/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
I saw someone else made a good argument for ipchains, so I won't talk
about that. Where tcp wrappers really shine is for things like telnet,
ftp, and ssh, where people will have interactive(ish) sessions on your
machine, and generally have long sessions (i.e. few actual connections).
Thus, the overhead of forking the extra process is minimal.

The argument was made that ipchains and tcp wrappers do the same thing
from a technical standpoint, which I must disagree with. TCP wrappers
give several things over ipchains:

- ease of management. Add it to a file and you're done.
- they'll work on domain names (*.yahoo.com) or host names in addition to
  IP addresses.
- they'll check the incoming IP for a name, and the name to match the IP,
  to prevent some funky DNS attacks on the above
- nicer logging

This is not to say that ipchains shouldn't be used for access control.
Both should be used in tandem, but the effectiveness of tcp wrappers
should not be ignored.

Sean

On Sun, 5 Mar 2000, Dave wrote:
> Hello,
>
> I have been experimenting with ipmasq a bit and really like the ability
> to open up some masq-ed machines to external access; however, I would like
> to also be security conscious and limit access to authorized hosts. I
> know I can do this using ipchains but I was wondering if this is the
> best way to accomplish this and what people might suggest on this
> topic in general.
>
> I've heard a bit about tcp wrappers but haven't gotten to implementing
> them yet so I'm not sure if that would be superior (or a good addition)
> to ipchains rules.
>
> Any info & recommendations on this are greatly appreciated.
> TIA,
> - Dave
-------------------------------------------------------------------
Sean Walberg <[EMAIL PROTECTED]> http://www.escape.ca/~sean
"Fore yeers ago I kudn't spel Engineer. Now I are won."
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
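
The name-to-address cross-check and domain-name matching that the reply above credits to TCP wrappers, written out as an added Python example; it is not part of the original post and not tcpd's own code. The DNS tables, addresses and function names are constructed for the example, and the domain rule uses the leading-dot form (`.example.com`) described in hosts_access(5).

```python
# Added illustration of the double lookup (address -> name -> address).
# All DNS data below is constructed; nothing is resolved over the network.
PTR = {  # reverse records: address -> name the client claims
    "192.0.2.10": "gw.example.com",
    "203.0.113.66": "gw.example.com",  # reverse record claims a trusted name
    "198.51.100.7": "host.other.test",
}
A = {  # forward records: name -> addresses its owner actually publishes
    "gw.example.com": {"192.0.2.10"},
    "host.other.test": {"198.51.100.7"},
}

def verified_name(ip, ptr=PTR, fwd=A):
    """Return the client's hostname only if that name maps back to ip."""
    name = ptr.get(ip)
    if name is None:
        return None
    name = name.lower().rstrip(".")
    # The reverse zone belongs to whoever holds the address block, so the
    # name is trusted only when the forward zone confirms the same address.
    return name if ip in fwd.get(name, set()) else None

def pattern_matches(pattern, ip, name):
    """Client patterns: '.domain' suffix, 'a.b.c.' address prefix, or exact."""
    pattern = pattern.lower()
    if pattern.startswith("."):   # domain rule: needs a verified name
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):     # address prefix rule, e.g. '198.51.100.'
        return ip.startswith(pattern)
    return pattern == ip or (name is not None and pattern == name)

def allowed(ip, patterns, ptr=PTR, fwd=A):
    """True if any allow pattern matches the client after verification."""
    name = verified_name(ip, ptr, fwd)
    return any(pattern_matches(p, ip, name) for p in patterns)

if __name__ == "__main__":
    rules = [".example.com", "198.51.100."]
    for client in ("192.0.2.10", "203.0.113.66", "198.51.100.7", "192.0.2.99"):
        print(client, verified_name(client), allowed(client, rules))
```

The second client presents the same hostname as the first, but the forward record does not list its address, so the domain rule does not admit it.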