Re: [fw-wiz] IPChains vs. IPTables

From: Brian Hatch (firewall-wizards@ifokr.org)
Date: 07/24/02


From: Brian Hatch <firewall-wizards@ifokr.org>
To: Marc DVer <mdver@whiteeagletox.com>
Date: Wed Jul 24 13:51:01 2002



> Someone suggested that I use IPTables instead of IPchains, as IPTables is
> more robust. Is IPTables more secure for a given set of rules?

Depends on what you need to do. IPTables has modules that
work well with the rest of netfilter, whereas they were not
so friendly before.

Say you needed to support inbound FTP (I offer my pity) and
want to have everything else disabled. You'd hope that the
ipchains ftp module would let the secondary data channels
through automatically, but no such luck. They'd still be blocked
by your standard 'block everything' rules, so you'd need to
open up a range of inbound ports (I'm assuming we're using PORT
not PASV here) that were not blocked, and configure your ftp
server to only use those ports.

Pain, isn't it?

In netfilter, the module does do what you expect, and those
extra channels are allowed correctly because you told the module
to allow them. This is where application-aware filters succeed where
simple port-based ACLs die.

Then there's always the argument that iptables is the latest,
so most likely to be supported for a longer time.

(Not that some folks don't still use 2.0 kernels on their firewalls...)

--
Brian Hatch                  "I love talking about
   Systems and                nothing, it's the only
   Security Engineer          thing I know anything
www.buildinglinuxvpns.net     about."
Every message PGP signed
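The difference Brian describes, a port-based 'block everything' ACL against an application-aware helper that watches the FTP control channel and lets the announced data connection through as RELATED, as an added toy model. This is constructed example code, not netfilter or ipchains source and not part of the original post: the `Packet` class, the `FtpAwareFilter` class, the single-direction "allow only explicitly opened destination ports" simplification of the stateless ruleset, and the TEST-NET addresses and port numbers are all assumptions made for the illustration. The helper parses both `PORT` commands and `227` passive replies, which is slightly more than the post's PORT-only scenario.

```python
"""Toy model: stateless (ipchains-style) port ACL vs. an application-aware
filter (netfilter ip_conntrack_ftp-style) for FTP data channels.
Constructed example; the packet and filter objects are deliberately simplified."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A connection attempt, reduced to the fields the filters look at."""
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allow(pkt: Packet, open_ports: set) -> bool:
    """ipchains-style: 'block everything' default, explicit dport holes only.
    Nothing here knows that a data connection belongs to an FTP session."""
    return pkt.dport in open_ports


# "PORT h1,h2,h3,h4,p1,p2" from the client (active mode)
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server (passive mode)
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(h1, h2, h3, h4, p1, p2):
    """FTP encodes the address as four octets and the port as p1*256+p2."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


class FtpAwareFilter:
    """Netfilter-style: the control connection to port 21 is explicitly
    allowed; the helper reads what the control channel announces and
    registers an *expectation* for that one data connection, which is
    then let through as RELATED. Everything else stays blocked."""

    def __init__(self, ftp_port: int = 21):
        self.ftp_port = ftp_port
        self.expected = set()  # (src or None for any, dst, dport)

    def observe(self, client: str, server: str, line: str) -> None:
        """Feed one line of the control channel to the helper."""
        m = _PORT_RE.match(line)
        if m:  # active mode: server connects from port 20 to the client's port
            ip, port = _decode(*m.groups())
            self.expected.add((server, ip, port))
            return
        m = _PASV_RE.match(line)
        if m:  # passive mode: client connects to the port the server chose
            ip, port = _decode(*m.groups())
            self.expected.add((None, ip, port))

    def allow(self, pkt: Packet) -> bool:
        if pkt.dport == self.ftp_port:  # control channel, explicitly opened
            return True
        for exp in list(self.expected):
            src, dst, dport = exp
            if (src is None or src == pkt.src) and dst == pkt.dst and dport == pkt.dport:
                self.expected.discard(exp)  # one announcement, one connection
                return True
        return False  # not announced on the control channel: still blocked


def demo() -> dict:
    """Run both filters over the same constructed FTP session."""
    client, server = "203.0.113.5", "192.0.2.10"  # constructed TEST-NET addresses
    control = Packet(client, 40000, server, 21)
    active_data = Packet(server, 20, client, 40001)    # announced by PORT ...,156,65
    passive_data = Packet(client, 40002, server, 50000)  # announced by 227 (...,195,80)
    stray = Packet(client, 40003, server, 50001)       # never announced

    results = {}
    # ipchains-style: only port 21 is open, so both data channels die
    results["stateless_control"] = stateless_allow(control, {21})
    results["stateless_active"] = stateless_allow(active_data, {21})
    results["stateless_passive"] = stateless_allow(passive_data, {21})
    # the post's workaround: punch a fixed range and pin the ftpd to it
    ranged = {21} | set(range(50000, 50011))
    results["stateless_passive_with_range"] = stateless_allow(passive_data, ranged)

    fw = FtpAwareFilter()
    results["stateful_control"] = fw.allow(control)
    fw.observe(client, server, "PORT 203,0,113,5,156,65")
    results["stateful_active"] = fw.allow(active_data)
    results["stateful_active_replay"] = fw.allow(active_data)  # expectation used up
    fw.observe(client, server, "227 Entering Passive Mode (192,0,2,10,195,80)")
    results["stateful_passive"] = fw.allow(passive_data)
    results["stateful_stray"] = fw.allow(stray)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {'ALLOW' if verdict else 'DROP'}")
```

The point of the model is the `expected` set: the stateless ACL has no way to tie a data connection back to the session that asked for it, so its only options are a permanent hole or no FTP, while the helper opens exactly the one connection the control channel announced and closes it again once used. Real conntrack expectations also carry timeouts and are keyed on the full tuple; this model keeps only what the comparison needs.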



