Order of relevance, security.
shankshank
05-19-2004, 11:12 AM
So there is shorewall firewall which has its own configs
IPTables
HOSTS.allow
HOSTS.deny
4 mechanisms that are different from each other in locking down a machine, correct?
From my understanding hosts.allow goes first, then hosts.deny, then shorewall then iptables?
If I have shorewall do I need Iptables?
Dark Ninja
05-19-2004, 11:20 AM
Yes. Shorewall is essentially just a configuration program for IPTables. (It makes iptables a whole lot easier to set up -- especially if you've never done it before.) However, it is using iptables as its underlying base.
As for the hosts.allow and hosts.deny, I don't know too much about them. But, I do know that Shorewall (and, ultimately, IPTables) does allow you to block specific ip addresses and allow others.
Check out Shorewall's website for more information: http://www.shorewall.net/
I did just want to add one thing -- you always want to be careful when installing multiple "rules" from different sources on a system. This can create conflicts and other unnecessary conflicts that can become very difficult to track down. For example, a friend of mine was running BlackICE and ZoneAlarm on his Windows box -- this created a mess that, ultimately, allowed a security hole.
Just watch for things like that.
ph34r
05-19-2004, 11:47 AM
The hosts.allow/deny files control who can connect to stuff that is spawned by xinetd/inetd. Shorewall (or whatever iptables script you are using) will control who can connect to what ports, period.
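
Added example, not part of any post in this thread: a small Python model of the order in which the layers discussed above see an incoming TCP connection. The kernel packet filter (iptables, however it was configured) is consulted first for every port; hosts.allow and then hosts.deny are consulted afterwards, and only for services wrapped by inetd/xinetd. The ports, daemon name, addresses and rule lines are constructed assumptions, the packet filter is reduced to a set of open ports, and only a subset of the hosts_access(5) pattern syntax is handled.

```python
import ipaddress

# Constructed sample configuration (assumptions, not taken from the thread).
OPEN_TCP_PORTS = {23, 80}            # ports the iptables/Shorewall ruleset accepts
WRAPPED = {23: "in.telnetd"}         # services spawned by inetd/xinetd through tcpd
HOSTS_ALLOW = ["in.telnetd: 192.168.1."]
HOSTS_DENY = ["ALL: ALL"]


def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, 'a.b.c.' prefix, net/mask, exact IP."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern


def rule_matches(line, daemon, ip):
    """True when a 'daemon_list : client_list' line covers this daemon and client."""
    daemons, clients = (part.strip() for part in line.split(":")[:2])
    daemon_ok = any(d in ("ALL", daemon) for d in daemons.replace(",", " ").split())
    client_ok = any(client_matches(c, ip) for c in clients.replace(",", " ").split())
    return daemon_ok and client_ok


def wrappers_allow(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is checked first, then hosts.deny; no match in either means allow."""
    if any(rule_matches(line, daemon, ip) for line in allow):
        return True
    if any(rule_matches(line, daemon, ip) for line in deny):
        return False
    return True


def connection_result(ip, port):
    # Layer 1: packet filter in the kernel, applies to every port and service.
    if port not in OPEN_TCP_PORTS:
        return "dropped by iptables"
    # Layer 2: TCP wrappers, reached only if the packet got through layer 1,
    # and only for services that are actually wrapped.
    daemon = WRAPPED.get(port)
    if daemon and not wrappers_allow(daemon, ip):
        return "refused by hosts.deny"
    return "accepted"
```

In this model a `hosts.deny` of `ALL: ALL` does nothing for the unwrapped service on port 80, which is why the packet filter remains the place to restrict ports in general.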