
Re: tcp wrapper

On Sun, Oct 24, 2004 at 11:14:48PM -0700, michal wrote:
> What's the difference between a firewall and a TCP wrapper?

A firewall is a somewhat general term, and one could argue that
tcpwrappers are a form of firewall.

> If I have
> installed iptables should I also install tcp wrapper? What advantages
> will I have after installing tcp wrapper?

They work on different levels. tcpwrappers runs in user mode and
generally accepts the connection, obtains the remote client info (IP
address/port), performs a DNS lookup if necessary, and then, basing its
decision on the /etc/hosts.* files, either lets the service in question
run or rejects the connection.

Netfilter (which is the firewalling part of iptables) works in kernel
mode and deals with individual packets (although the state automaton
allows one to treat established connections differently). Apart from
the fact that it works with numeric addresses only (it cannot perform
DNS lookups after having been set up), it is a more general mechanism
than tcpwrappers, since it can deal with protocols other than TCP and
UDP (does tcpwrappers support UDP at all?).

Generally, tcpwrappers is simpler to set up, provided that the service
can be launched from inetd or is linked with tcpwrappers. However, it has
higher overhead, and therefore may underperform in case of a heavy DoS


Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
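As an added illustration of the user-mode decision described in the reply above (example code, not part of Marcin's message or of the tcpwrappers sources), here is a small Python model of the hosts_access(5) logic tcpd applies: hosts.allow is consulted first, then hosts.deny, and a connection that matches neither is permitted. The rule files and client addresses are constructed; the hostname argument stands for the result of the reverse DNS lookup the wrapper performs, so leading-dot domain patterns cannot match when that lookup fails.

```python
import ipaddress

# Constructed sample rule files in hosts_access(5) syntax (daemon_list : client_list).
HOSTS_ALLOW = """
# allow ssh from the local LAN and from one trusted domain
sshd: 192.168.1.0/255.255.255.0, .trusted.example
# allow everything from loopback
ALL: 127.0.0.1
"""
HOSTS_DENY = """
ALL: ALL
"""

def parse_rules(text):
    """Return a list of (daemons, clients) tuples; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, addr, hostname):
    """Match one client pattern the way tcpd does: ALL, net/mask,
    trailing-dot IP prefix, leading-dot domain suffix, or exact name/IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):               # e.g. 192.168.1.
        return addr.startswith(pattern)
    if pattern.startswith("."):             # e.g. .trusted.example (needs a DNS name)
        return hostname is not None and hostname.endswith(pattern)
    return pattern in (addr, hostname)

def rule_matches(rules, daemon, addr, hostname):
    return any((daemon in ds or "ALL" in ds) and
               any(client_matches(c, addr, hostname) for c in cs)
               for ds, cs in rules)

def hosts_access(daemon, addr, hostname=None):
    """tcpd decision: hosts.allow first, then hosts.deny, else permit."""
    if rule_matches(parse_rules(HOSTS_ALLOW), daemon, addr, hostname):
        return True
    if rule_matches(parse_rules(HOSTS_DENY), daemon, addr, hostname):
        return False
    return True
```

The "ALL: ALL" line in hosts.deny is what turns the default-permit behaviour into default-deny; without it, a client matching nothing in either file would be let through.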
