List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: darren kirby <bulliver@...>
Subject: Re: hosts.{allow,deny} vs. iptables.
Date: Thu, 13 Oct 2005 05:28:05 -0700
quoth the Peter Volkov:
> Hello.
>
> Can anybody explain the differences, pro/con between the mentioned two
> approaches in the subject?
>
> I thought that fewer programs I have on my server the more secure it is.
> But gentoo security guide and some people on this list suggest usage of
> hosts.allow, hosts.deny files, which only work if I have tcpd installed,
> thus another service which weakens server's security. But normally each
> server has iptables installed. So every sysadmin can obtain hosts.allow,
> hosts.deny functionality with simple iptables rule like the following:
>
> iptables -A INPUT -s bad_host -j DROP
>
> This is the base functionality of iptables. No PoM is necessary for such
> kind of things.
>
> More. I think some portable bash script that will parse hosts.* files and
> create iptables rules is very simple to write!
>
> So why many people and security guides still suggest the use of tcpd
> over simple iptables rules?
>
> Thank you for your time,
> Peter.

This is a good question, and one for which I am anticipating many responses 
more informative and comprehensive than mine...all I can do is offer opinion.

As I see it, iptables is best used to guard the network gateway, and live 
internet servers, ie: http, ftp, smtp, named etc...and tcpwrappers is best 
suited for internal LAN security, where you may want to easily control access 
to _many_ services host by host, ie NFS, samba, rsync, ssh, pop, imap etc...

I suppose the listing of services is arbitrary, depending on your 
circumstances. For me it comes down to iptables for servers directly 
accessible from the internet, and tcpwrappers for internal stuff.

-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
Attachment:
pgpH3iSjQ7Ete.pgp (PGP signature)
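Peter's suggestion above, a script that parses hosts.* files and emits iptables rules, is sketched below as an added example; it is not code from the thread or from either poster. It reads hosts.deny-style entries (`daemon_list : client_list [: shell_command]`), prints the DROP rule that would match the same traffic at the packet layer, and refuses to translate what has no static packet-level equivalent: hostname patterns and KNOWN/UNKNOWN/PARANOID (tcpd evaluates these with a DNS lookup at connect time) and EXCEPT lists (which need an ACCEPT ordered before the DROP). The `daemon_port` table is an assumption of this example, since tcpd matches on the daemon's name while iptables needs a protocol and port, and the hosts.deny content is constructed. One caveat this makes visible: `ALL : host` in hosts.deny only affects services that are wrapped (run via tcpd or linked against libwrap), whereas the generated `iptables ... -j DROP` discards every packet from that source, including UDP, ICMP and unwrapped daemons, so the two are not interchangeable even when the addresses line up.

```shell
#!/bin/sh
# Added example (not from the thread): translate hosts.deny-style entries
# into iptables DROP rules where a packet-level equivalent exists. Rules
# are printed, not executed, so they can be reviewed before being loaded.

# Constructed sample hosts.deny content, covering the usual entry shapes.
SAMPLE_HOSTS_DENY='# constructed sample, not a real configuration
ALL : 203.0.113.7
sshd : 192.168.1.
ALL : 10.0.0.0/255.0.0.0
ALL : 198.51.100.0/24 : spawn /bin/echo %c
in.telnetd : badhost.example.invalid
ALL : ALL EXCEPT 192.168.1.0/24'

# Hypothetical daemon-name to TCP port table (an assumption of this example):
# tcpd matches on the daemon's name, iptables needs a protocol and port.
daemon_port() {
    case "$1" in
        sshd)       echo 22 ;;
        in.telnetd) echo 23 ;;
        *)          return 1 ;;
    esac
}

# Convert a tcpd client pattern into something iptables -s accepts.
# Trailing-dot prefixes expand by octet count, net/mask pairs and plain
# addresses pass through, ALL becomes 0.0.0.0/0. Anything else (hostnames,
# KNOWN/UNKNOWN/PARANOID) depends on a DNS lookup at connect time and fails.
client_to_cidr() {
    c=$1
    [ "$c" = ALL ] && { echo 0.0.0.0/0; return 0; }
    case "$c" in
        *[!0-9./]*) return 1 ;;            # not a dotted-decimal pattern
        *.*.*.)     echo "${c}0/24" ;;     # 192.168.1.  -> 192.168.1.0/24
        *.*.)       echo "${c}0.0/16" ;;   # 192.168.    -> 192.168.0.0/16
        *.)         echo "${c}0.0.0/8" ;;  # 10.         -> 10.0.0.0/8
        *.*.*.*)    echo "$c" ;;           # a.b.c.d or a.b.c.d/mask
        *)          return 1 ;;
    esac
}

# Read hosts.deny lines on stdin; print one iptables command per expressible
# entry and report the rest on stderr. Output order follows the file, since
# both tcpd and an iptables chain stop at the first match.
hosts_deny_to_iptables() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop comments
        daemons=${line%%:*}                    # field 1: daemon_list
        rest=${line#*:}
        [ "$rest" = "$line" ] && continue      # no colon: blank or not a rule
        clients=$(printf '%s' "${rest%%:*}" | tr ',' ' ')   # field 2: client_list
        except=0
        for c in $clients; do [ "$c" = EXCEPT ] && except=1; done
        if [ "$except" -eq 1 ]; then
            printf 'skip (EXCEPT needs an ACCEPT ordered before the DROP): %s\n' "$line" >&2
            continue
        fi
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ]; then
                match=""                       # every packet from the source
            elif port=$(daemon_port "$d"); then
                match="-p tcp --dport $port "
            else
                printf 'skip (no port known for daemon %s): %s\n' "$d" "$line" >&2
                continue
            fi
            for c in $clients; do
                if cidr=$(client_to_cidr "$c"); then
                    printf 'iptables -A INPUT %s-s %s -j DROP\n' "$match" "$cidr"
                else
                    printf 'skip (pattern %s needs a DNS lookup at connect time): %s\n' "$c" "$line" >&2
                fi
            done
        done
    done
    return 0
}

# Stand-alone run over the constructed sample; review stderr for what was skipped.
printf '%s\n' "$SAMPLE_HOSTS_DENY" | hosts_deny_to_iptables
```

Run against the sample, the script emits four rules (two for `ALL`, one for `sshd` narrowed to port 22, one ignoring the trailing `spawn` command) and reports the hostname and EXCEPT entries on stderr rather than guessing at them.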
References:
hosts.{allow,deny} vs. iptables.
-- Peter Volkov