Re: hosts.allow - words of wisdom?
Alexander Kushnirenko <kushnir@pccmu1.fnal.gov> writes:
> > I'm actually using the IP firewall code in Linux 2.2.0-pre5 to provide
> > most of the protection to my system. My ipchains rules are as follows
> > (actually saved in /etc/ipchains.save and read by ipchains-restore in
> > /etc/init.d/network).
> Interesting, that's quite a new thought to me. I'm not a security expert at
> all of course. Do you have any web references or other relevant documents
> telling pro and cons of this technique, as opposed to TCP wrapper?
There's the Firewall HOWTO, and the IP Chains HOWTO in
/usr/doc/netbase/ipchains-HOWTO.txt.gz.
As a summary:
Pros:
* In the kernel, so it should be faster.
* Affects *everything*, including UDP (like the Network Time
Protocol server and Samba name server), and even if the
application doesn't use hosts.allow (like X11 and the DNS server).
Cons:
* More complex to configure.
* Harder to tell whether it will work right.
After thinking about it, I've actually changed my rules slightly, so
that the _only_ incoming TCP connections permitted are on the ident
port (for IRC and FTP servers), and on the ports from 1024 to 4999
from the "ftp-data" port, for FTP servers not in passive mode. Using
the kernel firewalling code I *know* that a bad application won't
leave my system open for abuse.
I do have to experiment a little with UDP, to see what's necessary to
permit Real Audio to work but keep out other packets. I could also
block some kinds of ICMP traffic that I'm not interested in.
--
Carey Evans http://home.clear.net.nz/pages/c.evans/
Larry froze. Was the bag a trap?
He could see the way in, but the other end appeared to be sealed.
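The policy Carey describes above (incoming TCP connection attempts allowed only to the ident port, and to 1024-4999 when they come from ftp-data, everything else denied) written out as an ipchains script. This is an added example, not the poster's actual /etc/ipchains.save, and it emits ipchains command lines rather than the ipchains-save file format. It assumes a single host with a loopback interface named lo; the anti-spoofing rule for 127.0.0.0/8 and the logging flag on the final deny are additions a practitioner would normally want, not something the post states.

```shell
#!/bin/sh
# Added example (not the original poster's ruleset): an ipchains "input" chain
# that permits incoming TCP connections only to ident (113) and to ports
# 1024-4999 from the ftp-data port (20, for active-mode FTP servers).
# ipchains has no connection tracking, so "a connection attempt" is
# approximated by "-y": a TCP packet with SYN set and ACK/FIN clear.
# Non-SYN TCP packets (replies to connections this host opened), UDP and
# ICMP are left alone by this chain; the post says those still need work.
# Assumption: the loopback interface is called "lo".

# Print the ruleset as ipchains command lines, one per line, in order.
gen_rules() {
    cat <<'EOF'
ipchains -F input
ipchains -P input ACCEPT
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i ! lo -s 127.0.0.0/8 -j DENY
ipchains -A input -p tcp -y --dport 113 -j ACCEPT
ipchains -A input -p tcp -y --sport 20 --dport 1024:4999 -j ACCEPT
ipchains -A input -p tcp -y -l -j DENY
EOF
}

# Number of rules that ACCEPT something (sanity check before applying).
count_accepts() {
    gen_rules | grep -c -- '-j ACCEPT'
}

# The last rule must be the catch-all deny for SYN packets; anything that
# is not matched by an earlier ACCEPT ends up here and is logged ("-l").
last_rule() {
    gen_rules | tail -n 1
}

# Apply the rules for real. Only runs if ipchains is installed (2.2 kernels);
# on anything else it just reports and returns non-zero.
apply_rules() {
    if command -v ipchains >/dev/null 2>&1; then
        gen_rules | sh -e
    else
        echo "ipchains not found; rules not applied" >&2
        return 1
    fi
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no arguments to see the rules, or as root with "apply" on a 2.2 kernel. Because rule order matters, check the result with "ipchains -L input -n -v" and then try a connection from another host to a port other than 113: the SYN should be dropped and show up in the kernel log, while an outgoing connection from this host (and its replies, which carry ACK and so do not match "-y") still works.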