%include "default.mgp"
%default 1 bgrad

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 7


The netfilter/iptables project



%center
%size 4
by

Harald Welte <laforge@netfilter.org>

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Contents

	Introduction: Firewalls, Proxies, Packet Filters

	Why a free software firewall?

	What can you do with netfilter/iptables?

	Who is behind the project? How to get involved?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Introduction: Firewalls, Proxies, Packet Filters

Firewalls are security gateways between networks

Can be implemented in different ways, at different layers

Packet filters at networking layer (3)
	inspect each packet and make a decision based on the packet contents
	traditionally don't know about connections
	advantage: fast, transparent
	disadvantage: filtering limited to l3 and l4 headers

Proxies at application layer (5-7)
	terminate two connections (client->proxy and proxy->server)
	advantage: can base decisions on the application protocol
	disadvantage: not transparent, need application support

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Introduction: Firewalls, Proxies, Packet Filters

However, the world is not that simple anymore, since new techniques blend those two concepts

stateful packet filters
	keep state about existing connections/flows
	allow state tracking even beyond l4 state
	thus give packet filters some features of proxies

transparent proxies
	can be implemented without application support
	how 'transparent' do you want to be? to the client? the server? the network?
	thus give proxies some of the transparency of packet filters

In reality it is sometimes hard to tell them apart. netfilter/iptables implements a packet filter (stateless/stateful) and some support for transparent proxying.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
History of Linux packet filtering

%size 3
1994: kernel 1.2.x (BSD4.4 ipfw)
	first packet filter in the Linux kernel
%size 3
1995: kernel 2.0.x (ipfwadm)
	enhanced version of the old ipfw
	first support for masquerading
%size 3
1997: kernel 2.2.x (ipchains)
	enhanced version of ipfwadm
	support for multiple lists of rules (chains)
	support for transparent proxying
	masquerading helpers for ftp/irc/quake/...
%size 3
2000: kernel 2.4.x (iptables)
	totally new implementation (based on the netfilter API)
	allows for multiple tables (each of which has multiple chains)
	first support for stateful packet filtering
	support for fully symmetric NAT (SNAT/DNAT/...)
%size 3
2003: kernel 2.6.0-testX (iptables)
	breaking a tradition: no new packet filter (not yet...)
	support for non-linear skbs (zerocopy TCP path)
%size 3
2003/4: kernel 2.7.x and later 2.6.x backport (pkttables)
	totally new implementation
	layer 3 independent packet filtering framework

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Why a free software firewall?

Tradition
	The internet was built on free/open standards and software
Code Quality
	Security-relevant open source code gets more auditing because more people read it (and thus report/fix bugs)
Trust
	Users can have more trust in FOSS, since they can check for hidden backdoors
Public infrastructure
	Packet filters (like routers) are core infrastructure of the internet.
	Infrastructure should be open/free for the public, just like roads.
Arguments against proprietary software in infrastructure
	What if the vendor of your product goes bankrupt?
	Users are dependent on 'upgrade pressure' and future license changes
	No way to adopt new standards if the vendor has no interest

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
What can you do using netfilter/iptables?

stateless packet filtering
	provides matches for almost any criteria in the universe
stateful packet filtering (using connection tracking)
	keeps a state table of all ongoing connections
	currently supports TCP/UDP/ICMP/GRE
	currently supports l5+ helpers for ftp, irc, pptp, h323, talk, mms, tftp, ...
network address translation
	stateful, based on connection tracking
	source NAT / masquerading
	destination NAT / redirect
	1:1 NAT of whole networks (NETMAP)
packet mangling
	clamp TCP MSS to PMTU for broken PMTU discovery
	manipulate packet headers (TTL, ECN, DSCP, ...)
	combine with policy routing / traffic shaping
stateless IPv6 packet filtering (ip6tables)

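The features listed on this slide, and the transparent proxying support mentioned two slides earlier, put together in one gateway rule set. This is an added example and not part of the original presentation: the interface names, addresses and proxy port are constructed assumptions, and gen_rules and ipt are helper names of this example only; the matches and targets used (-m state, MASQUERADE, DNAT, REDIRECT, TCPMSS) are standard iptables.

```shell
#!/bin/sh
# Added example (not from the slides): a small gateway rule set using the
# iptables features listed above: stateful filtering via connection tracking,
# SNAT/DNAT, REDIRECT for a transparent proxy and TCP MSS clamping.
# Constructed assumptions: WAN interface eth0, LAN interface eth1 serving
# 192.168.1.0/24, an internal web server 192.168.1.10, and a transparent
# HTTP proxy listening on the gateway on port 3128.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
WEB=192.168.1.10
PROXY_PORT=3128

# Emit each command instead of running it, so the rule set can be reviewed
# (or diffed) before being applied as root with:  gen_rules | sh
ipt() { printf 'iptables %s\n' "$*"; }

gen_rules() {
    # filter table: default deny for traffic to and through the gateway
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Stateful filtering: conntrack admits replies and RELATED flows (e.g. an
    # FTP data connection expected by the ip_conntrack_ftp helper) ...
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ... and drops packets it cannot attribute to any known flow.
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state INVALID -j DROP
    # NEW connections: LAN to internet, plus the published web server
    # (FORWARD sees the post-DNAT address, hence -d "$WEB").
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Redirected HTTP sessions terminate on the gateway's proxy.
    ipt -A INPUT -i "$LAN" -p tcp --dport "$PROXY_PORT" -m state --state NEW -j ACCEPT
    # nat table: one translation decision per conntrack entry
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    # Transparent proxy: the client still thinks it talks to the origin server.
    ipt -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    # mangle table: clamp TCP MSS to PMTU for paths with broken PMTU discovery
    ipt -t mangle -A FORWARD -o "$WAN" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

gen_rules
```

The ESTABLISHED,RELATED rules are what make the filter stateful: without them every reply packet would have to be matched by its own static rule, which is exactly the l3/l4-only limitation of the classic packet filter described in the introduction.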
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
HA for netfilter/iptables
Who is behind netfilter/iptables?

Project started by Paul 'Rusty' Russell
Coreteam
	Rusty, Marc Boucher, James Morris, Harald Welte, Jozsef Kadlecsik, Martin Josefsson
	Elects a head of coreteam
Countless contributions from hundreds of people all over the world
	In the past we had a scoreboard to keep track of the contributions

We are always short of volunteers, even for listadmin/webmaster/...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
How to get involved?

Internet services:
	Homepage - http://www.netfilter.org/
	FTP server - ftp://ftp.netfilter.org/
	rsync server - rsync.netfilter.org
	CVS server - pserver.netfilter.org
	Bugzilla - http://bugzilla.netfilter.org/
	CVSweb - http://cvs.netfilter.org/
	Mailing lists - http://lists.netfilter.org/
Anybody can contribute; code has to be GPL licensed
	Development discussion at netfilter-devel@lists.netfilter.org
	User questions at netfilter@lists.netfilter.org
	Security-relevant issues at coreteam@netfilter.org

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Areas of current development

pkttables (kernel part, pkttnetlink, libpkttnetlink, libpkttables)
make ULOG and ip_queue l3 independent (and move them to nfnetlink)
optimizing connection tracking SMP performance
conntrack: support for more protocols (SCTP, ...)
nf-hipac: highly optimized packet matching engine

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Thanks

%size 4
The slides of this presentation are available at http://www.gnumonks.org/
Visit the netfilter homepage http://www.netfilter.org/

Thanks to
	the BBS people, Z-Netz, FIDO, ...
		for heavily increasing my computer usage in 1992
	KNF (http://www.franken.de/)
		for bringing me in touch with the internet as early as 1994
		for providing a playground for technical people
		for telling me about the existence of Linux!
	Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
		for implementing (one of?) the world's best TCP/IP stacks
	Paul 'Rusty' Russell
		for starting the netfilter/iptables project
		for trusting me to maintain it today
	Astaro AG
		for sponsoring most of my current netfilter work