Gentoo Archives: gentoo-security

From: darren kirby <bulliver@×××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] hosts.{allow,deny} vs. iptables.
Date: Thu, 13 Oct 2005 12:32:44
In Reply to: [gentoo-security] hosts.{allow,deny} vs. iptables. by Peter Volkov
quoth the Peter Volkov:
> Hello.
>
> Can anybody explain the differences, pro/con between the mentioned two
> approaches in the subject?
>
> I thought that the fewer programs I have on my server the more secure it is.
> But the gentoo security guide and some people on this list suggest usage of
> hosts.allow, hosts.deny files, which only work if I have tcpd installed,
> thus another service which weakens the server's security. But normally each
> server has iptables installed. So every sysadmin can obtain hosts.allow,
> hosts.deny functionality with a simple iptables rule like the following:
>
> iptables -A INPUT -s bad_host -j DROP
>
> This is the base functionality of iptables. No PoM is necessary for such
> kind of things.
>
> More. I think some portable bash script that will parse host.* files and
> create iptables rules is very simple to write!
>
> So why do many people and security guides still suggest the use of tcpd
> over simple iptables rules?
>
> Thank you for your time,
> Peter.
This is a good question, and one for which I am anticipating many responses more informative and comprehensive than mine...all I can do is offer opinion.

As I see it, iptables is best used to guard the network gateway and live internet servers, i.e. http, ftp, smtp, named etc...and tcpwrappers is best suited for internal LAN security, where you may want to easily control access to _many_ services host by host, i.e. NFS, samba, rsync, ssh, pop, imap etc...

I suppose the listing of services is arbitrary, depending on your circumstances. For me it comes down to iptables for servers directly accessible from the internet, and tcpwrappers for internal stuff.

-d
--
darren kirby :: Part of the problem since 1976 ::
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
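As an added illustration of the hosts.deny-to-iptables translation Peter calls "very simple to write" (example code, not from either poster), this POSIX sh script turns plain `daemon_list : client_list` lines into iptables DROP rules; the daemon-name-to-port map is an assumption, and the sample input is constructed.

```sh
#!/bin/sh
# Translate hosts.deny-style "daemon : client" lines into iptables DROP rules.
# Only prints the commands; it never runs iptables itself.

# Map a tcpd daemon name to "proto port" (assumed table; extend as needed).
# "ALL" means every port; unknown daemons yield no rule at all.
svc_port() {
    case "$1" in
        sshd)        echo "tcp 22" ;;
        ftpd|vsftpd) echo "tcp 21" ;;
        pop3d)       echo "tcp 110" ;;
        imapd)       echo "tcp 143" ;;
        rsync)       echo "tcp 873" ;;
        ALL)         echo "all 0" ;;
        *)           echo "" ;;
    esac
}

# Read hosts.deny lines on stdin, print one iptables command per (daemon, client).
# Handles "#" comments, comma lists, CIDR/netmask sources and the client "ALL".
# Hostnames, EXCEPT lists and hosts.allow ordering are not translated.
hosts_to_iptables() {
    while IFS= read -r line; do
        line=${line%%#*}                                # strip trailing comment
        case "$line" in *:*) ;; *) continue ;; esac    # skip blank/malformed
        daemons=$(printf '%s' "${line%%:*}" | tr -d ' \t' | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        for d in $daemons; do
            set -- $(svc_port "$d")                      # $1=proto $2=port
            [ -n "$1" ] || continue                      # no mapping: skip
            for c in $clients; do
                src=""; [ "$c" = ALL ] || src=" -s $c"   # ALL client: no -s
                if [ "$1" = all ]; then
                    echo "iptables -A INPUT$src -j DROP"
                else
                    echo "iptables -A INPUT$src -p $1 --dport $2 -j DROP"
                fi
            done
        done
    done
}

# Constructed sample (not a real hosts.deny); prints the generated rules.
printf '%s\n' '# block a noisy host from ssh and rsync' \
    'sshd, rsync: 10.0.0.5' \
    'ALL: 192.168.1.0/255.255.255.0' | hosts_to_iptables
```

Everything tcpd matches by name (hostnames, EXCEPT clauses, the allow-before-deny evaluation order) produces no rule here, which is exactly the functionality that is lost in the translation.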