1

I've taken over administering some machines with no context about their configuration.

Some are using iptables. Some are using tcp_wrappers (i.e. /etc/hosts.allow). Some are using both. They're all inconsistently configured.

In many cases iptables and tcp_wrappers appear to have redundant rules. In one case they're conflicting. This is a maintenance nightmare and I'm inclined to switch to using just one system.

Before I do so I thought I'd ask, are there situations where it is appropriate to use both on the same machine?

Rui F Ribeiro
Schwern
  • If you plan out your rules first and know what you need to cover instead of growing them organically, you should be able to answer this question yourself. – Tigger Jan 21 '18 at 03:14
  • @Tigger Nothing about this system seems to have been planned. This isn't about planning out a system, it's for forensics. I'm curious if there's a possibility I've missed before I begin making changes. – Schwern Jan 21 '18 at 03:25

2 Answers

3

tcp_wrappers used to be all the rage in the 90s for anyone who was serious about security, and when dealing with security, solutions mostly at layer 7 of the OSI model were strongly encouraged; the world moved on, and nowadays we have many more solutions at different layers and with different technologies.

When designing solutions, there are no entirely wrong or right approaches.

Depending on the software or use case, when you deal with it at the application level you can often simplify other configurations.

Also, nowadays you might define all the firewalling rules at the corporate firewalls or on the virtualisation side, and you might not wish to have iptables rules on all your servers.

It should also be noted that the binaries/programs in question might be compiled without libwrap, i.e. without support for tcp_wrappers, and you would usually do better to double-check this first.

So, as said before, you have to factor in several angles when deciding what the best approach is for you.

Rui F Ribeiro
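To check whether a daemon was actually built with libwrap, as the answer suggests, look at the shared libraries it loads at start-up. The script below is an added example, not code from the answer or from the tcp_wrappers package: it parses the ELF section headers directly, so it needs neither ldd nor readelf, and reports whether libwrap.so is among the binary's DT_NEEDED entries. It assumes the binary still has its section headers (a normal strip keeps them) and that libwrap is linked directly. A service started through inetd with the tcpd wrapper is subject to hosts.allow without linking libwrap itself, so a negative result for such a program does not mean hosts.allow is ignored for it; conversely, current portable OpenSSH dropped libwrap support in 6.7, so a hosts.allow entry for sshd on a recent system may do nothing at all.

```python
import struct
import sys

DT_NULL, DT_NEEDED = 0, 1   # dynamic-section tags we care about
SHT_DYNAMIC = 6             # section type of .dynamic


def _layout(ident):
    """From e_ident pick (endian prefix, ELF header fmt, section header fmt, dynamic entry fmt)."""
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = {1: "<", 2: ">"}[ident[5]]          # EI_DATA: little or big endian
    if ident[4] == 2:                             # EI_CLASS == ELFCLASS64
        return endian, "HHIQQQIHHHHHH", "IIQQQQIIQQ", "qQ"
    if ident[4] == 1:                             # EI_CLASS == ELFCLASS32
        return endian, "HHIIIIIHHHHHH", "IIIIIIIIII", "iI"
    raise ValueError("unknown ELF class")


def dt_needed(path):
    """Return the DT_NEEDED library names of an ELF file ([] for a static binary)."""
    with open(path, "rb") as fh:
        data = fh.read()
    endian, ehdr_fmt, shdr_fmt, dyn_fmt = _layout(data[:16])
    ehdr = struct.unpack_from(endian + ehdr_fmt, data, 16)
    e_shoff, e_shentsize, e_shnum = ehdr[5], ehdr[10], ehdr[11]
    sections = [struct.unpack_from(endian + shdr_fmt, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        dyn_off, dyn_size = sh[4], sh[5]          # sh_offset, sh_size of .dynamic
        str_off = sections[sh[6]][4]              # sh_link points at .dynstr
        entsize = sh[9] or struct.calcsize(endian + dyn_fmt)
        for off in range(dyn_off, dyn_off + dyn_size, entsize):
            tag, val = struct.unpack_from(endian + dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:                  # val is an offset into .dynstr
                end = data.index(b"\0", str_off + val)
                needed.append(data[str_off + val:end].decode("ascii", "replace"))
    return needed


def uses_libwrap(path):
    """True when the binary links libwrap, i.e. hosts.allow/hosts.deny can affect it."""
    return any(lib.startswith("libwrap.so") for lib in dt_needed(path))


if __name__ == "__main__":
    # Paths are whatever the caller passes, e.g. /usr/sbin/sshd (hypothetical).
    for binary in sys.argv[1:]:
        verdict = "wrapped" if uses_libwrap(binary) else "NOT wrapped"
        print(f"{binary}: {verdict} ({', '.join(dt_needed(binary)) or 'static'})")
```

Run it as `python3 check_libwrap.py /usr/sbin/sshd /usr/sbin/vsftpd` (the file name and paths are placeholders) and audit every hosts.allow entry whose daemon comes back "NOT wrapped": such an entry is dead configuration and any protection it appears to provide has to come from iptables or from the daemon's own access controls.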
2

The hosts_access(5) man page gives some possibilities regarding why you might want to use an allow/deny entry instead of iptables:

  1. User matches (if the client supports it): I don't know of any existing hosts that implement RFC 931 or friends anymore, as it seems like an enormous security hole!
  2. Booby traps/Program calls: If you are implementing something more complex than logging on a rule.
  3. Per-program rules: If you are doing filtering based on the process path instead of network port. This is possibly helpful if you need this functionality and you don't have the owner module available in iptables.
  4. Keepalive/linger options (from hosts_options(5)): If the program doesn't do this and your init system doesn't either (?)

I have never had to use hosts.allow or hosts.deny because iptables rules do everything I need, but it's possible that you may need some of the functionality of (2) and maybe (4) for edge case scenarios. If those files don't do anything crazy, I would imagine that you could replace them with equivalent iptables rules: it certainly should simplify administration!

ErikF
  • The biggest reason to provide an ident server is that you're connecting to IRC... It's completely useless of course if you don't trust the client system to identify its users properly. – ilkkachu Jan 21 '18 at 10:19
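Following the answer's suggestion that hosts.allow and hosts.deny can be replaced by equivalent iptables rules when they do nothing exotic, here is an added example (not code from the answer or from tcp_wrappers) that reads both files and emits iptables rules in the order libwrap evaluates them: hosts.allow first, then hosts.deny, first match wins, and an unmatched connection is allowed. It refuses to translate entries that depend on the features listed in the answer, namely spawn/twist program calls, rfc931/user ident matches and socket options such as keepalive and linger, and reports them so they can stay in tcp_wrappers. The daemon-to-port table and the two sample files are constructed for this example. A deny becomes REJECT with a TCP reset, the closest packet-level approximation of libwrap accepting and then closing the connection. One semantic difference to keep in mind: a hosts.allow entry only ever affects libwrap-aware daemons, whereas a port-based iptables rule affects whatever is listening on that port.

```python
import ipaddress
import re

# Constructed daemon-to-port table for this example; on a real host derive it from
# each service's configuration (hosts.allow matches on daemon name, not on port).
DAEMON_PORTS = {"sshd": ("tcp", 22), "vsftpd": ("tcp", 21)}

# hosts_options(5) features with no iptables counterpart: they run a program, query
# an ident server, or tune the already-accepted socket.
UNTRANSLATABLE = {"spawn", "twist", "rfc931", "user", "banners", "keepalive",
                  "linger", "nice", "umask", "setenv", "severity"}

DENY_TARGET = "REJECT --reject-with tcp-reset"   # nearest to libwrap's accept-then-close


def parse_hosts_file(text):
    """Return [(daemons, clients, options)] from hosts.allow/hosts.deny text.

    Handles '#' comments and 'daemon_list : client_list [: option ...]'; colons inside
    IPv6 brackets are not field separators. Backslash continuation lines are not handled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in re.split(r":(?![^\[]*\])", line)]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def client_to_network(pattern):
    """Map a client pattern to an ip_network, the string 'ALL', or None if iptables cannot express it."""
    if pattern == "ALL":
        return "ALL"
    if re.fullmatch(r"(\d{1,3}\.){1,3}", pattern):           # prefix form: '10.' or '192.168.'
        octets = pattern.rstrip(".").split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")
    try:                                                      # single host, CIDR, or net/netmask
        return ipaddress.ip_network(pattern.replace("[", "").replace("]", ""), strict=False)
    except ValueError:
        return None   # hostname, '.domain' suffix, user@host, LOCAL/KNOWN/UNKNOWN/PARANOID, /file


def _rules_for(text, default_target):
    cmds, warnings = [], []
    for daemons, clients, options in parse_hosts_file(text):
        label = f"{' '.join(daemons)} : {' '.join(clients)}"
        opt_words = {o.split()[0] for o in options if o.strip()}
        if opt_words & UNTRANSLATABLE:
            warnings.append(f"{label}: {sorted(opt_words & UNTRANSLATABLE)} need tcp_wrappers (no iptables equivalent)")
            continue
        if "EXCEPT" in clients or "EXCEPT" in daemons:
            warnings.append(f"{label}: EXCEPT lists are not translated here")
            continue
        target = DENY_TARGET if "deny" in opt_words else "ACCEPT" if "allow" in opt_words else default_target
        for daemon in daemons:
            if daemon not in DAEMON_PORTS:   # includes 'ALL': all *wrapped* daemons, not all ports
                warnings.append(f"{label}: no port known for daemon {daemon!r}")
                continue
            proto, port = DAEMON_PORTS[daemon]
            for client in clients:
                net = client_to_network(client)
                if net is None:
                    warnings.append(f"{label}: client pattern {client!r} has no iptables equivalent")
                    continue
                tool = "ip6tables" if getattr(net, "version", 4) == 6 else "iptables"
                src = "" if isinstance(net, str) else f" -s {net}"
                cmds.append(f"{tool} -A INPUT -p {proto} --dport {port}{src} -j {target}")
    return cmds, warnings


def translate(allow_text, deny_text):
    """Emit rules in libwrap order (allow file, then deny file); unmatched traffic stays allowed."""
    allow_cmds, allow_warn = _rules_for(allow_text, "ACCEPT")
    deny_cmds, deny_warn = _rules_for(deny_text, DENY_TARGET)
    return allow_cmds + deny_cmds, allow_warn + deny_warn


# Constructed sample files, not taken from any real host.
HOSTS_ALLOW = """\
sshd : 10. 192.168.1.0/255.255.255.0        # prefix and netmask forms
vsftpd : 203.0.113.7
sshd : 198.51.100.0/24 : spawn /usr/bin/logger -t wrap "%a hit %d"   # program call, stays in tcp_wrappers
"""
HOSTS_DENY = """\
sshd vsftpd : ALL
"""

if __name__ == "__main__":
    commands, notes = translate(HOSTS_ALLOW, HOSTS_DENY)
    print("\n".join(commands))
    for note in notes:
        print("# NOT translated:", note)
```

The emitted rules are meant to be reviewed and appended to a chain whose policy you already control; the script changes nothing itself. Anything it reports as not translated is exactly the class of entry the answer says may justify keeping tcp_wrappers alongside iptables.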