Date: Sun, 28 Jan 2007 01:59:37 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: PF in kernel or as a module
Message-ID: <200701280159.42895.max@love2party.net>
In-Reply-To: <000301c74153$30d86ed0$92894c70$@ca>
References: <45B684BD.8090706@gmail.com> <45BA0815.80708@gmail.com> <000301c74153$30d86ed0$92894c70$@ca>

[ Please don't top-post and fix quotation ]

On Friday 26 January 2007 15:06, Kevin K. wrote:
> I'm curious if there has been some benchmarking done to compare the two
> methods of enabling PF.

You will not be able to measure any difference whatsoever.  The main call
path is exactly the same with either method.  You are of course welcome to
perform a benchmark to verify.  Unless pfsync or ALTQ is required, using
the module is the preferred method when tracking a newer security branch
as it will enable freebsd-update of the kernel+modules.

> The security debate could be argued to be circumstantial, but I'd like
> to hear from people who use it in production via loaded module, as my
> only experience with PF is building it into the kernel.
>
> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Martin Turgeon
> Sent: Friday, January 26, 2007 8:54 AM
> To: Max Laier
> Cc: freebsd-pf@freebsd.org
> Subject: Re: PF in kernel or as a module
>
> Max Laier wrote:
> > On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:
> > > I would like to start a debate on this subject. Which method of
> > > enabling PF is the more secure (buffer overflow for example), the
> > > fastest, the most stable, etc. I searched the web for some info but
> > > without result. So I would like to know your opinion on the pros and
> > > cons of each method.
> >
> > Kernel module - loaded via loader.conf - is as secure as built in.
> > There is a slight chance that somebody might be able to compromise the
> > module on disk, but then they are likely to be able to write to the
> > kernel (in the same location) as well.  An additional plus is the
> > possibility of freebsd-update if you do not have to build a custom
> > kernel.
> >
> > Note that some features are only available when built in: pfsync and
> > altq - this is not going to change for technical reasons.
> >
> > Performance-wise there should be no difference.
>
> Thanks a lot, that's exactly the type of answer I wanted. I'm always
> surprised to see how much knowledge the FreeBSD mailing lists are
> sharing.
> Thank you for your effort.
> Martin Turgeon
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
