This is a question we encounter quite often: what is a firewall and how is it different from tcp wrappers? I have tcp wrappers installed and configured; is my system secure?
It is very important to be aware that having tcp wrappers installed does not constitute a proper firewall and does not create an adequately secure system.
A firewall works at the operating system (network) level: it allows or denies packets from certain IP addresses to certain services/ports on your computer, regardless of whether the application behind the port is aware of firewalling at all. An example would be to allow ssh access into your system, but only from a system with a static IP at another institution. The best firewall security policy is default deny: drop all inbound connections and only allow in explicitly defined services from explicitly defined IPs.
Tcp wrappers, on the other hand, should be thought of as an access control mechanism that works at the application level, not the operating system or network level. An application must be written to use tcp wrappers (linked against libwrap, or started through tcpd from inetd) and decide how to behave when a connection is allowed or denied; a service that does not do so is completely unaffected by /etc/hosts.allow and /etc/hosts.deny. You can check whether a daemon honours them with: ldd $(command -v sshd) | grep libwrap. Note that upstream OpenSSH removed libwrap support in version 6.7, so on newer systems sshd may ignore tcp wrappers entirely unless the distribution patched that support back in.
What should you choose? Do you have to pick one or the other?
Best practice dictates that the two are not mutually exclusive and both should be configured on a system. Take the previous ssh example, where you want to log in from a system at another institution with a known static IP. One would configure the destination system's firewall to only allow ssh in from that IP. For completeness (defence in depth), tcp wrappers would also be configured to only allow the connection from the specified IP. Tcp wrappers really becomes useful if you want to ssh into a system but do not know the IP, or the IP changes, as it does if you use a broadband ISP. In this scenario the system's firewall would be configured to allow ssh connections in from anywhere, and then tcp wrappers, which really excels at access control, would be configured to only allow connections from your ISP.
Figuring out the tens of thousands of IPs and dozens of subnets the typical ISP uses and configuring those in a static firewall is a difficult process. On the other hand, configuring the firewall to allow ssh connections from anywhere and then configuring tcp wrappers to allow connections only from the ISP is much easier, typically involving only a couple of lines in each subsystem: tcp wrappers patterns match by address prefix (for example 203.0.113.) or by domain suffix (for example .example-isp.net, resolved through reverse DNS), so a whole ISP can be named in one line. Keep in mind that the domain form trusts reverse DNS, and that an open firewall port means every packet reaches the daemon before tcp wrappers can refuse it, so the service itself must still be kept patched.
Configuration - due to the complexity of configuring both subsystems properly, it is preferred that you work with staff to set things up.
- Firewall - there are many firewall solutions under Linux. All use the kernel's netfilter framework, driven by iptables (or nftables on current distributions; ipchains is the obsolete 2.2-kernel predecessor), as their underlying technology. The difference comes down to what product is layered on top of that to present a configuration management scheme.
- Tcp wrappers - are configured in /etc/hosts.allow and /etc/hosts.deny. hosts.allow is consulted first, then hosts.deny; the first matching line wins, and if neither file matches, the connection is allowed. A hosts.allow without a matching "ALL: ALL" line in hosts.deny therefore restricts nothing. tcpdmatch(8) (for example: tcpdmatch sshd 203.0.113.4) shows which line a given service/client pair would hit.
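The two ssh scenarios described above, written out as an added example (this is not the page's or the institution's own configuration): a default-deny ruleset in iptables-restore format for both the static-peer and the open-to-anyone case, the hosts.allow/hosts.deny pair for the ISP case, and a small checker that evaluates those two files the way tcp wrappers does (allow file first, then deny file, first match wins, no match means allowed) so the decisions can be seen without a live daemon. The addresses (192.0.2.10 for the collaborator, the 203.0.113. and 198.51.100.7 entries for the ISP) are RFC 5737 documentation ranges used as placeholders, the function names are my own, and the checker only understands the ALL, exact and trailing-dot pattern forms. On a real system tcpdmatch(8) is the authoritative check and the ruleset is loaded as root with iptables-restore.

```shell
#!/bin/sh
# Added example, not from the original page. Addresses are RFC 5737
# documentation ranges used as placeholders.

STATIC_PEER="192.0.2.10"      # assumed: the collaborator's static IP

# Firewall: default-deny ruleset in iptables-restore(8) format. With an
# argument, ssh is only accepted from that source (static-peer scenario);
# with none, ssh is open to anyone and tcp wrappers does the filtering
# (ISP scenario). Load atomically as root:  gen_fw_ssh 192.0.2.10 | iptables-restore
gen_fw_ssh() {
  if [ -n "$1" ]; then fw_src="-s $1 "; else fw_src=""; fi
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 ${fw_src}-j ACCEPT
COMMIT
EOF
}

# Match one value against a tcp wrappers list such as "sshd", "ALL" or
# "203.0.113. 198.51.100.7". Implements the forms this page needs: ALL, an
# exact name/address, and a trailing-dot prefix that matches the leading
# numeric fields of an address. EXCEPT lists, domain suffixes and net/mask
# forms are not implemented here.
_list_match() {
  lm_value=$1
  for lm_pat in $2; do
    case $lm_pat in
      ALL) return 0 ;;
      *.)  case $lm_value in "$lm_pat"*) return 0 ;; esac ;;
      *)   if [ "$lm_pat" = "$lm_value" ]; then return 0; fi ;;
    esac
  done
  return 1
}

# Does any "daemon_list : client_list" line in the file match this pair?
# (Two-field lines only; the optional shell-command field is not handled.)
_file_match() {
  wa_svc=$1; wa_ip=$2; wa_file=$3
  [ -r "$wa_file" ] || return 1
  while IFS= read -r wa_line; do
    case $wa_line in ''|\#*) continue ;; esac
    wa_daemons=$(printf '%s' "${wa_line%%:*}" | tr ',' ' ')
    wa_clients=$(printf '%s' "${wa_line#*:}" | tr ',' ' ')
    if _list_match "$wa_svc" "$wa_daemons" && _list_match "$wa_ip" "$wa_clients"; then
      return 0
    fi
  done < "$wa_file"
  return 1
}

# The tcp wrappers decision: allow file first, then deny file, otherwise allow.
wrap_allowed() {   # service client allow_file deny_file -> 0 allowed, 1 denied
  if _file_match "$1" "$2" "$3"; then return 0; fi
  if _file_match "$1" "$2" "$4"; then return 1; fi
  return 0         # neither file matched: tcp wrappers grants access
}

# Constructed ISP-scenario files: ssh from the ISP's 203.0.113.0/24 prefix or
# one extra host, everything else for every wrapped service denied.
WRAP_DIR=$(mktemp -d)
trap 'rm -rf "$WRAP_DIR"' EXIT
printf 'sshd: 203.0.113. 198.51.100.7\n' > "$WRAP_DIR/hosts.allow"
printf 'ALL: ALL\n' > "$WRAP_DIR/hosts.deny"

isp_decision() {   # service client -> prints allowed|denied
  if wrap_allowed "$1" "$2" "$WRAP_DIR/hosts.allow" "$WRAP_DIR/hosts.deny"; then
    echo allowed
  else
    echo denied
  fi
}

# Demonstration when run as a script.
gen_fw_ssh "$STATIC_PEER"
for c in 203.0.113.44 203.0.1134.1 198.51.100.7 198.51.100.8; do
  printf 'sshd from %-14s -> %s\n' "$c" "$(isp_decision sshd "$c")"
done
```

Two things the checker makes visible: 203.0.1134.1 is refused because the trailing dot in 203.0.113. is a field boundary, not a string prefix, and the same client is refused for a daemon not named in hosts.allow only because hosts.deny carries ALL: ALL. When loading the firewall half, do it from a console session or with the allow rule verified first; with the INPUT policy at DROP, a typo in the -s address cuts off your own remote ssh session.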
This page should be adequate to illustrate the fundamental difference between the two. If you have any further questions, wish to check or modify your system firewall and tcp wrapper configuration, please contact staff and we will work with you on the matter.
NOTE: it is also a good idea to request regularly scheduled security scans of your system.