On Thursday 13 October 2005 02:26 am, Peter Volkov wrote:
> Can anybody explain the differences, pro/con between the mentioned two
> approaches in the subject?

First, I must say that this is a very interesting read on the original
intended purpose of tcpd:
ftp://ftp.porcupine.org/pub/security/tcp_wrapper.txt.Z

IMO, security works best in layers. So, why not use both?

I see the following downsides:

- hosts.(allow|deny) seems to be implementation specific in the sense that not
everything supports it. You might need to check to see if it's supported, or
simply use tcpwrappers/inetd if it is not.

- IPTables is platform specific, in that not every (*nix) operating system
uses it.


On the other hand, these days it seems easier to set up a firewall in some form
of a firewall builder app/script that can compile firewalls for multiple
platforms from a centralized workstation. Then have it push the firewalls
out to each host and restart them appropriately. Perhaps someday these apps
may provide hosts.(allow|deny) support(?).

If forced to choose, I would go with firewalls (or rather, IPTables), you have
a lot more options especially when the firewall is stateful.

My 0.02..

Robert
--
gentoo-security@g.o mailing list
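As an added example, not part of Robert's message or of the tcp_wrappers sources, the Python below models the hosts_access(5) decision order that the hosts.(allow|deny) layer applies: a (daemon, client) pair is granted if it matches /etc/hosts.allow, otherwise denied if it matches /etc/hosts.deny, otherwise granted. It implements only a subset of the file syntax (ALL, an exact address, a trailing-dot prefix such as 192.168.1., a net/netmask pair, and the EXCEPT operator); the two file bodies are constructed sample input. Walking the same request through both files shows the two things a reviewer of this layer usually wants to check: that the EXCEPT clause really removes a host from the allow rule, and that an empty hosts.deny makes the whole mechanism fail open.

```python
"""Simplified model of tcp_wrappers hosts.allow / hosts.deny evaluation.

Added example, not the tcp_wrappers implementation. Supports a subset of
the hosts_access(5) syntax: ALL, exact IP, trailing-dot prefix,
net/netmask, and EXCEPT. The sample files below are constructed input.
"""
import ipaddress

# Constructed sample /etc/hosts.allow (not from the original message)
HOSTS_ALLOW = """
# ssh only from the admin LAN, except one workstation we do not trust
sshd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.77
# portmap only from the loopback address
portmap : 127.0.0.1
"""

# Constructed sample /etc/hosts.deny: deny everything not allowed above
HOSTS_DENY = """
ALL : ALL
"""


def split_list(field):
    """Split 'a b EXCEPT c' into (included patterns, excluded patterns)."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"malformed access-control line: {raw!r}")
        # options (the optional third field) are ignored in this model
        rules.append((split_list(parts[0]), split_list(parts[1])))
    return rules


def match_client(pattern, ip):
    """Match one client pattern against an ipaddress.IPv4Address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # prefix form, e.g. 192.168.1.
        return str(ip).startswith(pattern)
    if "/" in pattern:                   # net/netmask form
        network = ipaddress.ip_network(pattern, strict=False)
        return ip in network
    return str(ip) == pattern            # exact address


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def list_matches(lst, value, matcher):
    """A list matches when an included pattern matches and no EXCEPT pattern does."""
    included, excluded = lst
    return (any(matcher(p, value) for p in included)
            and not any(matcher(p, value) for p in excluded))


def rules_match(rules, daemon, ip):
    return any(list_matches(d, daemon, match_daemon)
               and list_matches(c, ip, match_client)
               for d, c in rules)


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return True if access is granted, following the hosts_access(5) order."""
    ip = ipaddress.ip_address(client_ip)
    if rules_match(parse_rules(allow_text), daemon, ip):
        return True                      # allow file matched: granted
    if rules_match(parse_rules(deny_text), daemon, ip):
        return False                     # deny file matched: refused
    return True                          # neither matched: granted by default


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.10"), ("sshd", "192.168.1.77"),
                       ("sshd", "10.0.0.5"), ("portmap", "127.0.0.1")]:
        verdict = "granted" if hosts_access(daemon, ip) else "refused"
        print(f"{daemon:8} from {ip:14} -> {verdict}")
    # With no hosts.deny at all, the unmatched request falls through to "granted"
    print("sshd from 10.0.0.5 with empty hosts.deny ->",
          "granted" if hosts_access("sshd", "10.0.0.5", deny_text="") else "refused")
```

The real tool for this check is `tcpdmatch` (for example `tcpdmatch sshd 192.168.1.10`), which reads the live files; the model above only reproduces the decision rule. Two things it cannot tell you are exactly the caveats in the message: a daemon that was not built against libwrap never consults these files, and a request that arrives on a port no wrapped daemon listens on is never seen by them at all. That is where the packet-filter layer complements it; the stateful iptables rule `iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT`, with a default DROP policy on INPUT, enforces the same admin-LAN restriction before the connection reaches sshd, whether or not sshd honours hosts.allow.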