Gentoo Archives: gentoo-security

From: Robert Larson <robert@×××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] hosts.{allow,deny} vs. iptables.
Date: Thu, 13 Oct 2005 17:39:24
Message-Id: 200510131232.32817.robert@sixthings.com
In Reply to: [gentoo-security] hosts.{allow,deny} vs. iptables. by Peter Volkov
On Thursday 13 October 2005 02:26 am, Peter Volkov wrote:
> Can anybody explain the differences, pro/con between the mentioned two
> approaches in the subject?
First, I must say that this is a very interesting read on the original intended purpose of tcpd: ftp://ftp.porcupine.org/pub/security/tcp_wrapper.txt.Z

IMO, security works best in layers. So, why not use both? I see the following downsides:

- hosts.(allow|deny) seems to be implementation specific in the sense that not everything supports it. You might need to check to see if it's supported, or simply use tcpwrappers/inetd if it is not.

- IPTables is platform specific, in that not every (*nix) operating system uses it. On the other hand, these days it seems easier to set up a firewall in some form of a firewall builder app/script that can compile firewalls for multiple platforms from a centralized workstation. Then have it push the firewalls out to each host and restart them appropriately. Perhaps someday these apps may provide hosts.(allow|deny) support(?).

If forced to choose, I would go with firewalls (or rather, IPTables); you have a lot more options, especially when the firewall is stateful.

My 0.02..

Robert

--
gentoo-security@g.o mailing list
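The layering Robert describes, as an added example that is not part of the original post: a small Python model of how an inbound connection is checked first by the packet filter and then, only for a daemon built against libwrap (or started via tcpd/inetd), by hosts.{allow,deny}. The firewall rules, hosts file lines, daemon names and addresses are constructed samples, and the tcp_wrappers client-pattern matching is simplified to ALL, exact address, trailing-dot prefix and net/mask.

```python
import ipaddress

# Constructed sample configuration for the demo, not a real host's.
# Firewall: ordered (port, source network, target), first match wins; chain policy is DROP.
FIREWALL = [
    (22, ipaddress.ip_network("192.168.1.0/24"), "ACCEPT"),
    (22, ipaddress.ip_network("10.0.0.0/8"), "ACCEPT"),
    (80, ipaddress.ip_network("0.0.0.0/0"), "ACCEPT"),
]
FIREWALL_POLICY = "DROP"
HOSTS_ALLOW = ["sshd: 192.168.1.", "ALL: 10.0.0.1"]   # sample /etc/hosts.allow lines
HOSTS_DENY = ["ALL: ALL"]                              # sample /etc/hosts.deny line

def _client_matches(pattern, client):
    # Simplified tcp_wrappers client patterns: ALL, net/mask, trailing-dot prefix, exact IP.
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client.startswith(pattern)
    return client == pattern

def _wrapper_match(lines, daemon, client):
    # Each line is "daemon_list : client_list"; the line matches if any daemon and any client pattern do.
    for line in lines:
        daemons, clients = line.split(":", 1)
        if any(d.strip() in ("ALL", daemon) for d in daemons.split(",")) and \
           any(_client_matches(c.strip(), client) for c in clients.split(",")):
            return True
    return False

def tcpd_allows(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    # tcp_wrappers order: hosts.allow first, then hosts.deny, otherwise the connection is granted.
    if _wrapper_match(allow, daemon, client):
        return True
    return not _wrapper_match(deny, daemon, client)

def firewall_allows(port, client, rules=FIREWALL, policy=FIREWALL_POLICY):
    addr = ipaddress.ip_address(client)
    for rule_port, net, target in rules:
        if rule_port == port and addr in net:
            return target == "ACCEPT"
    return policy == "ACCEPT"

def connection_allowed(port, daemon, client, uses_libwrap):
    # Layer 1 is the packet filter; layer 2 only exists for daemons that honour
    # hosts.{allow,deny}, which is the "not everything supports it" caveat above.
    if not firewall_allows(port, client):
        return "dropped by firewall"
    if uses_libwrap and not tcpd_allows(daemon, client):
        return "refused by tcp_wrappers"
    return "accepted"
```

Running the same deny-everything hosts.deny against a daemon without libwrap shows why the firewall layer still has to carry the policy on its own.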