-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 24 May 2006 10:08:32 -0400 Ed Kim <ed.kim@xxxxxxxxxxx> wrote:
> jdow wrote:
> > From: "Bruno Wolff III" <bruno@xxxxxxxx>
> >> CodeHeads <codeheads@xxxxxxxxx> wrote:
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>> Hello all,
> >>> I searched the archives and google and did not find what i was
> >>> looking for.
> >>>
> >>> This is my setup:
> >>> Web Server with virtual hosts; FC4; IPTables and SELinux Running
> >>>
> >>> My questions is which is better, IPTables or hosts.deny???
> >>
> >> You want to use iptables. There may be some benefit to using
> >> hosts.deny/allow
> >> in that you can do dns look ups at the time of connection rather than
> >> when
> >> the rules are set up. While you don't want to depend on DNS for
> >> access, it
> >> is reasonable to use it do deny access in most situations.
> >>
> >>> I read some where, cannot remember, that hosts.deny does not read httpd
> >>> requests??
> >>
> >> For apache, you can configure allowed and denied hosts in httpd.conf
> >> and you
> >> don't need hosts.deny/allow.
> >>
> >>>
> >>> I am mostly concerned in blocking IP ranges with either.
> >>
> >> For this case it is probably best to build these restrictions into your
> >> iptables rules.
> >
> > Please, may I be obnoxious and introduce Belt and Suspenders to Mr.
> > Elastic Band, who is expected to work with them?
> >
> > In depth defense is worth while. It also allows for interesting
> > fine tuning potentials.
> >
> > {^_-}
> >
>
> There is a significant difference between hosts.deny and iptables.
> Iptables is a firewall, therefore it is the first line of defense
> between your computer and the outside world. If you want to make sure
> something or someone doesnt get into your computer, use Iptables.
>
> Hosts.deny is another layer of protection but it only works with TCP
> wrapped applications. Some examples of TCPwrapped apps are sshd,
> xinetd, and sendmail... you can tell if an application uses TCP
> wrappers by the command
> strings -f /usr/sbin/sshd | grep hosts_access
> Because, apache does not use TCP wrappers, hosts.deny would be
> ineffective for http requests.
Ed,
Thank you, That what I was looking for to verify what I have learned so far.
Question on entering IP address in IPTables, say I want to add a range to block
the whole ip range of 10.0.0.0 (example of course)
Can I do this:
$iptables -A FORWARD -p tcp -s 10. -i eth0 -j DROP
OR
$iptables -A FORWARD -p tcp -s 10.* -i eth0 -j DROP
Thanks for all the input.
Will
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEdHHPfw3TK8jhZrsRAh40AJwJbBSddgupzg813SpyXb01Wn1p5gCguAan
mZ87IHx4RANb4+MVbEcrVPM=
=mW7/
-----END PGP SIGNATURE-----
