Here is a list of links to resources and where I have gotten information from, etc
:
-
ip-sysctl.txt
- from the 2.4.14 kernel. A little bit short but a good reference for the IP networking
controls and what they do to the kernel.
-
InGate - InGate is a commercial
firewall producer that uses Linux as the base for their firewall products. Their
productrange goes from basic firewalls to SIP gateways and QoS machines.
-
RFC
768 - User Datagram Protocol - This is the official RFC describing how the
UDP protocol should be used, in detail, and all of it's headers.
-
RFC
791 - Internet Protocol - The IP specification as still used on the Internet,
with additions and updates. The basic is still the same for IPv4.
-
RFC
792 - Internet Control Message Protocol - The definitive resource for all
information about ICMP packets. Whatever technical information you need about the
ICMP protocol, this is where you should turn first. Written by J. Postel.
-
RFC
793 - Transmission Control Protocol - This is the original resource on how
TCP should behave on all hosts. This document has been the standard on how TCP should
work since 1981 and forward. Extremely technical, but a must read for anyone who
wants to learn TCP in every detail. This was originally a Department of Defense
standard written by J. Postel.
-
RFC
1122 - Requirements for Internet Hosts - Communication Layers - This RFC
defines the requirements of the software running on a Internet host, specifically
the communication layers.
-
RFC
1349 - Type of Service in the Internet Protocol Suite - RFC describing some
changes and clarifications of the TOS field in the IP header.
-
RFC
1812 - Requirements for IP Version 4 Routers - This RFC specifies how routers
on the Internet should behave and how they are expected to handle different situations.
Very interesting reading.
-
RFC
2401 - Security Architecture for the Internet Protocol - This is an RFC
talking about the IPSEC implementation and standardisation. Well worth reading if
you are working with IPSEC.
-
RFC
2474 - Definition of the Differentiated Services Field (DS Field) in the IPv4 and
IPv6 Headers - In this document you will find out how the DiffServ works,
and you will find much needed information about the TCP/IP protocol additions/changes
needed for the DiffServ protocol to work.
-
RFC
2638 - A Two-bit Differentiated Services Architecture for the Internet -
This RFC describes a method of implementing two different differentiated service
architecture into one. Both where described originally by D. Clark and van Jacobsen
at the Munich IETH meeting 1997.
-
RFC
2960 - Stream Control Transmission Protocol - This is a relatively new protocol
developed by several large telecoms companies to complement UDP and TCP as a layer
3 protocol with higher reliability and resilience.
-
RFC
3168 - The Addition of Explicit Congestion Notification (ECN) to IP - This
RFC defines how ECN is to be used on a technical level and how it should be implemented
in the TCP and IP protocols. Written by K. Ramakrishnan, S. Floyd and D. Black.
-
RFC
3260 - New Terminology and Clarifications for Diffserv - This memo captures
Diffserv working group agreements concerning new and improved terminology, and provides
minor technical clarifications.
-
RFC
3286 - An Introduction to the Stream Control Transmission Protocol - RFC
introducing the Stream Control Transmission Protocol, a relatively new layer 3 protocol
in the TCP/IP stack. Developed by several large telecom companies.
-
ip_dynaddr.txt - from the 2.4.14 kernel. A really short reference to the
ip_dynaddr settings available via sysctl and the proc file system.
-
iptables.8
- The iptables 1.3.1 man page. This is an HTMLized version of the man page which
is an excellent reference when reading/writing iptables rule-sets. Always have it
at hand.
-
Ipsysctl tutorial
- Another tutorial I have written about the IP System Control in Linux. A try to
make a complete listing of all the IP variables that can be set on the fly in Linux.
-
Policy Routing
Using Linux - This is an excellent book that has now been opened up on the
Internet regarding Policy routing in Linux. It is well written and most definitely
worth buying. Written by Matthew G. Marsh.
-
Security-Enhanced Linux
- The official site of the Security-Enhanced Linux (SELinux) system developed as
a proof of concept by the National Security Agency (NSA). SELinux is a fine grained
Mandatory Access Control system, which lets you have a much higher control on who
can do what and what processes has what privileges, et cetera.
-
Firewall rules table - A small PDF document gracefully given
to this project by Stuart Clark, which gives a reference form where you can write
all of the information needed for your firewall, in a simple manner.
-
http://l7-filter.sourceforge.net/
- The l7-filter project is basically a set of patches and files to make iptables
and netfilter able to handle layer 7 filtering, mainly for QoS and traffic accounting.
It works less reliably for filtering however, since it will allow the first couple
of packets through before actually blocking traffic.
-
http://www.netfilter.org/
- The official Netfilter and iptables site. It is a must for everyone wanting to
set up iptables and Netfilter in linux.
-
http://www.insecure.org/nmap/
- Nmap is one of the best, and most known, port scanners available. It is very useful
when debugging your firewall scripts. Take a closer look at it.
-
http://www.netfilter.org/documentation/index.html#FAQ
- The official Netfilter Frequently Asked
Questions. Also a good place to start at when wondering what iptables
and Netfilter is about.
-
http://www.netfilter.org/unreliable-guides/packet-filtering-HOWTO/index.html
- Rusty Russells Unreliable Guide to packet filtering. Excellent documentation about
basic packet filtering with iptables written by one of the core developers of iptables
and Netfilter.
-
http://www.netfilter.org/unreliable-guides/NAT-HOWTO/index.html - Rusty
Russells Unreliable Guide to Network Address Translation. Excellent documentation
about Network Address Translation in iptables and Netfilter written by one of the
core developers, Rusty Russell.
