Firewall Wizards mailing list archives
Re: IPChains vs. IPTables
From: Brian Hatch <firewall-wizards () ifokr org>
Date: Wed, 24 Jul 2002 09:22:39 -0700
> Someone suggested that I use IPTables instead of IPchains, as IPTables is
> more robust. Is IPTables more secure for a given set of rules?
Depends on what you need to do. IPTables has modules that work well with the rest of netfilter, whereas they were not so friendly before.

Say you needed to support inbound FTP (I offer my pity) and want to have everything else disabled. You'd hope that the ipchains ftp module would let the secondary data channels through automatically, but no such luck. They'd still be blocked by your standard 'block everything' rules, so you'd need to open up a range of inbound ports (I'm assuming we're using PORT not PASV here) that were not blocked, and configure your ftp server to only use those ports. Pain, isn't it?

In netfilter, the module does do what you expect, and those extra channels are allowed correctly because you told the module to allow them. This is where application-aware filters succeed where simple port-based ACLs die.

Then there's always the argument that iptables is the latest, so most likely to be supported for a longer time. (Not that some folks don't still use 2.0 kernels on their firewalls...)

-- 
Brian Hatch
Systems and Security Engineer
www.buildinglinuxvpns.net
Every message PGP signed

"I love talking about nothing, it's the only thing I know anything about."
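The following is an added illustration, not part of Brian's reply or anything posted to the list. It models, in Python, what the netfilter FTP connection-tracking helper (ip_conntrack_ftp on 2.4 kernels) does that a port-range ACL cannot: it reads the PORT command or the 227 passive-mode reply on the control channel, registers a one-shot "expectation" for the data connection it announces, and a `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule then admits exactly that connection and nothing else. The stateless comparison shows the ipchains workaround from the post: once you open a port range for passive data, it is open to every host, not just the client that is mid-transfer. The addresses, port numbers and FTP lines are constructed sample data; the helper's refusal to expect a connection to a third-party address (the anti-bounce check) is modelled on the module's default, non-loose behaviour and is an assumption of this example, not something the post states.

```python
"""Toy model of stateful FTP data-channel handling vs. a port-based ACL.

Constructed example; the addresses below come from the documentation ranges
and the FTP lines are made up for the scenario. Nothing here talks to a
kernel: it only models the decision logic.
"""
import re
from dataclasses import dataclass

SERVER = "192.0.2.10"     # the FTP server behind the firewall (constructed)
CLIENT = "198.51.100.7"   # a legitimate remote client (constructed)
OTHER = "203.0.113.9"     # an unrelated third host (constructed)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int   # 0 in an expectation means "any source port"
    dst: str
    dport: int


# "PORT h1,h2,h3,h4,p1,p2" (client announces where the server should connect)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (server announces a listening port)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_hostport(match):
    """Decode the six-octet FTP host/port encoding; port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpHelper:
    """Watches one control channel and records one-shot expectations."""

    def __init__(self, server, client):
        self.server, self.client = server, client
        self.expectations = []

    def observe(self, line, from_client):
        """Return the expected data Flow registered for this line, or None."""
        if from_client:
            m = PORT_RE.match(line)
            if not m:
                return None
            host, port = parse_hostport(m)
            if host != self.client:      # assumed anti-bounce check: only expect the real client
                return None
            exp = Flow(self.server, 20, self.client, port)   # active: server:20 -> client:port
        else:
            m = PASV_RE.match(line)
            if not m:
                return None
            host, port = parse_hostport(m)
            if host != self.server:
                return None
            exp = Flow(self.client, 0, self.server, port)    # passive: client:any -> server:port
        self.expectations.append(exp)
        return exp

    def consume(self, flow):
        """Match and remove an expectation, so it admits exactly one connection."""
        for exp in self.expectations:
            if (exp.src, exp.dst, exp.dport) == (flow.src, flow.dst, flow.dport) \
                    and exp.sport in (0, flow.sport):
                self.expectations.remove(exp)
                return True
        return False


def stateful_verdict(flow, helper, established):
    """Models: NEW to server:21 accepted; ESTABLISHED,RELATED accepted; default DROP."""
    if flow in established:
        return "ACCEPT (ESTABLISHED)"
    if flow.dst == helper.server and flow.dport == 21:
        established.add(flow)
        return "ACCEPT (NEW control)"
    if helper.consume(flow):
        established.add(flow)
        return "ACCEPT (RELATED)"
    return "DROP"


def stateless_verdict(flow, open_ports):
    """ipchains-style port ACL: an opened port is open to everyone."""
    return "ACCEPT" if flow.dst == SERVER and flow.dport in open_ports else "DROP"


def run_scenario():
    """Walk one control session through both filters and collect the verdicts."""
    helper, established, out = FtpHelper(SERVER, CLIENT), set(), {}
    out["control"] = stateful_verdict(Flow(CLIENT, 40000, SERVER, 21), helper, established)
    # Active mode: client says PORT, server connects back from port 20 to client:1025.
    helper.observe("PORT 198,51,100,7,4,1", from_client=True)            # 4*256+1 = 1025
    out["active_data"] = stateful_verdict(Flow(SERVER, 20, CLIENT, 1025), helper, established)
    # Passive mode: server offers port 50000; only the client, once, may connect to it.
    helper.observe("227 Entering Passive Mode (192,0,2,10,195,80)", from_client=False)  # 50000
    out["passive_data"] = stateful_verdict(Flow(CLIENT, 51234, SERVER, 50000), helper, established)
    out["passive_replay"] = stateful_verdict(Flow(OTHER, 51235, SERVER, 50000), helper, established)
    # FTP bounce: PORT naming a third host creates no expectation, so the data flow is dropped.
    out["bounce_exp"] = helper.observe("PORT 203,0,113,9,0,25", from_client=True)
    out["bounce_data"] = stateful_verdict(Flow(SERVER, 20, OTHER, 25), helper, established)
    # Stateless workaround: open the passive range to the world and hope.
    open_ports = {21} | set(range(50000, 50100))
    out["stateless_passive_data"] = stateless_verdict(Flow(CLIENT, 51234, SERVER, 50000), open_ports)
    out["stateless_stranger"] = stateless_verdict(Flow(OTHER, 51235, SERVER, 50000), open_ports)
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24s} {verdict}")
```

The point of the `consume` step is that an expectation is spent by the first matching connection, so a scan of the passive range a moment later sees the same DROP policy as everything else; the stateless ACL has no way to express "this port, for this peer, for one connection".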