[gentoo-user] firewall make.conf settings

[gentoo-user] firewall make.conf settings

[James]

Hello,

I keep driving to make the size of the (gentoo) firewall as small(fast) as
posible to run on minimal resources. I have a mixture of old pentiums and
 amd (k6) machines. I'd like to have one make.conf file for all the systems.

Anybody see anything wrong (not optimized) with these settings?


CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j2"
USE=" -* hardened acl ssl crypt nptl nptlonly"

Will -march=i586 work well with the amd k6 arch?
-fomit-frame-pointer (as no debugging wil)l occur on said machines)


Any comments on the USE flags?  (a better way to minimize the installed
packages (which is vim and iptables and sshd)



James

-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] firewall make.conf settings

[Ricardo Saffi Marques]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: TEXT/PLAIN; charset=X-UNKNOWN; format=flowed, Size: 1191 bytes --]

On Thu, 24 Jan 2008, James wrote:

> Hello,
>
> I keep driving to make the size of the (gentoo) firewall as small(fast) as
> posible to run on minimal resources. I have a mixture of old pentiums and
> amd (k6) machines. I'd like to have one make.conf file for all the systems.
>
> Anybody see anything wrong (not optimized) with these settings?
>
>
> CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> CHOST="i586-pc-linux-gnu"
> CXXFLAGS="${CFLAGS}"
> MAKEOPTS="-j2"
> USE=" -* hardened acl ssl crypt nptl nptlonly"
>
> Will -march=i586 work well with the amd k6 arch?
> -fomit-frame-pointer (as no debugging wil)l occur on said machines)
>
>
> Any comments on the USE flags?  (a better way to minimize the installed
> packages (which is vim and iptables and sshd)
>
>
>
> James
>
> -- 
> gentoo-user@lists.gentoo.org mailing list
>

Don't forget denyhosts and I'd also use metalog instead of syslog-ng.

Regards,

Saffi

--
Ricardo Saffi Marques
Laboratório de Administração e Segurança de Sistemas (LAS/IC)
Universidade Estadual de Campinas (UNICAMP)
Cell: +55 (19) 8128-0435
Skype: ricardo_saffi_marques
Website: http://www.rsaffi.com

Re: [gentoo-user] firewall make.conf settings

[tecnic5]

James <wireless@tampabay.rr.com>
Enviado por: news <news@ger.gmane.org>
24/01/2008 15:59
Por favor, responda a gentoo-user
 
        Para:   gentoo-user@lists.gentoo.org
        cc: 
        Asunto: [gentoo-user] firewall make.conf settings

Hello,

I keep driving to make the size of the (gentoo) firewall as small(fast) as
posible to run on minimal resources. I have a mixture of old pentiums and
 amd (k6) machines. I'd like to have one make.conf file for all the 
systems.

Anybody see anything wrong (not optimized) with these settings?


CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j2"
USE=" -* hardened acl ssl crypt nptl nptlonly"

Will -march=i586 work well with the amd k6 arch?
-fomit-frame-pointer (as no debugging wil)l occur on said machines)


Any comments on the USE flags?  (a better way to minimize the installed
packages (which is vim and iptables and sshd)


James

-- 
gentoo-user@lists.gentoo.org mailing list



If you'd like to use the same make.conf for different machines you should 
make sure they all have same processors or, at least, same family of 
processors; in your case, I recommend using -mcpu instead of -march. Keep 
in mind that K6 processors have their own -marc=k6 and might not be 
comptable with -march=i586. More in /etc/make.conf.example.

About USE flags, I recommend using "-va" options on every merge, check 
wich USE flags are enabled or disabled for each package and dinamicaly 
make your USE variable up.


HTH,
Abraham Marín Pérez <tecnic5@silvanoc.com>
--
gentoo-user@lists.gentoo.org mailing list

[gentoo-user] Re: firewall make.conf settings

[James]

Ricardo Saffi Marques <saffi <at> las.ic.unicamp.br> writes:


> Don't forget denyhosts and I'd also use metalog instead of syslog-ng.

Hmmm,

So you are suggesting to run 'denyhosts' directly on the firewall ?

portage has version 0.8-r1 but I see version 2.6 for download.....

Which version do you use? If newer than 0.8-rc1 How did you install it 
(overlay, compile sources) ?

How much cpu/ram resources does denyhosts use, during an active
attack? (guesstimate is ok)?


On logging, I'm not sure how I want to handle this on old hardware
with limited disk space. NO doubt I'll just stream it somewhere, but
you have to be careful not to use too much processor/ram/resources
on these old firewalls, so I may just set something up and have the
ability to turn logging on/off depending on needs. It get's more complicated
if it's just a remote firewall I manage for a friend.....
They would not know what to do, no matter what application
it's plugged into for analysis.......

(gotta think about the logging/analysis issue some more)....


James




-- 
gentoo-user@lists.gentoo.org mailing list

[gentoo-user] Re: firewall make.conf settings

[James]

 <tecnic5 <at> silvanoc.com> writes:

>If you'd like to use the same make.conf for different machines you should 
>make sure they all have same processors or, at least, same family of >
>processors; in your case, I recommend using -mcpu instead of -march. Keep 
>in mind that K6 processors have their own -marc=k6 and might not be 
>comptable with -march=i586. More in /etc/make.conf.example.


