Recompiling the kernel

Introduction to this web page

This page is about recompiling the kernel, in order to have a kernel in the firewall that is matched to the function of the firewall.

A firewall is about packet filtering, so it doesn't need a kernel that can support numerous different kinds of applications.

By removing the extra functionality from the kernel, the kernel should be able to perform the task of packet filtering more efficiently.

Another change that can be made to the kernel is to reduce the number of modules it needs to use, by building some of the module functionality into the kernel itself.

Recompiling the kernel

For information on how to recompile a kernel in Red Hat Linux 9, read the page on Recompiling the kernel in Red Hat Linux 9.

The changes

All the changes to the kernel are made by editing the .config file. I used xconfig for this, and all the section descriptions below refer to the way sections are named in xconfig; they may be named differently in menuconfig.

The following sections were removed:

  • Code Maturity level options / Prompt for development ...

  • Processor type and function / Toshiba laptop support

  • Processor type and function / Dell laptop support

  • General setup / PCMCIA support

  • Multi-device support (RAID and LVM)

  • Networking options / IP: multicasting

  • Networking options / IPX

  • Networking options / Appletalk

  • Networking options / DECnet

  • SCSI support

  • I2O support

  • Network Device support / Wireless LAN (non-hamradio)

  • Network Device support / Token Ring

  • Network Device support / Fibre channel driver support

  • Network Device support / WAN interfaces support

  • Amateur radio support

  • IrDA support

  • ISDN support

  • Sound card support

  • Bluetooth support

The following items were changed by setting all the sub-items to be built into the kernel instead of being compiled as modules:

  • Networking options / IP:netfilter configuration
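As an added example (not part of the original page), a small shell script that audits a kernel .config for the two kinds of change listed above: subsystems that should no longer be enabled at all, and netfilter options that should be built in (=y) rather than left as modules (=m). The CONFIG_* symbol names are my assumed mapping of the xconfig labels to the 2.4-era Kconfig symbols, and the sample .config fragment is constructed.

```shell
#!/bin/sh
# Audit a kernel .config against the changes described on this page:
# (1) subsystems that should be absent, (2) netfilter options that should
# be built in (=y) rather than modules (=m). Usage: audit_config <path>
# The CONFIG_* symbols below are assumed mappings of the xconfig labels.

# Subsystems the page removes; any of these set to y or m is flagged.
REMOVED="CONFIG_PCMCIA CONFIG_MD CONFIG_IP_MULTICAST CONFIG_IPX CONFIG_ATALK \
CONFIG_DECNET CONFIG_SCSI CONFIG_I2O CONFIG_TR CONFIG_WAN CONFIG_HAMRADIO \
CONFIG_IRDA CONFIG_ISDN CONFIG_SOUND"

# Netfilter options the page builds into the kernel; =m is flagged.
BUILTIN="CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT"

# Print one line per problem and return the number of problems found
# (0 means the .config matches the page's recommendations).
audit_config() {
    cfg="$1"
    problems=0
    for sym in $REMOVED; do
        if grep -q "^${sym}=[ym]$" "$cfg"; then
            echo "still enabled: $sym"
            problems=$((problems + 1))
        fi
    done
    for sym in $BUILTIN; do
        if grep -q "^${sym}=m$" "$cfg"; then
            echo "still a module: $sym"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed sample .config fragment: netfilter only partly built in,
# and IPX left in as a module.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
# CONFIG_PCMCIA is not set
CONFIG_IPX=m
# CONFIG_SCSI is not set
EOF

audit_config "$SAMPLE_CFG" || echo "problems found: $?"
```

Run it against /usr/src/linux/.config (or wherever the tree lives) before building; a clean run prints nothing and exits 0.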

Results

Once installed and running on a PC in a lab environment, this new kernel did appear to give a faster transfer time through the firewall. It has still to be ported to a firewall running in a production environment.

Other changes

It is fairly certain that more sections of the original kernel could be taken out, but this is probably a case of diminishing returns: more and more investigation, with fewer and fewer sections that can be removed.

Also, it is likely that other sections could be converted from modules to being built into the kernel: any modules that are on the packet transfer path, for example the network card drivers.

A more sensible approach at this point would probably be to look at importing later kernels and later versions of iptables.

© 2004 Ron Turner