Hi list, some days ago I had a discussion on configuring the optimal kernel for a firewall gateway. I know this is a never-ending story, but I have a small question out of it:
Does it matter how big the kernel is for the speed of the packet flow? I mean, is it better to have a small kernel without all the optional things like sound card etc., or is it equal because it doesn't have any negative effect on the performance of the firewall?
I know that you always hear about small kernels without modules and just the options enabled which you really need, but my friend said this is all because of security and not performance. Is this right?
Negative. All of this used to be right not too long ago, but since 2.2 times it is a bit different, mostly because the machines are bigger (RAM) and faster but the kernel-used memory is nearly the same. As long as no sound card is initialized and no sound kernel module is loaded, the driver doesn't consume any resources (apart from the disk space for the kernel module). Basically the same is valid for SCSI host adapters and other stuff. The memory consumed by kernel code will remain the same. The latest Phrack magazine describes ways to change kernel code without the need of loading modules or the possibility of loading a kernel module in the first place. The method uses /dev/kmem. As a consequence, all argumentation about more security because kernel modules can't be loaded is obsolete.
I feel that a small kernel is not just more secure but also has more performance. Is this right?
It shouldn't, no. One of the first things that I did after a fresh SuSE installation was to configure and compile the latest kernel, for just the reasons that you listed. In the meantime, and with machines with 128 MB RAM instead of 32, I don't see the reason any more to do this; I just use the RPM that comes with SuSE. In addition to more drivers, the SuSE kernel even has some bugfixes that didn't make their way to the standard kernel yet (some of the core kernel people work for SuSE). After all, the decision about which kernel to use is up to personal taste.
Bye Markus
Thanks,
Roman.
--
| Roman Drahtmüller
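A small audit script, added here as an example and not part of either poster's message, that checks the three things the reply rests on: how much RAM the running kernel actually holds (which does not grow because unused drivers exist as modules on disk), which modules are really loaded, and whether /dev/kmem is exposed at all. It assumes the usual /proc/meminfo and /proc/modules layouts; the file paths are parameters so it can also be run against saved copies.

```shell
#!/bin/sh
# Added example (not from the thread). Audits kernel memory footprint,
# loaded modules and the /dev/kmem write path discussed in the reply.
# All paths are parameters so the functions work on saved /proc copies too.

# Sum the memory the kernel itself holds, in kB, from a /proc/meminfo file.
# Slab + KernelStack + PageTables + VmallocUsed is used as the proxy here
# (an assumption about which lines matter); the total does not depend on
# how many drivers are built as modules but never loaded.
kernel_mem_kb() {
    awk '/^(Slab|KernelStack|PageTables|VmallocUsed):/ { s += $2 } END { print s + 0 }' "$1"
}

# Print the names of loaded modules from a /proc/modules file (first field).
loaded_modules() {
    awk '{ print $1 }' "$1"
}

# Return 0 if a loaded module name matches the pattern (e.g. '^snd_'),
# i.e. that driver is resident and does consume memory; 1 otherwise.
module_loaded() {
    loaded_modules "$1" | grep -q -- "$2"
}

# Return 0 if a kmem character device exists under the given dev directory.
# Without it the in-kernel patching route the reply mentions is closed;
# kernels that support CONFIG_DEVKMEM can omit the device at build time.
kmem_exposed() {
    [ -c "$1/kmem" ]
}

# Live report against the running system, only where /proc is readable.
if [ -r /proc/meminfo ] && [ -r /proc/modules ]; then
    echo "kernel-held memory: $(kernel_mem_kb /proc/meminfo) kB"
    echo "loaded modules: $(loaded_modules /proc/modules | wc -l | tr -d ' ')"
    if module_loaded /proc/modules '^snd_'; then
        echo "sound driver: loaded (consumes memory)"
    else
        echo "sound driver: not loaded (costs only disk space)"
    fi
    if kmem_exposed /dev; then echo "/dev/kmem: present"; else echo "/dev/kmem: absent"; fi
fi
```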