
Re: single module compile



On Sun, 06 Jul 2003, Shango Oluwa wrote:
> Following insight into the automatic route table entries by kernel
> 2.2.20 (thanks Bernd!) I have been advised to compile network
> interfaces on my firewall router as modules. This makes sense to me,
> as the cards can be ifup'ed and ifdown'ed on the fly, 

You can bring a network interface up or down on the fly regardless of
how it is compiled (static or modular), and it will be down until you
tell it otherwise no matter what you do.

> and additionally it is supposed to improve security vs. bad
> boys...(any comments regarding this?)

Sure. There is no difference to the _security_ of a system that uses
modules vs one that does not. Once someone has root access, as required
to load a module, they can write directly to a disk or to the system
memory without a problem.

Not having modules available /may/, but probably does not, make it
fractionally harder for someone incompetent to take over your box, but
provides no real protection at all.


That said, I prefer to use a fully static (no modules) kernel on my
firewall and dedicated machines. This is _not_ a security issue -- it's
a management issue.

With a fully static kernel, I can know that my drivers are all available
all the time without the need of a filesystem, set of tools and the like
to bring them up.

   Daniel

-- 
Real programmers can write assembly code in any language.   :-)  
        -- Larry Wall in <8571@jpl-devvax.JPL.NASA.GOV>
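An added check, not part of Daniel's post or anything else in this thread: the management argument above turns on whether a NIC's driver is built into the kernel or loaded as a module. On a 2.6+ kernel with sysfs the script below reports that per interface, and also whether the running kernel supports modules at all (/proc/modules) and whether further loading has been switched off through kernel.modules_disabled (Linux 2.6.31+). The thread is about 2.2.20, which has neither sysfs nor that sysctl, so the sysfs layout and the sysctl path are assumptions for newer kernels; the paths are parameters so the functions can be pointed at a constructed tree.

```sh
#!/bin/sh
# Added example (not from the thread): audit NIC drivers and module-loading state.
# Assumes a 2.6+ Linux kernel with sysfs mounted at /sys (assumption; 2.2.x has no sysfs).

# Classify one interface directory (e.g. /sys/class/net/eth0).
# Prints "virtual" (no backing device, e.g. lo), "module" (driver has a
# sysfs module link), "builtin" (driver bound, no module link) or "unknown".
nic_driver_kind() {
    dir="$1"
    if [ ! -e "$dir/device" ]; then
        echo virtual
    elif [ -e "$dir/device/driver/module" ]; then
        echo module
    elif [ -e "$dir/device/driver" ]; then
        echo builtin
    else
        echo unknown
    fi
}

# Module support and loading state.
# $1: path to /proc/modules (present only when the kernel has module support)
# $2: path to the kernel.modules_disabled sysctl (Linux 2.6.31+; reads 1 once
#     loading has been switched off until reboot)
# Prints "no-modules", "disabled" or "enabled".
module_loading_status() {
    procmods="${1:-/proc/modules}"
    sysctl="${2:-/proc/sys/kernel/modules_disabled}"
    if [ ! -e "$procmods" ]; then
        echo no-modules
    elif [ -r "$sysctl" ] && [ "$(cat "$sysctl")" = "1" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Report for every interface under $1 (default /sys/class/net).
report() {
    base="${1:-/sys/class/net}"
    for d in "$base"/*; do
        [ -d "$d" ] || continue
        printf '%s\t%s\n' "$(basename "$d")" "$(nic_driver_kind "$d")"
    done
    printf 'module loading: %s\n' \
        "$(module_loading_status "${2:-/proc/modules}" "${3:-/proc/sys/kernel/modules_disabled}")"
}
```

Run `report` as root on the firewall to see which NIC drivers depend on /lib/modules and the module tools being reachable at boot, which is the availability point made above; a "no-modules" result means the kernel was built fully static.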


