On Thu, 2007-10-18 at 14:16 +0930, Tim wrote: > On Tue, 2007-10-16 at 10:10 -0600, Ashley M. Kirchner wrote: > > In terms of performance and when a packet is dropped or denied, > > what's best to use? iptables or hosts.deny ? Let's assume for a > > moment here that one has a very long list of IP ranges that are being > > blocked, would using iptables to deny the ranges work better/faster > > than having hosts.deny block them? Just wondering ... > > If iptables is running, then it's already had a look to see whether to > let the traffic through, or not. Might as well make a decision about > not letting it through, at the same time. > > I'd think that firewalling would be better, anyway. Firewalling is > stopping traffic getting in or out, whereas hosts deny/allow is dealing > with something that's already got part way in. > I would tend to concur with this method. Use iptables to block those you wish to absolutely block, and use 'hosts.allow' to track all activity that is allowed through iptables. As an example I allow some connections through the firewall for ssh access, but then use additional restrictions in 'hosts.allow' and log all successful as well as unsuccessful access attempts. I have a system that checks the logs and filters out normal activity, then emails all other activity for analysis. As someone once said, divide then conquer.