path: root/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp
Diffstat (limited to '2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp')
-rw-r--r-- 2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp 220
1 files changed, 220 insertions, 0 deletions
diff --git a/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp b/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp
new file mode 100644
index 0000000..7a549ff
--- /dev/null
+++ b/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp
@@ -0,0 +1,220 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+The netfilter/iptables project
+
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Contents
+
+ Introduction: Firewalls, Proxies, Packet Filters
+
+ Why a free software firewall?
+
+ What can you do with netfilter/iptables?
+
+ Who is behind the project? How to get involved?
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Introduction: Firewalls, Proxies, Packet Filters
+
+ Firewalls are security gateways between networks
+
+ Can be implemented in different ways, at different layers
+
+ Packet filters at networking layer (3)
+ inspect each packet and make decision based on the packet contents
+ traditionally don't know about connections
+ advantage: fast, transparent
+ disadvantage: filtering limited to l3 and l4 headers
+
+ Proxies at application layer (5-7)
+ terminate two connections (client->proxy and proxy->server)
+ advantage: can base decision on application protocol
+ disadvantage: not transparent, need application support
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Introduction: Firewalls, Proxies, Packet Filters
+
+ However, the world is not that easy anymore since new techniques are blending those two concepts
+
+ stateful packet filters
+ keep state about existing connections/flows
+ allow even state tracking beyond l4 state
+ thus give packet filters some features of proxies
+
+ transparent proxies
+ can be implemented without application support
+ how 'transparent' do you want to be? to the client? the server? the network?
+ thus give proxies some of the transparency of packet filters
+
+ In reality it is sometimes hard to tell. netfilter/iptables implements a packet filter (stateless/stateful) and some support for transparent proxying.
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+History of linux packet filtering
+
+%size 3
+ 1994: kernel 1.2.x (BSD4.4 ipfw)
+ first packet filter in the linux kernel
+%size 3
+ 1995: kernel 2.0.x (ipfwadm)
+ enhanced version of the old ipfw
+ first support for masquerading
+%size 3
+ 1997: kernel 2.2.x (ipchains)
+ enhanced version of ipfwadm
+ support for multiple lists of rules (chains)
+ support for transparent proxying
+ masquerading helpers for ftp/irc/quake/...
+%size 3
+ 2000: kernel 2.4.x (iptables)
+ totally new implementation (based on netfilter API)
+ allows for multiple tables (which each have multiple chains)
+ first support for stateful packet filtering
+ support for fully symmetric NAT (SNAT/DNAT/...)
+%size 3
+ 2003: kernel 2.6.0-testX (iptables)
+ breaking a tradition: no new packet filter (not yet...)
+ support for non-linear skb's (zerocopy TCP path)
+%size 3
+ 2003/4: kernel 2.7.x and later 2.6.x backport (pkttables)
+ totally new implementation
+ layer 3 independent packet filtering framework
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Why a free software firewall?
+
+ Tradition
+ The internet was builton free/open standards and software
+ Code Quality
+ Security relevant open sourcecode gets more auditing because more people read it (and thus report/fix bugs)
+ Trust
+ Users can have more trust in FOSS, since they can check for hidden backdoors
+ Public infrastructure
+ Packet Filters (like routers) are core infrastructure of the internet.
+ Infrastructure should be open/free for the public, just like roads.
+ Arguments against proprietary software in infrastructure
+ What if the vendor of your product goes bankrupt?
+ Users are dependent on 'upgrade pressure' and future license changes
+ No possibility to adopt new standards if Vendor has no interest
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+What can you do using netfilter/iptables?
+
+ stateless packet filtering
+ provides matches for almost any criteria in the universe
+ stateful packet filtering (using connection tracking)
+ keeps state table about all ongoing connections
+ currently supports TCP/UDP/ICMP/GRE
+ currently supports l5+ helpers for ftp,irc,pptp,h323,talk,mms,tftp,...
+ network address translation
+ stateful, based on connection tracking
+ source NAT / Masquerading
+ destination NAT / redirect
+ 1:1 nat of whole networks (NETMAP)
+ packet mangling
+ clamp TCP MSS to PMTU for broken PMTU discovery
+ manipulate packet header (TTL, ECN, DSCP, ...)
+ combine with policy routing / traffic shaping
+ stateless IPv6 packet filtering (ip6tables)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Who is behind netfilter/iptables?
+
+ Project started by Paul 'Rusty' Russell
+ Coreteam
+ Rusty, Marc Boucher, James Morris, Harald Welte, Jozsef Kadlecsik, Martin Josefsson
+ Elects a head of coreteam
+ Countless contributions from hundreds of people all over the world
+ In the past we had a scoreboard to keep track of the contributions
+
+ We are always in lack of volunteers, even for listadmin/webmaster/...
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+How to get involved?
+
+ Internet services:
+ Homepage - http://www.netfilter.org/
+ FTP Server - ftp://ftp.netfilter.org/
+ rsync server - rsync.netfilter.org
+ CVS server - pserver.netfilter.org
+ Bugzilla - http://bugzilla.netfilter.org/
+ CVSweb - http://cvs.netfilter.org/
+ Mailinglist - http://lists.netfilter.org/
+ Anybody can contribute, code has to be GPL licensed
+ Development discussion at netfilter-devel@lists.netfilter.org
+ User questions at netfilter@lists.netfilter.org
+ Security relevant issues at coreteam@netfilter.org
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Areas of current development
+
+ pkttables (kernel part, pkttnetlink, libpkttnetlink, libpkttables)
+ make ULOG and ip_queue l3 independent (and move to nfnetlink)
+ optimizing connection tracking SMP performance
+ conntrack: support for more protocols (SCTP,...)
+ nf-hipac: highly optimized packet matching engine
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Thanks
+
+%size 4
+ The slides of this presentation are available at http://www.gnumonks.org/
+ Visit the netfilter homepage http://www.netfilter.org/
+ Thanks to
+ the BBS people, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+ KNF (http://www.franken.de/)
+ for bringing me in touch with the internet as early as 1994
+ for providing a playground for technical people
+ for telling me about the existance of Linux!
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring most of my current netfilter work
+
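Review bot: the page header on the "Who is behind netfilter/iptables?" slide reads "HA for netfillter/iptables", which is both misspelled and inconsistent with every other slide's first line "The netfilter/iptables project"; it looks like a leftover from another deck and should be changed to match. Spelling nits elsewhere in the same hunk: "The internet was builton free/open standards and software" (built on), "Security relevant open sourcecode gets more auditing" (source code), and "for telling me about the existance of Linux!" (existence). The Contents slide lists only four sections while the deck also contains "History of linux packet filtering" and "Areas of current development"; adding those two entries would keep the outline in step with the pages.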
personal git repositories of Harald Welte. Your mileage may vary