iptables. 32 or 64?

kitepilot at kitepilot.com kitepilot at kitepilot.com
Mon Jul 23 12:35:18 MST 2012


I created a maintenance system for LFS that allows me to install specific 
configurations in what I call Debug/Development/Production. 

"Production" only has strictly necessary software (compiler not being one of 
them) 

I can actually instantiate a full-blown, fully functional LFS box in about 20 
minutes.  And I can upgrade packages!   :) 

And yes, compilers are bad...
ET 

 

Eric Shubert writes: 

> On 07/22/2012 04:04 AM, kitepilot at kitepilot.com wrote:
>> Hello World:
>> I run my firewall on a LFS box.
>> Everything on it is compiled from source.
>> No bells and whistles, only the essential software is installed.
>> The hardware is 64 bits but I've been running 32 bit OS.
>> This time around I am wondering...
>> The question is:
>> Is there any advantage to compiling the whole iptables enchilada in 64
>> bits?
>> Should it be avoided?
>> Please note that the 'normal' rules like 'more than 4GB and/or
>> 32-bit-adobe' do not apply here, what I am looking for is whether
>> filtering/marking will be faster/slower and (if known) why.
>> Any ideas?
>> Tnx
>> ET
> 
> I trust Joseph's answers to just about everything, including this. 
> 
> On a side note, I'd like to point out that having a compiler on a security 
> device such as a firewall (or any linux host for that matter) is a bit of 
> a security risk, as some malware relies on being able to compile the code 
> on the compromised host. So if your intention by using LFS is to make your 
> firewall more secure, you might be coming up short if you're building the 
> software on the firewall host itself. Personally, I use IPCop, which is 
> (also) LFS based. 
> 
> -- 
> -Eric 'shubes' 
> 
>  
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
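Eric's point above is about build toolchains on a firewall host. The script below is an added example, not code from this thread or from LFS or IPCop; it is a small POSIX sh audit that walks a colon-separated directory list (by default `$PATH`) and reports any executable that matches a list of common compiler and build-tool names. The name list, the function names (`find_toolchains`, `count_toolchains`, `report_toolchains`) and the `AUDIT_PATH` variable are my own assumptions; extend the name list for your environment.

```shell
#!/bin/sh
# Added example: audit a host for build toolchains that a "production"
# firewall box is expected not to carry. Not from the mailing-list thread.

# Toolchain command names to look for (assumed list; extend as needed).
TOOLCHAIN_NAMES="gcc cc g++ c++ clang tcc as ld make cmake"

# find_toolchains PATHLIST
#   Prints "name /full/path" for every toolchain binary found in the
#   colon-separated PATHLIST (defaults to $PATH). Only regular,
#   executable files count; a directory or a non-executable file named
#   "gcc" is ignored.
find_toolchains() {
    pathlist="${1:-$PATH}"
    # Split on ':' via a pipe so the script's global IFS is untouched.
    printf '%s\n' "$pathlist" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] && [ -d "$dir" ] || continue
        for name in $TOOLCHAIN_NAMES; do
            if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                printf '%s %s\n' "$name" "$dir/$name"
            fi
        done
    done
}

# count_toolchains PATHLIST
#   Prints the number of toolchain binaries found (0 when the host is clean).
count_toolchains() {
    find_toolchains "$1" | wc -l | tr -d ' '
}

# report_toolchains PATHLIST
#   Human-readable summary; returns 1 when any toolchain is present so the
#   script can be used as a compliance check (e.g. from cron or a CI job).
report_toolchains() {
    found=$(count_toolchains "$1")
    if [ "$found" -eq 0 ]; then
        echo "OK: no build toolchain found in ${1:-$PATH}"
        return 0
    fi
    echo "WARNING: $found toolchain binaries present:"
    find_toolchains "$1" | sed 's/^/  /'
    return 1
}

# Run the report against AUDIT_PATH if set, otherwise against $PATH.
report_toolchains "${AUDIT_PATH:-$PATH}"
```

Usage: `sh audit-toolchain.sh` on the host, or `AUDIT_PATH=/usr/bin:/usr/local/bin sh audit-toolchain.sh` to restrict the search. The exit status of `report_toolchains` makes it easy to fail a build or send an alert when a compiler turns up on a box that is supposed to be production-only.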

