path: root/2003/netfilter-free-openfest2003/netfilter-free-openfest2003.mgp
blob: 7a549ffd4586b35da263f69c58ae53b3e1ee0ddb (plain)
%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 7


The netfilter/iptables project



%center
%size 4
by

Harald Welte <laforge@netfilter.org>

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Contents

	Introduction: Firewalls, Proxies, Packet Filters

	Why a free software firewall?

	What can you do with netfilter/iptables?

	Who is behind the project? How to get involved?


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Introduction: Firewalls, Proxies, Packet Filters 

	Firewalls are security gateways between networks

	Can be implemented in different ways, at different layers

		Packet filters at networking layer (3)
			inspect each packet and make decision based on the packet contents
			traditionally don't know about connections
			advantage: fast, transparent
			disadvantage: filtering limited to l3 and l4 headers

		Proxies at application layer (5-7)
			terminate two connections (client->proxy and proxy->server)
			advantage: can base decision on application protocol
			disadvantage: not transparent, need application support

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Introduction: Firewalls, Proxies, Packet Filters 

	However, the world is not that easy anymore since new techniques are blending those two concepts

		stateful packet filters
			keep state about existing connections/flows
			allow even state tracking beyond l4 state
			thus give packet filters some features of proxies

		transparent proxies
			can be implemented without application support
			how 'transparent' do you want to be? to the client? the server? the network?
			thus give proxies some of the transparency of packet filters

	In reality it is sometimes hard to tell.  netfilter/iptables implements a packet filter (stateless/stateful) and some support for transparent proxying.


			
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
History of linux packet filtering

%size 3
		1994: kernel 1.2.x (BSD4.4 ipfw)
			first packet filter in the linux kernel
%size 3
		1995: kernel 2.0.x (ipfwadm)
			enhanced version of the old ipfw
			first support for masquerading
%size 3
		1997: kernel 2.2.x (ipchains)
			enhanced version of ipfwadm
			support for multiple lists of rules (chains)
			support for transparent proxying
			masquerading helpers for ftp/irc/quake/...
%size 3
		2000: kernel 2.4.x (iptables)
			totally new implementation (based on netfilter API)
			allows for multiple tables (which each have multiple chains)
			first support for stateful packet filtering
			support for fully symmetric NAT (SNAT/DNAT/...)
%size 3
		2003: kernel 2.6.0-testX (iptables)	
			breaking a tradition: no new packet filter (not yet...)
			support for non-linear skbs (zerocopy TCP path)
%size 3
		2003/4: kernel 2.7.x and later 2.6.x backport (pkttables)
			totally new implementation
			layer 3 independent packet filtering framework


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Why a free software firewall?

	Tradition
		The internet was built on free/open standards and software
	Code Quality
		Security relevant open source code gets more auditing because more people read it (and thus report/fix bugs)
	Trust
		Users can have more trust in FOSS, since they can check for hidden backdoors
	Public infrastructure
		Packet Filters (like routers) are core infrastructure of the internet.
		Infrastructure should be open/free for the public, just like roads.
	Arguments against proprietary software in infrastructure
		What if the vendor of your product goes bankrupt?
		Users are dependent on 'upgrade pressure' and future license changes
		No way to adopt new standards if the vendor has no interest

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
The netfilter/iptables project
What can you do using netfilter/iptables?

	stateless packet filtering
		provides matches for almost any criteria in the universe
	stateful packet filtering (using connection tracking)
		keeps state table about all ongoing connections
		currently supports TCP/UDP/ICMP/GRE
		currently supports l5+ helpers for ftp,irc,pptp,h323,talk,mms,tftp,...
	network address translation
		stateful, based on connection tracking
		source NAT / Masquerading
		destination NAT / redirect
		1:1 nat of whole networks (NETMAP)
	packet mangling
		clamp TCP MSS to PMTU for broken PMTU discovery
		manipulate packet header (TTL, ECN, DSCP, ...)
		combine with policy routing / traffic shaping
	stateless IPv6 packet filtering (ip6tables)
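As an added example (not from the slides and not netfilter project code), a small gateway ruleset that exercises the stateful filtering described earlier and the NAT and packet mangling features listed above; it uses the 2.4-era "state" match to stay with the kernel generation the talk covers. Interface names, addresses and the proxy port are assumed placeholders, and IPT defaults to "echo" so the script only prints the rules unless run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the slides: a 2.4-era gateway ruleset that uses
# connection tracking, NAT and mangling. IPT defaults to "echo" (dry run);
# run as root with IPT=iptables to apply. All addresses/interfaces are assumed.
IPT=${IPT:-echo}
WAN=eth0                  # assumed external interface (dynamic address)
LAN=eth1                  # assumed internal interface
LAN_NET=192.168.1.0/24    # assumed internal client network
WEB=192.168.1.80          # assumed internal web server reached via DNAT
DMZ_INT=10.0.0.0/24       # assumed server network with private addresses
DMZ_PUB=203.0.113.0/24    # assumed public range mapped 1:1 onto DMZ_INT

ruleset() {
    # stateful filtering: the state table decides whether a packet belongs
    # to a known flow; RELATED also covers helper-tracked flows (ftp data etc.)
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
    # the only new inbound flow allowed is the DNATed web port
    # (DMZ hosts would need their own FORWARD accept rules, omitted here)
    $IPT -A FORWARD -i $WAN -d $WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # source NAT / masquerading: LAN clients share the WAN address
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
    # destination NAT: port 80 arriving on WAN is sent to the internal server
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB
    # redirect: LAN web traffic is transparently handed to a local proxy
    $IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-ports 3128
    # 1:1 NAT of a whole network (NETMAP), both directions
    $IPT -t nat -A PREROUTING -d $DMZ_PUB -j NETMAP --to $DMZ_INT
    $IPT -t nat -A POSTROUTING -s $DMZ_INT -j NETMAP --to $DMZ_PUB

    # packet mangling: clamp the MSS of forwarded SYNs to the path MTU
    $IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

ruleset
```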

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
HA for netfilter/iptables
Who is behind netfilter/iptables?

	Project started by Paul 'Rusty' Russell
	Coreteam
		Rusty, Marc Boucher, James Morris, Harald Welte, Jozsef Kadlecsik, Martin Josefsson
		Elects a head of coreteam
	Countless contributions from hundreds of people all over the world
	In the past we had a scoreboard to keep track of the contributions

	We are always short of volunteers, even for listadmin/webmaster/...


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
The netfilter/iptables project
How to get involved?

	Internet services:
		Homepage - http://www.netfilter.org/
		FTP Server - ftp://ftp.netfilter.org/
		rsync server - rsync.netfilter.org
		CVS server - pserver.netfilter.org
		Bugzilla - http://bugzilla.netfilter.org/
		CVSweb - http://cvs.netfilter.org/
		Mailinglist - http://lists.netfilter.org/
	Anybody can contribute, code has to be GPL licensed
	Development discussion at netfilter-devel@lists.netfilter.org
	User questions at netfilter@lists.netfilter.org
	Security relevant issues at coreteam@netfilter.org


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
The netfilter/iptables project
Areas of current development

	pkttables (kernel part, pkttnetlink, libpkttnetlink, libpkttables)
	make ULOG and ip_queue l3 independent (and move to nfnetlink)
	optimizing connection tracking SMP performance
	conntrack: support for more protocols (SCTP,...)
	nf-hipac: highly optimized packet matching engine


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Thanks

%size 4
		The slides of this presentation are available at http://www.gnumonks.org/
		Visit the netfilter homepage http://www.netfilter.org/
	Thanks to
		the BBS people, Z-Netz, FIDO, ...
			for heavily increasing my computer usage in 1992
		KNF (http://www.franken.de/)
			for bringing me in touch with the internet as early as 1994
			for providing a playground for technical people
			for telling me about the existence of Linux!
		Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
			for implementing (one of?) the world's best TCP/IP stacks
		Paul 'Rusty' Russell
			for starting the netfilter/iptables project
			for trusting me to maintain it today
		Astaro AG
			for sponsoring most of my current netfilter work
