Thread: PF in kernel or as a module

PF in kernel or as a module
2007-01-23 15:57:17
Hi all!
I would like to start a debate on this subject. Which method of enabling
PF is the more secure (buffer overflow for example), the fastest, the
most stable, etc. I searched the web for some info but without result.
So I would like to know your opinion on the pros and cons of each method.
Thank you,
Martin Turgeon
_______________________________________________
freebsd-pf freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe freebsd.org"

RE: PF in kernel or as a module
2007-01-23 17:34:24
> Hi all!
>
> I would like to start a debate on this subject. Which method of
> enabling
> PF is the more secure (buffer overflow for example), the fastest, the
> most stable, etc. I searched the web for some info but without result.
> So I would like to know your opinion on the pros and cons of each
> method.
For production FreeBSD-based firewalls I have always built the kernel with
PF. The idea being that if something does go pear-shaped, there's a good
chance that at least the packet filter will stay operational.
OpenBSD's standard pre-loaded /etc/rc filter (which drops everything except
ssh & IIRC dns) would also be nice, but my understanding is that to
implement it on Free would break the startup elsewhere.
Greg

Re: PF in kernel or as a module
2007-01-23 18:53:25
On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:
> I would like to start a debate on this subject. Which method of
> enabling PF is the more secure (buffer overflow for example), the
> fastest, the most stable, etc. I searched the web for some info but
> without result. So I would like to know your opinion on the pros and
> cons of each method.
Kernel module - loaded via loader.conf - is as secure as built in. There
is a slight chance that somebody might be able to compromise the module
on disk, but then they are likely to be able to write to the kernel (in
the same location) as well. An additional plus is the possibility of
freebsd-update if you do not have to build a custom kernel.
Note that some features are only available when built in: pfsync and
altq - this is not going to change for technical reasons.
Performance-wise there should be no difference.
--
/" Best regards, | mlaier freebsd.org
/ Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier EFnet
/ ASCII Ribbon Campaign | Against HTML Mail and News

Re: PF in kernel or as a module
2007-01-26 07:54:29
Max Laier wrote:
> On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:
> > I would like to start a debate on this subject. Which method of
> > enabling PF is the more secure (buffer overflow for example), the
> > fastest, the most stable, etc. I searched the web for some info but
> > without result. So I would like to know your opinion on the pros and
> > cons of each method.
> Kernel module - loaded via loader.conf - is as secure as built in. There
> is a slight chance, that somebody might be able to compromise the module
> on disk, but then they are likely to be able to write to the kernel (in
> the same location) as well. An additional plus is the possibility of
> freebsd-update if you do not have to build a custom kernel.
> Note that some features are only available when built in: pfsync and
> altq - this is not going to change for technical reasons.
> Performance wise there should be no difference.
Thanks a lot, that's exactly the type of answer I wanted. I'm always
surprised to see how much knowledge the FreeBSD mailing lists are
sharing.
Thank you for your effort
Martin Turgeon

Re: PF in kernel or as a module
2007-01-27 18:59:37
[ Please don't top-post and fix quotation ]
On Friday 26 January 2007 15:06, Kevin K. wrote:
> I'm curious if there has been some benchmarking done to compare the two
> methods of enabling PF.
You will not be able to measure any difference whatsoever. The main call
path is exactly the same with either method. You are of course welcome
to perform a benchmark to verify. Unless pfsync or ALTQ is required,
using the module is the preferred method when tracking a newer security
branch as it will enable freebsd-update of the kernel+modules.
> The security debate could be argued to be circumstantial, but I'd like
> to hear from people who use it in production via loaded module, as my
> only experience with PF is building it into the kernel.
>
> -----Original Message-----
> From: owner-freebsd-pf freebsd.org
> [mailto:owner-freebsd-pf freebsd.org] On Behalf Of Martin Turgeon
> Sent: Friday, January 26, 2007 8:54 AM
> To: Max Laier
> Cc: freebsd-pf freebsd.org
> Subject: Re: PF in kernel or as a module
>
> Max Laier wrote:
>
> On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:
>
> I would like to start a debate on this subject. Which method of
> enabling PF is the more secure (buffer overflow for example), the
> fastest, the most stable, etc. I searched the web for some info but
> without result. So I would like to know your opinion on the pros and
> cons of each method.
>
> Kernel module - loaded via loader.conf - is as secure as built in.
> There is a slight chance, that somebody might be able to compromise the
> module on disk, but then they are likely to be able to write to the
> kernel (in the same location) as well. An additional plus is the
> possibility of freebsd-update if you do not have to build a custom
> kernel.
>
> Note that some features are only available when built in: pfsync and
> altq - this is not going to change for technical reasons.
>
> Performance wise there should be no difference.
>
> Thanks a lot, that's exactly the type of answer I wanted. I'm always
> surprised to see how much knowledge the FreeBSD mailinglists are
> sharing.
> Thank you for your effort
> Martin Turgeon
--
/" Best regards, | mlaier freebsd.org
/ Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier EFnet
/ ASCII Ribbon Campaign | Against HTML Mail and News
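As an added example (not from the thread, nor FreeBSD project code), here is a small POSIX sh check that tells whether PF is running as a loaded pf.ko or compiled into the kernel by reading the text of `kldstat -v`, and applies the rule from Max Laier's two replies above that pfsync and altq only work with the built-in variant. The kldstat texts are constructed samples; `pf_mode`, `pf_layout_ok` and the variable names are this example's own.

```shell
#!/bin/sh
# Added example: classify how PF is provided from `kldstat -v` text, then
# check that choice against the rule stated in this thread (2007): pfsync
# and altq need PF compiled in. Samples below are constructed; on a real
# host call pf_mode "$(kldstat -v)".

# module: pf.ko is its own linker file; builtin: the pf module is listed
# only under the kernel file; absent: no pf module at all.
pf_mode() {
    if printf '%s\n' "$1" | grep -q 'pf\.ko'; then
        echo module
    elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[0-9]+[[:space:]]+pf$'; then
        echo builtin
    else
        echo absent
    fi
}

# $1 = mode from pf_mode, $2 = space-separated features the ruleset needs.
# Returns 0 when consistent, 1 when a feature needs built-in PF but pf is
# a module (or missing). Module users enable it with pf_load="YES".
pf_layout_ok() {
    for f in $2; do
        case "$f" in
            pfsync|altq)
                if [ "$1" != builtin ]; then
                    echo "$f needs PF built into the kernel (pf is: $1)" >&2
                    return 1
                fi ;;
        esac
    done
    return 0
}

# Constructed kldstat -v output: pf.ko loaded as a separate module.
KLDSTAT_MODULE='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 1f3b8b0  kernel (/boot/kernel/kernel)
        Contains modules:
                Id Name
 2    1 0xffffffff82119000 1d70     pf.ko (/boot/kernel/pf.ko)
        Contains modules:
                Id Name
                 9 pf'
# Constructed kldstat -v output: pf compiled into the kernel.
KLDSTAT_BUILTIN='Id Refs Address            Size     Name
 1    8 0xffffffff80200000 1f3b8b0  kernel (/boot/kernel/kernel)
        Contains modules:
                Id Name
                 7 pf'
pf_layout_ok "$(pf_mode "$KLDSTAT_MODULE")" "pflog pfsync" \
    || echo "-> build PF into the kernel for pfsync, or drop pfsync"
```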