TCP Wrappers vs. IPFilter
10-24-2007 10:28 PM
Hi,
I have a simple question. Does it make sense to use IPFilter with TCP Wrappers installed on the same box? I have IPFilter rules defined for me, and now I'm not sure about using TCP Wrappers also.
Some comments, hints will be appreciated.
N.
10-24-2007 11:28 PM
Solution
Shalom,
When taking the RHCE exam, I managed to meet the security requirements of the exam with a single iptables (firewall, e.g. ipfilter) command.
There was no need to play at all with tcp wrappers.
The answer to your question is it depends on the requirements.
If you need to merely block hosts or an entire network, ipfilter will do the job. However if you must discriminate, for example let certain hosts use certain services, tcp wrappers may do the job.
I find it difficult to imagine needing both, but it's certainly possible to need both.
To avoid needless complexity, I'd study the security requirements and see which of the tools makes it easier to meet the requirements with minimal day-to-day intervention on your part.
The best sysadmins are usually the laziest. They come up with a scheme that does not require them to make frequent changes.
sEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
10-26-2007 04:57 AM
Re: TCP Wrappers vs. IPFilter
I do know though, that there is an HP team of developers supporting IPFilter, tuning it performance/reliability-wise, and integrating it into the network stack. I don't think TCPWrappers enjoys the same support. Also note that IPFilter has a pretty rich rule syntax. About the only thing I've seen TCPWrappers do that IPFilter can't is TCP port banners... I'm not sure how useful those are these days.
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
10-26-2007 07:11 AM
Re: TCP Wrappers vs. IPFilter
You already have the firewall rules set up, what exactly are you trying to add with the tcp wrapper?
If you are trying to add logging, use the 'log' directive inside the IPTables configuration file:
block in log quick proto tcp/udp from any to any port = 13 #daytime
The log directive will log anytime that port is hit. By default, the log used is the syslog. It can be modified, however, in the startup script, /sbin/init.d/ipfboot:
ipmon -D /var/adm/syslog/ipf.log
My opinion, not knowing exactly what you are doing, but talking about it anyway, is that if you are happy with your firewall rules, why try to add complexity? It will just cause you headaches if you ever have a problem...
Hope it helps
John
Spoon!!!!
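Added example, not part of the reply above or of any HP tooling: once a rule carries the `log` keyword and ipmon writes to a file such as /var/adm/syslog/ipf.log, the blocked hits can be summarised per source address and destination port. The record layout, the interface name lan0 and the sample lines are constructed assumptions; check them against your own log before relying on the field positions.

```shell
#!/bin/sh
# Summarise blocked packets recorded by ipmon (added example).
# Assumed ipmon text layout (verify against your own log):
#   <date> <time> <iface> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport> PR <proto> ...
# where action "b" means the packet was blocked by a rule.

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
24/10/2007 22:41:03.120001 lan0 @0:1 b 192.0.2.10,40112 -> 198.51.100.5,13 PR tcp len 20 60 -S IN
24/10/2007 22:41:04.220417 lan0 @0:1 b 192.0.2.10,40113 -> 198.51.100.5,13 PR tcp len 20 60 -S IN
24/10/2007 22:41:09.003310 lan0 @0:1 b 203.0.113.7,5353 -> 198.51.100.5,13 PR udp len 20 29 IN
24/10/2007 22:42:15.771200 lan0 @0:2 p 192.0.2.44,51000 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
this line is not an ipmon record
EOF
}

# Print "count src_ip dst_port proto" for blocked packets, busiest first.
# Reads ipmon text on stdin. The "->" token is used as the anchor, so a
# syslog prefix in front of the record does not shift the fields.
summarise_blocked() {
  awk '
    {
      for (i = 3; i < NF; i++) if ($i == "->") break
      if (i >= NF || $(i-2) != "b") next      # not a record, or not blocked
      split($(i-1), s, ",")                    # source ip, source port
      n = split($(i+1), d, ",")                # destination ip, destination port
      proto = "?"
      for (j = i + 2; j < NF; j++) if ($j == "PR") { proto = $(j+1); break }
      port = (n > 1) ? d[2] : "-"              # records without a port (e.g. ICMP)
      hits[s[1] " " port " " proto]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample; on a real host, feed the log file
# to summarise_blocked on stdin instead.
sample_log | summarise_blocked
```

A source that keeps reappearing against one port in this summary is a candidate for a dedicated block rule without `log`, which keeps the log file readable.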