Date: Sun, 28 Jan 2007 01:59:37 +0100 From: Max Laier <max@love2party.net> To: freebsd-pf@freebsd.org Subject: Re: PF in kernel or as a module Message-ID: <200701280159.42895.max@love2party.net> In-Reply-To: <000301c74153$30d86ed0$92894c70$@ca> References: <45B684BD.8090706@gmail.com> <45BA0815.80708@gmail.com> <000301c74153$30d86ed0$92894c70$@ca>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart1402097.FxNa0dWq8k Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline [ Please don't top-post and fix quotation ] On Friday 26 January 2007 15:06, Kevin K. wrote: > I'm curious if there has been some benchmarking done to compare the two > methods of enabling PF. You will not be able to measure any difference whatsoever. The main call=20 path is exactly the same with either method. You are of course welcome=20 to perform a benchmark to verify. Unless pfsync or ALTQ is required,=20 using the module is the preferred method when tracking a newer security=20 branch as it will enable freebsd-update of the kernel+modules. > The security debate could be argued to be circumstantial, but I'd like > to hear from people who use it in production via loaded module, as my > only experience with PF is building it into the kernel. > > -----Original Message----- > From: owner-freebsd-pf@freebsd.org > [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Martin Turgeon > Sent: Friday, January 26, 2007 8:54 AM > To: Max Laier > Cc: freebsd-pf@freebsd.org > Subject: Re: PF in kernel or as a module > > > Max Laier a =E9crit : > > On Tuesday 23 January 2007 22:57, Martin Turgeon wrote: > > > I would like to start a debate on this subject. Which method of > enabling PF is the more secure (buffer overflow for example), the > fastest, the most stable, etc. I searched the web for some info but > without result. So I would like to know your opinion on the pros and > cons of each method. > > > Kernel module - loaded via loader.conf - is as secure as built in.=20 > There is a slight chance, that somebody might be able to compromise the > module on disk, but then they are likely to be able to write to the > kernel (in the same location) as well. An additional plus is the > possibility of freebsd-update if you do not have to build a custom > kernel. > > Note that some features are only available when built in: pfsync and > altq - this is not going to change for technical reasons. > > Performance wise there should be no difference. > > > > Thanks a lot, that's exactly the type of answer I wanted. I'm always > surprised to see how much knowledge the FreeBSD mailinglists are > sharing. > Thank you for your effort > Martin Turgeon > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1402097.FxNa0dWq8k Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQBFu/V+XyyEoT62BG0RAndTAJ4wp5/jp4vMUVrmY/LbMo1sC7EbkwCfWMc8 xFj8m3zVkbuW5ZXF4peLLpo= =FSx2 -----END PGP SIGNATURE----- --nextPart1402097.FxNa0dWq8k--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200701280159.42895.max>