Recompiling the kernel
Introduction to this web page

This page is about recompiling the kernel so that the kernel running on the firewall is matched to the function of the firewall. A firewall is about packet filtering, so it does not need a kernel that can support numerous different kinds of applications. By removing the extra functionality from the kernel, the kernel should be able to perform the task of packet filtering more efficiently. Another change that can be made to the kernel is to reduce the number of modules it needs to load, by building some of the module functionality into the kernel itself.
Recompiling the kernel

For information on how to recompile a kernel in Red Hat Linux 9, read the page on Recompiling the kernel in Red Hat Linux 9.
The changes

All the changes to be made to the kernel are initiated by changing the .config file. I used xconfig for this, and all the section descriptions below refer to the way sections are described in xconfig; the section descriptions may be different in menuconfig. The following sections were removed :-
The following items were changed by setting all the sub-items to be built into the kernel, instead of being compiled as modules :-
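The two kinds of .config change described above (removing a section, and turning a section's modules into built-ins) are shown here as an added example, not code from the original page. The .config fragment is constructed for the example, and the edited result must still be passed through make oldconfig so that the kernel build resolves any dependencies the edit affects.

```shell
#!/bin/sh
# Constructed sample .config fragment (not from the page):
# "=m" marks a module, "=y" a built-in, "# ... is not set" a disabled option.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
# CONFIG_IP_NF_ARPTABLES is not set
CONFIG_SOUND=m
CONFIG_USB=y'

# List the options under a prefix that are still built as modules (=m).
# $1 = option prefix, stdin = .config text
list_modules() {
    grep "^$1[A-Z0-9_]*=m\$" | sed 's/=m$//'
}

# Rewrite every option under a prefix from module (=m) to built-in (=y),
# which is the "built into the kernel instead of modules" change.
# $1 = option prefix, stdin = .config text, stdout = rewritten .config
builtin_prefix() {
    sed "s/^\($1[A-Z0-9_]*\)=m\$/\1=y/"
}

# Disable every option under a prefix, whether module or built-in,
# which is the "section removed" change.
# $1 = option prefix, stdin = .config text, stdout = rewritten .config
disable_prefix() {
    sed "s/^\($1[A-Z0-9_]*\)=[my]\$/# \1 is not set/"
}

# Count options in one state (m = module, y = built-in, n = not set),
# useful for a before/after summary of a rewritten .config.
# $1 = m|y|n, stdin = .config text
count_state() {
    case "$1" in
        m) grep -c '=m$' || true ;;
        y) grep -c '=y$' || true ;;
        n) grep -c ' is not set$' || true ;;
    esac
}
```

Run the rewriters on a copy of the real .config (for example `builtin_prefix CONFIG_IP_NF_ < .config > .config.new`), then compare the counts before and after to confirm only the intended options moved.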
Results

Once installed and running on a PC in a lab environment, this new kernel did appear to result in a faster transfer time through the firewall. It still has to be ported to a firewall running in a production environment.
Other changes

It is fairly certain that more sections of the original kernel could be taken out, but this is probably a law of diminishing returns - more and more investigation, with fewer and fewer sections that can be removed. Also, it is likely that other sections could be converted from modules to integration within the kernel - any modules that are part of the packet transfer route, for example the network card drivers. A more sensible approach at this point would probably be to look at importing later kernels and later versions of iptables.
© 2004 Ron Turner