Linux 2.4.x netfilter/iptables firewalling internals
The Linux 2.4.x kernel series has introduced a totally new kernel firewalling subsystem. It is much more than a plain successor of ipfwadm or ipchains.

The netfilter/iptables project has a very modular design, and its sub-projects can be split into several parts: netfilter, iptables, connection tracking, NAT and packet mangling.

While most users will already have learned how to use the basic functions of netfilter/iptables in order to convert their old ipchains firewalls to iptables, there is more advanced but less widely used functionality in netfilter/iptables.

The presentation covers the design principles behind the netfilter/iptables implementation. This knowledge enables us to understand how the individual parts of netfilter/iptables fit together, and for which potential applications it is useful.
Topics covered:
- overview of the internal netfilter/iptables architecture
- the netfilter hooks inside the network protocol stacks
- packet selection with IP tables
- how connection tracking and NAT are integrated into the framework
- the connection tracking system
  - how well does it track the TCP state?
  - how does it track ICMP and UDP state at all?
  - layer 4 protocol helpers (GRE, ...)
  - application helpers (ftp, irc, h323, ...)
  - restrictions/limitations
- the NAT system
  - how does it interact with connection tracking?
  - layer 4 protocol helpers
  - application helpers (ftp, irc, ...)
- misc
  - how far is IPv6 firewalling with ip6tables?
  - advances in failover/HA of stateful firewalls
  - invisible firewalls with iptables on a bridge
  - userspace packet queueing with QUEUE
  - userspace packet logging with ULOG
Requirements:
- knowledge of the TCP/IP protocol family
- knowledge of general firewalling and packet filtering concepts
- prior experience with Linux packet filters
Audience:
- firewall administrators
- network developers