From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- 2005/firewall_vpn-linuxpark_cebit2005/abstract | 31 +++ .../firewall-vpn-linuxpark_cebit2005.mgp | 294 +++++++++++++++++++++ 2 files changed, 325 insertions(+) create mode 100644 2005/firewall_vpn-linuxpark_cebit2005/abstract create mode 100644 2005/firewall_vpn-linuxpark_cebit2005/firewall-vpn-linuxpark_cebit2005.mgp (limited to '2005/firewall_vpn-linuxpark_cebit2005') diff --git a/2005/firewall_vpn-linuxpark_cebit2005/abstract b/2005/firewall_vpn-linuxpark_cebit2005/abstract new file mode 100644 index 0000000..9a52af2 --- /dev/null +++ b/2005/firewall_vpn-linuxpark_cebit2005/abstract @@ -0,0 +1,31 @@ +Titel: Firewalling, VPN (und mehr) mit Linux 2.6.x + +Abstact: +Der Einsatz von Linux im 'unsichtbaren' Bereich der Server und Router, +Firewalls und Gateways hat bereits lange tradition. + +Auch der Linux 2.6.x Kernel setzt diese Tradition fort, und kann insbesondere +im Netzwerkbereich mit einigen Neuerungen aufwarten, wie z.B. dem neuen IPsec +Stack. + +Linux-Systeme koennen problemlos als Paketfilter mit Stateful Inspection, zum +Network Address Translation, als Load-Balancer, Policy-Router, Traffic-Shaper, +oder auch VPN-Gateway eingesetzt werden. + +Der Vortrag gibt einen Ueberblick ueber die vielfaeltigen +Einsatzmoeglichkeiten und soll beim geneigten Zuhoerer die "Lust auf mehr" +wecken. + +Vorkenntnisse: +Grundlegendes Wissen ueber Netzwerke und Linux + +Dozent: +Harald Welte ist der Maintainer des Linux-Firewalling-Projekts +netfilter/iptables. Er ist seit 1994 mit Linux befasst und arbeitet seit 1997 +als freiberuflicher Entwickler, Consultant und Trainer im Linux-Umfeld. Sein +besonderer Schwerpunkt liegt im Bereich der Netzwerktechnik, +Netzwerksicherheit, Computersicherheit, Embedded Linux und Kernel-Entwicklung. +Mit seinem im Jahr 2004 gegruendeten gpl-violations.org Projekt ist es ihm +bereits in mehr als 30 Faellen gelungen, die GPL aussergerichtlich und vor +Gericht durchzusetzen. + diff --git a/2005/firewall_vpn-linuxpark_cebit2005/firewall-vpn-linuxpark_cebit2005.mgp b/2005/firewall_vpn-linuxpark_cebit2005/firewall-vpn-linuxpark_cebit2005.mgp new file mode 100644 index 0000000..fa6c700 --- /dev/null +++ b/2005/firewall_vpn-linuxpark_cebit2005/firewall-vpn-linuxpark_cebit2005.mgp @@ -0,0 +1,294 @@ +%include "default.mgp" +%default 1 bgrad +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + +%center +%size 7 + + +Firewalls, IPsec and Linux + + +%center +%size 4 +by + +Harald Welte + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Contents + + + Introduction + Highly Scalable Linux Network Stack + Netfilter Hooks + Packet selection based on IP Tables + The Connection Tracking Subsystem + The NAT Subsystem + IPsec with Free S/WAN + IPsec with Kernel 2.6.x + Cipe, vtun, openvpn and others + Traffic Shaping, QoS, Policy Routing + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The GNU GPL Revisited +Introduction + + +Who is speaking to you? + an independent Free Software developer + who earns his living off Free Software since 1997 + who is one of the authors of the Linux kernel firewall system called netfilter/iptables + who can claim to be the first to have enforced the GNU GPL in court + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Introduction + +What this is: + A broad overview about the advanced Linux networking features + Intended for a network savyy audience that has little Linux background + +What this presentation is not: + A tutorial on how to use iptables, tc, iproute2, brctl + An introduction into the cool code we write every day ;) + +It will try to show you what you can do with Linux networking, not how. + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Introduction + +Linux and Networking + Linux is a true child of the Internet + Early adopters: ISP's, Universities + Lots of work went into a highly scalable network stack + Not only for client/server, but also for routers + Features unheared of in other OS's + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Introduction + +Did you know, that a stock 2.6.x linux kernel can provide + + a stateful packet filter ? + fully symmetric NA(P)T ? + policy routing ? + QoS / traffic shaping ? + IPv6 firewalling ? + packet filtering, NA(P)T on a bridge ? + layer 2 (mac) address translation ? + packet forwarding rates of up to 2.1mpps ? + +If not, chances are high that this presentation will tell you something new. + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Netfilter Hooks + + What is netfilter? + + System of callback functions within network stack + Callback function to be called for every packet traversing certain point (hook) within network stack + Protocol independent framework + Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP) + Multiple kernel modules can register with each of the hooks + +Traditional packet filtering, NAT, ... is implemented on top of this framework + +Can be used for other stuff interfacing with the core network stack, like DECnet routing daemon. + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +IP tables + + Packet selection using IP tables + + The kernel provides generic IP tables support + + Each kernel module may create it's own IP table + + The three major parts of 2.4 firewalling subsystem are implemented using IP tables + Packet filtering table 'filter' + NAT table 'nat' + Packet mangling table 'mangle' + + Could potentially be used for other stuff, e.g. IPsec SPDB + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +IP Tables + + Managing chains and tables + + An IP table consists out of multiple chains + A chain consists out of a list of rules + Every single rule in a chain consists out of + match[es] (rule executed if all matches true) + target (what to do if the rule is matched) + +%size 4 +matches and targets can either be builtin or implemented as kernel modules + +%size 5 + The userspace tool iptables is used to control IP tables + handles all different kinds of IP tables + supports a plugin/shlib interface for target/match specific options + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Connection Tracking Subsystem + + Connection tracking... + implemented seperately from NAT + enables stateful filtering + protocol modules (currently TCP/UDP/ICMP/GRE/SCTP) + application helpers (currently FTP,IRC,H.323,talk,SNMP,RTSP) + does _NOT_ filter packets itself + can be utilized by iptables using the 'state' match + is used by NAT Subsystem + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Network Address Translation + + Network Address Translation + + Previous Linux Kernels only implemented one special case of NAT: Masquerading + Linux 2.4.x / 2.6.x can do any kind of NAT. + NAT subsystem implemented on top of netfilter, iptables and conntrack + Following targets available within 'nat' Table + SNAT changes the packet's source whille passing NF_IP_POST_ROUTING + DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING + MASQUERADE is a special case of SNAT + REDIRECT is a special case of DNAT + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Packet Mangling + + Purpose of mangle table + packet manipulation except address manipulation + Targets specific to the 'mangle' table: + DSCP - manipulate DSCP field + IPV4OPTSSTRIP - strip IPv4 options + MARK - change the nfmark field of the skb + TCPMSS - set TCP MSS option + TOS - manipulate the TOS bits + TTL - set / increase / decrease TTL field + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Linux Bridging + + Bridging (brctl) + Includes support for Spanning Tree + Fully supports packet filtering and NAT (!) on a bridge + Can also filter and translate layer 2 MAC addresses + Can implement a 'brouter' (bridge certain traffic, route other) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Linux Policy Routing + + Policy Routing (iproute2) + Allows routing decisions on arbitrary information + Provides up to 255 different routing tables within one system + By combining via nfmark with iptables, any matches of the packet filter can be used for the routing decision + Very useful in complex setups with mutiple links (e.g. multiple DSL uplinks with dynamic addresses, asymmetric routing, ...) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Linux Traffic Shaping + + Traffic Control (tc) + Framework for lots of algorithms like RED,SFQ,TBF,CBQ,CSZ,GRED,HTB + Very granular control, especially for very low bandwidth links + Present since Linux 2.2.x but still not used widely + Lack of documentation, but situation is improving (www.lartc.org) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Free S/WAN + + Free S/WAN + Was a politically motivated effort to provide IPsec for Linux 2.0+ + Goal was to encrypt as much Internet Traffic as possible + Software architecture didn't fit very well with Linux 2.4/2.6 network stack + Project has been shut down, however Open S/WAN continues support + Is in widespread production use and has received a lot of testing + Political motivation prevented any U.S. citizen to contribute code + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Linux 2.6.x IPsec + + Linux 2.6.x IPsec + Linux networking gods disaproved Free S/WAN political restrictions and software design + Thus, they decided to write their own IPsec stack + Result is in the stock 2.6.x kernel series + Offers complete support for transport and tunnel mode + Can be used with FreeSWAN (pluto) or KAME (isakmpd) userspace + Remaining problems + No integration with hardware crypto accelerators yet + No implementation of NAT traversal yet + Interaction with iptable_nat still has to be sorted out + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +cipe, vtun, openswan and others + + Other VPN protocols/programs + Evolved as linux specific VPN implementations since the Linux Kernel was lacking stock IPsec support for a long time + Are totally incompatible to IPsec and only compatible to themselves + Are of questionable security (at least in case of cipe, vtun) + Are mostly userspace implementations + Are way easier to configure + Can provide layer 2 tunnels to route (or bridge!) all kinds of protocols + openvpn with X.509 certificates is a very clean and easy solution for building strong VPN tunnels between two linux gateways + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Firewalls, IPsec and Linux +Thanks + + Thanks to + the BBS scene, Z-Netz, FIDO, ... + for heavily increasing my computer usage in 1992 + KNF (http://www.franken.de/) + for bringing me in touch with the internet as early as 1994 + for providing a playground for technical people + for telling me about the existance of Linux! + Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen + for implementing (one of?) the world's best TCP/IP stacks + Paul 'Rusty' Russell + for starting the netfilter/iptables project + for trusting me to maintain it today + Astaro AG + for sponsoring parts of my netfilter work +%size 3 + The slides and the an according paper of this presentation are available at http://www.gnumonks.org/ +%size 3 -- cgit v1.2.3