As has been pointed out to me, with IPTables, if the relevant parts of code you require are compiled as modules, you have to specifically load them before you can use them. This strikes me as an unnecessary worry if you're concentrating on building a solid ruleset. So is it better to compile them all into the kernel?
However, if they are all compiled into the kernel, will that provide too much of an unnecessary load on the host, especially if it's the kind of 16 MB 486 type box used to protect a network? Or is the code efficient enough that the extra unnecessary code isn't really a big deal, especially if the under-powered host is only doing firewalling and not running any services? I'm asking this question partly for myself, and partly for a talk I'll be giving on IPTables to new / new-ish users, so I'm looking for the simplest working solution, rather than the optimal solution. Thanks.

--
FunkyJesus
System Administration Team
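The "is the module loaded?" worry described in the post can be turned into a pre-flight check run before the ruleset is applied. The script below is an added example, not code from the original post: a netfilter component counts as usable when it is either compiled into the kernel (listed in `/lib/modules/$(uname -r)/modules.builtin`) or currently loaded (listed in `/proc/modules`); both lists are passed in as text so the check can be exercised on constructed samples without root. The module names in the samples and in `NEEDED` are assumptions (they differ between kernel versions), so substitute the ones your own ruleset uses.

```shell
#!/bin/sh
# Added example: pre-flight check for netfilter support before loading a ruleset.
# Both lists are plain text so the functions can be tested on constructed samples.

# nf_status NAME BUILTIN_LIST LOADED_LIST -> prints builtin | loaded | missing
nf_status() {
    _name=$1
    _builtin=$2
    _loaded=$3
    if printf '%s\n' "$_builtin" | grep -q "/${_name}\.ko$"; then
        echo builtin                       # compiled into the kernel, nothing to load
    elif printf '%s\n' "$_loaded" | awk '{ print $1 }' | grep -qx "$_name"; then
        echo loaded                        # present as a loaded module
    else
        echo missing                       # neither: rules using it would fail
    fi
}

# preflight NEEDED BUILTIN_LIST LOADED_LIST
# NEEDED is a space-separated list of module names the ruleset depends on.
# Prints the missing names (one line) and returns 1 if any are missing.
preflight() {
    _missing=""
    for _m in $1; do
        [ "$(nf_status "$_m" "$2" "$3")" = missing ] && _missing="$_missing $_m"
    done
    _missing=${_missing# }
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# Constructed sample inputs (assumed module names, formats of modules.builtin and /proc/modules).
SAMPLE_BUILTIN='kernel/net/ipv4/netfilter/ip_tables.ko
kernel/net/ipv4/netfilter/iptable_filter.ko'
SAMPLE_LOADED='nf_conntrack 139264 1 xt_state, Live 0xffffffffc0000000
xt_state 16384 2 - Live 0xffffffffc0001000'

# Assumed dependencies of a simple stateful filtering ruleset. On a real box, run
# the check before iptables-restore and abort on failure so the default policy stays in place:
#   preflight "$NEEDED" "$(cat /lib/modules/$(uname -r)/modules.builtin)" "$(cat /proc/modules)" \
#       || { echo "netfilter support missing, ruleset not applied" >&2; exit 1; }
NEEDED="ip_tables iptable_filter nf_conntrack xt_state xt_limit"
```

With the constructed samples, `xt_limit` is reported missing and `preflight` returns non-zero, which is the signal to load the module (or fix the kernel configuration) before applying rules.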
