From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- .../netfilter-free-openfest2003.mgp | 220 +++++++++++++++++++++ 1 file changed, 220 insertions(+) create mode 100644 2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp (limited to '2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp') diff --git a/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp b/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp new file mode 100644 index 0000000..7a549ff --- /dev/null +++ b/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp 
@@ -0,0 +1,220 @@ +%include "default.mgp" +%default 1 bgrad +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + +%center +%size 7 + + +The netfilter/iptables project + + + +%center +%size 4 +by + +Harald Welte + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Contents + + Introduction: Firewalls, Proxies, Packet Filters + + Why a free software firewall? + + What can you do with netfilter/iptables? + + Who is behind the project? How to get involved? + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Introduction: Firewalls, Proxies, Packet Filters + + Firewalls are security gateways between networks + + Can be implemented in different ways, at different layers + + Packet filters at networking layer (3) + inspect each packet and make decision based on the packet contents + traditionally don't know about connections + advantage: fast, transparent + disadvantage: filtering limited to l3 and l4 headers + + Proxies at application layer (5-7) + terminate two connections (client->proxy and proxy->server) + advantage: can base decision on application protocol + disadvantage: not transparent, need application support + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Introduction: Firewalls, Proxies, Packet Filters + + However, the world is not that easy anymore since new techniques are blending those two concepts + + stateful packet filters + keep state about existing connections/flows + allow even state tracking beyond l4 state + thus give packet filters some features of proxies + + transparent proxies + can be implemented without application support + how 'transparent' do you want to be? to the client? the server? the network? 
+ thus give proxies some of the transparency of packet filters + + In reality it is sometimes hard to tell. netfilter/iptables implements a packet filter (stateless/stateful) and some support for transparent proxying. + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +History of linux packet filtering + +%size 3 + 1994: kernel 1.2.x (BSD4.4 ipfw) + first packet filter in the linux kernel +%size 3 + 1995: kernel 2.0.x (ipfwadm) + enhanced version of the old ipfw + first support for masquerading +%size 3 + 1997: kernel 2.2.x (ipchains) + enhanced version of ipfwadm + support for multiple lists of rules (chains) + support for transparent proxying + masquerading helpers for ftp/irc/quake/... +%size 3 + 2000: kernel 2.4.x (iptables) + totally new implementation (based on netfilter API) + allows for multiple tables (which each have multiple chains) + first support for stateful packet filtering + support for fully symmetric NAT (SNAT/DNAT/...) +%size 3 + 2003: kernel 2.6.0-testX (iptables) + breaking a tradition: no new packet filter (not yet...) + support for non-linear skb's (zerocopy TCP path) +%size 3 + 2003/4: kernel 2.7.x and later 2.6.x backport (pkttables) + totally new implementation + layer 3 independent packet filtering framework + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Why a free software firewall? + + Tradition + The internet was builton free/open standards and software + Code Quality + Security relevant open sourcecode gets more auditing because more people read it (and thus report/fix bugs) + Trust + Users can have more trust in FOSS, since they can check for hidden backdoors + Public infrastructure + Packet Filters (like routers) are core infrastructure of the internet. + Infrastructure should be open/free for the public, just like roads. 
+ Arguments against proprietary software in infrastructure + What if the vendor of your product goes bankrupt? + Users are dependent on 'upgrade pressure' and future license changes + No possibility to adopt new standards if Vendor has no interest + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +What can you do using netfilter/iptables? + + stateless packet filtering + provides matches for almost any criteria in the universe + stateful packet filtering (using connection tracking) + keeps state table about all ongoing connections + currently supports TCP/UDP/ICMP/GRE + currently supports l5+ helpers for ftp,irc,pptp,h323,talk,mms,tftp,... + network address translation + stateful, based on connection tracking + source NAT / Masquerading + destination NAT / redirect + 1:1 nat of whole networks (NETMAP) + packet mangling + clamp TCP MSS to PMTU for broken PMTU discovery + manipulate packet header (TTL, ECN, DSCP, ...) + combine with policy routing / traffic shaping + stateless IPv6 packet filtering (ip6tables) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +HA for netfillter/iptables +Who is behind netfilter/iptables? + + Project started by Paul 'Rusty' Russell + Coreteam + Rusty, Marc Boucher, James Morris, Harald Welte, Jozsef Kadlecsik, Martin Josefsson + Elects a head of coreteam + Countless contributions from hundreds of people all over the world + In the past we had a scoreboard to keep track of the contributions + + We are always in lack of volunteers, even for listadmin/webmaster/... + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +How to get involved? 
+ + Internet services: + Homepage - http://www.netfilter.org/ + FTP Server - ftp://ftp.netfilter.org/ + rsync server - rsync.netfilter.org + CVS server - pserver.netfilter.org + Bugzilla - http://bugzilla.netfilter.org/ + CVSweb - http://cvs.netfilter.org/ + Mailinglist - http://lists.netfilter.org/ + Anybody can contribute, code has to be GPL licensed + Development discussion at netfilter-devel@lists.netfilter.org + User questions at netfilter@lists.netfilter.org + Security relevant issues at coreteam@netfilter.org + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Areas of current development + + pkttables (kernel part, pkttnetlink, libpkttnetlink, libpkttables) + make ULOG and ip_queue l3 independent (and move to nfnetlink) + optimizing connection tracking SMP performance + conntrack: support for more protocols (SCTP,...) + nf-hipac: highly optimized packet matching engine + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The netfilter/iptables project +Thanks + +%size 4 + The slides of this presentation are available at http://www.gnumonks.org/ + Visit the netfilter homepage http://www.netfilter.org/ + Thanks to + the BBS people, Z-Netz, FIDO, ... + for heavily increasing my computer usage in 1992 + KNF (http://www.franken.de/) + for bringing me in touch with the internet as early as 1994 + for providing a playground for technical people + for telling me about the existance of Linux! + Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen + for implementing (one of?) the world's best TCP/IP stacks + Paul 'Rusty' Russell + for starting the netfilter/iptables project + for trusting me to maintain it today + Astaro AG + for sponsoring most of my current netfilter work + -- cgit v1.2.3
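Review bot: the deck opens with `%include "default.mgp"`, but this commit adds only the one `.mgp` file ("1 file changed, 220 insertions(+)"), so the slides will not render with mgp unless `default.mgp` is already present elsewhere in the repository; either add it alongside the deck or document where it is expected to come from. Two smaller points in the same hunk: the "Who is behind netfilter/iptables?" slide carries the header `+HA for netfillter/iptables` where every other slide uses `+The netfilter/iptables project` (looks like a leftover from a different deck, plus the "netfillter" misspelling), and the text has the typos "builton", "sourcecode" and "existance". Since the commit message says this is an import of an old svn repo, fixing these in a follow-up commit rather than in the import is reasonable, but they should not be left unnoticed.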