Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 23 Jan 2007 23:34:24 -0000
From:      "Greg Hennessy" <Greg.Hennessy@nviz.net>
To:        "'Martin Turgeon'" <turgeon.martin@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   RE: PF in kernel or as a module
Message-ID:  <000001c73f47$041659b0$0c430d10$@Hennessy@nviz.net>
In-Reply-To: <45B684BD.8090706@gmail.com>
References:  <45B684BD.8090706@gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
> Hi all!
> 
> I would like to start a debate on this subject. Which method of
> enabling
> PF is the more secure (buffer overflow for example), the fastest, the
> most stable, etc. I searched the web for some info but without result.
> So I would like to know your opinion on the pros and cons of each
> method.

For production Freebsd based firewalls I have always built the kernel with
PF. The idea being that if something does go pear shaped, there's a good
chance that at least the packet filter will stay operational. 

OpenBSDs standard pre loaded /etc/rc filter  (which drops everything except
ssh & IIRC dns) would also be nice, but my understanding is that to
implement it on Free would break the startup elsewhere. 


Greg








Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?000001c73f47$041659b0$0c430d10$>