path: root/2003/netfilter-free-openfest2003/abstract
blob: bf8daa2ef3930008d11a5bcb6394de84452ac152
0 - introduction/definition: Firewalls, Proxies, Packet Filters
- present myself and my function within the netfilter coreteam
- what is a firewall
	- packet filters at networking layer
		- inspect each packet and make a choice based on the packet
		- traditionally don't know about connections (== layer 4)
		- advantage: fast, transparent
		- disadvantage: filtering limited to l3+l4 (sometimes l2)
	- proxies at application layer
		- terminate two connections (client->proxy and proxy->server)
		- advantage: can base policy decision on application protocol
		- disadvantage: not transparent at all (not even transparent proxies)
	- result: both of them have their application.
	- history of linux packet filtering
		- ipfwadm (2.0)
		- ipchains (2.2)
		- iptables (2.4+2.6)
		- pkttables (2.6+)
	- iptables was developed together with netfilter in the 2.3.x kernel series
1 - Why a free software firewall? 
	- the internet was built on free/open standards and software
	- security relevant open sourcecode gets more auditing because more people read it (and thus report bugs)
	- users can put more trust in FOSS, since they can check for hidden backdoors
	- packet filters are used like routers.  They are core infrastructure of the internet.  Infrastructure should be open/free for the public, just like roads.  
	- Everybody should be able to learn and understand how packet filtering works
	- Infrastructure should not depend on monopolistic companies.  
		- problem if company goes bankrupt
		- dependent on 'upgrade pressure' and future license changes
		- no possibility to adapt it to new standards if vendor doesn't want to support it

2 - What can you do with netfilter/iptables
	- stateless packet filtering
		- matches: mac, src/dst ip, src/dst port, ...
	- stateful packet filtering by using connection tracking
		- keeps state table about all ongoing connections
		- supports l4: TCP, UDP, ICMP, GRE, PPTP
		- supports l5+ complex protocols like ftp,pptp,h323,talk,...
	- IP accounting (every rule has a packet/byte counter)
	- Network Address Translation (NAT/NAPT)
		- Stateful, based on Connection tracking
		- Source NAT / Masquerading
		- Destination NAT / Redirect
		- 1:1 NAT of whole networks (NETMAP)
		- supports l5+ complex protocols like ftp,pptp,h323,talk,...
	- Packet Mangling
		- Clamp TCP MSS to PMTU
		- Manipulate packet header (TTL, ECN, DSCP, ...)
		- Combine with policy routing / traffic shaping systems
	- stateless IPv6 packet filtering using ip6tables
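The following script is an added example, not part of the talk outline or of the netfilter project, that puts the features listed in section 2 into one small ruleset: stateless matches (interface, MAC), stateful filtering with the `state` match, masquerading and DNAT in the nat table, and MSS clamping / DSCP rewriting in the mangle table. Interface names, addresses and the MAC address are constructed for illustration; by default the commands are only printed (DRY_RUN=1), so the ruleset can be reviewed before it touches a real box.

```shell
#!/bin/sh
# Added example (not from the talk outline): a minimal netfilter/iptables
# ruleset exercising the features listed in section 2. eth0/eth1, the LAN
# network, the web server address and the MAC address are assumptions.
# With DRY_RUN=1 (the default) the rules are printed instead of applied.

WAN="${WAN:-eth0}"                       # assumed public-facing interface
LAN="${LAN:-eth1}"                       # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed internal network
WEB_SERVER="${WEB_SERVER:-192.168.1.10}" # assumed host published via DNAT
ADMIN_MAC="${ADMIN_MAC:-00:11:22:33:44:55}" # constructed admin MAC

ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_firewall() {
    # Default policy: drop whatever no rule explicitly accepts.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Stateless matches: loopback by interface, SSH from one admin MAC.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN" -m mac --mac-source "$ADMIN_MAC" -p tcp --dport 22 -j ACCEPT

    # Stateful filtering via connection tracking: packets that belong to a
    # tracked connection, or are RELATED to one (FTP data, ICMP errors), pass.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the LAN may open NEW connections towards the outside.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    # Packets that fit no known state are logged, then dropped.
    ipt -A FORWARD -m state --state INVALID -j LOG --log-prefix "nf-invalid: "
    ipt -A FORWARD -m state --state INVALID -j DROP

    # Source NAT / masquerading for the LAN (stateful, built on conntrack).
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    # Destination NAT: publish the internal web server on the WAN address,
    # and allow exactly that NEW connection through FORWARD.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "${WEB_SERVER}:80"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Packet mangling: clamp TCP MSS to the path MTU on forwarded SYNs and
    # rewrite the DSCP field of DNS queries (46 = EF).
    ipt -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    ipt -t mangle -A PREROUTING -p udp --dport 53 -j DSCP --set-dscp 46
}

count_rules() {
    # Review helper: how many generated rules mention the given match/target.
    build_firewall | grep -c -- "$1"
}

build_firewall
```

Run it as-is to review the generated commands; run with `DRY_RUN=0` as root to apply them. The order matters: the ESTABLISHED,RELATED rules sit near the top so the state table answers for most traffic, and the INVALID rules give a cheap detection point (kernel log) for packets that conntrack cannot place.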

3 - Who is behind the project? How to get involved?
	- started by Paul 'Rusty' Russell from Australia (co-author of ipchains)
	- Marc Boucher (Canada) and James Morris (Australia) dropped in
	- Harald Welte (Germany), Jozsef Kadlecsik (Hungary), Martin Josefsson (Sweden) joined coreteam
	- Countless contributions from hundreds of people all over the world
	- used to keep a scoreboard, but it was eating too much time
	- Project internet presence:
		- HTTP (www.netfilter.org)
		- FTP (ftp.netfilter.org)
		- RSYNC (rsync.netfilter.org)
		- CVS (pserver.netfilter.org)
		- 5 mailinglists (lists.netfilter.org)
		- Bugzilla (bugzilla.netfilter.org)
		- CVSweb (http://cvs.netfilter.org)
	- Anybody can contribute, as long as the contribution is GPL licensed
	- development happens on netfilter-devel@lists.netfilter.org
	- user questions belong to netfilter@lists.netfilter.org
	- security relevant findings to coreteam@netfilter.org

Iptables is used by a lot of commercial [and also proprietary] products.  Companies like Astaro and Smoothwall are offering iptables-based firewall appliances.  Other companies (like Linksys, Belkin, ...) are embedding iptables into their wavelan access points - and users don't even know that they are using iptables.

personal git repositories of Harald Welte. Your mileage may vary