Re: hosts.{allow,deny} vs iptables.
Joao Luis Meloni Assirati <assirati@visviva.com.br> writes:
> Recently I learned how to use linux2.4 netfilter. Since it is a fairly
> complete ip tool (tcp, udp, icmp), capable of a wide set of matchings
> (source IP, dest port, ...) and also able to LOG, it seemed to me that all
> hosts.{allow,deny} control through tcpd could be done by a convenient set
> of host based (i.e. not in a firewall gateway) iptables rules. More than
> this, speed seems to be improved by eliminating inetd - tcpd latency.
>
> I want to know if my point of view is right, or if there is any
> functionality that hosts.{allow,deny} scheme provides which iptables
> can't.
Yes, you can achieve the same control with netfilter as you can with
hosts.{allow,deny}. However, that doesn't mean you should throw out
tcp wrappers (even if that improves throughput).
# Rather easily done by putting ALL: ALL in your hosts.allow.
It is usually desirable to have more than one line of defense. Just
for the sake of argument, suppose you happened to
~# /etc/init.d/iptables clear
and as a result tear down your whole firewall. You'd be very happy to
have a hosts.deny lying around that says ALL: ALL. This example is perhaps
very unlikely to occur, but what if you happened to make a mistake in
your firewall rules or, eek!, a bug in the kernel code implementing
netfilter?
--
Olaf Meeuwissen Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
LPIC-2 -- I hack, therefore I am -- BOFH
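As an added example (not part of the message above, and not tcp wrappers' own code), a small Python evaluator of the hosts.allow/hosts.deny semantics the reply relies on: hosts.allow is consulted first, then hosts.deny, and anything unmatched is permitted, which is why an "ALL: ALL" in hosts.deny is the line that still holds when the firewall has been cleared. The sample files and addresses are constructed.

```python
import ipaddress
import re

def parse_rules(text):
    # Each rule is "daemon_list : client_list [: option]"; '#' comments and the
    # option field are ignored. Commas and whitespace both separate tokens.
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2:
            continue
        rules.append((re.split(r"[,\s]+", fields[0].strip()), re.split(r"[,\s]+", fields[1].strip())))
    return rules

def match_token(token, value):
    # One hosts_access(5) pattern against a daemon name or client address.
    if token.upper() == "ALL":
        return True
    if token.endswith("."):          # address prefix, e.g. "192.168.1."
        return value.startswith(token)
    if token.startswith("."):        # domain suffix, e.g. ".example.com"
        return value.endswith(token)
    if "/" in token:                 # net/mask, dotted mask or CIDR length
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return token == value

def match_list(tokens, value):
    # A list matches if any item matches, unless something after EXCEPT matches.
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return match_list(tokens[:i], value) and not match_list(tokens[i + 1:], value)
    return any(match_token(t, value) for t in tokens)

def hosts_access(daemon, client, allow_text, deny_text):
    # tcpd order: first match in hosts.allow grants, else first match in hosts.deny
    # refuses, else access is granted. Without "ALL: ALL" in hosts.deny, a cleared
    # firewall leaves every wrapped service open to everyone.
    for daemons, clients in parse_rules(allow_text):
        if match_list(daemons, daemon) and match_list(clients, client):
            return True
    for daemons, clients in parse_rules(deny_text):
        if match_list(daemons, daemon) and match_list(clients, client):
            return False
    return True

HOSTS_ALLOW = "sshd: 192.168.1., 10.0.0.0/255.255.255.0 EXCEPT 10.0.0.99\n"  # constructed sample
HOSTS_DENY = "ALL: ALL\n"  # the catch-all the reply recommends keeping around
```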