On Friday 10 May 2002 12:40 pm, [EMAIL PROTECTED] wrote:

> As has been pointed out to me, with IPTables if the relevant parts of code
> you require are compiled as modules you have to specifically load them
> before you can use them.  This strikes me as an unnecessary worry if you're
> concentrating on building a solid ruleset.  So is it better to compile them
> all into the kernel?
>
> However, if they are all compiled into the kernel will that provide too
> much of an unnecessary load on the host, especially if it's the kind of
> 16meg 486 type box used to protect a network?

For a firewall I always build everything into the kernel and I disable 
modules, so the kernel can't even load one if someone tries.

My reasoning for this is:

a) a monolithic kernel loads everything at boot time and doesn't need to 
spend time later on loading extra bits

b) you don't really want any sort of 'auto load on demand' going on with a 
firewall where the kernel sees a particular type of packet and has to load a 
module off disk in order to start processing it

c) for extra security, you don't want any possibility that someone can load a 
module that's not supposed to be running, or unload one which is

d) if you've written the rules to use specific functions on your firewall, 
the question of whether a monolithic kernel is too much for a given machine 
to cope with doesn't apply - if you've written the rules, you're using the 
functions, so the code has to be loaded one way or another anyway

e) the netfilter code is so small that it doesn't matter how much you try and 
load onto a given machine (as far as the poor thing not being able to cope is 
concerned)

Modules may be useful when you're testing things and working out what you 
want your firewall to do, but for production use I'd go for compiled-in every 
time.



Antony.
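An added check, not part of Antony's mail or the thread, that audits a kernel .config for the policy he describes: CONFIG_MODULES off and every netfilter option the ruleset relies on built in (=y) rather than =m. The option names are standard Linux Kconfig symbols; the sample .config fragment is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original mail): audit a kernel .config for the
# "built in, no modules" firewall policy. Sample .config fragment is constructed.

# Print a CONFIG_ option's value: "y", "m", "n" (explicitly unset) or "missing".
config_value() {
    # $1 = config file, $2 = option name without the CONFIG_ prefix
    _line=$(grep -E "^(# )?CONFIG_$2(=| is not set)" "$1" | head -n 1)
    case "$_line" in
        "") echo missing ;;
        "# CONFIG_$2 is not set") echo n ;;
        *) echo "${_line#CONFIG_$2=}" ;;
    esac
}

# Report on CONFIG_MODULES and each required option; return 0 only when
# modules are off and every required option is built in (=y).
audit_firewall_config() {
    _cfg=$1; shift
    _rc=0
    if [ "$(config_value "$_cfg" MODULES)" = y ]; then
        echo "FAIL: CONFIG_MODULES=y (modules can be loaded and unloaded at runtime)"
        _rc=1
    fi
    for _opt in "$@"; do
        case "$(config_value "$_cfg" "$_opt")" in
            y) echo "ok:   CONFIG_$_opt built in" ;;
            m) echo "FAIL: CONFIG_$_opt=m (must be loaded before rules using it work)"; _rc=1 ;;
            *) echo "FAIL: CONFIG_$_opt absent (rules needing it cannot load)"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Constructed sample: filter table built in, connection tracking and the state
# match left as modules, LOG target unset, module loading still enabled.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_MODULES=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_MATCH_STATE=m
# CONFIG_IP_NF_TARGET_LOG is not set
EOF
if audit_firewall_config "$SAMPLE_CFG" NETFILTER IP_NF_IPTABLES IP_NF_FILTER \
        IP_NF_CONNTRACK IP_NF_MATCH_STATE IP_NF_TARGET_LOG; then
    echo "PASS: kernel config matches the firewall policy"
else
    echo "policy violations found; fix the config and rebuild"
fi
```

Point it at the real file (`.config` in the kernel tree, or `/boot/config-$(uname -r)` where the distribution installs one) and list the options your ruleset actually uses.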
