Educause Security Discussion mailing list archives
Re: IPtables versus Tcp_wrapper
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Thu, 4 Mar 2010 11:30:28 -0500
On 3 March 2010 18:01, Josh Richard <jrichar4 () d umn edu> wrote:
On Wed, 2010-03-03 at 16:51 -0500, Kevin Wilcox wrote:
iptables drops packets at the kernel level. tcp_wrappers is less ideal as you expose the service to higher levels of the OS. Most individuals on this list would recommend iptables over tcp_wrappers.
Or, as Adam suggested, use both.
I find 'both' to be more of a support issue. My recommendation given 1 choice is use iptables over tcp_wrappers as you do not have to ensure something is compiled against lib_wrap. That is an easy assumption to break in shared administrative environments.
That's (partly) why I made the comment, "with sufficient documentation that someone trying to troubleshoot on the machine could follow the setup." If you have multiple people with the authority to add/update/install software, they need to document what they've done so whoever comes along behind them knows what to expect. The easy solution there (strict change management procedures aside) is to have a policy that <x software> is compatible and is to be built with support. In large Gentoo or BSD deployments you only need to compile it once anyway, on the build server, then push the package out to all the production machines, so in those environments that type of policy is easily followed. I suppose another solution is the more common, and that is that the package is provided by the vendor (a la RedHat, Novell, Ubuntu, whoever) and the admins really aren't fussing about with the compile options of their software.
In any case, are we in agreement that given the choice of one or the other, the preferred method would be iptables as it drops packets?
If placed in the lamentable position of having to choose one or the other, aye, I'd use the kernel-level firewall as these should almost always be enabled, regardless of what other tools are available.

kmw
--
Kevin Wilcox
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
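The thread's two points are that tcp_wrappers decides inside the daemon after the kernel has already accepted the connection, and that it only protects daemons actually linked against libwrap, whereas iptables filters in the kernel for every service. The following is an added example written for this archive page, not code from the thread, from tcp_wrappers or from the iptables project: it models the hosts.allow / hosts.deny decision order described in hosts_access(5) for a subset of the client syntax, and renders the same policy as iptables INPUT rules so an administrator migrating in the direction the thread recommends can compare the two. The PORT_MAP daemon-to-port table and the sample rules are constructed for the example; IPv4 only, and option fields such as spawn are ignored.

```python
"""Evaluate tcp_wrappers-style access rules and render the same policy for iptables.

Constructed example, not code from the mailing-list thread. It models the
hosts.allow / hosts.deny decision order from hosts_access(5) for a subset of
the client syntax (ALL, exact address, trailing-dot prefix, addr/netmask,
addr/prefixlen, EXCEPT) and emits equivalent iptables INPUT rules so the same
policy can be enforced in the kernel, before any daemon sees the connection.
IPv4 only; option fields (e.g. spawn) are ignored.
"""
import ipaddress

# Constructed daemon-to-port map standing in for /etc/services lookups.
PORT_MAP = {"sshd": 22, "vsftpd": 21, "in.telnetd": 23}


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines.

    Returns (daemons, clients, except_clients) tuples; comments, blank lines
    and anything after the second colon are ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        client_field = fields[1] if len(fields) > 1 else "ALL"
        clients, _, excepts = client_field.partition(" EXCEPT ")
        rules.append((fields[0].split(), clients.split(), excepts.split()))
    return rules


def client_matches(pattern, client_ip):
    """Match one hosts_access client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # '192.168.1.' matches 192.168.1.0/24
        return client_ip.startswith(pattern)
    addr = ipaddress.IPv4Address(client_ip)
    if "/" in pattern:                 # net/netmask or net/prefixlen
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    return addr == ipaddress.IPv4Address(pattern)


def rule_matches(rule, daemon, client_ip):
    """A rule fires when daemon and client match and no EXCEPT pattern does."""
    daemons, clients, excepts = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    if not any(client_matches(p, client_ip) for p in clients):
        return False
    return not any(client_matches(p, client_ip) for p in excepts)


def decide(daemon, client_ip, allow_text, deny_text):
    """hosts_access(5) order: allow file, then deny file, otherwise permit.

    This check runs inside the daemon after the kernel has already completed
    the TCP handshake, and only daemons linked against libwrap consult it.
    """
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return "allow"
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"


def to_source(pattern):
    """Convert a client pattern to an iptables -s argument (None means any)."""
    if pattern == "ALL":
        return None
    if pattern.endswith("."):
        octets = pattern.rstrip(".").split(".")
        return ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    if "/" in pattern:
        return str(ipaddress.IPv4Network(pattern, strict=False))
    return pattern + "/32"


def to_iptables(allow_text, deny_text, port_map=PORT_MAP):
    """Render the policy as iptables rule arguments, ACCEPT rules before DROP rules.

    A rule with an EXCEPT clause gets its own user chain so the carve-out
    RETURNs to INPUT (as a non-matching allow entry falls through to
    hosts.deny) instead of dropping outright.
    """
    lines, chain_no = [], 0
    for target, text in (("ACCEPT", allow_text), ("DROP", deny_text)):
        for daemons, clients, excepts in parse_rules(text):
            names = port_map if "ALL" in daemons else daemons
            for port in (port_map[d] for d in names):
                for client in clients:
                    match = f"-p tcp --dport {port}"
                    src = to_source(client)
                    if src:
                        match += f" -s {src}"
                    if not excepts:
                        lines.append(f"-A INPUT {match} -j {target}")
                        continue
                    chain_no += 1
                    chain = f"WRAP{chain_no}"
                    lines.append(f"-N {chain}")
                    lines.append(f"-A INPUT {match} -j {chain}")
                    for exc in excepts:
                        lines.append(f"-A {chain} -s {to_source(exc)} -j RETURN")
                    lines.append(f"-A {chain} -j {target}")
    return lines
```

Because the decision order is "allow file, then deny file, then permit", the translator emits the ACCEPT rules first and the DROP rules after them, so first-match evaluation in the kernel yields the same answer the daemon would have reached; the difference is that a dropped packet never completes a handshake, and the rules apply to a daemon whether or not it was built with libwrap.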
Current thread:
- IPtables versus Tcp_wrapper Griese, Steven A. (Mar 03)
- <Possible follow-ups>
- Re: IPtables versus Tcp_wrapper Adam Garside (Mar 03)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 03)
- Re: IPtables versus Tcp_wrapper Kevin Wilcox (Mar 03)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 03)
- Re: IPtables versus Tcp_wrapper Adam Garside (Mar 03)
- Re: IPtables versus Tcp_wrapper Kevin Wilcox (Mar 04)
- Re: IPtables versus Tcp_wrapper Valdis Kletnieks (Mar 04)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 04)
- Re: IPtables versus Tcp_wrapper Valdis Kletnieks (Mar 04)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 04)