Firewall Wizards mailing list archives

Re: IPChains vs. IPTables


From: Brian Hatch <firewall-wizards () ifokr org>
Date: Wed, 24 Jul 2002 09:22:39 -0700



Someone suggested that I use IPTables instead of IPchains, as IPTables is
more robust.  Is IPTables more secure for a given set of rules?

Depends on what you need to do.  IPTables has modules that
work well with the rest of netfilter, whereas they were not
so friendly before.

Say you needed to support inbound FTP (I offer my pity) and
want to have everything else disabled.  You'd hope that the
ipchains ftp module would let the secondary data channels
through automatically, but no such luck.  They'd still be blocked
by your standard 'block everything' rules, so you'd need to
open up a range of inbound ports (I'm assuming we're using PORT
not PASV here) that were not blocked, and configure your ftp
server to only use those ports.

Pain, isn't it?

In netfilter, the module does do what you expect, and those
extra channels are allowed correctly because you told the module
to allow them.  This is where application-aware filters succeed where
simple port-based ACLs die.


Then there's always the argument that iptables is the latest,
so most likely to be supported for a longer time.

(Not that some folks don't still use 2.0 kernels on their firewalls...)

--
Brian Hatch                  "I love talking about
   Systems and                nothing, it's the only
   Security Engineer          thing I know anything
www.buildinglinuxvpns.net     about."

Every message PGP signed
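
[Added example, not part of Brian's post or the list archive.  It writes out
the two approaches above as iptables rule sets so they can be compared side
by side: the stateful one, where the FTP conntrack helper makes the data
channels RELATED, and the port-range workaround, where a fixed range has to be
opened and the daemon pinned to it.  Everything concrete is an assumption:
the FTP daemon runs on the firewall host, the outside interface is eth0, the
pinned range is 40000-40100, and the variable and function names are mine.
One caveat a 2002-era reader would not have had: on current kernels the
helper is no longer attached to port 21 automatically, so the raw-table CT
rule is what actually turns nf_conntrack_ftp on for that traffic.]

```shell
#!/bin/sh
# Added example; not code from the original post.  Two rule sets for the case
# described there: inbound FTP allowed, everything else dropped.
# Hypothetical setup: FTP daemon on the firewall host, outside interface eth0.
# Needs a kernel with nf_conntrack_ftp (ip_conntrack_ftp on 2.4 kernels).

WAN_IF="${WAN_IF:-eth0}"   # assumed external interface
IPT="${IPT:-iptables}"     # iptables binary (iptables-legacy or iptables-nft)

# Stateful ruleset.  Only the control port (21) is opened by number.  The
# data connections, PORT or PASV, are accepted by the RELATED match because
# the ftp helper parses the control channel and registers the expected data
# connection with conntrack.  The raw-table CT rule attaches the helper
# explicitly; current kernels no longer do that automatically.
stateful_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $WAN_IF -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IPT -t raw -A PREROUTING -i $WAN_IF -p tcp --dport 21 -j CT --helper ftp
EOF
}

# The port-range workaround from the post, written as iptables for comparison.
# A fixed range (hypothetical default 40000-40100) stays open to the world and
# the FTP daemon must be configured to use only those ports, because nothing
# ties a connection in that range to a session on port 21.
port_range_rules() {
    data_lo="${1:-40000}"; data_hi="${2:-40100}"
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $WAN_IF -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -i $WAN_IF -p tcp --dport $data_lo:$data_hi -j ACCEPT
EOF
}

# How many rules in a ruleset open a port range (a --dport with a colon)?
# Zero for the stateful set, one for the workaround.
range_rule_count() {
    "$1" | grep -c -- '--dport [0-9][0-9]*:[0-9]' || true
}

# Load a ruleset, but only when APPLY=1 is set and we are root; otherwise just
# print it so it can be reviewed first.  sh -e stops at the first failing rule.
apply_rules() {
    if [ "$APPLY" != 1 ]; then
        echo "APPLY=1 not set; printing rules only" >&2
        "$1"
        return 0
    fi
    [ "$(id -u)" = 0 ] || { echo "must be root to apply rules" >&2; return 1; }
    "$1" | sh -e
}

apply_rules stateful_rules
```

Run it as-is to see the stateful ruleset; APPLY=1 as root loads it.  The
helper is the security-relevant part: it only expects the one data connection
announced on an already-accepted control session, whereas the range rule set
leaves a hundred ports open to any source at all times.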
