From: "Kevin K."
Delivered-To: freebsd-pf@freebsd.org
Date: Fri, 26 Jan 2007 09:06:34 -0500
Subject: RE: PF in kernel or as a module
Message-ID: <000301c74153$30d86ed0$92894c70$@ca>
In-Reply-To: <45BA0815.80708@gmail.com>

I'm curious if there has been some benchmarking done to compare the two methods of enabling PF.
The security debate could be argued to be circumstantial, but I'd like to hear from people who use it in production via loaded module, as my only experience with PF is building it into the kernel.

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Martin Turgeon
Sent: Friday, January 26, 2007 8:54 AM
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: PF in kernel or as a module

Max Laier wrote:
> On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:
>> I would like to start a debate on this subject. Which method of enabling
>> PF is the more secure (buffer overflow for example), the fastest, the
>> most stable, etc. I searched the web for some info but without result. So
>> I would like to know your opinion on the pros and cons of each method.
>
> Kernel module - loaded via loader.conf - is as secure as built in. There
> is a slight chance that somebody might be able to compromise the module
> on disk, but then they are likely to be able to write to the kernel (in
> the same location) as well. An additional plus is the possibility of
> freebsd-update if you do not have to build a custom kernel.
>
> Note that some features are only available when built in: pfsync and
> altq - this is not going to change for technical reasons.
>
> Performance-wise there should be no difference.

Thanks a lot, that's exactly the type of answer I wanted. I'm always surprised to see how much knowledge the FreeBSD mailing lists are sharing.

Thank you for your effort

Martin Turgeon
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
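
Max Laier's note that pfsync and altq are only available when pf is built in can be checked against a host's configuration before moving from a custom kernel to the loader.conf module. The script below is an added example, not part of the thread; it assumes 2007-era FreeBSD syntax (`device pf`, `options ALTQ`, `pf_load`, `pfsync_enable`), and its function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: static check of the constraint stated in the thread
# (pfsync and altq only work when pf is compiled into the kernel).
# Assumes 2007-era FreeBSD config syntax; all sample files are constructed.

# has_line REGEX FILE: true if a non-comment line of FILE starts with REGEX
has_line() { grep -Eq "^[[:space:]]*$1" "$2" 2>/dev/null; }

# pf_mode KERNCONF LOADERCONF: prints builtin, module or none
pf_mode() {
    if has_line 'device[[:space:]]+pf([[:space:]]|#|$)' "$1"; then echo builtin
    elif has_line 'pf_load="?[Yy][Ee][Ss]"?' "$2"; then echo module
    else echo none
    fi
}

# missing_support KERNCONF LOADERCONF PFCONF RCCONF: prints the features the
# configuration uses that the kernel setup cannot provide (empty if none)
missing_support() {
    mode=$(pf_mode "$1" "$2"); miss=""
    if has_line 'altq[[:space:]]+on[[:space:]]' "$3"; then
        { [ "$mode" = builtin ] &&
          has_line 'options[[:space:]]+ALTQ([[:space:]]|#|$)' "$1"; } || miss="altq"
    fi
    if has_line 'pfsync_enable="?[Yy][Ee][Ss]"?' "$4"; then
        { [ "$mode" = builtin ] &&
          has_line 'device[[:space:]]+pfsync([[:space:]]|#|$)' "$1"; } || miss="${miss:+$miss }pfsync"
    fi
    echo "$miss"
}

# write_samples DIR: constructed kernel configs, loader.conf, pf.conf, rc.conf
write_samples() {
    printf 'device\t\tpf\ndevice\t\tpflog\ndevice\t\tpfsync\noptions\t\tALTQ\noptions\t\tALTQ_CBQ\n' > "$1/KERNEL_BUILTIN"
    printf '# stock kernel, no pf compiled in\ndevice\t\tether\n' > "$1/KERNEL_STOCK"
    printf 'pf_load="YES"\n' > "$1/loader.conf"
    printf 'altq on em0 cbq bandwidth 10Mb queue { std }\nqueue std bandwidth 100%% cbq(default)\n' > "$1/pf.conf"
    printf 'pf_enable="YES"\npfsync_enable="YES"\npfsync_syncdev="em1"\n' > "$1/rc.conf"
}

d=$(mktemp -d) && write_samples "$d"
echo "module:   lacks [$(missing_support "$d/KERNEL_STOCK" "$d/loader.conf" "$d/pf.conf" "$d/rc.conf")]"
echo "built-in: lacks [$(missing_support "$d/KERNEL_BUILTIN" /dev/null "$d/pf.conf" "$d/rc.conf")]"
rm -rf "$d"
```

On a real host the four arguments would be the kernel configuration file, /boot/loader.conf, /etc/pf.conf and /etc/rc.conf.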