iptables versus hosts denied
Guy Fraser
guy at incentre.net
Thu Oct 18 17:10:51 UTC 2007
On Thu, 2007-10-18 at 14:16 +0930, Tim wrote:
> On Tue, 2007-10-16 at 10:10 -0600, Ashley M. Kirchner wrote:
> > In terms of performance and when a packet is dropped or denied,
> > what's best to use? iptables or hosts.deny ? Let's assume for a
> > moment here that one has a very long list of IP ranges that are being
> > blocked, would using iptables to deny the ranges work better/faster
> > than having hosts.deny block them? Just wondering ...
>
> If iptables is running, then it's already had a look to see whether to
> let the traffic through, or not. Might as well make a decision about
> not letting it through, at the same time.
>
> I'd think that firewalling would be better, anyway. Firewalling is
> stopping traffic getting in or out, whereas hosts deny/allow is dealing
> with something that's already got part way in.
>
I would tend to concur with this method.
Use iptables to block those you wish to absolutely block, and
use 'hosts.allow' to track all activity that is allowed through
iptables. As an example I allow some connections through the
firewall for ssh access, but then use additional restrictions
in 'hosts.allow' and log all successful as well as unsuccessful
access attempts. I have a system that checks the logs and filters
out normal activity, then emails all other activity for analysis.
As someone once said, divide then conquer.
More information about the fedora-list
mailing list