0 - introduction/definition: Firewalls, Proxies, Packet Filters

  - present myself and my function within the netfilter coreteam
  - what is a firewall
    - packet filters at networking layer
      - inspect each packet and make a choice based on the packet
      - traditionally don't know about connections (== layer 4)
      - advantage: fast, transparent
      - disadvantage: filtering limited to l3+l4 (sometimes l2)
    - proxies at application layer
      - terminate two connections (client->proxy and proxy->server)
      - advantage: can base policy decision on application protocol
      - disadvantage: not transparent at all (not even transparent proxies)
    - result: both of them have their application.
  - history of linux packet filtering
    - ipfwadm (2.0)
    - ipchains (2.2)
    - iptables (2.4+2.6)
    - pkttables (2.6+)
    - iptables was developed together with netfilter in the 2.3.x kernel series

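The difference between a packet filter that "doesn't know about connections" and one that does is easiest to see on a concrete policy. The following script is an added example (not part of the talk notes and not netfilter project code): the same forwarding policy, "LAN clients may open HTTP connections to the outside, nothing else is forwarded", written first the stateless way (as ipchains had to) and then with connection tracking. It assumes eth0 is the internet side and eth1 the LAN side; both names are assumptions. With IPT=echo it prints the rules instead of loading them, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the talk notes or the netfilter project.
# Assumptions: eth0 faces the internet, eth1 faces the LAN, the box forwards
# between them. Set IPT=echo to preview the rules instead of loading them.
IPT="${IPT:-iptables}"

# Stateless version: the filter only sees headers, so the reply direction has
# to be described by headers alone. The classic trick is "anything from source
# port 80 that is not a SYN". It also lets through any unsolicited non-SYN
# packet that arrives from source port 80, because nothing remembers whether a
# LAN host ever opened that connection.
stateless_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 ! --syn -j ACCEPT
}

# Stateful version: conntrack keeps a table of ongoing connections, so replies
# are accepted only when they belong to a connection the LAN side opened.
# Packets that fit no tracked connection are INVALID and are dropped, and only
# the LAN side may create NEW HTTP connections.
stateful_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Sanity check for a generated ruleset: succeeds (exit 0) only if at least one
# rule consults connection state. Runs the named function in preview mode.
ruleset_is_stateful() {
    ( IPT=echo; "$1" ) | grep -q -- '--state'
}

# Preview (no root needed): sh firewall.sh
# Load the stateful set:    sh firewall.sh apply   (as root)
case "${1:-preview}" in
    apply)   stateful_rules ;;
    preview) IPT=echo stateful_rules ;;
esac
```

The `-m state` match is the one from the 2.4/2.6 era the notes describe; current iptables also accepts the equivalent `-m conntrack --ctstate`. The stateless ruleset is worth keeping around as the "before" picture: its second rule is exactly the kind of header-only guess that connection tracking makes unnecessary.
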
1 - Why a free software firewall?

  - the internet was built on free/open standards and software
  - security relevant open source code gets more auditing because more people read it (and thus report bugs)
  - users can put more trust in FOSS, since they can check for hidden backdoors
  - packet filters are used like routers. They are core infrastructure of the internet. Infrastructure should be open/free for the public, just like roads.
  - Everybody should be able to learn and understand how packet filtering works
  - Infrastructure should not depend on monopolistic companies.
    - problem if company goes bankrupt
    - dependent on 'upgrade pressure' and future license changes
    - no possibility to adapt it to new standards if vendor doesn't want to support it

2 - What can you do with netfilter/iptables

  - stateless packet filtering
    - matches: mac, src/dst ip, src/dst port,
  - stateful packet filtering by using connection tracking
    - keeps state table about all ongoing connections
    - supports l4 TCP,UDP,ICMP,GRE,PPTP
    - supports l5+ complex protocols like ftp,pptp,h323,talk,...
  - IP accounting (every rule has a packet/byte counter)
  - Network Address Translation (NAT/NAPT)
    - Stateful, based on Connection tracking
    - Source NAT / Masquerading
    - Destination NAT / Redirect
    - 1:1 NAT of whole networks (NETMAP)
    - supports l5+ complex protocols like ftp,pptp,h323,talk,...
  - Packet Mangling
    - Clamp TCP MSS to PMTU
    - Manipulate packet header (TTL, ECN, DSCP, ...)
    - Combine with policy routing / traffic shaping systems
  - stateless IPv6 packet filtering using ip6tables

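The NAT, mangle and accounting items in the list above map onto a handful of rules in the nat, mangle and filter tables. The following script is an added example (not from the talk notes and not netfilter project code) that writes them out for one small gateway. Everything concrete in it is an assumption: eth0 is the internet side, eth1 is the LAN 192.168.1.0/24, a web server sits at 192.168.1.10, a transparent proxy listens locally on port 3128, and 203.0.113.16/28 is a constructed public block from the documentation range. As in the filter example, IPT=echo prints the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not from the talk notes or the netfilter project.
# Assumptions (all constructed): eth0 = internet side, eth1 = LAN
# 192.168.1.0/24, web server 192.168.1.10, local transparent proxy on 3128,
# 203.0.113.16/28 a public block mapped 1:1 onto 192.168.2.0/28.
# Set IPT=echo to preview the commands instead of loading them.
IPT="${IPT:-iptables}"

nat_rules() {
    # NAT is stateful: a nat rule is consulted for the first packet of a
    # connection only; conntrack then applies the same mapping to the rest.
    # Source NAT: LAN hosts leave eth0 with the interface's address.
    # (SNAT --to-source would use a fixed address instead.)
    $IPT -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
    # Destination NAT: forward the public port 80 to the internal web server.
    $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
    # Redirect: hand LAN-originated HTTP to a local transparent proxy.
    $IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    # NETMAP: 1:1 mapping of a whole /28, one rule per direction.
    $IPT -t nat -A PREROUTING -d 203.0.113.16/28 -j NETMAP --to 192.168.2.0/28
    $IPT -t nat -A POSTROUTING -s 192.168.2.0/28 -j NETMAP --to 203.0.113.16/28
}

mangle_rules() {
    # Clamp the TCP MSS to the path MTU on SYNs leaving through eth0 (the
    # usual fix for links with a reduced MTU such as PPPoE).
    $IPT -t mangle -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # Header manipulation: a DSCP class for SSH so a downstream shaper can
    # prioritise it, and a normalised TTL for everything leaving the LAN.
    $IPT -t mangle -A PREROUTING -i eth1 -p tcp --dport 22 -j DSCP --set-dscp-class AF41
    $IPT -t mangle -A PREROUTING -i eth1 -j TTL --ttl-set 64
}

accounting_rules() {
    # A rule without a target matches, bumps its packet/byte counters and
    # lets the packet continue down the chain: that is all IP accounting
    # per direction needs.
    $IPT -A FORWARD -s 192.168.1.0/24
    $IPT -A FORWARD -d 192.168.1.0/24
}

# Read the counters back: -v adds the packet/byte columns, -x keeps them
# as exact numbers, -n skips name lookups.
show_accounting() {
    $IPT -L FORWARD -v -n -x
}

gateway_rules() {
    nat_rules
    mangle_rules
    accounting_rules
}

# Preview (no root needed): sh gateway.sh
# Load the rules:           sh gateway.sh apply   (as root)
case "${1:-preview}" in
    apply)   gateway_rules ;;
    preview) IPT=echo gateway_rules ;;
esac
```

Two things are easy to get wrong here and are visible in the preview output: NETMAP needs both a PREROUTING (destination) and a POSTROUTING (source) rule to be a real 1:1 mapping, and the MSS clamp must be restricted to SYN packets with `--tcp-flags SYN,RST SYN`, since only SYNs carry the MSS option.
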
3 - Who is behind the project? How to get involved?

  - started by Paul 'Rusty' Russell from Australia (co-author of ipchains)
  - Marc Boucher (Canada) and James Morris (Australia) dropped in
  - Harald Welte (Germany), Jozsef Kadlecsik (Hungary), Martin Josefsson (Sweden) joined coreteam
  - Countless contributions from hundreds of people all over the world
    - used to keep a scoreboard, but it was eating too much time
  - Project internet presence:
    - HTTP (www.netfilter.org)
    - FTP (ftp.netfilter.org)
    - RSYNC (rsync.netfilter.org)
    - CVS (pserver.netfilter.org)
    - 5 mailinglists (lists.netfilter.org)
    - Bugzilla (bugzilla.netfilter.org)
    - CVSweb (http://cvs.netfilter.org)
  - Anybody can contribute, as long as the contribution is GPL licensed
    - development happens on netfilter-devel@lists.netfilter.org
    - user questions belong to netfilter@lists.netfilter.org
    - security relevant findings to coreteam@netfilter.org

Iptables is used by a lot of commercial [and also proprietary] products. Companies like Astaro and Smoothwall are offering iptables-based firewall appliances. Other companies (like Linksys, Belkin, ...) are embedding iptables into their wavelan access points - and users don't even know that they are using iptables.