-openfest2003/abstract73
1 files changed, 73 insertions, 0 deletions
diff --git a/2003/netfilter-free-openfest2003/abstract b/2003/netfilter-free-openfest2003/abstract
new file mode 100644
index 0000000..bf8daa2
--- /dev/null
+++ b/2003/netfilter-free-openfest2003/abstract
@@ -0,0 +1,73 @@
+
+0 - introduction/definition: Firewalls, Proxies, Packet Filters
+- present myself and my function within the netfilter coreteam
+- what is a firewall
+ - packet filters at networking layer
+ - inspect each packet and make a choice based on the packet
+ - traditionally don't know about connections (== layer 4)
+ - advantage: fast, transparent
+ - disadvantage: filtering limited to l3+l4 (sometimes l2)
+ - proxies at application layer
+ - terminate two connections (client->proxy and proxy->server)
+ - advantage: can base policy decision on application protocol
+ - disadvantage: not transparent at all (not even transparent proxies)
+ - result: both of them have their application.
+ - history of linux packet filtering
+ - ipfwadm (2.0)
+ - ipchains (2.2)
+ - iptables (2.4+2.6)
+ - pkttables (2.6+)
+ - iptables was developed together with netfilter in the 2.3.x kernel series
+
+1 - Why a free software firewall?
+ - the internet was built on free/open standards and software
+ - security relevant open sourcecode gets more auditing because more people read it (and thus report bugs)
+ - users can put more trust in FOSS, since they can check for hidden backdoors
+ - packet filters are used like routers. They are core infrastructure of the internet. Infrastructure should be open/free for the public, just like roads.
+ - Everybody should be able to learn and understand how packet filtering works
+ - Infrastructure should not depend on monopolistic companies.
+ - problem if company goes bankrupt
+ - dependent on 'upgrade pressure' and future license changes
+ - no possibility to adopt it to new standards if vendor doesn't want to support it
+
+2 - What can you do with netfilter/iptables
+ - stateless packet filtering
+ - matches: mac, src/dst ip, src/dst port,
+ - stateful packet filtering by using connection tracking
+ - keeps state table about all ongoing connections
+ - supports l4 TCP,UDP,ICMP,GRE,PPTP
+ - supports l5+ complex protocols like ftp,pptp,h323,talk,...
+ - IP accounting (every rule has a packet/byte counter)
+ - Network Adress Translation (NAT/NAPT)
+ - Stateful, based on Connection tracking
+ - Source NAT / Masquerading
+ - Destination NAT / Redirect
+ - 1:1 NAT of whole networks (NETMAP)
+ - supports l5+ complex protocols like ftp,pptp,h323,talk,...
+ - Packet Mangling
+ - Clamp TCP MSS to PMTU
+ - Manipulate packet header (TTL, ECN, DSCP, ...)
+ - Combine with policy routing / traffic shaping systems
+ - stateless IPv6 packet filtering using ip6tables
+
+3 - Who is behind the project? How to get involved?
+ - started by Paul 'Rusty' Russell from Australia (co-author of ipchains)
+ - Marc Boucher (Canada) and James Morris (Australia) dropped in
+ - Harald Welte (Germany), Jozsef Kadlecsik (Hungary), Martin Josefsson (Sweden) joined coreteam
+ - Countless contributions from hundreds of poeple all over the world
+ - used to keep a scoreboard, but it was eating too much time
+ - Project internet presence:
+ - HTTP (www.netfilter.org)
+ - FTP (ftp.netfilter.org)
+ - RSYNC (rsync.netfilter.org)
+ - CVS (pserver.netfilter.org)
+ - 5 mailinglists (lists.netfilter.org)
+ - Bugzilla (bugzilla.netfilter.org)
+ - CVSweb (http://cvs.netfilter.org)
+ - Anybody can contribute, as long as the contribution is GPL licensed
+ - development happens on netfilter-devel@lists.netfilter.org
+ - user questions belong to netfilter@lists.netfilter.org
+ - security relevant findings to coreteam@netfilter.org
+
+Iptables is used by a lot of commercial [and also proprietary] products. Companies like Astaro and Smoothwall are offering iptables-based firewall appliances. Other companies (like Linksys, Belkin, ...) are embedding iptables into their wavelan access points - and users don't even know that they are using iptables.
+
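Review bot: the abstract text carries several spelling and wording slips that should be fixed before this is published as a talk description: "Network Adress Translation (NAT/NAPT)" should read "Network Address Translation", "Countless contributions from hundreds of poeple" should read "people", and "no possibility to adopt it to new standards" should read "adapt it to new standards". Two smaller points in the same hunk: the bullet "matches: mac, src/dst ip, src/dst port," ends in a dangling comma, so either finish the list (e.g. "..." as in the protocol bullets) or drop the comma; and the closing paragraph on commercial use of iptables (Astaro, Smoothwall, Linksys, Belkin) is the only block without a numbered heading, so for consistency with sections 0 to 3 it should get one (e.g. "4 - Commercial use of iptables").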
personal git repositories of Harald Welte. Your mileage may vary