Firewall Wizards
mailing list archives
Re: IPChains vs. IPTables
From: Brian Hatch <firewall-wizards () ifokr org>
Date: Wed, 24 Jul 2002 09:22:39 -0700
> Someone suggested that I use IPTables instead of IPchains, as IPTables is
> more robust. Is IPTables more secure for a given set of rules?
Depends on what you need to do. IPTables has modules that
work well with the rest of netfilter, whereas they were not
so friendly before.
Say you needed to support inbound FTP (I offer my pity) and
want to have everything else disabled. You'd hope that the
ipchains ftp module would let the secondary data channels
through automatically, but no such luck. They'd still be blocked
by your standard 'block everything' rules, so you'd need to
open up a range of inbound ports (I'm assuming we're using PORT
not PASV here) that were not blocked, and configure your ftp
server to only use those ports.
Pain, isn't it?
In netfilter, the module does do what you expect, and those
extra channels are allowed correctly because you told the module
to allow them. This is where application-aware filters succeed where
simple port-based ACLs die.
Then there's always the argument that iptables is the latest,
so most likely to be supported for a longer time.
(Not that some folks don't still use 2.0 kernels on their firewalls...)
--
Brian Hatch                      "I love talking about
Systems and                       nothing, it's the only
Security Engineer                 thing I know anything
www.buildinglinuxvpns.net         about."
Every message PGP signed
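For the inbound-FTP case discussed above, here is a minimal default-deny ruleset done the netfilter way, with the ipchains-era port-range workaround beside it for contrast. This is an added example, not code from the post; the FTP control port 21 and the 40000:40100 data range are assumptions.

```shell
#!/bin/sh
# Added example: stateful inbound-FTP rules on a default-deny host.
# Set DRY_RUN=1 (or pass "show") to print the rules instead of applying them.
FTP_PORT=21            # assumed: standard FTP control port
DATA_RANGE=40000:40100 # assumed: range pinned in the ftp server for the ipchains case

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# netfilter: let the conntrack helper classify the data channel as RELATED.
ftp_rules() {
    # ip_conntrack_ftp is the 2.4-era module name; on current kernels it is
    # nf_conntrack_ftp and the helper must be assigned explicitly (CT target).
    run modprobe ip_conntrack_ftp
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    # Packets belonging to a tracked connection, including the data channel
    # the helper learned from the control-channel exchange, pass here.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the control channel is ever opened as a NEW connection;
    # no static range of data ports is needed.
    run iptables -A INPUT -p tcp --dport "$FTP_PORT" -m state --state NEW -j ACCEPT
}

# ipchains: the module does not open the data channel, so a fixed range must
# be left open and the ftp server configured to use only that range.
ipchains_workaround() {
    run ipchains -P input DENY
    run ipchains -A input -p tcp -d 0.0.0.0/0 "$FTP_PORT" -j ACCEPT
    run ipchains -A input -p tcp -d 0.0.0.0/0 "$DATA_RANGE" -j ACCEPT
}

case "${1:-}" in
    apply) ftp_rules ;;
    show)  DRY_RUN=1 ftp_rules ;;
esac
```

Run with `show` to see the generated rules; `apply` needs root and a kernel with the ftp helper available.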