Gentoo Archives: gentoo-security

From: darren kirby <bulliver@×××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] hosts.{allow,deny} vs. iptables.
Date: Thu, 13 Oct 2005 12:32:44
Message-Id: 200510130528.11196.bulliver@badcomputer.org
In Reply to: [gentoo-security] hosts.{allow,deny} vs. iptables. by Peter Volkov
quoth the Peter Volkov:
> Hello.
>
> Can anybody explain the differences, pro/con between the mentioned two
> approaches in the subject?
>
> I thought that fewer programs I have on my server the more secure it is.
> But gentoo security guide and some people on this list suggest usage of
> hosts.allow, hosts.deny files, which only work if I have tcpd installed,
> thus another service which weaken server's security. But normally each
> server has iptables installed. So every sysadmin can obtain hosts.allow,
> hosts.deny functionality with simple iptables rule like the following:
>
> iptables -A INPUT -s bad_host -j DROP
>
> This is the base functionality of iptables. No PoM is necessary for such
> kind of things.
>
> More. I think some portable bash script that will parse host.* files and
> create iptables rules is very simple to write!
>
> So why many people and security guides still suggest the use of tcpd
> over simple iptables rules?
>
> Thank you for your time,
> Peter.

This is a good question, and one for which I am anticipating many responses
more informative and comprehensive than mine...all I can do is offer opinion.

As I see it, iptables is best used to guard the network gateway, and live
internet servers, i.e. http, ftp, smtp, named etc...and tcpwrappers is best
suited for internal LAN security, where you may want to easily control access
to _many_ services host by host, i.e. NFS, samba, rsync, ssh, pop, imap etc...

I suppose the listing of services is arbitrary, depending on your
circumstances. For me it comes down to iptables for servers directly
accessible from the internet, and tcpwrappers for internal stuff.

-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
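The script Peter's message proposes, as an added example that is not part of the thread: it reads a hosts.allow/hosts.deny-style file and prints the equivalent iptables commands instead of running them, so the result can be reviewed first. The daemon-to-port table is a constructed stand-in (tcpd matches on the daemon name, iptables on the port), and the script deliberately refuses client patterns iptables cannot express statically (hostnames, @netgroups, EXCEPT clauses); tcpd resolves those per connection, which is the main thing a static rule set cannot reproduce. To mirror tcpd's order of evaluation, generate ACCEPT rules from hosts.allow before DROP rules from hosts.deny.

```shell
#!/bin/sh
# Added example, not from the original thread: translate a hosts.{allow,deny}
# file into iptables commands and print them for review. Nothing is executed.
# Handles "daemon_list : client_list [: options]" lines, ALL, comment lines,
# single addresses, CIDR networks and tcpd's trailing-dot prefix ("10.1.2.").

# Map a daemon name to its TCP port. Constructed table; extend as needed.
daemon_port() {
    case "$1" in
        sshd)        echo 22 ;;
        ftpd|vsftpd) echo 21 ;;
        ipop3d)      echo 110 ;;
        imapd)       echo 143 ;;
        *)           return 1 ;;
    esac
}

# Turn a tcpd client pattern into an iptables -s argument. Fails for forms
# that need a lookup at connection time (hostnames, @netgroups, EXCEPT).
client_to_cidr() {
    c=$1
    case "$c" in
        */*)       echo "$c" ;;          # already a CIDR network
        *[!0-9.]*) return 1 ;;           # hostname, netgroup, keyword
        *.)                              # prefix form: 10.1.2. -> 10.1.2.0/24
            dots=$(printf '%s' "$c" | tr -cd '.' | wc -c | tr -d ' ')
            case "$dots" in
                1) echo "${c}0.0.0/8" ;;
                2) echo "${c}0.0/16" ;;
                3) echo "${c}0/24" ;;
                *) return 1 ;;
            esac ;;
        *)         echo "$c/32" ;;       # single host
    esac
}

# gen_rules FILE TARGET: print one iptables command per (daemon, client) pair.
# Use TARGET=ACCEPT for hosts.allow and TARGET=DROP for hosts.deny, and emit
# the allow rules first, as tcpd consults hosts.allow before hosts.deny.
gen_rules() {
    file=$1; target=$2
    sed -e 's/#.*//' "$file" | while IFS= read -r line; do
        case "$line" in *[![:space:]]*) ;; *) continue ;; esac   # blank line
        daemons=$(printf '%s' "$line" | cut -d: -f1 | tr ',' ' ')
        clients=$(printf '%s' "$line" | cut -d: -f2 | tr ',' ' ')
        for d in $daemons; do
            if [ "$d" = ALL ]; then
                portopt=""
            else
                p=$(daemon_port "$d") || { echo "skip: unknown daemon $d" >&2; continue; }
                portopt=" -p tcp --dport $p"
            fi
            for c in $clients; do
                if [ "$c" = ALL ]; then
                    srcopt=""
                else
                    s=$(client_to_cidr "$c") || { echo "skip: client '$c' needs a runtime lookup" >&2; continue; }
                    srcopt=" -s $s"
                fi
                echo "iptables -A INPUT${srcopt}${portopt} -j ${target}"
            done
        done
    done
}

# Typical use (review the output before piping it to sh):
#   gen_rules /etc/hosts.allow ACCEPT
#   gen_rules /etc/hosts.deny  DROP
```

The skipped patterns are reported on stderr rather than silently dropped, since a hosts.deny entry that vanishes from the translated rule set is exactly the kind of gap that gets noticed only after the fact.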