-
http://www.netfilter.org/unreliable-guides/netfilter-hacking-HOWTO/index.html
- Rusty Russells Unreliable Netfilter Hacking HOW-TO. One of the few documentations
on how to write code in the Netfilter and iptables user-space and kernel space code-base.
This was also written by Rusty Russell.
-
http://www.linuxguruz.org/iptables/
- Excellent link-page with links to most of the pages on the Internet about iptables
and Netfilter. Also maintains a list of iptables scripts for different purposes.
-
Policy Routing using Linux
- The best book I have ever read on Policy routing nad linux. This is an absolute
must when it comes to routing in linux. Written by Matthew G. Marsh.
-
Implementing
Quality of Service Policies with DSCP - A link about the cisco implementation
of DSCP. This shows some classes used in DSCP, and so on.
-
IETF SIP
Working Group - SIP is one of the "next big things" it seems. Basically
it is the defacto standards for Internet telephony today. It is horribly complex
as you can see from the amount of documentation on the working groups homepage,
and should hopefully be able to cope with pretty much any needs of session initiation
in the future. It is used mainly to setup peer to peer connections between known
users, for example to connect to user@example.org and setup a phone connection to
that user. This is the IETF Working group handling all SIP work.
-
IETF TLS
Working Group - TLS is a transport layer security model that is one of the
most common host to server based security mechanisms. The current version is running
is 1.1 and work is ongoing to get 1.2 out the door with support for newer and better
cryptos as of this writing. This is a standardized way of sending and receiving
public keys for servers and handling trusted certificate agents etc. For more information,
read the RFC's on this page.
-
IPSEC Howto - This is the
official IPSEC howto for Linux 2.6 kernels. It describes how IPSEC works in the
2.6 kernels and up, however, it is not the place to find out exactly how the Linux
2.2 and 2.4 kernels worked when it comes to IPSEC. Go to the
FreeS/WAN site for that information.
-
FreeS/WAN - This is the official
site for FreeS/WAN, an IPSEC implementation for the Linux 2.2 and 2.4 kernel series.
This site contains documentation and all necessary downloads for the IPSEC implementation.
This effort has been discontinued due to several reasons discussed on the page,
but efforts will still be put into bugfixes, documentation and the forums. For an
IPSEC implementation for Linux 2.6 kernels, please look at the
IPSEC Howto site and the information there.
-
http://www.islandsoft.net/veerapen
.html -Excellent discussion on automatic hardening of iptables and how to
make small changes that will make your computer automatically add hostile sites
to a special ban list in iptables .
-
/etc/protocols - An example protocols file taken from
the Slackware distribution. This can be used to find out what protocol number different
protocols have, such as the IP, ICMP or TCP protocols have.
-
/etc/services - An example services file taken from
the Slackware distribution. This is extremely good to get used to reading once in
a while, specifically if you want to get a basic look at what protocols runs on
different ports.
-
Internet Assigned Numbers Authority
- The IANA is the organisation that is responsible for fixing all numbers in the
different protocols in an orderly fashion. If anyone has a specific addition to
make to a protocol (for example, adding a new TCP option), they need to contact
the IANA, which will assign the numbers requested. In other words, extremely important
site to keep an eye on.
-
RFC-editor.org - This is
an excellent site for finding RFC documents in a fast and orderly way. Functions
for searching RFC documents, and general information about the RFC community (I.e.,
errata, news, et cetera).
-
Internet Engineering Task Force
- This is one of the biggest groups when it comes to setting and maintaining Internet
standards. They are the ones maintaining the RFC repository, and consist of a large
group of companies and individuals that work together to ensure the interoperability
of the Internet.
-
Linux Advanced Routing and Traffic Control
HOW-TO - This site hosts the Linux Advanced Routing and Traffic Control
HOWTO. It is one of the biggest and best documents regarding Linux advanced routing.
Maintained by Bert Hubert.
-
Paksecured Linux Kernel patches
- A site containing all of the kernel patches written by Matthew G. Marsh. Among
others, the FTOS patch is available here.
-
ULOGD project page - The homepage of the ULOGD site.
-
The Linux Documentation Project
is a great site for documentation. Most big documents for Linux is available here,
and if not in the TLDP, you will have to search the net very carefully. If there
is anything you want to know more about, check this site out.
-
Snort - this is an excellent open
source "network intrusion detection system" (NIDS) which looks for signatures in
the packets that it sees, and if it sees a signature of some kind of attack or break-in
it can do different actions that can be defined (notifying the administrator, or
take action, or simply logging it).
-
Tripwire - tripwire is an excellent
security tool which can be used to find out about host intrusions. It makes checksums
of all the files specified in a configuration file, and then it tells the administrator
about any files that has been tampered with in an illegit way every time it is run.
-
Squid - This is one of the most
known webproxies available on the market. It is open source, and free. It can do
several of the filtering tasks that should be done before the traffic actually hits
your webserver, as well as doing the standard webcaching functions for your networks.
-
http://kalamazoolinux.org/presentations/20010417/conntrack.html - This presentation
contains an excellent explanation of the conntrack modules and their work in Netfilter.
If you are interested in more documentation on conntrack, this is a "must read".
-
http://www.docum.org - Excellent
information about the CBQ, tc and the ip commands in Linux. One of the few sites
that has any information at all about these programs. Maintained by Stef Coene.
-
http://lists.samba.org/m
ailman/listinfo/netfilter- The official Netfilter mailing-list. Extremely
useful in case you have questions about something not covered in this document or
any of the other links here.
And of course the iptables source, documentation and individuals who helped me.