
Re: tcp wrapper

--- Daniel Pittman <daniel@rimspace.net> wrote:

> On 25 Oct 2004, michal wrote:
> > What's the difference between firewall and TCP wrapper? 
> A firewall deals with packet and flow management below the protocol
> level.
> TCP wrapper is a per-application mechanism for determining access on an
> IP (or DNS name) basis.
> Both do the same task, but a firewall (iptables, say) is a /much/ more
> general purpose tool.
> > If I have installed iptables should I also install tcp wrapper? 
> No, not really.  There just isn't much point in having two tools do the
> same job.  The basic firewall rules should allow/deny access to services
> just as effectively.
> You can't use iptables to do the DNS reverse lookup stuff that
> TCPwrappers can do at connection time, but then, you don't do that if
> you want security anyway. :)
A special note for the pre-ssh days.  When telnetting into a box it may
appear to be unresponsive for up to a minute!  This is due to a *REVERSE*
DNS lookup done by the *SERVER*.  It's not possible to bypass this by using
the IP for your telnet client (it's not the same thing).

This lookup is a great *tool* for client authentication (provided the
connection is not spoofed); for instance, you can block all of mpaa.org and
microsoft.com from using your inetd-started servers.  Hmm, maybe I'll get
gtkg to link with tcpwrapper. :)

> > What advantages will I have after installing tcp wrapper?
> None, really.
>         Daniel
> -- 
> I can't understand why anybody would want to devote their life to
> a cause like dope. It's the most boring pastime I can think of.
> It ranks a close second to television.
>         -- Frank Zappa
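
The name-based check discussed in this message, as an added example that is not part of the original post and not tcp_wrappers' own code: a simplified Python model of a hosts.allow/hosts.deny-style hostname rule, with the forward confirmation a reverse-DNS name needs before it can be trusted. The DNS tables, addresses and function names are constructed for illustration.

```python
# Added example: simplified model of a tcp_wrappers-style hostname rule.
# DNS answers are constructed (RFC 5737 documentation addresses), so it runs offline.

PTR = {  # reverse DNS: set by whoever controls the address's reverse zone
    "192.0.2.10": "gw.mpaa.org",
    "203.0.113.5": "trusted.example.org",   # claims a name it does not own
    "198.51.100.7": "host.example.net",
}
FWD = {  # forward DNS: set by whoever controls the name's zone
    "gw.mpaa.org": {"192.0.2.10"},
    "trusted.example.org": {"198.51.100.99"},
    "host.example.net": {"198.51.100.7"},
}

def client_name(ip, ptr=PTR, fwd=FWD):
    """Verified host name, 'paranoid' on name/address mismatch, 'unknown' if no PTR."""
    name = ptr.get(ip)
    if name is None:
        return "unknown"
    # Forward confirmation: the claimed name must resolve back to the same IP.
    if ip not in fwd.get(name.lower(), set()):
        return "paranoid"
    return name.lower()

def matches(pattern, name):
    """Support ALL, UNKNOWN, PARANOID, exact names and '.domain' suffix patterns."""
    if pattern.upper() == "ALL":
        return True
    if name in ("unknown", "paranoid"):
        return pattern.upper() == name.upper()   # only the wildcards match these
    if pattern.startswith("."):
        return len(name) > len(pattern) and name.endswith(pattern.lower())
    return name == pattern.lower()

def decide(ip, allow=(), deny=()):
    """Allow rules first, then deny rules; no match at all grants access."""
    name = client_name(ip)
    if any(matches(p, name) for p in allow):
        return "allow"
    if any(matches(p, name) for p in deny):
        return "deny"
    return "allow"
```

A deny list keyed on names only covers clients whose PTR record verifies; an allow list followed by a deny of ALL fails closed instead.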

