On Wed, 24 May 2006 10:08:32 -0400 Ed Kim <ed.kim@xxxxxxxxxxx> wrote:

> jdow wrote:
> > From: "Bruno Wolff III" <bruno@xxxxxxxx>
> >> CodeHeads <codeheads@xxxxxxxxx> wrote:
> >>> Hello all,
> >>> I searched the archives and Google and did not find what I was
> >>> looking for.
> >>>
> >>> This is my setup:
> >>> Web Server with virtual hosts; FC4; IPTables and SELinux running
> >>>
> >>> My question is which is better, IPTables or hosts.deny???
> >>
> >> You want to use iptables. There may be some benefit to using
> >> hosts.deny/allow in that you can do DNS lookups at the time of
> >> connection rather than when the rules are set up. While you don't
> >> want to depend on DNS for access, it is reasonable to use it to deny
> >> access in most situations.
> >>
> >>> I read somewhere, cannot remember, that hosts.deny does not read
> >>> httpd requests??
> >>
> >> For Apache, you can configure allowed and denied hosts in httpd.conf
> >> and you don't need hosts.deny/allow.
> >>
> >>> I am mostly concerned with blocking IP ranges with either.
> >>
> >> For this case it is probably best to build these restrictions into
> >> your iptables rules.
> >
> > Please, may I be obnoxious and introduce Belt and Suspenders to Mr.
> > Elastic Band, who is expected to work with them?
> >
> > In-depth defense is worthwhile. It also allows for interesting
> > fine-tuning potentials.
> >
> > {^_-}
>
> There is a significant difference between hosts.deny and iptables.
> Iptables is a firewall, therefore it is the first line of defense
> between your computer and the outside world. If you want to make sure
> something or someone doesn't get into your computer, use iptables.
>
> Hosts.deny is another layer of protection but it only works with
> TCP-wrapped applications. Some examples of TCP-wrapped apps are sshd,
> xinetd, and sendmail... You can tell if an application uses TCP
> wrappers by the command
>
>     strings -f /usr/sbin/sshd | grep hosts_access
>
> Because Apache does not use TCP wrappers, hosts.deny would be
> ineffective for HTTP requests.

Ed,

Thank you. That's what I was looking for to verify what I have learned so far.

Question on entering IP addresses in IPTables: say I want to add a range to block the whole IP range of 10.0.0.0 (example of course). Can I do this:

    $iptables -A FORWARD -p tcp -s 10. -i eth0 -j DROP

OR

    $iptables -A FORWARD -p tcp -s 10.* -i eth0 -j DROP

Thanks for all the input.

Will
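Added example, not part of the thread: a small Python helper that turns a range written as `10.` or `10.*` into the form iptables actually accepts (address/prefix or address/netmask, there is no wildcard syntax) and emits the matching line for each of the three layers the thread discusses, iptables, Apache's `Deny from` and tcp_wrappers' hosts.deny. The chain `INPUT`, the interface `eth0` and the daemon name `sshd` are assumptions; `INPUT` is used because the web server itself is the destination, whereas `FORWARD` only sees traffic routed through the box.

```python
"""Express one IPv4 range for iptables, Apache mod_access and hosts.deny.
Added illustration for the thread above; chain/interface/daemon defaults
are assumptions, adjust them to the host being configured."""
import ipaddress


def to_cidr(spec: str) -> str:
    """Normalise '10.', '10.*', '10.0.0.0/255.0.0.0' or '10.0.0.0/8' to CIDR.

    A trailing '.' or '.*' is read as "every address starting with these
    octets" (a convenience assumed here; iptables itself rejects both).
    Host bits must be zero, so a slip such as 10.0.0.5/8 raises instead of
    silently becoming 10.0.0.0/8 when the rule is loaded.
    """
    spec = spec.strip()
    if spec.endswith("*"):
        spec = spec[:-1]
    if spec.endswith("."):
        octets = spec.rstrip(".").split(".")
        if not 1 <= len(octets) <= 3:
            raise ValueError(f"cannot expand prefix {spec!r}")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return str(ipaddress.ip_network(spec, strict=True))


def iptables_rule(cidr: str, iface: str = "eth0", chain: str = "INPUT") -> str:
    """Drop everything from the range on the interface facing the outside.
    No '-p tcp', so UDP and ICMP from the range are dropped as well."""
    return f"iptables -A {chain} -i {iface} -s {ipaddress.ip_network(cidr)} -j DROP"


def apache_deny(cidr: str) -> str:
    """mod_access (Apache 2.0/2.2) accepts CIDR directly in 'Deny from'."""
    return f"Deny from {ipaddress.ip_network(cidr)}"


def hosts_deny(cidr: str, daemon: str = "sshd") -> str:
    """tcp_wrappers (hosts_access(5)) uses net/mask with a dotted netmask;
    only TCP-wrapped daemons such as sshd consult this file, not httpd."""
    net = ipaddress.ip_network(cidr)
    return f"{daemon}: {net.network_address}/{net.netmask}"


def is_blocked(cidr: str, client: str) -> bool:
    """Sanity check before loading a rule: does the range cover this client?"""
    return ipaddress.ip_address(client) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    block = to_cidr("10.*")  # the wildcard form from the question
    for line in (iptables_rule(block), apache_deny(block), hosts_deny(block)):
        print(line)
```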