Thread: RE: PF in kernel or as a module




RE: PF in kernel or as a module
user name
2007-01-26 08:06:34
I'm curious if there has been some benchmarking done to compare the two methods of enabling PF.

The security debate could be argued to be circumstantial, but I'd like to hear from people who use it in production via loaded module, as my only experience with PF is building it into the kernel.




-----Original Message-----
From: owner-freebsd-pffreebsd.org [mailto:owner-freebsd-pffreebsd.org] On
Behalf Of Martin Turgeon
Sent: Friday, January 26, 2007 8:54 AM
To: Max Laier
Cc: freebsd-pffreebsd.org
Subject: Re: PF in kernel or as a module


   Max Laier wrote:

On Tuesday 23 January 2007 22:57, Martin Turgeon wrote:

I would like to start a debate on this subject. Which method of enabling PF is the more secure (buffer overflow for example), the fastest, the most stable, etc. I searched the web for some info but without result. So I would like to know your opinion on the pros and cons of each method.
    

Kernel module - loaded via loader.conf - is as secure as built in. There is a slight chance that somebody might be able to compromise the module on disk, but then they are likely to be able to write to the kernel (in the same location) as well. An additional plus is the possibility of freebsd-update if you do not have to build a custom kernel.

Note that some features are only available when built in: pfsync and altq - this is not going to change for technical reasons.

Performance-wise there should be no difference.

  

   Thanks a lot, that's exactly the type of answer I wanted. I'm always surprised to see how much knowledge the FreeBSD mailing lists are sharing.
   Thank you for your effort
   Martin Turgeon
_______________________________________________
freebsd-pffreebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribefreebsd.org"