From owner-freebsd-pf@FreeBSD.ORG Fri Jan 26 13:54:38 2007
Message-ID: <45BA0815.80708@gmail.com>
Date: Fri, 26 Jan 2007 08:54:29 -0500
From: Martin Turgeon
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: PF in kernel or as a module
References: <45B684BD.8090706@gmail.com> <200701240153.30454.max@love2party.net>
In-Reply-To: <200701240153.30454.max@love2party.net>

Max Laier wrote:
> On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:
>> I would like to start a debate on this subject. Which method of enabling
>> PF is the more secure (buffer overflow for example), the fastest, the most
>> stable, etc. I searched the web for some info but without result. So I
>> would like to know your opinion on the pros and cons of each method.
>
> Kernel module - loaded via loader.conf - is as secure as built in. There is
> a slight chance that somebody might be able to compromise the module on
> disk, but then they are likely to be able to write to the kernel (in the
> same location) as well. An additional plus is the possibility of
> freebsd-update if you do not have to build a custom kernel. Note that some
> features are only available when built in: pfsync and altq - this is not
> going to change for technical reasons. Performance-wise there should be no
> difference.

Thanks a lot, that's exactly the type of answer I wanted. I'm always surprised to see how much knowledge the FreeBSD mailing lists are sharing. Thank you for your effort.

Martin Turgeon
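An added check, not part of this thread: a POSIX sh snippet (using awk) that reads the text of `kldstat -v` and reports whether pf is linked into the kernel or loaded as pf.ko, and whether a built-in module such as pfsync is present, which is what decides whether the pfsync/altq caveat above applies to a host. The kldstat output below is a constructed sample, and the column layout the parser assumes is an assumption to check against your release.

```shell
#!/bin/sh
# Report how pf is provided on a FreeBSD host, from the text of `kldstat -v`.
# Assumed layout (an assumption; check it against your release): file lines
# "Id Refs Address Size Name", each followed by "Contains modules:" and
# "Id Name" lines for the modules that file carries.

# pf_provider KLDSTAT_TEXT -> prints "builtin", "module" or "none"
pf_provider() {
  printf '%s\n' "$1" | awk '
    /^ *[0-9]+ +[0-9]+ +0x[0-9a-fA-F]+ +[0-9a-fA-F]+ +/ { file = $5 }  # file line
    /^[ \t]+[0-9]+[ \t]+pf$/ {                                    # pf module line
      if (file == "kernel") print "builtin"; else print "module"
      found = 1; exit
    }
    END { if (!found) print "none" }'
}

# builtin_has KLDSTAT_TEXT NAME -> succeeds if NAME is linked into the kernel file
builtin_has() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^ *[0-9]+ +[0-9]+ +0x[0-9a-fA-F]+ +[0-9a-fA-F]+ +/ { file = $5 }
    file == "kernel" && $1 ~ /^[0-9]+$/ && $2 == want { hit = 1; exit }
    END { exit (hit ? 0 : 1) }'
}

# Constructed sample: custom kernel with pf, pfsync and pflog built in.
SAMPLE_BUILTIN='Id Refs Address            Size     Name
 1   10 0xffffffff80200000 1f00000  kernel
        Contains modules:
                Id Name
                 1 pf
                 2 pfsync
                 3 pflog'

# Constructed sample: GENERIC kernel, pf.ko loaded via loader.conf (pf_load="YES").
SAMPLE_MODULE='Id Refs Address            Size     Name
 1    6 0xffffffff80200000 1f00000  kernel
        Contains modules:
                Id Name
                 1 ipfw
 2    1 0xffffffff82000000 40000    pf.ko
        Contains modules:
                Id Name
                 2 pf'

echo "built-in sample: $(pf_provider "$SAMPLE_BUILTIN")"   # builtin
echo "module sample:   $(pf_provider "$SAMPLE_MODULE")"    # module
builtin_has "$SAMPLE_MODULE" pfsync || echo "pfsync not built in: not available to a pf.ko setup"
# On a live host: pf_provider "$(kldstat -v)"; builtin_has "$(kldstat -v)" pfsync
```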