* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> As has been pointed out to me, with IPTables if the relevant parts of code
> you require are compiled as modules you have to specifically load them
> before you can use them.  This strikes me as an unnecessary worry if you're
> concentrating on building a solid ruleset.  So is it better to compile them
> all into the kernel?

  It's really not that big a deal, you just load what you want.  The
  list is basically: /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
  of what your options are.

> However, if they are all compiled into the kernel will that provide too much
> of an unnecessary load on the host, especially if it's the kind of 16meg 486
> type box used to protect a network?  Or is the code efficient enough that
> the extra unnecessary code isn't really a big deal - especially if the
> under-powered host is only doing firewalling and not running any services?

  If you're loading them into the kernel as modules you're taking up
  memory anyway.  The advantage to modules is that you don't have to
  include things you're not going to use and still have them available
  to use if you decide you want to.  If you know you're not going to use
  something you don't have to compile it into the kernel anyway.  You
  can also upgrade the modules without having to reboot the system but
  that's not always a very simple thing to do and can cause problems.

> I'm asking this question partly for myself, and partly for a talk I'll be
> giving on IPTables to new / new-ish users, so I'm looking for the simplest
> working solution, rather than the optimal solution.

  Simplest?  I think it depends more on what you want to do and what you
  want to be able to do.  Personally I see them all as pretty simple
  really. :)  Compiling things into the kernel will make it less likely
  you'll forget things but takes up more memory if you compile in things
  you're not going to use (not very much though, really); building
  things as modules gives you the flexibility to only load what you're
  using but means you might forget something along the way that causes
  problems (though most things will complain if the module isn't
  available, this is really mainly true just for the NAT helpers I
  think).

        Stephen
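An added example, not part of Stephen's reply or the original thread: a small POSIX shell helper that does the "did I forget a module?" check Stephen describes, before a ruleset is loaded. For each module a ruleset needs it reports whether the code is built into the kernel, already loaded, available as a module to `modprobe`, or missing entirely, which is the case that matters for the NAT/conntrack helpers that iptables does not complain about. It assumes a `/lib/modules/<version>` tree with a `modules.builtin` file and `.ko` files under `kernel/net/ipv4/netfilter` (the directory from the reply) and `kernel/net/netfilter`, and takes the `lsmod` output from a file so it can run offline; the function names and the demo tree are constructed for this example.

```shell
#!/bin/sh
# Example helper (not from the original thread): classify the netfilter
# modules a ruleset depends on before loading the ruleset.
# Assumptions: MODDIR is a /lib/modules/<version> tree containing
# modules.builtin and kernel/net/{ipv4/netfilter,netfilter}/*.ko;
# LOADED is a file holding the output of "lsmod" (first column = name).

# nf_module_state NAME MODDIR LOADED
# Prints one of: builtin | loaded | loadable | missing.
# Returns 1 only for "missing", so it can be used in conditions.
nf_module_state() {
    name=$1; moddir=$2; loaded=$3
    # Built-in code is listed in modules.builtin by path, e.g.
    # kernel/net/ipv4/netfilter/iptable_filter.ko
    if grep -q "/${name}\.ko\$" "$moddir/modules.builtin" 2>/dev/null; then
        echo builtin; return 0
    fi
    # Already loaded: exact match on the first column of lsmod output.
    if awk '{print $1}' "$loaded" | grep -qx "$name"; then
        echo loaded; return 0
    fi
    # Present on disk as a module: modprobe could load it.
    for sub in kernel/net/ipv4/netfilter kernel/net/netfilter; do
        if [ -f "$moddir/$sub/${name}.ko" ]; then
            echo loadable; return 0
        fi
    done
    echo missing; return 1
}

# nf_check_ruleset_deps MODDIR LOADED MODULE...
# Prints a state line per module; returns 1 if any module is missing.
nf_check_ruleset_deps() {
    moddir=$1; loaded=$2; shift 2
    rc=0
    for m in "$@"; do
        state=$(nf_module_state "$m" "$moddir" "$loaded") || rc=1
        printf '%-24s %s\n' "$m" "$state"
    done
    return $rc
}

# nf_build_demo_tree DIR
# Constructed stand-in for /lib/modules/<version> plus an lsmod capture,
# so the example runs without a real kernel tree.
nf_build_demo_tree() {
    dir=$1
    mkdir -p "$dir/kernel/net/ipv4/netfilter" "$dir/kernel/net/netfilter"
    printf 'kernel/net/ipv4/netfilter/iptable_filter.ko\n' > "$dir/modules.builtin"
    : > "$dir/kernel/net/ipv4/netfilter/iptable_nat.ko"
    : > "$dir/kernel/net/netfilter/nf_conntrack_ftp.ko"
    printf 'Module                  Size  Used by\n' > "$dir/lsmod.txt"
    printf 'nf_conntrack           12345  1\n'      >> "$dir/lsmod.txt"
}

# Demo on the constructed tree: a filter + NAT + FTP-helper ruleset.
# nf_nat_ftp is deliberately absent to show the "missing" case.
demo_dir=$(mktemp -d)
nf_build_demo_tree "$demo_dir"
nf_check_ruleset_deps "$demo_dir" "$demo_dir/lsmod.txt" \
    iptable_filter nf_conntrack iptable_nat nf_conntrack_ftp nf_nat_ftp \
    || echo "at least one module is missing; fix that before loading the ruleset"
rm -rf "$demo_dir"
```

On a real box, replace the demo tree with `/lib/modules/$(uname -r)` and a file written by `lsmod`, run the check from the same script that loads the ruleset, and `modprobe` whatever comes back as `loadable`; anything reported `missing` means the kernel config (or the ruleset) needs changing, and catching it here is cheaper than noticing later that FTP through the NAT box silently stopped working.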
