
Re: hosts.{allow,deny} vs iptables.



hello,

tcpd offers another layer of security in your application ACL
scheme, which is always a good thing. Another point is that you can
have more control on who does what from where; you can match on usernames,
which is something that iptables can't do as it acts at an underlying
level. Security is a matter of choice and most of the time depends
on the equation way to protect / power of the attacker. I'd recommend
using both, as it is better to have more than not enough security
checks.

hope that helps,

JeF

On Mon, Mar 04, 2002 at 09:14:27AM +0900, Olaf Meeuwissen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Joao Luis Meloni Assirati <assirati@visviva.com.br> writes:
> 
> > Recently I learned how to use linux2.4 netfilter. Since it is a fairly
> > complete ip tool (tcp, udp, icmp), capable of a wide set of matchings
> > (source IP, dest port, ...) and also able to LOG, it seemed to me that all
> > hosts.{allow,deny} control through tcpd could be done by a convenient set
> > of host based (i.e. not in a firewall gateway) iptables rules. More than
> > this, speed seems to be improved by eliminating inetd - tcpd latency.
> > 
> > I want to know if my point of view is right, or if there is any
> > functionality that hosts.{allow,deny} scheme provides which iptables
> > can't.
> 
> Yes, you can achieve the same control with netfilter as you can with
> hosts.{allow,deny}.  However, that doesn't mean you should throw out
> tcp wrappers (even if that improves throughput).
> 
> # Rather easily done by putting ALL: ALL in your hosts.allow.
> 
> It is usually desirable to have more than one line of defense.  Just
> for the sake of argument, suppose you happened to
> 
>   ~# /etc/init.d/iptables clear
> 
> and as a result tear down your whole firewall.  You'd be very happy to
> have a hosts.deny lying around that says ALL: ALL.  This example is perhaps
> very unlikely to occur, but what if you happened to make a mistake in
> your firewall rules or, eek!, a bug in the kernel code implementing
> netfilter?
> - -- 
> Olaf Meeuwissen                            Epson Kowa Corporation, CID
> GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
> LPIC-2               -- I hack, therefore I am --                 BOFH
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.6 <http://mailcrypt.sourceforge.net/>
> 
> iD8DBQE8grxhFsfyfWvjfZARAlNpAJ9R9limzM711W+n0HU+r91/QGtToACgxi0X
> JSPo/zUMHGqKp4Vdk/zp8Go=
> =doh1
> -----END PGP SIGNATURE-----
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 
-> Jean-Francois Dive
--> jef@linuxbe.org
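To make the two points in this thread concrete (the hosts_access(5) evaluation order with a default-deny hosts.deny, the user@host match that only tcpd can express, and the fact that a cleared firewall leaves the wrapper layer intact), here is an added example that is not part of the list post and not tcp_wrappers' own code. It is a simplified Python model of how tcpd evaluates /etc/hosts.allow and /etc/hosts.deny: the sample file contents are constructed, only a subset of the pattern syntax is modelled (ALL, LOCAL, net/mask, address prefix, hostname suffix, user@host; no EXCEPT, no IPv6), the ident username is passed in as a parameter rather than looked up, and the "firewall" is a hypothetical two-rule ruleset standing in for iptables.

```python
import re
import ipaddress

# Constructed sample files (not from the list post). hosts.deny carries the
# ALL: ALL default-deny Olaf recommends; hosts.allow lists the exceptions,
# including an ident-based user@host rule that an iptables match cannot express.
HOSTS_ALLOW = """
# daemon_list : client_list
sshd    : 192.168.1.0/255.255.255.0
sshd    : alice@10.0.0.7
in.ftpd : LOCAL
"""
HOSTS_DENY = """
ALL : ALL
"""


def parse(text):
    """Turn a hosts.allow/hosts.deny body into [(daemon_patterns, client_patterns)]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, clients = (f.strip() for f in line.split(":", 1))
        rules.append((re.split(r"[,\s]+", daemons), re.split(r"[,\s]+", clients)))
    return rules


def daemon_matches(patterns, daemon):
    return any(p == "ALL" or p == daemon for p in patterns)


def client_matches(pattern, addr, host, user):
    """Match one client pattern from the hosts_access(5) subset modelled here."""
    if "@" in pattern:                            # user@host: needs an ident username
        want_user, host_pat = pattern.split("@", 1)
        return (want_user == "ALL" or want_user == user) and client_matches(host_pat, addr, host, user)
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                        # hostname without a dot, per the manpage
        return bool(host) and "." not in host
    if "/" in pattern:                            # n.n.n.n/m.m.m.m network/mask form
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.startswith("."):                   # hostname suffix, e.g. .example.org
        return host.endswith(pattern)
    if pattern.endswith("."):                     # address prefix, e.g. 192.168.
        return addr.startswith(pattern)
    return pattern in (addr, host)                # exact address or hostname


def hosts_access(daemon, addr, host="", user="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: a hosts.allow match grants, then a hosts.deny match
    refuses, and a (daemon, client) pair matching neither file is granted."""
    for daemons, clients in parse(allow):
        if daemon_matches(daemons, daemon) and any(client_matches(c, addr, host, user) for c in clients):
            return True
    for daemons, clients in parse(deny):
        if daemon_matches(daemons, daemon) and any(client_matches(c, addr, host, user) for c in clients):
            return False
    return True


# Hypothetical host firewall standing in for iptables: one ACCEPT rule for
# the LAN to port 22 and a DROP policy for everything else.
FIREWALL_RULES = [("192.168.1.0/24", 22, "ACCEPT")]
FIREWALL_POLICY = "DROP"


def firewall_accepts(addr, port):
    for net, dport, target in FIREWALL_RULES:
        if dport == port and ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net):
            return target == "ACCEPT"
    return FIREWALL_POLICY == "ACCEPT"


def connection_allowed(firewall_loaded, daemon, addr, host="", user="", port=22):
    """Both layers must agree; with the firewall cleared, the wrappers still decide."""
    if firewall_loaded and not firewall_accepts(addr, port):
        return False
    return hosts_access(daemon, addr, host, user)


if __name__ == "__main__":
    print("LAN ssh, firewall up     :", connection_allowed(True, "sshd", "192.168.1.10"))
    print("alice@10.0.0.7, fw up    :", connection_allowed(True, "sshd", "10.0.0.7", user="alice"))
    print("alice@10.0.0.7, fw clear :", connection_allowed(False, "sshd", "10.0.0.7", user="alice"))
    print("bob@10.0.0.7, fw clear   :", connection_allowed(False, "sshd", "10.0.0.7", user="bob"))
```

The last two lines of the demo are the thread's argument in miniature: after the equivalent of `/etc/init.d/iptables clear`, the default-deny in hosts.deny still refuses everyone the allow file does not name, and the user@host rule separates alice from bob on the same address, which the firewall layer alone could not do.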
