Gentoo Archives: gentoo-security

From: Robert Larson <robert@×××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] hosts.{allow,deny} vs. iptables.
Date: Thu, 13 Oct 2005 17:39:24
Message-Id: 200510131232.32817.robert@sixthings.com
In Reply to: [gentoo-security] hosts.{allow,deny} vs. iptables. by Peter Volkov
On Thursday 13 October 2005 02:26 am, Peter Volkov wrote:
> Can anybody explain the differences, pro/con between the mentioned two
> approaches in the subject?

First, I must say that this is a very interesting read on the original
intended purpose of tcpd:
ftp://ftp.porcupine.org/pub/security/tcp_wrapper.txt.Z

IMO, security works best in layers. So, why not use both?

I see the following downsides:

- hosts.(allow|deny) seems to be implementation specific in the sense that not
everything supports it. You might need to check to see if it's supported, or
simply use tcpwrappers/inetd if it is not.

- IPTables is platform specific, in that not every (*nix) operating system
uses it.


On the other hand, these days it seems easier to set up a firewall in some form
of a firewall builder app/script that can compile firewalls for multiple
platforms from a centralized workstation. Then have it push the firewalls
out to each host and restart them appropriately. Perhaps someday these apps
may provide hosts.(allow|deny) support(?).

If forced to choose, I would go with firewalls (or rather, IPTables), you have
a lot more options especially when the firewall is stateful.

My 0.02..

Robert
--
gentoo-security@g.o mailing list
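The following is an added example (editor's code, not part of Robert's post and not a Gentoo tool) of the layered setup the post recommends, in the "compile centrally, push to each host" style it describes: one POSIX shell script turns a single allow-list into both a hosts.allow/hosts.deny pair for tcpd and a stateful iptables ruleset. The daemon name sshd, TCP port 22 and the source networks are constructed sample inputs. Nothing is applied; the iptables commands are printed rather than executed, so the script runs without root and without netfilter, and its output is what the push step would ship to a host. The prefix-to-netmask helper exists because the net/mask form (192.168.1.0/255.255.255.0) is what tcp_wrappers 7.6 documents, while a bare IPv4 CIDR prefix in hosts.allow only works where the distribution has patched it in.

```sh
#!/bin/sh
# Added example, not code from the original post. Compiles one allow-list into
# both layers discussed in the thread: a hosts.allow/hosts.deny pair for tcpd
# and a stateful iptables ruleset. Rules are printed, never applied.

# Convert a CIDR prefix length (0-32) into a dotted-quad netmask, e.g. 24 ->
# 255.255.255.0, because hosts.allow(5) in tcp_wrappers 7.6 documents the
# net/mask form and IPv4 CIDR prefixes depend on distribution patches.
prefix2mask() {
    p=$1
    mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            octet=255
            p=$((p - 8))
        else
            octet=$(( (255 << (8 - p)) & 255 ))
            p=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s' "$mask"
}

# Layer 1: tcp_wrappers. hosts.allow is consulted first; a client that matches
# no allow line falls through to hosts.deny, which denies the daemon to ALL.
# Usage: gen_tcpwrap <daemon> <source>...   (sources as a.b.c.d or a.b.c.d/len)
gen_tcpwrap() {
    daemon=$1; shift
    printf '# /etc/hosts.allow\n'
    for src in "$@"; do
        case $src in
            */*) net=${src%/*}
                 mask=$(prefix2mask "${src#*/}")
                 printf '%s: %s/%s\n' "$daemon" "$net" "$mask" ;;
            *)   printf '%s: %s\n' "$daemon" "$src" ;;
        esac
    done
    printf '# /etc/hosts.deny\n'
    printf '%s: ALL\n' "$daemon"
}

# Layer 2: stateful iptables (netfilter's "state" match, as used in 2005).
# Packets of established flows are accepted up front, so the per-source rules
# only have to decide the first packet (NEW) of each connection; everything
# else to the port is dropped. The rules are emitted as commands for INPUT and
# would be appended on the target host; no flush is done here.
# Usage: gen_iptables <tcp-port> <source>...
gen_iptables() {
    port=$1; shift
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample: admit sshd only from one LAN and one management host.
ALLOWED="192.168.1.0/24 10.0.0.5"
gen_tcpwrap sshd $ALLOWED
gen_iptables 22 $ALLOWED
```

The two outputs are not equivalent, which is the point of layering them: the hosts.allow/hosts.deny pair only protects daemons that consult libwrap or run under tcpd/inetd (the first downside the post lists), whereas the iptables rules cover everything bound to the port, and the ESTABLISHED,RELATED rule is what makes the second layer stateful. On a host the generated commands would be piped into sh, and the two printf sections split into their respective files; in a firewall-builder workflow the script's output is the artifact that gets pushed.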