[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: hosts.deny vs iptables



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 24 May 2006 10:08:32 -0400 Ed Kim <ed kim rhatbox com> wrote:

> jdow wrote:
> > From: "Bruno Wolff III" <bruno wolff to>
> >>  CodeHeads <codeheads gmail com> wrote:
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>> Hello all,
> >>> I searched the archives and google and did not find what i was 
> >>> looking for.
> >>>
> >>> This is my setup:
> >>> Web Server with virtual hosts; FC4; IPTables and SELinux Running
> >>>
> >>> My questions is which is better, IPTables or hosts.deny???
> >>
> >> You want to use iptables. There may be some benefit to using 
> >> hosts.deny/allow
> >> in that you can do dns look ups at the time of connection rather than 
> >> when
> >> the rules are set up. While you don't want to depend on DNS for 
> >> access, it
> >> is reasonable to use it do deny access in most situations.
> >>
> >>> I read some where, cannot remember, that hosts.deny does not read httpd
> >>> requests??
> >>
> >> For apache, you can configure allowed and denied hosts in httpd.conf 
> >> and you
> >> don't need hosts.deny/allow.
> >>
> >>>
> >>> I am mostly concerned in blocking IP ranges with either.
> >>
> >> For this case it is probably best to build these restrictions into your
> >> iptables rules.
> > 
> > Please, may I be obnoxious and introduce Belt and Suspenders to Mr.
> > Elastic Band, who is expected to work with them?
> > 
> > In depth defense is worth while. It also allows for interesting
> > fine tuning potentials.
> > 
> > {^_-}
> > 
> 
> There is a significant difference between hosts.deny and iptables.
> Iptables is a firewall, therefore it is the first line of defense 
> between your computer and the outside world.  If you want to make sure 
> something or someone doesnt get into your computer, use Iptables.
> 
> Hosts.deny is another layer of protection but it only works with TCP 
> wrapped applications.  Some examples of TCPwrapped apps are sshd, 
> xinetd, and sendmail...  you can tell if an application uses TCP 
> wrappers by the command
> strings -f /usr/sbin/sshd | grep hosts_access
> Because, apache does not use TCP wrappers, hosts.deny would be 
> ineffective for http requests.

Ed,
Thank you, That what I was looking for to verify what I have learned so far.

Question on entering IP address in IPTables, say I want to add a range to block
the whole ip range of 10.0.0.0 (example of course)
Can I do this:
$iptables -A FORWARD -p tcp -s 10. -i eth0 -j DROP
OR
$iptables -A FORWARD -p tcp -s 10.* -i eth0 -j DROP

Thanks for all the input.

Will
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEdHHPfw3TK8jhZrsRAh40AJwJbBSddgupzg813SpyXb01Wn1p5gCguAan
mZ87IHx4RANb4+MVbEcrVPM=
=mW7/
-----END PGP SIGNATURE-----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]