path: root/2003/netfilter-free-openfest2003
Diffstat (limited to '2003/netfilter-free-openfest2003')
-rw-r--r--2003/netfilter-free-openfest2003/abstract73
-rw-r--r--2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp220
2 files changed, 293 insertions, 0 deletions
diff --git a/2003/netfilter-free-openfest2003/abstract b/2003/netfilter-free-openfest2003/abstract
new file mode 100644
index 0000000..bf8daa2
--- /dev/null
+++ b/2003/netfilter-free-openfest2003/abstract
@@ -0,0 +1,73 @@
+
+0 - introduction/definition: Firewalls, Proxies, Packet Filters
+- present myself and my function within the netfilter coreteam
+- what is a firewall
+ - packet filters at networking layer
+ - inspect each packet and make a choice based on the packet
+ - traditionally don't know about connections (== layer 4)
+ - advantage: fast, transparent
+ - disadvantage: filtering limited to l3+l4 (sometimes l2)
+ - proxies at application layer
+ - terminate two connections (client->proxy and proxy->server)
+ - advantage: can base policy decision on application protocol
+ - disadvantage: not transparent at all (not even transparent proxies)
+ - result: both of them have their application.
+ - history of linux packet filtering
+ - ipfwadm (2.0)
+ - ipchains (2.2)
+ - iptables (2.4+2.6)
+ - pkttables (2.6+)
+ - iptables was developed together with netfilter in the 2.3.x kernel series
+
+1 - Why a free software firewall?
+ - the internet was built on free/open standards and software
+ - security relevant open sourcecode gets more auditing because more people read it (and thus report bugs)
+ - users can put more trust in FOSS, since they can check for hidden backdoors
+ - packet filters are used like routers. They are core infrastructure of the internet. Infrastructure should be open/free for the public, just like roads.
+ - Everybody should be able to learn and understand how packet filtering works
+ - Infrastructure should not depend on monopolistic companies.
+ - problem if company goes bankrupt
+ - dependent on 'upgrade pressure' and future license changes
+ - no possibility to adopt it to new standards if vendor doesn't want to support it
+
+2 - What can you do with netfilter/iptables
+ - stateless packet filtering
+ - matches: mac, src/dst ip, src/dst port,
+ - stateful packet filtering by using connection tracking
+ - keeps state table about all ongoing connections
+ - supports l4 TCP,UDP,ICMP,GRE,PPTP
+ - supports l5+ complex protocols like ftp,pptp,h323,talk,...
+ - IP accounting (every rule has a packet/byte counter)
+ - Network Adress Translation (NAT/NAPT)
+ - Stateful, based on Connection tracking
+ - Source NAT / Masquerading
+ - Destination NAT / Redirect
+ - 1:1 NAT of whole networks (NETMAP)
+ - supports l5+ complex protocols like ftp,pptp,h323,talk,...
+ - Packet Mangling
+ - Clamp TCP MSS to PMTU
+ - Manipulate packet header (TTL, ECN, DSCP, ...)
+ - Combine with policy routing / traffic shaping systems
+ - stateless IPv6 packet filtering using ip6tables
+
+3 - Who is behind the project? How to get involved?
+ - started by Paul 'Rusty' Russell from Australia (co-author of ipchains)
+ - Marc Boucher (Canada) and James Morris (Australia) dropped in
+ - Harald Welte (Germany), Jozsef Kadlecsik (Hungary), Martin Josefsson (Sweden) joined coreteam
+ - Countless contributions from hundreds of poeple all over the world
+ - used to keep a scoreboard, but it was eating too much time
+ - Project internet presence:
+ - HTTP (www.netfilter.org)
+ - FTP (ftp.netfilter.org)
+ - RSYNC (rsync.netfilter.org)
+ - CVS (pserver.netfilter.org)
+ - 5 mailinglists (lists.netfilter.org)
+ - Bugzilla (bugzilla.netfilter.org)
+ - CVSweb (http://cvs.netfilter.org)
+ - Anybody can contribute, as long as the contribution is GPL licensed
+ - development happens on netfilter-devel@lists.netfilter.org
+ - user questions belong to netfilter@lists.netfilter.org
+ - security relevant findings to coreteam@netfilter.org
+
+Iptables is used by a lot of commercial [and also proprietary] products. Companies like Astaro and Smoothwall are offering iptables-based firewall appliances. Other companies (like Linksys, Belkin, ...) are embedding iptables into their wavelan access points - and users don't even know that they are using iptables.
+
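Review bot: the connection-tracking bullet in this hunk lists PPTP as a layer-4 protocol ("supports l4 TCP,UDP,ICMP,GRE,PPTP"), but the slide deck added in the same commit lists only TCP/UDP/ICMP/GRE at that level and treats pptp as an l5+ helper; GRE is the transport PPTP rides on, so PPTP belongs on the helper line ("supports l5+ complex protocols like ftp,pptp,h323,talk,...") to keep abstract and slides consistent. Smaller fixes in the same hunk: the stateless match list ends with a dangling comma ("matches: mac, src/dst ip, src/dst port,"), and "Network Adress Translation", "hundreds of poeple" and "no possibility to adopt it to new standards" should read "Address", "people" and "adapt".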
diff --git a/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp b/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp
new file mode 100644
index 0000000..7a549ff
--- /dev/null
+++ b/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp
@@ -0,0 +1,220 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+The netfilter/iptables project
+
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Contents
+
+ Introduction: Firewalls, Proxies, Packet Filters
+
+ Why a free software firewall?
+
+ What can you do with netfilter/iptables?
+
+ Who is behind the project? How to get involved?
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Introduction: Firewalls, Proxies, Packet Filters
+
+ Firewalls are security gateways between networks
+
+ Can be implemented in different ways, at different layers
+
+ Packet filters at networking layer (3)
+ inspect each packet and make decision based on the packet contents
+ traditionally don't know about connections
+ advantage: fast, transparent
+ disadvantage: filtering limited to l3 and l4 headers
+
+ Proxies at application layer (5-7)
+ terminate two connections (client->proxy and proxy->server)
+ advantage: can base decision on application protocol
+ disadvantage: not transparent, need application support
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Introduction: Firewalls, Proxies, Packet Filters
+
+ However, the world is not that easy anymore since new techniques are blending those two concepts
+
+ stateful packet filters
+ keep state about existing connections/flows
+ allow even state tracking beyond l4 state
+ thus give packet filters some features of proxies
+
+ transparent proxies
+ can be implemented without application support
+ how 'transparent' do you want to be? to the client? the server? the network?
+ thus give proxies some of the transparency of packet filters
+
+ In reality it is sometimes hard to tell. netfilter/iptables implements a packet filter (stateless/stateful) and some support for transparent proxying.
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+History of linux packet filtering
+
+%size 3
+ 1994: kernel 1.2.x (BSD4.4 ipfw)
+ first packet filter in the linux kernel
+%size 3
+ 1995: kernel 2.0.x (ipfwadm)
+ enhanced version of the old ipfw
+ first support for masquerading
+%size 3
+ 1997: kernel 2.2.x (ipchains)
+ enhanced version of ipfwadm
+ support for multiple lists of rules (chains)
+ support for transparent proxying
+ masquerading helpers for ftp/irc/quake/...
+%size 3
+ 2000: kernel 2.4.x (iptables)
+ totally new implementation (based on netfilter API)
+ allows for multiple tables (which each have multiple chains)
+ first support for stateful packet filtering
+ support for fully symmetric NAT (SNAT/DNAT/...)
+%size 3
+ 2003: kernel 2.6.0-testX (iptables)
+ breaking a tradition: no new packet filter (not yet...)
+ support for non-linear skb's (zerocopy TCP path)
+%size 3
+ 2003/4: kernel 2.7.x and later 2.6.x backport (pkttables)
+ totally new implementation
+ layer 3 independent packet filtering framework
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Why a free software firewall?
+
+ Tradition
+ The internet was builton free/open standards and software
+ Code Quality
+ Security relevant open sourcecode gets more auditing because more people read it (and thus report/fix bugs)
+ Trust
+ Users can have more trust in FOSS, since they can check for hidden backdoors
+ Public infrastructure
+ Packet Filters (like routers) are core infrastructure of the internet.
+ Infrastructure should be open/free for the public, just like roads.
+ Arguments against proprietary software in infrastructure
+ What if the vendor of your product goes bankrupt?
+ Users are dependent on 'upgrade pressure' and future license changes
+ No possibility to adopt new standards if Vendor has no interest
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+What can you do using netfilter/iptables?
+
+ stateless packet filtering
+ provides matches for almost any criteria in the universe
+ stateful packet filtering (using connection tracking)
+ keeps state table about all ongoing connections
+ currently supports TCP/UDP/ICMP/GRE
+ currently supports l5+ helpers for ftp,irc,pptp,h323,talk,mms,tftp,...
+ network address translation
+ stateful, based on connection tracking
+ source NAT / Masquerading
+ destination NAT / redirect
+ 1:1 nat of whole networks (NETMAP)
+ packet mangling
+ clamp TCP MSS to PMTU for broken PMTU discovery
+ manipulate packet header (TTL, ECN, DSCP, ...)
+ combine with policy routing / traffic shaping
+ stateless IPv6 packet filtering (ip6tables)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Who is behind netfilter/iptables?
+
+ Project started by Paul 'Rusty' Russell
+ Coreteam
+ Rusty, Marc Boucher, James Morris, Harald Welte, Jozsef Kadlecsik, Martin Josefsson
+ Elects a head of coreteam
+ Countless contributions from hundreds of people all over the world
+ In the past we had a scoreboard to keep track of the contributions
+
+ We are always in lack of volunteers, even for listadmin/webmaster/...
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+How to get involved?
+
+ Internet services:
+ Homepage - http://www.netfilter.org/
+ FTP Server - ftp://ftp.netfilter.org/
+ rsync server - rsync.netfilter.org
+ CVS server - pserver.netfilter.org
+ Bugzilla - http://bugzilla.netfilter.org/
+ CVSweb - http://cvs.netfilter.org/
+ Mailinglist - http://lists.netfilter.org/
+ Anybody can contribute, code has to be GPL licensed
+ Development discussion at netfilter-devel@lists.netfilter.org
+ User questions at netfilter@lists.netfilter.org
+ Security relevant issues at coreteam@netfilter.org
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Areas of current development
+
+ pkttables (kernel part, pkttnetlink, libpkttnetlink, libpkttables)
+ make ULOG and ip_queue l3 independent (and move to nfnetlink)
+ optimizing connection tracking SMP performance
+ conntrack: support for more protocols (SCTP,...)
+ nf-hipac: highly optimized packet matching engine
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables project
+Thanks
+
+%size 4
+ The slides of this presentation are available at http://www.gnumonks.org/
+ Visit the netfilter homepage http://www.netfilter.org/
+ Thanks to
+ the BBS people, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+ KNF (http://www.franken.de/)
+ for bringing me in touch with the internet as early as 1994
+ for providing a playground for technical people
+ for telling me about the existance of Linux!
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring most of my current netfilter work
+
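Review bot: the title line of the "Who is behind netfilter/iptables?" slide reads "HA for netfillter/iptables", which both misspells netfilter and differs from the title "The netfilter/iptables project" used on every other %page in this file; it looks like a leftover from a different deck and should be replaced. Further typos in this hunk: "The internet was builton" should be "built on", "No possibility to adopt new standards" should be "adapt", and "the existance of Linux" should be "existence".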
personal git repositories of Harald Welte. Your mileage may vary