Web Hosting Talk

IPchains/tables vs Portsentry


hypernatic.net
03-11-2002, 07:31 AM
Question,

I have a RaQ4 with Portsentry installed, but I hear a lot about this IP tables/chains too...

What exactly is the difference between IP tables and chains?

What about between those two and Portsentry?

Do you suggest I install IPchains/tables on top of Portsentry?
If so, WHY?

Also, has anyone got any instructions?

Thanks

ffeingol
03-11-2002, 08:32 AM
Well I'll do my best to explain the difference.

PortScan's job is to log or block people from doing portscans. That means that one site (IP) is trying to connect on different ports trying to find an open port/access method to your system.

ipchains/tables is firewall software. You use it to block certain ports/IPs or to only allow access to certain ports from certain IPs. ipchains/tables can also do accounting (i.e. bytes in/out) and some of the stats packages use that (i.e. bandmin).

Frank

hypernatic.net
03-11-2002, 08:35 AM
Ahh I see :)

Clear enough :P

but is there a difference between 1) IP Chains and 2) IP Tables?

Also, do you recommend installing it? WHY? E.g. for what ports? Etc...

Also, do you know where I can find instructions?

ffeingol
03-11-2002, 08:47 AM
Support needs to be built into the kernel for ipchains/tables. I believe it is built in for RaQ's, but I'd have to double check.

chains is the older software. It really depends on your kernel version. Older ones only support chains. New ones can support chains or tables.

There is a HOWTO for both. I'll try to dig up the link.

Frank

cbtrussell
03-11-2002, 10:29 AM
A RaQ has a 2.2 kernel, which means you have to use IPChains.

IPTables requires a 2.4 kernel. IPTables is better protection, as it incorporates state inspection that's unavailable in IPChains - but IPChains is entirely capable in its own right.

Portsentry doesn't block anything. It tells you when a port scan is taking place, and can be configured to work WITH IPChains to block access to an intruder.

In short, you would want Portsentry AND IPChains, not one or the other.

Hope this helps

Brandon
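
The difference described in the post above, shown as an added example that is not part of the thread or any poster's configuration: the same default-deny inbound policy written for ipchains (2.2 kernel, no state inspection) and for iptables (2.4 kernel, with state inspection). The script only prints the rules; the kernel versions and ports 22 and 80 are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: prints (does not execute) an inbound policy for the packet
# filter matching a kernel version. Versions and ports are sample values.

# Map a kernel version string to the packet filter named in the thread.
fw_tool_for_kernel() {
    case "$1" in
        2.2.*) echo ipchains ;;
        2.[4-9].*|[3-9].*|[1-9][0-9].*) echo iptables ;;
        *) echo unknown; return 1 ;;
    esac
}

# Print a default-deny inbound ruleset allowing the listed TCP ports.
emit_rules() {
    kver=$1; shift
    tool=$(fw_tool_for_kernel "$kver") || {
        echo "unsupported kernel: $kver" >&2; return 1; }
    if [ "$tool" = ipchains ]; then
        echo "ipchains -P input DENY"
        echo "ipchains -A input -i lo -j ACCEPT"
        for port in "$@"; do
            echo "ipchains -A input -p tcp -d 0/0 $port -j ACCEPT"
        done
        # No connection tracking: replies to outbound connections can only be
        # recognised as "TCP without the SYN flag" (! -y), so any packet that
        # merely lacks SYN is accepted too.
        echo "ipchains -A input -p tcp ! -y -j ACCEPT"
    else
        echo "iptables -P INPUT DROP"
        echo "iptables -A INPUT -i lo -j ACCEPT"
        # Connection tracking: only packets belonging to a known flow match.
        echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
        for port in "$@"; do
            echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    fi
}

# Constructed sample: a 2.2 kernel and a 2.4 kernel, ports 22 and 80.
emit_rules 2.2.16 22 80
emit_rules 2.4.18 22 80
```

Review the printed rules before applying them on a remote box, since a default-deny policy without the SSH rule will cut off the session.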

ffeingol
03-11-2002, 10:39 AM
I believe you can also configure portsentry to use hosts.deny, so you could get away without ipchains.

Frank

shortfork
03-12-2002, 02:48 PM
Originally posted by ffeingol
I believe you can also configure portsentry to use hosts.deny, so you could get away without ipchains.

You can, but don't lull yourself into a false sense of security by *just* using portsentry. You NEED a firewall on your box, period!

Shortz

cbtrussell
03-12-2002, 05:27 PM
I believe you can also configure portsentry to use hosts.deny, so you could get away without ipchains.

hosts.deny will only affect those services in TCPWrappers (see inetd.conf); it is NOT the same as firewall protection.

IPChains is an absolute prerequisite for putting your box online. Contact me via PM if you need a resource to have it installed properly.

Brandon

jks
03-13-2002, 08:14 PM
Originally posted by cbtrussell
A RaQ has a 2.2 kernel, which means you have to use IPChains.


Some RaQs do :-)

The XTRs can be equipped with a 2.4 kernel.

cbtrussell
03-13-2002, 11:24 PM
The XTRs can be equipped with a 2.4 kernel.

Good catch.

I was thinking in terms of the original poster's RaQ4. (blinders!)

Brandon