quoth the Peter Volkov:
> Hello.
>
> Can anybody explain the differences, pro/con between the mentioned two
> approaches in the subject?
>
> I thought that the fewer programs I have on my server the more secure it is.
> But the gentoo security guide and some people on this list suggest usage of
> hosts.allow, hosts.deny files, which only work if I have tcpd installed,
> thus another service which weakens the server's security. But normally each
> server has iptables installed. So every sysadmin can obtain hosts.allow,
> hosts.deny functionality with a simple iptables rule like the following:
>
> iptables -A INPUT -s bad_host -j DROP
>
> This is the base functionality of iptables. No PoM is necessary for such
> kind of things.
>
> More. I think some portable bash script that will parse host.* files and
> create iptables rules is very simple to write!
>
> So why many people and security guides still suggest the use of tcpd
> over simple iptables rules?
>
> Thank you for your time,
> Peter.
This is a good question, and one for which I am anticipating many responses
more informative and comprehensive than mine...all I can do is offer opinion.
As I see it, iptables is best used to guard the network gateway, and live
internet servers, i.e.: http, ftp, smtp, named etc...and tcpwrappers is best
suited for internal LAN security, where you may want to easily control access
to _many_ services host by host, i.e. NFS, samba, rsync, ssh, pop, imap etc...
I suppose the listing of services is arbitrary, depending on your
circumstances. For me it comes down to iptables for servers directly
accessible from the internet, and tcpwrappers for internal stuff.
-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
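As an added example (not code from either poster) of the conversion script Peter describes, here is a small POSIX sh function that turns hosts.deny entries into the equivalent iptables DROP rules; the daemon-to-port table is an assumption and the sample file is constructed for the demo. The skipped cases (hostname patterns, ALL/LOCAL wildcards) are exactly where tcpd's daemon-and-hostname matching does not map onto iptables' port-and-address matching, which is the practical reason behind Darren's split.

```shell
#!/bin/sh
# Translate tcp_wrappers hosts.deny lines ("daemon_list : client_list") into
# iptables DROP rules. Dry run only: the rules are printed, not applied, so
# they can be reviewed before being piped into sh on a real host.
port_for() {                     # assumed daemon -> TCP port mapping for the demo
    case "$1" in
        sshd) echo 22 ;;
        ipop3d) echo 110 ;;
        imapd) echo 143 ;;
        rsyncd) echo 873 ;;
        ALL) echo "" ;;          # ALL: no --dport, drop every port from that client
        *) return 1 ;;
    esac
}

# Print one iptables rule per (daemon, client) pair found in FILE ($1).
hosts_deny_to_iptables() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS=: read -r daemons clients; do
        for d in $(echo "$daemons" | tr ',' ' '); do
            port=$(port_for "$d") || { echo "# unknown daemon '$d', skipped" >&2; continue; }
            for c in $(echo "$clients" | tr ',' ' '); do
                case "$c" in    # tcpd hostname patterns/wildcards have no iptables -s form
                    .*|ALL|LOCAL|KNOWN|UNKNOWN|PARANOID)
                        echo "# cannot translate client pattern '$c' for $d" >&2; continue ;;
                esac
                if [ -n "$port" ]; then
                    echo "iptables -A INPUT -p tcp --dport $port -s $c -j DROP"
                else
                    echo "iptables -A INPUT -s $c -j DROP"
                fi
            done
        done
    done
}

# Constructed sample hosts.deny for the demo; prints the temp file path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real deployment
sshd : 10.0.0.5, 192.168.1.0/24
ipop3d, imapd : .bad.example
ALL : 203.0.113.7
EOF
    echo "$f"
}
```

Run `hosts_deny_to_iptables "$(make_sample)"` to see the three generated rules on stdout and the two untranslatable `.bad.example` entries reported on stderr.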