Hi list, some days ago I had a discussion on configuring the optimal kernel for a firewall gateway. I know this is a never-ending story but I have a small question out of it:

Does it matter how big the kernel is for the speed of the packet flow? I mean, is it better to have a small kernel without all the optional things like soundcard etc., or is it equal because it doesn't have a negative effect on the performance of the firewall?

I know that you always hear about small kernels without modules and just the options enabled which you really need, but my friend said this is all because of security and not performance. Is this right?

I feel that a small kernel is not just more secure but also has more performance. Is this right?

Bye Markus
> Hi list, some days ago I had a discussion on configuring the optimal kernel for a firewall gateway. I know this is a never-ending story but I have a small question out of it:
> Does it matter how big the kernel is for the speed of the packet flow? I mean, is it better to have a small kernel without all the optional things like soundcard etc., or is it equal because it doesn't have a negative effect on the performance of the firewall?
> I know that you always hear about small kernels without modules and just the options enabled which you really need, but my friend said this is all because of security and not performance. Is this right?
Negative. All of this used to be right not too long ago, but since 2.2 times it is a bit different, mostly because the machines are bigger (RAM) and faster but the kernel-used memory is nearly the same. As long as no sound card is initialized and no sound kernel module is loaded, the driver doesn't consume any resources (apart from the disk space for the kernel module). Basically the same is valid for SCSI host adapters and other stuff. The memory consumed by kernel code will remain the same. The latest Phrack magazine describes ways to change kernel code without the need of loading modules or the possibility of loading a kernel module in the first place. The method uses /dev/kmem. By consequence, all argumentation about more security because kernel modules can't be loaded is obsolete.
> I feel that a small kernel is not just more secure but also has more performance. Is this right?
It shouldn't, no. One of the first things that I did after a fresh SuSE installation was to configure and compile the latest kernel, for just the reasons that you listed. In the meantime, and with machines with 128 MB RAM instead of 32, I don't see the reason any more to do this; I just use the RPM that comes with SuSE. In addition to more drivers, the SuSE kernel even has some bugfixes that didn't make their way to the standard kernel yet (some of the core kernel people work for SuSE). After all, the decision about which kernel to use is up to personal taste.
> Bye Markus
Thanks,
Roman.
--
- -
| Roman Drahtmüller
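Added example, not part of the thread: a small shell script that shows the point Roman makes above, namely that only modules actually loaded occupy kernel memory. It reads the /proc/modules format of 2.4-and-later kernels (fields: name, size in bytes, refcount, dependencies, state, address), which is an assumption; the sample module list below is constructed, with illustrative sizes. On a firewall host the same list also serves as a baseline for auditing: a module appearing that is not expected on a packet-filtering box is worth a look.

```shell
# Added example (not from the thread): sum the memory actually occupied by
# loaded kernel modules, as reported by /proc/modules. Modules that are only
# present on disk never appear here and therefore cost no RAM.
# Assumed field layout: name size refcount dependencies state address

module_total_bytes() {
    # $1: path to a /proc/modules-style file (defaults to the live one)
    awk '{ total += $2 } END { printf "%d\n", total + 0 }' "${1:-/proc/modules}"
}

largest_module() {
    # Print "name size" of the largest loaded module in the given file
    sort -k2,2nr "${1:-/proc/modules}" | awk 'NR == 1 { print $1, $2 }'
}

# Constructed sample in /proc/modules format (sizes are illustrative, not real)
SAMPLE_MODULES="$(mktemp)"
cat > "$SAMPLE_MODULES" <<'EOF'
snd_hda_intel 45056 0 - Live 0xffffffffc0a00000
nf_conntrack 176128 1 nf_nat, Live 0xffffffffc0900000
ip_tables 32768 2 iptable_filter,iptable_nat, Live 0xffffffffc0800000
EOF

# Report for the constructed sample; pass no argument to inspect the running kernel
printf 'loaded modules use %s bytes\n' "$(module_total_bytes "$SAMPLE_MODULES")"
printf 'largest: %s\n' "$(largest_module "$SAMPLE_MODULES")"
```

Run it without arguments on a live Linux box to see the real list; compare the total against MemTotal in /proc/meminfo to judge how much the module set matters on a given machine.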
> Negative. All of this used to be right not too long ago, but since 2.2 times it is a bit different, mostly because the machines are bigger (RAM) and faster but the kernel-used memory is nearly the same. As long as no sound card is initialized and no sound kernel module is loaded, the driver doesn't consume any resources (apart from the disk space for the kernel module). Basically the same is valid for SCSI host adapters and other stuff. The memory consumed by kernel code will remain the same.
Ok. If you install a kernel with module support, it doesn't consume memory or performance until the module is really used and loaded. That's clear. But what about drivers or other things compiled directly into the kernel, so that the kernel grows? Does this also have no effect on the kernel performance, e.g. packet filtering, traffic management, ...?

Bye Markus
> Ok. If you install a kernel with module support, it doesn't consume memory or performance until the module is really used and loaded. That's clear. But what about drivers or other things compiled directly into the kernel, so that the kernel grows? Does this also have no effect on the kernel performance, e.g. packet filtering, traffic management, ...?
Well, if you compile a kernel with IP forwarding turned on but filtering disabled, one would expect that the router is faster because the code is just missing in the kernel. On a reasonably fast machine I'd say that these effects should be negligible. Is anybody volunteering to test and measure/benchmark the differences?
> Bye Markus
Roman.
--
- -
| Roman Drahtmüller
> Well, if you compile a kernel with IP forwarding turned on but filtering disabled, one would expect that the router is faster because the code is just missing in the kernel. On a reasonably fast machine I'd say that these effects should be negligible.

But what do you think is a reasonable machine? What will I need for a simple firewall with Internet (1 MBit), DMZ (mail server) and a local network in terms of MHz and MByte?
Thanks, Bernhard
A 486 will firewall 1 megabit no sweat unless you have about 70 million rules.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hey, Bernhard Held wrote:
> Well, if you compile a kernel with IP forwarding turned on but filtering disabled, one would expect that the router is faster because the code is just missing in the kernel. On a reasonably fast machine I'd say that these effects should be negligible. But what do you think is a reasonable machine? What will I need for a simple firewall with Internet (1 MBit), DMZ (mail server) and a local network in terms of MHz and MByte?
For me, a 486 with, I think, 33 MHz and 12 MB RAM works. It connects my wireless LAN to the internet (ADSL, German Telekom).

Greetings, Torsten

> Thanks, Bernhard
participants (5)
- Bernhard Held
- Kurt Seifried
- Markus Koellner
- Roman Drahtmueller
- Torsten Mueller