/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
>Hello,
>
>I have been experimenting with ipmasq a bit and really like the ability
>to open up some masq-ed machines to external access; however, I would like
>to also be security conscious and limit access to authorized hosts. I
>know I can do this using ipchains but I was wondering if this is the
>best way to accomplish this and what people might suggest on this
>topic in general.
>
>I've heard a bit about tcp wrappers but haven't gotten to implementing
>them yet so I'm not sure if that would be superior (or a good addition)
>to ipchains rules.
>
>Any info & recommendations on this are greatly appreciated.
>TIA,
>- Dave
Both will do the same thing technically.
When using tcp wrappers there is a little waiting period (0.5-2 seconds)
that happens before the user is notified that the connection failed. With
ipchains though the user is automatically notified that the connection failed.
If you try to connect to a machine that disallowed you access through
tcp_wrappers, and you have access to that machine, you will see through
netstat -a that the failed connection is stuck in the TIME_WAIT status and
will disappear after the timeout expires (sorry, don't know the value).
If many connections are attempted I am guessing that this could cause some
problems, or at least take up some system resources...
With ipchains connections are tested at a lower level in the processing
phase so these connections never appear and make it look to the person
trying to connect that there is no open port on the server, which I find is
a lot better.
Also with tcp_wrappers you need to wrap the actual daemon, which will slow
down access to it, which could be undesirable also. Take for example Apache.
So my recommendation would be to protect the boxes through ipchains. Take a
look at the Trinity doc; it has a firewalling script that has this feature
built into it.
www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/rc.firewall-trinityos
Hope this helps,
Steve
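The approach Steve describes (ACCEPT the authorized sources, then silently DENY everyone else for the forwarded port), written out as an added example. This is not code from the post or from the TrinityOS rc.firewall script; it is a small POSIX sh generator that prints the ipchains commands so they can be reviewed before being applied, and prints the matching tcp_wrappers hosts.allow/hosts.deny lines for comparison. The interface name, addresses, port and allowed-host list are constructed for illustration; it assumes the masq box does ipmasqadm-style port forwarding on its public address and that the forwarded port is filtered in the input chain on the external interface.

```shell
#!/bin/sh
# Added example (not from the list post or TrinityOS). Generates ipchains
# rules that let only authorized hosts reach a port-forwarded TCP service
# on a masq gateway and silently DENY everyone else. All values below are
# assumptions for illustration.
EXT_IF=eth0                  # external interface of the masq box (assumed)
EXT_IP=203.0.113.5           # its public address, RFC 5737 doc range (constructed)
PORT=22                      # forwarded TCP port (assumed)
ALLOWED="198.51.100.7 192.0.2.0/24"   # authorized hosts/nets (constructed)

# gen_rules PORT [SRC ...]: print the ipchains commands instead of running
# them, so you can inspect with `sh gen-rules.sh` and apply with
# `sh gen-rules.sh | sh` on the gateway. ipchains evaluates rules in order,
# so the ACCEPTs must be added before the catch-all DENY.
gen_rules() {
    port=$1; shift
    for src in "$@"; do
        # -y matches only SYN packets, i.e. new inbound connections.
        echo "ipchains -A input -i $EXT_IF -p tcp -y -s $src -d $EXT_IP $port -j ACCEPT"
    done
    # DENY (not REJECT) drops the SYN without any reply, so the remote host
    # sees no open port, as described in the reply above. -l logs the drop
    # to the kernel log so refused attempts are still visible to you.
    echo "ipchains -A input -i $EXT_IF -p tcp -y -d $EXT_IP $port -l -j DENY"
}

# tcp_wrappers writes net/mask pairs, not CIDR prefixes. Only the common
# prefix lengths are mapped here; anything else is refused rather than
# silently emitted in a form hosts_access(5) would misread.
cidr_to_wrap() {
    case $1 in
        */32) echo "${1%/32}" ;;
        */24) echo "${1%/24}/255.255.255.0" ;;
        */16) echo "${1%/16}/255.255.0.0" ;;
        */8)  echo "${1%/8}/255.0.0.0" ;;
        */*)  echo "unsupported prefix length: $1" >&2; return 1 ;;
        *)    echo "$1" ;;
    esac
}

# gen_wrappers DAEMON [SRC ...]: the equivalent hosts.allow/hosts.deny
# entries. The daemon (via tcpd or libwrap) still accepts the TCP
# connection and closes it after consulting these files.
gen_wrappers() {
    daemon=$1; shift
    list=""
    for src in "$@"; do
        w=$(cidr_to_wrap "$src") || return 1
        list="$list $w"
    done
    echo "# /etc/hosts.allow"
    echo "$daemon:$list"
    echo "# /etc/hosts.deny"
    echo "ALL: ALL"
}

gen_rules "$PORT" $ALLOWED
gen_wrappers sshd $ALLOWED
```

With an empty ALLOWED list the generator still emits the DENY rule and no ACCEPT, so a typo in the list fails closed rather than open. Flush or review the existing input chain before applying, since an earlier ACCEPT for the same port would be matched first and make the DENY unreachable.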
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES
UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.