Diffstat (limited to '2005/firewall_vpn-linuxpark_cebit2005')

-rw-r--r--  2005/firewall_vpn-linuxpark_cebit2005/abstract                                   31
-rw-r--r--  2005/firewall_vpn-linuxpark_cebit2005/firewall-vpn-linuxpark_cebit2005.mgp     294

2 files changed, 325 insertions, 0 deletions
| diff --git a/2005/firewall_vpn-linuxpark_cebit2005/abstract b/2005/firewall_vpn-linuxpark_cebit2005/abstract new file mode 100644 index 0000000..9a52af2 --- /dev/null +++ b/2005/firewall_vpn-linuxpark_cebit2005/abstract @@ -0,0 +1,31 @@ +Titel: Firewalling, VPN (und mehr) mit Linux 2.6.x + +Abstact: +Der Einsatz von Linux im 'unsichtbaren' Bereich der Server und Router, +Firewalls und Gateways hat bereits lange tradition.  + +Auch der Linux 2.6.x Kernel setzt diese Tradition fort, und kann insbesondere +im Netzwerkbereich mit einigen Neuerungen aufwarten, wie z.B. dem neuen IPsec +Stack. + +Linux-Systeme koennen problemlos als Paketfilter mit Stateful Inspection, zum +Network Address Translation, als Load-Balancer, Policy-Router, Traffic-Shaper, +oder auch VPN-Gateway eingesetzt werden. + +Der Vortrag gibt einen Ueberblick ueber die vielfaeltigen +Einsatzmoeglichkeiten und soll beim geneigten Zuhoerer die "Lust auf mehr" +wecken. + +Vorkenntnisse: +Grundlegendes Wissen ueber Netzwerke und Linux + +Dozent: +Harald Welte ist der Maintainer des Linux-Firewalling-Projekts +netfilter/iptables. Er ist seit 1994 mit Linux befasst und arbeitet seit 1997 +als freiberuflicher Entwickler, Consultant und Trainer im Linux-Umfeld. Sein +besonderer Schwerpunkt liegt im Bereich der Netzwerktechnik, +Netzwerksicherheit, Computersicherheit, Embedded Linux und Kernel-Entwicklung. +Mit seinem im Jahr 2004 gegruendeten gpl-violations.org Projekt ist es ihm +bereits in mehr als 30 Faellen gelungen, die GPL aussergerichtlich und vor +Gericht durchzusetzen. + diff --git a/2005/firewall_vpn-linuxpark_cebit2005/firewall-vpn-linuxpark_cebit2005.mgp b/2005/firewall_vpn-linuxpark_cebit2005/firewall-vpn-linuxpark_cebit2005.mgp new file mode 100644 index 0000000..fa6c700 --- /dev/null +++ b/2005/firewall_vpn-linuxpark_cebit2005/firewall-vpn-linuxpark_cebit2005.mgp 
@@ -0,0 +1,294 @@ +%include "default.mgp" +%default 1 bgrad +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + +%center +%size 7 + + +Firewalls, IPsec and Linux + + +%center +%size 4 +by + +Harald Welte <laforge@netfilter.org> + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Contents + + +	Introduction +	Highly Scalable Linux Network Stack +	Netfilter Hooks +	Packet selection based on IP Tables +	The Connection Tracking Subsystem +	The NAT Subsystem +	IPsec with Free S/WAN  +	IPsec with Kernel 2.6.x +	Cipe, vtun, openvpn and others +	Traffic Shaping, QoS, Policy Routing + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page  +The GNU GPL Revisited +Introduction + + +Who is speaking to you? +		an independent Free Software developer +		who earns his living off Free Software since 1997 +		who is one of the authors of the Linux kernel firewall system called netfilter/iptables +		who can claim to be the first to have enforced the GNU GPL in court + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page  +Firewalls, IPsec and Linux +Introduction + +What this is: +	A broad overview about the advanced Linux networking features +	Intended for a network savyy audience that has little Linux background + +What this presentation is not: +	A tutorial on how to use iptables, tc, iproute2, brctl +	An introduction into the cool code we write every day ;) + +It will try to show you what you can do with Linux networking, not how. 
+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page  +Firewalls, IPsec and Linux +Introduction + +Linux and Networking +	Linux is a true child of the Internet +	Early adopters: ISP's, Universities +	Lots of work went into a highly scalable network stack +	Not only for client/server, but also for routers +	Features unheared of in other OS's  + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Introduction  + +Did you know, that a stock 2.6.x linux kernel can provide + +	a stateful packet filter ? +	fully symmetric NA(P)T ? +	policy routing ? +	QoS / traffic shaping ? +	IPv6 firewalling ? +	packet filtering, NA(P)T on a bridge ? +	layer 2 (mac) address translation ? +	packet forwarding rates of up to 2.1mpps ? + +If not, chances are high that this presentation will tell you something new. + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Netfilter Hooks + +	What is netfilter? + +		System of callback functions within network stack +		Callback function to be called for every packet traversing certain point (hook) within network stack +		Protocol independent framework +		Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP) +		Multiple kernel modules can register with each of the hooks + +Traditional packet filtering, NAT, ... is implemented on top of this framework + +Can be used for other stuff interfacing with the core network stack, like DECnet routing daemon. 
+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +IP tables + +	Packet selection using IP tables + +		The kernel provides generic IP tables support + +		Each kernel module may create it's own IP table + +		The three major parts of 2.4 firewalling subsystem are implemented using IP tables +			Packet filtering table 'filter' +			NAT table 'nat' +			Packet mangling table 'mangle' + +		Could potentially be used for other stuff, e.g. IPsec SPDB + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +IP Tables + +	Managing chains and tables + +		An IP table consists out of multiple chains +		A chain consists out of a list of rules +		Every single rule in a chain consists out of +			match[es] (rule executed if all matches true) +			target (what to do if the rule is matched) + +%size 4 +matches and targets can either be builtin or implemented as kernel modules + +%size 5 +		The userspace tool iptables is used to control IP tables +			handles all different kinds of IP tables  +			supports a plugin/shlib interface for target/match specific options + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Connection Tracking Subsystem + +	Connection tracking... +		implemented seperately from NAT  +		enables stateful filtering  +		protocol modules (currently TCP/UDP/ICMP/GRE/SCTP) +		application helpers (currently FTP,IRC,H.323,talk,SNMP,RTSP) +		does _NOT_ filter packets itself +		can be utilized by iptables using the 'state' match  +		is used by NAT Subsystem + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Network Address Translation + +	Network Address Translation + +		Previous Linux Kernels only implemented one special case of NAT: Masquerading +		Linux 2.4.x / 2.6.x can do any kind of NAT. 
+		NAT subsystem implemented on top of netfilter, iptables and conntrack +		Following targets available within 'nat' Table +			SNAT changes the packet's source whille passing NF_IP_POST_ROUTING +			DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING +			MASQUERADE is a special case of SNAT +			REDIRECT is a special case of DNAT + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Packet Mangling + +	Purpose of mangle table +		packet manipulation except address manipulation +	Targets specific to the 'mangle' table: +		DSCP - manipulate DSCP field +		IPV4OPTSSTRIP - strip IPv4 options +		MARK - change the nfmark field of the skb +		TCPMSS - set TCP MSS option +		TOS - manipulate the TOS bits  +		TTL - set / increase / decrease TTL field + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Linux Bridging + +	Bridging (brctl) +		Includes support for Spanning Tree +		Fully supports packet filtering and NAT (!) on a bridge +		Can also filter and translate layer 2 MAC addresses +		Can implement a 'brouter' (bridge certain traffic, route other) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Linux Policy Routing + +	Policy Routing (iproute2) +		Allows routing decisions on arbitrary information +		Provides up to 255 different routing tables within one system +		By combining via nfmark with iptables, any matches of the packet filter can be used for the routing decision +		Very useful in complex setups with mutiple links (e.g. multiple DSL uplinks with dynamic addresses, asymmetric routing, ...) 
+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Linux Traffic Shaping + +	Traffic Control (tc) +		Framework for lots of algorithms like RED,SFQ,TBF,CBQ,CSZ,GRED,HTB +		Very granular control, especially for very low bandwidth links +		Present since Linux 2.2.x but still not used widely +		Lack of documentation, but situation is improving (www.lartc.org) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Free S/WAN + +	Free S/WAN +		Was a politically motivated effort to provide IPsec for Linux 2.0+ +		Goal was to encrypt as much Internet Traffic as possible  +		Software architecture didn't fit very well with Linux 2.4/2.6 network stack +		Project has been shut down, however Open S/WAN continues support +		Is in widespread production use and has received a lot of testing +		Political motivation prevented any U.S. citizen to contribute code + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Linux 2.6.x IPsec + +	Linux 2.6.x IPsec +		Linux networking gods disaproved Free S/WAN political restrictions and software design +		Thus, they decided to write their own IPsec stack +		Result is in the stock 2.6.x kernel series +		Offers complete support for transport and tunnel mode +		Can be used with FreeSWAN (pluto) or KAME (isakmpd) userspace +		Remaining problems +			No integration with hardware crypto accelerators yet +			No implementation of NAT traversal yet +			Interaction with iptable_nat still has to be sorted out + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +cipe, vtun, openswan and others + +	Other VPN protocols/programs +		Evolved as linux specific VPN implementations since the Linux Kernel was lacking stock IPsec support for a long time +		Are totally incompatible to IPsec and only compatible to themselves +		Are of 
questionable security (at least in case of cipe, vtun) +		Are mostly userspace implementations +		Are way easier to configure +		Can provide layer 2 tunnels to route (or bridge!) all kinds of protocols +		openvpn with X.509 certificates is a very clean and easy solution for building strong VPN tunnels between two linux gateways + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Thanks + +	Thanks to +		the BBS scene, Z-Netz, FIDO, ... +			for heavily increasing my computer usage in 1992 +		KNF (http://www.franken.de/) +			for bringing me in touch with the internet as early as 1994 +			for providing a playground for technical people +			for telling me about the existance of Linux! +		Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen +			for implementing (one of?) the world's best TCP/IP stacks +		Paul 'Rusty' Russell +			for starting the netfilter/iptables project +			for trusting me to maintain it today +		Astaro AG +			for sponsoring parts of my netfilter work +%size 3 +	The slides and the an according paper of this presentation are available at http://www.gnumonks.org/ +%size 3 | 
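Review bot: "Abstact:" on the third line of the new abstract file is a typo for "Abstract:", and "lange tradition" should read "lange Tradition" (nouns are capitalised in German). The line ending "tradition." and the final paragraph also carry trailing whitespace that is worth stripping before this goes in.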
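Review bot: the first "Introduction" slide in the .mgp hunk is titled "The GNU GPL Revisited" while every other slide in the file is titled "Firewalls, IPsec and Linux", which reads like a leftover from another talk's template; change it to match. The slide titled "cipe, vtun, openswan and others" likewise disagrees with the Contents entry "Cipe, vtun, openvpn and others" and with its own body, which discusses openvpn rather than openswan. Spelling to fix in the same pass: "savyy", "unheared", "seperately", "disaproved", "whille", "mutiple", "existance", "it's own IP table" (its), and "the slides and the an according paper". The claim that cipe and vtun are "of questionable security" is the one security statement on these slides given without support; a pointer to the analysis it rests on would help the audience judge it.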
