|
|
2003/02/04 - Harald Welte
netfilter/iptables
An interview conducted by Alain Buret
Alain Buret - Please present yourself !
Harald Welte - I'm Harald Welte, member of the netfilter core team.
Alain Buret - You're not an old guy, but you already have a good linux background. Can you explain what you did before ?
Harald Welte - I started using computers at the age of nine, learned Basic on the C64, and continued with Pascal and x86 assembly on the x86, wrote shareware programs for DOS and finally discovered linux and the free software movement in 1995. This was a hobby in my spare time. My professional career started as a communication electronics technician, but I started my own consulting business very soon afterwards.
I haven't had any formal training in computer science. All I know about coding I have learned by reading books and source code.
Alain Buret - Now, you're a key member of the netfilter/iptables team : bow would you introduce netfilter/iptables to newbies ?
Harald Welte - Difficult to answer that question ... newbies to computers? newbies to linux? newbies to network security ?
I'd start with: "netfilter/iptables is the linux 2.4+ packet filtering subsystem. It is part of the Linux kernel. It is used to increase networking security."
Alain Buret - There are parts of it in the linux kernel, but also in the "patch-o-matic" system ... why ? Are you progressing to fast or the linux kernel too slow ?
Harald Welte - There are several reasons.
New features should be stable and secure once we submit them to the kernel. So we publish them in patch-o-matic first, and after some more time testing they get submitted to the kernel.
Due to the modular architecture of netfilter/iptables, we receive numerous contributions. Some of them are only useful under very rare conditions. We don't want to bloat the linux kernel with features only a handfull of people will need - so those patches stay in patch-o-matic.
There are people who need to run old kernels for a particular reason. With patch-o-matic they can still have all netfilter bugfixes with an old kernel.
Alain Buret - There are of course other firewalling tools, other NAT tools, ... what are your main advantages over them (despite it's free/open) ?
Harald Welte - I'm always bad at advertisement, which seems related to the fact that I hate any kind of advertisement in general. I think we provide a good solution to most packet filtering issues, as do others. Every user should look at the different options and make a decision based on technical facts.
To not leave you with this vague answer: From my point of view, one of our strong points is the conntrack + NAT system, supported by helper modules for complex protocols and it's concept of what we call connection expectations.
Alain Buret - As nothing's perfect, what are the nearby features that will be added in netfilter/iptables ?
Harald Welte - There's plenty of them. A long-standing item is failover of the connection tracking state table, which I want to become the part of the project I spend most of the time this year. On the other hand, there is a redesign of the kernel/userspace interface and the userspace itself underway, which will enable third-party applications (especially like GUI frontends and intrusion detection systems) to interact with the packet filter more easily. And last, but not least, we want to reduce code duplication between the different layer 3 protocols supported right now (iptables, ip6tables, arptables).
Alain Buret - Is there some kind of sponsoring from companies that are using it ?
Harald Welte - Rusty Russell, who started the netfilter/iptables project, was sponsored by a couple of companies in the beginning: Watchguard, Linuxcare and finally IBM. I myself was sponsored by Conectiva in 2001, and parts of my recent netfilter/iptables work are funded by Astaro. And finally there's noris.net, who is sponsoring the hosting+traffic of the netfilter.org site (doing about 100GB per month).
Of course, as always, we could need more sponsoring to advance more quickly.
Alain Buret - What do you expect from your FOSDEM talk ?
Harald Welte - What do _I_ expect? Well, I expect lots of people interested in the future of the linux packet filter. And I expect that I will fulfill their expectations :)
|
|
|
Special announcement |
|
FOSDEM 2003 will take place on February 8 - 9 2003 in Brussels... |
|
|
FOSDEM search |
|
|
Contest |
|
Best background:
|
|
Create the coolest Fosdem background design and win cool stuffs... More info |
|
|
Sponsors corner |
|
|