Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] optimal kernel config for firewall gateway ?
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Thu, 10 Jan 2002 14:59:17 +0100 (MET)
  • Message-id: <Pine.LNX.4.43.0201101451470.15825-100000@xxxxxxxxxxxx>
> Hi list,
> Some days ago I had a discussion on configuring the optimal kernel for a
> firewall gateway.
> I know this is a never-ending story, but I have a small question out of it:
> Does it matter how big the kernel is for the speed of the packet flow?
> I mean, is it better to have a small kernel without all the optional things
> like sound cards etc.,
> or is it equal because it doesn't have a negative effect on the
> performance of the firewall?
> I know that you always hear about small kernels without modules and just
> the options enabled
> which you really need, but my friend said this is all because of security
> and not performance.
> Is this right?

Negative. All of this used to be right not too long ago, but since 2.2
times it is a bit different, mostly because the machines are bigger (RAM)
and faster while the memory used by the kernel is nearly the same. As long
as no sound card is initialized and no sound kernel module is loaded, the
driver doesn't consume any resources (apart from the disk space for the
kernel module). Basically the same is valid for SCSI host adapters and
other stuff. The memory consumed by kernel code will remain the same.

The latest Phrack magazine describes ways to change kernel code without
needing to load modules, or even without the possibility of loading a
kernel module in the first place. The method uses /dev/kmem. As a
consequence, all argumentation about more security because kernel modules
can't be loaded is obsolete.

> I feel that a small kernel is not just more secure but also has more
> performance. Is this right ?

It shouldn't, no. One of the first things that I did after a fresh SuSE
installation was to configure and compile the latest kernel, for just the
reasons that you listed. In the meantime, and with machines with 128 MB RAM
instead of 32, I don't see a reason to do this any more; I just use the
RPM that comes with SuSE. In addition to more drivers, the SuSE kernel even
has some bugfixes that haven't made their way into the standard kernel yet
(some of the core kernel people work for SuSE).

After all, the decision about which kernel to use is up to personal taste.

> Bye
> Markus

--
| Roman Drahtmüller <draht@xxxxxxx>      // "You don't need eyes to see, |
| SuSE GmbH - Security   Phone:          // you need vision!"            |
| Nürnberg, Germany      +49-911-740530  // Maxi Jazz, Faithless         |
--
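As an added example (not part of this mail, nor SuSE's own tooling), here is a small POSIX shell script that checks the two points made above on a running box: it totals the memory of the modules actually loaded, as reported by /proc/modules, lists only a driver family such as the snd_* sound modules, and reports whether /dev/kmem exists and whether module loading has been locked for the rest of this boot via the kernel.modules_disabled sysctl (a later, one-way switch that did not exist on 2.2/2.4 kernels). The sample /proc/modules lines are constructed; sizes and addresses are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail. Sums the memory occupied by
# loaded modules (second column of /proc/modules, in bytes) and filters for
# a driver family, so you can verify that an unloaded driver costs nothing
# at runtime. Run with --live to read the real /proc/modules; otherwise the
# constructed sample below is used.

# Constructed sample in /proc/modules format: name size refcount deps state addr
# (module names are real, sizes and addresses are made up for illustration)
SAMPLE_MODULES='snd_intel8x0 36864 0 - Live 0xffffffffa0000000
snd_ac97_codec 131072 1 snd_intel8x0, Live 0xffffffffa0010000
iptable_filter 16384 1 - Live 0xffffffffa0030000
ip_tables 28672 1 iptable_filter, Live 0xffffffffa0040000'

# Total bytes of all modules listed on stdin.
sum_module_bytes() {
    awk '{ total += $2 } END { printf "%d\n", total + 0 }'
}

# Modules on stdin whose name matches the regex in $1, printed as "name size".
modules_matching() {
    awk -v pat="$1" '$1 ~ pat { printf "%s %d\n", $1, $2 }'
}

# Does this kernel still expose /dev/kmem, the interface the mail refers to?
# Mainline removed it in 5.13; earlier kernels can drop it with CONFIG_DEVKMEM=n.
kmem_status() {
    if [ -c /dev/kmem ]; then echo "present"; else echo "absent"; fi
}

# Has module loading been locked down for the rest of this boot?
# kernel.modules_disabled=1 cannot be reset; "unknown" on kernels without it.
modules_disabled_status() {
    cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo "unknown"
}

if [ "${1:-}" = "--live" ]; then
    echo "loaded module memory (bytes): $(sum_module_bytes < /proc/modules)"
    echo "sound drivers loaded:"
    modules_matching '^snd_' < /proc/modules
else
    echo "sample total (bytes): $(printf '%s\n' "$SAMPLE_MODULES" | sum_module_bytes)"
    echo "sample sound modules:"
    printf '%s\n' "$SAMPLE_MODULES" | modules_matching '^snd_'
fi
echo "/dev/kmem: $(kmem_status)  modules_disabled: $(modules_disabled_status)"
```

On the constructed sample the two snd_* modules account for 167936 of the 212992 bytes; on a firewall that never loaded them, that memory simply is not spent, which is the point of the reply above. The last line is the caveat: if /dev/kmem is present and module loading is not locked, "no modules" buys little by itself.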
