TCP Wrappers vs. IPFilter

Regular Advisor

TCP Wrappers vs. IPFilter


I have a simple question. Does it make sense to use IPFilter with TCP Wrappers installed on the same box? I have IPFilter rules defined for me, and now I'm not sure about using TCP Wrappers also.
Some comments, hints will be appreciated.

Steven E. Protter
Exalted Contributor

Re: TCP Wrappers vs. IPFilter


When taking the RHCE exam, I managed to meet the security requirements of the exam with a single iptables (firewall, e.g. ipfilter) command.

There was no need to play at all with tcp wrappers.

The answer to your question is it depends on the requirements.

If you need to merely block hosts or an entire network, ipfilter will do the job. However if you must discriminate, for example let certain hosts use certain services, tcp wrappers may do the job.

I find it difficult to imagine needing both, but it's certainly possible to need both.

To avoid needless complexity, I'd study the security requirements and see which of the tools makes it easier to meet the requirements with minimal day to day intervention on your part.

The best sysadmins are usually the laziest. They come up with a scheme that does not require them to make frequent changes.

Steven E Protter
Owner of ISN Corporation
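The distinction Steven draws (a packet filter blocking hosts or networks, versus TCP Wrappers granting particular hosts particular services) comes down to two different rule-evaluation models. The following is an added example, not code from this thread or from HP-UX: a small Python evaluator that models IPFilter's "last matching rule wins unless it is quick" semantics beside TCP Wrappers' "hosts.allow first, then hosts.deny, otherwise allow" semantics, and then chains the two the way they sit on a real host (the packet filter sees the SYN before any wrapped daemon does). All rules, addresses and daemon names are constructed; the CIDR notation in the wrapper entries is a simplification of the net/mask patterns real hosts.allow uses.

```python
"""Toy evaluator contrasting IPFilter rule semantics with TCP Wrappers
access-control semantics. Added illustration; rules and hosts are constructed."""
import ipaddress

# --- IPFilter side ---------------------------------------------------------
# Rule = (action, quick, source network, destination port or None for any).
# IPFilter semantics: the LAST matching rule decides, unless a matching rule
# is marked 'quick', in which case evaluation stops right there.
IPF_RULES = [
    ("block", False, "0.0.0.0/0",    None),   # default: block everything
    ("pass",  False, "10.1.0.0/16",  22),     # ...but allow ssh from the LAN
    ("pass",  False, "10.1.2.0/24",  23),     # telnet only from the admin subnet
    ("block", True,  "10.1.99.0/24", None),   # quick: this subnet is always dropped
    ("pass",  False, "10.1.99.5/32", 22),     # never reached: the quick rule stops first
]

def ipf_decide(src, dport, rules=IPF_RULES):
    """Return 'pass' or 'block' for a TCP SYN from src to local port dport."""
    src_ip = ipaddress.ip_address(src)
    decision = "pass"   # assumed default when no rule matches at all
    for action, quick, net, port in rules:
        if src_ip in ipaddress.ip_network(net) and port in (None, dport):
            decision = action
            if quick:
                break
    return decision

# --- TCP Wrappers side -----------------------------------------------------
# Entry = (daemon list, client list). hosts.allow is consulted first and the
# first match grants access; then hosts.deny, first match refuses; no match
# anywhere means access is granted.
HOSTS_ALLOW = [
    (["sshd"], ["10.1.0.0/16"]),               # any LAN host may use ssh
    (["ftpd", "telnetd"], ["10.1.2.10"]),      # one admin box may use ftp/telnet
]
HOSTS_DENY = [
    (["ALL"], ["ALL"]),                        # everything else is refused
]

def _client_matches(pattern, src):
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(src)
    if "/" in pattern:                         # CIDR stands in for net/mask here
        return ip in ipaddress.ip_network(pattern)
    return ip == ipaddress.ip_address(pattern)

def _entry_matches(entry, daemon, src):
    daemons, clients = entry
    return (daemon in daemons or "ALL" in daemons) and \
        any(_client_matches(c, src) for c in clients)

def wrappers_decide(daemon, src, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' for a wrapped daemon handling a client src."""
    if any(_entry_matches(e, daemon, src) for e in allow):
        return "allow"
    if any(_entry_matches(e, daemon, src) for e in deny):
        return "deny"
    return "allow"

# --- Both in series --------------------------------------------------------
def layered_decide(src, dport, daemon):
    """The packet filter runs first; the wrapper only sees what it passed."""
    if ipf_decide(src, dport) != "pass":
        return "blocked by ipfilter"
    if wrappers_decide(daemon, src) != "allow":
        return "refused by tcp wrappers"
    return "connected"

if __name__ == "__main__":
    for src, port, daemon in [("10.1.2.10", 22, "sshd"), ("10.1.99.5", 22, "sshd"),
                              ("10.1.2.11", 23, "telnetd")]:
        print(src, port, daemon, "->", layered_decide(src, port, daemon))
```

Running it shows where each control earns its keep: the quick block rule drops the bad subnet before any daemon is involved, while the telnet case is passed by IPFilter (the whole admin subnet is allowed on port 23) and then refused by the wrapper because only one host is listed for telnetd. If IPFilter had been written with per-host port rules instead, the wrapper layer would add nothing, which is Steven's point about not running both without a reason.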
Robert Fritz
Regular Advisor

Re: TCP Wrappers vs. IPFilter

I do know though, that there is an HP team of developers supporting IPFilter, tuning it performance/reliability-wise, and integrating it into the network stack. I don't think TCPWrappers enjoys the same support. Also note that IPFilter has a pretty rich rule syntax. About the only thing I've seen TCPWrappers do that IPFilter can't is TCP port banners... I'm not sure how useful those are these days.
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
John Payne_2
Honored Contributor

Re: TCP Wrappers vs. IPFilter

You already have the firewall rules set up, what exactly are you trying to add with the tcp wrapper?

If you are trying to add logging, use the 'log' directive inside the IPTables configuration file:

block in log quick proto tcp/udp from any to any port = 13 #daytime

The log directive will log anytime that port is hit. By default, the log used is the syslog. It can be modified, however, in the startup script, /sbin/init.d/ipfboot:
ipmon -D /var/adm/syslog/ipf.log

My opinion, not knowing exactly what you are doing, but talking about it anyway, is that if you are happy with your firewall rules, why try to add complexity? It will just cause you headaches if you ever have a problem...

Hope it helps
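Once the log directive is on a rule and ipmon is writing to its own file as John shows, the next thing an admin wants is something that reads that file back. The following is an added example, not part of John's reply or of the IPFilter distribution: a Python summariser that parses ipmon-style lines, counts block events per source, and flags sources that have been blocked on several different ports. The sample lines are constructed in the field layout ipmon uses (date, time, interface, @group:rule, action letter, src,sport -> dst,dport, PR proto ...); the regex keys only on the fields from '@' onward, so a syslog prefix in front would not break it. The action letters and the threshold used for flagging are assumptions for the illustration.

```python
"""Summarise block events from an ipmon log. Added illustration; log lines
are constructed in the shape ipmon writes (field layout assumed)."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
12/03/2006 10:41:02.113245 lan0 @0:3 b 10.1.99.7,40211 -> 10.1.2.4,13 PR tcp len 20 60 -S IN
12/03/2006 10:41:02.318770 lan0 @0:3 b 10.1.99.7,40212 -> 10.1.2.4,21 PR tcp len 20 60 -S IN
12/03/2006 10:41:02.522301 lan0 @0:3 b 10.1.99.7,40213 -> 10.1.2.4,23 PR tcp len 20 60 -S IN
12/03/2006 10:41:05.004512 lan0 @0:2 p 10.1.2.10,51000 -> 10.1.2.4,22 PR tcp len 20 60 -S IN
12/03/2006 10:41:09.771004 lan0 @0:3 b 198.51.100.9,3321 -> 10.1.2.4,13 PR udp len 20 40 IN
this line is deliberately malformed and must be skipped by the parser
"""

# Key on the '@group:rule action src,sport -> dst,dport PR proto' core so a
# syslog header or different timestamp style in front does not matter.
LINE_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[pbSnL])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)"
    r"\s+PR\s+(?P<proto>\w+)"
)

def parse_line(line):
    """Return a dict of the interesting fields, or None for a line that
    does not look like an ipmon record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("group", "rule", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def events(text):
    """All parseable records from a log text, in order."""
    return [r for r in map(parse_line, text.splitlines()) if r]

def blocked_by_source(text):
    """Count of block ('b') events per source address."""
    return Counter(r["src"] for r in events(text) if r["action"] == "b")

def ports_probed(text):
    """Set of destination ports each source was blocked on."""
    probed = defaultdict(set)
    for r in events(text):
        if r["action"] == "b":
            probed[r["src"]].add(r["dport"])
    return dict(probed)

def flag_sweeps(text, min_ports=3):
    """Sources blocked on at least min_ports distinct ports: a crude but
    useful sign that something is walking the port list."""
    return sorted(src for src, ports in ports_probed(text).items()
                  if len(ports) >= min_ports)

if __name__ == "__main__":
    for src, n in blocked_by_source(SAMPLE_LOG).most_common():
        print(f"{src:16} blocked {n} time(s) on ports {sorted(ports_probed(SAMPLE_LOG)[src])}")
    print("possible sweeps:", flag_sweeps(SAMPLE_LOG))
```

Point it at /var/adm/syslog/ipf.log (or whatever path ipmon -D was given) by reading the file into text and passing that instead of SAMPLE_LOG. The one source hitting daytime, ftp and telnet in the same second is the kind of thing the log directive exists to surface; the single daytime hit from the other address is just noise until it repeats.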