
#1 2009-08-06 21:49:48

Profjim
Member
From: NYC
Registered: 2008-03-24
Posts: 658

/etc/hosts.allow versus iptables/firewall?

What's the relation between the /etc/hosts.allow and /etc/hosts.deny files, on the one hand, and a host firewall on the other? If I'm going to configure iptables on a machine, is there any point to having any non-trivial rules in /etc/hosts.allow and /etc/hosts.deny too? Or should I just set them to let everything connect and do all my configuration through iptables?

(Well, really, I'm going to use some iptables-for-dummies tool like ufw or firehol.)


#2 2009-08-06 23:04:52

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: /etc/hosts.allow versus iptables/firewall?

Well, there is no possible comparison. They are just 2 different things.

The iptables firewall is a wrapper, which can deny specific packets (connections, etc.).
It will certainly block any connection you specify.

On the other hand, the hosts files are just a few rules which are interesting for the daemons which support them (ssh, for example).
The daemons read the file, then choose what to do.

Look in this wiki for a good example of an iptables firewall:
http://wiki.archlinux.org/index.php/Sim … wall_HOWTO


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.


#3 2009-08-06 23:09:02

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,223

Re: /etc/hosts.allow versus iptables/firewall?

iptables works inside the kernel with the network stack to inspect and apply rules to any and all network traffic passing through the box.

The hosts.allow and hosts.deny files are wrappers, which rely on the application they are 'protecting' to call them in order for them to work. They are also a lot more basic in what they can do - this service, from this IP address, allow or deny - while iptables gives you a lot more options with the inspection and matching of traffic, and with what you can do with it.


#4 2009-08-08 22:07:41

briest
Member
From: Katowice, PL
Registered: 2006-05-04
Posts: 468

Re: /etc/hosts.allow versus iptables/firewall?

I cannot agree that hosts.{allow,deny} are 'a lot more basic' ;) They're different from iptables, they work on a different level and offer different capabilities, but it would be much harder with iptables to grant/deny access according to:
- ident lookup
- NIS netgroup
- domain name
- consistent ip->name and name->ip mapping
and so on; man 5 hosts_access and man hosts_options contain some examples. On the actions side, in addition to granting or denying access, an arbitrary command can be run in parallel with or instead of the called service, with some useful information about the connection available as %variables.

Tcp_wrappers do not have to be called by the protected service itself; they can be used with everything that uses TCP and can be run via (x)inetd, with a little help from tcpd(8).

I prefer iptables myself (no use in letting unwanted traffic pass any further than strictly necessary), but tcp_wrappers make a really nice and useful complementary solution.

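The replies above describe what the wrappers do (daemon, client, allow or deny; first match in hosts.allow wins, then hosts.deny, otherwise allow) and the client patterns hosts_access(5) supports (ALL, LOCAL, domain suffix, address prefix, net/mask, EXCEPT). The following is an added example, not code from the thread or from the tcp_wrappers project: a small Python evaluator that applies those rules to constructed hosts.allow and hosts.deny texts. The sample rule files, host names and addresses are invented for illustration; the evaluator assumes the name/address pair it is handed has already been resolved and deliberately leaves out the PARANOID reverse-lookup check, ident (user@host) patterns and the spawn/twist options that briest mentions. Accepting a CIDR prefix length as well as a dotted netmask is also an assumption, since older tcp_wrappers builds only take the net/mask form for IPv4.

```python
import ipaddress
import re

# Constructed sample files, written in hosts_access(5) syntax.
# They are not from the thread; they only exercise the pattern types
# discussed above (net/mask, host name, LOCAL, domain suffix, EXCEPT).
HOSTS_ALLOW = """\
# ssh from the office LAN, or from one admin box identified by name
sshd : 192.168.1.0/255.255.255.0, admin.example.com
# hosts without a dot in their name (same local domain) may use any daemon
ALL : LOCAL
# ftp from the company domain, except one host we want kept out
vsftpd : .example.com EXCEPT scanner.example.com
"""

HOSTS_DENY = """\
# default deny for every daemon that actually consults the wrappers
ALL : ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list, options) triples.

    Lines starting with '#' and blank lines are ignored; a trailing
    backslash joins the next line; fields are split on unescaped colons.
    """
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):          # continuation line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"(?<!\\):", line, maxsplit=2)]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons, clients = fields[0], fields[1]
        options = fields[2] if len(fields) == 3 else ""
        rules.append((daemons, clients, options))
    return rules


def client_token_matches(tok, host, addr):
    """Match one client pattern against a (resolved) host name and address."""
    upper = tok.upper()
    if upper == "ALL":
        return True
    if upper == "LOCAL":                 # name without a dot
        return host != "" and "." not in host
    if upper == "KNOWN":                 # simplification: name resolved
        return host != ""
    if upper == "UNKNOWN":
        return host == ""
    if tok.startswith("."):              # domain suffix, e.g. .example.com
        return host.lower().endswith(tok.lower())
    if tok.endswith("."):                # address prefix, e.g. 192.168.
        return addr.startswith(tok)
    if "/" in tok:                       # net/mask or (assumed) net/prefixlen
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    return tok.lower() == host.lower() or tok == addr


def list_matches(lst, matcher):
    """Evaluate 'list_1 EXCEPT list_2' (right-associative) with a per-token matcher."""
    parts = re.split(r"\s+EXCEPT\s+", lst, maxsplit=1)
    hit = any(matcher(t) for t in re.split(r"[\s,]+", parts[0]) if t)
    if len(parts) == 2:
        return hit and not list_matches(parts[1], matcher)
    return hit


def hosts_access(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide 'allow' or 'deny' the way hosts_access(5) describes:
    first match in hosts.allow grants, else first match in hosts.deny
    refuses, else access is granted."""
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients, _options in parse_rules(text):
            if list_matches(daemons, lambda t: t.upper() == "ALL" or t == daemon) and \
               list_matches(clients, lambda t: client_token_matches(t, host, addr)):
                return verdict
    return "allow"


if __name__ == "__main__":
    for case in [("sshd", "", "192.168.1.42"),
                 ("sshd", "badguy.example.net", "203.0.113.9"),
                 ("vsftpd", "files.example.com", "198.51.100.7"),
                 ("vsftpd", "scanner.example.com", "198.51.100.8"),
                 ("smtpd", "laptop", "10.0.0.5")]:
        print(case, "->", hosts_access(*case))
```

Two things worth noticing when running it: the decision is per daemon and only reaches daemons that are linked against libwrap or started through tcpd, which is the point fukawi2 and quarkup make, and with an empty hosts.deny the last line of hosts_access() grants everything that hosts.allow did not mention, so a firewall in front is what catches traffic the wrappers never see.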

#5 2009-08-09 01:39:28

von_Wanderlust
Member
Registered: 2008-11-03
Posts: 67

Re: /etc/hosts.allow versus iptables/firewall?

As mentioned earlier, they are at two different levels, so it's nice to have both set up in case the other one fails.

Briest has already mentioned tcpd, but if you man tcpd it has a good description of how it works.


#6 2009-08-09 19:30:23

Profjim
Member
From: NYC
Registered: 2008-03-24
Posts: 658

Re: /etc/hosts.allow versus iptables/firewall?

Thanks for the responses!

