Miner, Jonathan W (CSC) (US SSA) wrote:
-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx on behalf of Ashley M. Kirchner
Sent: Tue 10/16/2007 12:10 PM
To: For users of Fedora Core releases
Cc:
Subject: iptables versus hosts denied
In terms of performance and when a packet is dropped or denied,
what's best to use? iptables or hosts.deny? Let's assume for a moment
here that one has a very long list of IP ranges that are being blocked,
would using iptables to deny the ranges work better/faster than having
hosts.deny block them? Just wondering ...
-----------------------------
iptables will drop the packet at the kernel level.
An application with tcp_wrapper support will consult the hosts.allow and hosts.deny files to determine whether or not to accept a TCP connection.
I would expect that iptables would be faster since the work is being done within the kernel.
That was my first thought.
But then, if you have lots of rules, the kernel might spend rather a lot
of time sorting through them, for every packet or connexion.
tcpwrappers only gets involved when a connexion to the controlled
application is attempted.
I'd worry less about performance and more about security. For best
results, use both!
--
Cheers
John
Please do not reply off-list
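The "use both" advice above, as an added example that is not code from the thread: a small POSIX sh script that maintains the two block lists from one constructed CIDR list. It writes the hosts.deny entries in the net/mask form documented in hosts_access(5), and puts the iptables DROP rules in their own chain that is only consulted for NEW connections, so the long list is not walked for every packet of an established flow (the per-packet cost John raises). The chain name BLOCKLIST and the sample ranges are assumptions.

```shell
#!/bin/sh
# Constructed sample blocklist (not from the thread); blank lines and
# '#' comments are skipped.
SAMPLE='10.0.0.0/8
# documentation range
192.0.2.0/24
198.51.100.7'

# Turn a prefix length (0..32) into a dotted netmask for hosts.deny.
prefix_to_mask() {
  p=$1; mask=""
  for i in 1 2 3 4; do
    if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
    elif [ "$p" -le 0 ]; then o=0
    else o=$((256 - (1 << (8 - p)))); p=0
    fi
    mask="${mask}${mask:+.}$o"
  done
  printf '%s\n' "$mask"
}

# One hosts.deny line for a CIDR or bare address, e.g. "ALL: 10.0.0.0/255.0.0.0".
hosts_deny_line() {
  net=${1%/*}; pre=${1#*/}
  [ "$net" = "$1" ] && pre=32      # bare address: host mask
  printf 'ALL: %s/%s\n' "$net" "$(prefix_to_mask "$pre")"
}

# Read the list on stdin, emit hosts.deny lines.
hosts_deny_file() {
  while read -r c; do
    case $c in ''|\#*) continue ;; esac
    hosts_deny_line "$c"
  done
}

# Read the list on stdin, emit an iptables script. The dedicated chain is
# (re)built from scratch; the INPUT jump is removed before being re-added
# so repeated runs do not stack duplicate jumps.
iptables_script() {
  printf 'iptables -N BLOCKLIST 2>/dev/null || iptables -F BLOCKLIST\n'
  while read -r c; do
    case $c in ''|\#*) continue ;; esac
    printf 'iptables -A BLOCKLIST -s %s -j DROP\n' "$c"
  done
  printf 'iptables -A BLOCKLIST -j RETURN\n'
  printf 'iptables -D INPUT -m state --state NEW -j BLOCKLIST 2>/dev/null\n'
  printf 'iptables -I INPUT -m state --state NEW -j BLOCKLIST\n'
}

printf '%s\n' "$SAMPLE" | hosts_deny_file      # paste into /etc/hosts.deny
printf '%s\n' "$SAMPLE" | iptables_script      # review, then run as root
```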