Educause Security Discussion mailing list archives

Re: IPtables versus Tcp_wrapper


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Thu, 4 Mar 2010 11:30:28 -0500

On 3 March 2010 18:01, Josh Richard <jrichar4 () d umn edu> wrote:

On Wed, 2010-03-03 at 16:51 -0500, Kevin Wilcox wrote:

iptables drops packets at the kernel level. tcp_wrappers is less ideal
as you expose the service to higher levels of the OS.  Most individuals
on this list would recommend iptables over tcp_wrappers.

Or, as Adam suggested, use both.

I find 'both' to be more of a support issue.  My recommendation given 1
choice is use iptables over tcp_wrappers as you do not have to ensure
something is compiled against lib_wrap.  That is an easy assumption to
break in shared administrative environments.

That's (partly) why I made the comment,

"with sufficient documentation that someone trying to troubleshoot
on the machine could follow the setup"

If you have multiple people with the authority to add/update/install
software, they need to document what they've done so whoever comes
along behind them knows what to expect.

The easy solution there (strict change management procedures aside) is
to have a policy that <x software> is compatible and is to be built
with support. In large Gentoo or BSD deployments you only need to
compile it once anyway, on the build server, then push the package out
to all the production machines, so in those environments that type of
policy is easily followed. I suppose another solution is the more
common, and that is that the package is provided by the vendor (a la
RedHat, Novell, Ubuntu, whoever) and the admins really aren't fussing
about with the compile options of their software.

In any case, are we in agreement that given the choice of one or the
other, the preferred method would be iptables as it drops packets?

If placed in the lamentable position of having to choose one or the
other, aye, I'd use the kernel-level firewall as these should almost
always be enabled, regardless of what other tools are available.

kmw


-- 
Kevin Wilcox
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
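The lib_wrap point made above in working form, as an added example that is not part of the thread: hosts.allow/hosts.deny only take effect for a daemon that is linked against libwrap (or run under tcpd), so a tcp_wrappers policy silently stops applying when a rebuilt or vendor-supplied binary drops that dependency, while an iptables rule on the same port applies to whatever listens there. The function and helper names and the sample ldd output are constructed for this example.

```shell
#!/bin/sh
# Classify captured ldd output: does the dynamic dependency list include
# libwrap? Only then will hosts.allow/hosts.deny be consulted by the daemon.
classify_ldd_output() {
    case "$1" in
        *libwrap.so*) echo wrapped ;;
        *)            echo unwrapped ;;
    esac
}

# Same check against a real binary on this host. Missing or statically
# linked binaries (no usable ldd output) are reported as "unknown".
libwrap_status() {
    bin="$1"
    [ -x "$bin" ] || { echo unknown; return; }
    out=$(ldd "$bin" 2>/dev/null) || { echo unknown; return; }
    classify_ldd_output "$out"
}

# Kernel-level equivalent of a hosts.allow entry admitting only the
# network $2 (CIDR) to TCP port $1; unlike tcp_wrappers it does not
# depend on how the listening daemon was built.
iptables_allow_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$1" "$2"
}

# Constructed ldd output: an sshd built with libwrap support, and the
# same daemon rebuilt without it (the "easy assumption to break").
WRAPPED_SAMPLE='	linux-vdso.so.1 (0x00007ffd00000000)
	libwrap.so.0 => /lib/libwrap.so.0 (0x00007f0000000000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'
UNWRAPPED_SAMPLE='	linux-vdso.so.1 (0x00007ffd00000000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'

# Audit helper: report which of the given binaries a hosts.allow policy
# would actually cover, so the gap can be closed with iptables.
audit_binaries() {
    for b in "$@"; do
        printf '%s: %s\n' "$b" "$(libwrap_status "$b")"
    done
}
```

Run `audit_binaries /usr/sbin/sshd /usr/sbin/vsftpd` on a host to see which daemons tcp_wrappers would protect; anything reported "unwrapped" or "unknown" needs the iptables rule instead.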
