Date:      Fri, 26 Jan 2007 08:54:29 -0500
From:      Martin Turgeon <turgeon.martin@gmail.com>
To:        Max Laier <max@love2party.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF in kernel or as a module
Message-ID:  <45BA0815.80708@gmail.com>
In-Reply-To: <200701240153.30454.max@love2party.net>
References:  <45B684BD.8090706@gmail.com> <200701240153.30454.max@love2party.net>


   Max Laier wrote:

On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:
  

I would like to start a debate on this subject. Which method of
enabling PF is the more secure (buffer overflow for example), the
fastest, the most stable, etc. I searched the web for some info but
without result. So I would like to know your opinion on the pros and
cons of each method.
    

Kernel module - loaded via loader.conf - is as secure as built in.  There 
is a slight chance that somebody might be able to compromise the module 
on disk, but then they are likely to be able to write to the kernel (in 
the same location) as well.  An additional plus is the possibility of 
freebsd-update if you do not have to build a custom kernel.

Note that some features are only available when built in: pfsync and 
altq - this is not going to change for technical reasons.

Performance-wise there should be no difference.

  

   Thanks a lot, that's exactly the type of answer I wanted. I'm always
   surprised to see how much knowledge the FreeBSD mailing lists are
   sharing.
   Thank you for your effort.
   Martin Turgeon
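
The point made in the quoted reply, that the on-disk module sits in the same location as the kernel and so shares its exposure, can be checked on a host. The script below is an added example and not part of the original messages; the default /boot/kernel layout, the uid 0 ownership expectation and the function names are assumptions.

```shell
#!/bin/sh
# Added example: is pf.ko protected as tightly as the kernel next to it?
# Assumptions: stock FreeBSD layout (/boot/kernel), files expected to be
# owned by uid 0. Function names are illustrative.

# loose_perms PATH: print PATH if it is group- or world-writable.
loose_perms() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# wrong_owner PATH OWNER: print PATH if it is not owned by OWNER.
wrong_owner() {
    find "$1" -prune ! -user "$2" -print 2>/dev/null
}

# audit_boot_dir DIR [OWNER]: check DIR, DIR/kernel and DIR/pf.ko.
# Returns 0 only if all three exist, belong to OWNER (default uid 0)
# and cannot be modified by group or other.
audit_boot_dir() {
    abd_dir=$1
    abd_owner=${2:-0}
    abd_rc=0
    for abd_f in "$abd_dir" "$abd_dir/kernel" "$abd_dir/pf.ko"; do
        if [ ! -e "$abd_f" ]; then
            echo "MISSING   $abd_f"; abd_rc=1
        elif [ -n "$(wrong_owner "$abd_f" "$abd_owner")" ]; then
            echo "OWNER     $abd_f is not owned by $abd_owner"; abd_rc=1
        elif [ -n "$(loose_perms "$abd_f")" ]; then
            echo "WRITABLE  $abd_f can be modified by group or other"; abd_rc=1
        else
            echo "OK        $abd_f"
        fi
    done
    return "$abd_rc"
}

# Run only when a directory is given, e.g.: sh audit.sh /boot/kernel
if [ "$#" -gt 0 ]; then
    audit_boot_dir "$@"
fi
```

On a custom kernel with PF compiled in and no modules installed, the MISSING line for pf.ko is expected.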


