Date:      Fri, 26 Jan 2007 09:06:34 -0500
From:      "Kevin K." <freebsd-pf@magma.ca>
To:        <freebsd-pf@freebsd.org>
Subject:   RE: PF in kernel or as a module
Message-ID:  <000301c74153$30d86ed0$92894c70$@ca>
In-Reply-To: <45BA0815.80708@gmail.com>
References:  <45B684BD.8090706@gmail.com>	<200701240153.30454.max@love2party.net> <45BA0815.80708@gmail.com>

I'm curious if there has been some benchmarking done to compare the two
methods of enabling PF.

The security debate could be argued to be circumstantial, but I'd like to
hear from people who use it in production via loaded module, as my only
experience with PF is building it into the kernel.




-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Martin Turgeon
Sent: Friday, January 26, 2007 8:54 AM
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: PF in kernel or as a module


   Max Laier wrote:

On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:

I would like to start a debate on this subject. Which method of
enabling PF is the more secure (buffer overflow for example), the
fastest, the most stable, etc. I searched the web for some info but
without result. So I would like to know your opinion on the pros and
cons of each method.

Kernel module - loaded via loader.conf - is as secure as built in.  There
is a slight chance, that somebody might be able to compromise the module
on disk, but then they are likely to be able to write to the kernel (in
the same location) as well.  An additional plus is the possibility of
freebsd-update if you do not have to build a custom kernel.

Note that some features are only available when built in: pfsync and
altq - this is not going to change for technical reasons.

Performance wise there should be no difference.


   Thanks a lot, that's exactly the type of answer I wanted. I'm always
   surprised to see how much knowledge the FreeBSD mailing lists are
   sharing.
   Thank you for your effort
   Martin Turgeon
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"



