
List Archive: gentoo-security
To: gentoo-security@g.o
From: darren kirby <bulliver@...>
Subject: Re: hosts.{allow,deny} vs. iptables.
Date: Thu, 13 Oct 2005 05:28:05 -0700
quoth the Peter Volkov:
> Hello.
> Can anybody explain the differences, pro/con between the mentioned two
> approaches in the subject?
> I thought that the fewer programs I have on my server, the more secure it is.
> But the gentoo security guide and some people on this list suggest usage of
> hosts.allow, hosts.deny files, which only work if I have tcpd installed,
> thus another service which weakens server's security. But normally each
> server has iptables installed. So every sysadmin can obtain hosts.allow,
> hosts.deny functionality with a simple iptables rule like the following:
> iptables -A INPUT -s bad_host -j DROP
> This is the base functionality of iptables. No PoM is necessary for such
> kind of things.
> More. I think some portable bash script that will parse host.* files and
> create iptables rules is very simple to write!
> So why many people and security guides still suggest the use of tcpd
> over simple iptables rules?
> Thank you for your time,
> Peter.

This is a good question, and one for which I am anticipating many responses 
more informative and comprehensive than mine...all I can do is offer opinion.

As I see it, iptables is best used to guard the network gateway, and live 
internet servers, i.e. http, ftp, smtp, named etc...and tcpwrappers is best 
suited for internal LAN security, where you may want to easily control access 
to _many_ services host by host, i.e. NFS, samba, rsync, ssh, pop, imap etc...

I suppose the listing of services is arbitrary, depending on your 
circumstances. For me it comes down to iptables for servers directly 
accessible from the internet, and tcpwrappers for internal stuff.

darren kirby :: Part of the problem since 1976 ::
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
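Peter's "simple bash script that will parse host.* files and create iptables rules" is less simple than it sounds, because the two tools see different things: tcpd matches a daemon by name after the connection has been accepted, and its client_list may contain host names, `ALL`, `EXCEPT` and a trailing option such as `spawn`, all evaluated per connection; iptables matches a port and a literal address before accept() and knows nothing about host names at rule-load time. The script below is an added example written for this archive page, not code from the thread or from Gentoo; it converts the subset of hosts.deny that does translate cleanly and reports, on stderr, every line it has to drop. The daemon-to-port table (`port_for`), the function name `hosts_deny_to_iptables` and the sample input are all constructed here as assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: translate simple hosts.deny
# lines ("daemon_list : client_list") into iptables DROP rules and print
# them. Nothing is applied; pipe the output into sh once reviewed.
# The daemon-to-port table, function names and sample input below are
# all constructed here for illustration.

# tcpd matches a daemon by name after accept(); iptables needs a port.
# Hypothetical, non-exhaustive mapping (assumption: standard ports).
port_for() {
    case "$1" in
        sshd)           echo "22/tcp" ;;
        in.ftpd|vsftpd) echo "21/tcp" ;;
        ipop3d)         echo "110/tcp" ;;
        imapd)          echo "143/tcp" ;;
        *)              return 1 ;;
    esac
}

# Read hosts.deny text on stdin; print one iptables command per
# (daemon, client) pair. Anything tcpd can express that iptables cannot
# evaluate at rule-load time (host names, ALL, EXCEPT, a third
# ":option" field such as spawn) is reported on stderr and skipped.
# IPv6 literals are not handled (the colon splitting would break).
hosts_deny_to_iptables() {
    while IFS= read -r line; do
        line=${line%%#*}                         # strip comments
        if [ -z "$(printf '%s' "$line" | tr -d '[:space:]')" ]; then
            continue                             # blank line
        fi
        case "$line" in
            *:*:*) echo "# warn: option field ignored in: $line" >&2 ;;
        esac
        daemons=$(printf '%s' "$line" | cut -d: -f1 | tr ',' ' ')
        clients=$(printf '%s' "$line" | cut -d: -f2 | tr ',' ' ')
        for d in $daemons; do
            if ! pp=$(port_for "$d"); then
                echo "# skip: no port mapping for daemon '$d'" >&2
                continue
            fi
            port=${pp%/*}
            proto=${pp#*/}
            for c in $clients; do
                case "$c" in
                    *.)  echo "# skip: tcpd prefix form '$c' needs a CIDR mask" >&2
                         continue ;;
                    *[!0-9./]*)
                         echo "# skip: '$c' is not a literal IPv4 address; tcpd resolves it per connection" >&2
                         continue ;;
                esac
                echo "iptables -A INPUT -p $proto --dport $port -s $c -j DROP"
            done
        done
    done
}

# Constructed sample input (not a real configuration); run: sh thisfile.sh
sample='sshd : 10.0.0.5, 192.168.1.0/24
imapd, ipop3d : evil.example.com
ALL : 203.0.113.7 : spawn /bin/echo %c >> /var/log/tcpd-denied'
printf '%s\n' "$sample" | hosts_deny_to_iptables
```

Of the three sample lines only the first survives the translation, which is the practical point behind the thread: the iptables rule set is the stronger place to drop a known-bad address, since the packet never reaches the daemon, but a hosts.allow/hosts.deny policy written in terms of daemon names, DNS names and `ALL` has no one-to-one iptables equivalent, and a converter has to say so rather than silently narrowing the policy.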