Date: Wed, 24 Jan 2007 01:53:25 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: PF in kernel or as a module
Message-ID: <200701240153.30454.max@love2party.net>
In-Reply-To: <45B684BD.8090706@gmail.com>
References: <45B684BD.8090706@gmail.com>

On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:
> I would like to start a debate on this subject. Which method of
> enabling PF is the more secure (buffer overflow for example), the
> fastest, the most stable, etc. I searched the web for some info but
> without result. So I would like to know your opinion on the pros and
> cons of each method.

Kernel module - loaded via loader.conf - is as secure as built in. There
is a slight chance that somebody might be able to compromise the module
on disk, but then they are likely to be able to write to the kernel (in
the same location) as well. An additional plus is the possibility of
freebsd-update if you do not have to build a custom kernel.

Note that some features are only available when built in: pfsync and
altq - this is not going to change for technical reasons.

Performance-wise there should be no difference.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News