PF in kernel or as a module
Greg Hennessy
Greg.Hennessy at nviz.net
Tue Jan 23 23:54:31 UTC 2007
> Hi all!
>
> I would like to start a debate on this subject. Which method of enabling
> PF is the more secure (buffer overflow for example), the fastest, the
> most stable, etc. I searched the web for some info but without result.
> So I would like to know your opinion on the pros and cons of each
> method.

For production FreeBSD-based firewalls I have always built the kernel with
PF. The idea being that if something does go pear-shaped, there's a good
chance that at least the packet filter will stay operational.

OpenBSD's standard preloaded /etc/rc filter (which drops everything except
ssh & IIRC dns) would also be nice, but my understanding is that to
implement it on Free would break the startup elsewhere.

Greg