Good point:

-mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

changed to:
CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"  
or
CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

<????? Remember I want one set of binaries for both k6 and old pentiums>




-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Re: firewall make.conf settings

[tecnic5]

James <wireless@tampabay.rr.com>
Enviado por: news <news@ger.gmane.org>
24/01/2008 17:00
Por favor, responda a gentoo-user
 
        Para:   gentoo-user@lists.gentoo.org
        cc: 
        Asunto: [gentoo-user] Re: firewall make.conf settings

 <tecnic5 <at> silvanoc.com> writes:

>If you'd like to use the same make.conf for different machines you should 

>make sure they all have same processors or, at least, same family of >
>processors; in your case, I recommend using -mcpu instead of -march. Keep 

>in mind that K6 processors have their own -marc=k6 and might not be 
>comptable with -march=i586. More in /etc/make.conf.example.


Good point:

-mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

changed to:
CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer" 
or
CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

<????? Remember I want one set of binaries for both k6 and old pentiums>




-- 
gentoo-user@lists.gentoo.org mailing list


You're right, make it -mtune ;-). On the other hand, and according to 
Gentoo GCC optimization guide[1], both -mtune and -mcpu only take effect 
if there is no -march available, so I guess the later takes preference 
over the former. I'd use the first option of CFLAGS, hence.

[1] http://www.gentoo.org/doc/en/gcc-optimization.xml#doc_chap2

HTH,
Abraham Marín
--
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Re: firewall make.conf settings

[Hemmann, Volker Armin]

On Donnerstag, 24. Januar 2008, tecnic5@silvanoc.com wrote:
> James <wireless@tampabay.rr.com>
> Enviado por: news <news@ger.gmane.org>
> 24/01/2008 17:00
> Por favor, responda a gentoo-user
>
>         Para:   gentoo-user@lists.gentoo.org
>         cc:
>         Asunto: [gentoo-user] Re: firewall make.conf settings
>
>  <tecnic5 <at> silvanoc.com> writes:
> >If you'd like to use the same make.conf for different machines you should
> >
> >make sure they all have same processors or, at least, same family of >
> >processors; in your case, I recommend using -mcpu instead of -march. Keep
> >
> >in mind that K6 processors have their own -marc=k6 and might not be
> >comptable with -march=i586. More in /etc/make.conf.example.
>
> Good point:
>
> -mcpu is deprecated, according to the examples file as of gcc 3.4, SO:
>
> CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> CHOST="i586-pc-linux-gnu"
>
> changed to:
> CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"
> or
> CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"
>

sure about that? doesn't march include everything mtune would do?

-- 
gentoo-user@lists.gentoo.org mailing list

[gentoo-user] Re: firewall make.conf settings

[James]

Hemmann, Volker Armin <volker.armin.hemmann <at> tu-clausthal.de> writes:


> > -mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

> > CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> > CHOST="i586-pc-linux-gnu"

> > changed to:
> > CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"
> > or
> > CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

> sure about that? doesn't march include everything mtune would do?


No, I'm not sure. The more I read the more I see different opinions!
That's why I'm asking. Remember the goals are:
1) keep executible (binaries) as small as possible
2) use one make.conf on a master system to generate binaries
for most old pentiums and the K6(amd) systems....

My gut tells me that 

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

is the best choice in this cause. However, my 'gut' is more focused
on the 'kiss' principal:  (kiss whoever does the cooking and cleans
the dishes)........ aka keep it simple.

???




-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Re: firewall make.conf settings

[Hemmann, Volker Armin]

On Donnerstag, 24. Januar 2008, James wrote:
> Hemmann, Volker Armin <volker.armin.hemmann <at> tu-clausthal.de> writes:
> > > -mcpu is deprecated, according to the examples file as of gcc 3.4, SO:
> > >
> > > CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> > > CHOST="i586-pc-linux-gnu"
> > >
> > > changed to:
> > > CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"
> > > or
> > > CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"
> >
> > sure about that? doesn't march include everything mtune would do?
>
> No, I'm not sure. The more I read the more I see different opinions!
> That's why I'm asking. Remember the goals are:
> 1) keep executible (binaries) as small as possible
> 2) use one make.conf on a master system to generate binaries
> for most old pentiums and the K6(amd) systems....
>
> My gut tells me that
>
> CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> CHOST="i586-pc-linux-gnu"
>
> is the best choice in this cause. However, my 'gut' is more focused
> on the 'kiss' principal:  (kiss whoever does the cooking and cleans
> the dishes)........ aka keep it simple.

well, I like your line ;)
-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Re: firewall make.conf settings

[tecnic5]

"Hemmann, Volker Armin" <volker.armin.hemmann@tu-clausthal.de>
24/01/2008 20:39
Por favor, responda a gentoo-user
 
        Para:   gentoo-user@lists.gentoo.org
        cc: 
        Asunto: Re: [gentoo-user] Re: firewall make.conf settings

On Donnerstag, 24. Januar 2008, James wrote:
> Hemmann, Volker Armin <volker.armin.hemmann <at> tu-clausthal.de> 
writes:
> > > -mcpu is deprecated, according to the examples file as of gcc 3.4, 
SO:
> > >
> > > CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> > > CHOST="i586-pc-linux-gnu"
> > >
> > > changed to:
> > > CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"
> > > or
> > > CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"
> >
> > sure about that? doesn't march include everything mtune would do?
>
> No, I'm not sure. The more I read the more I see different opinions!
> That's why I'm asking. Remember the goals are:
> 1) keep executible (binaries) as small as possible
> 2) use one make.conf on a master system to generate binaries
> for most old pentiums and the K6(amd) systems....
>
> My gut tells me that
>
> CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> CHOST="i586-pc-linux-gnu"
>
> is the best choice in this cause. However, my 'gut' is more focused
> on the 'kiss' principal:  (kiss whoever does the cooking and cleans
> the dishes)........ aka keep it simple.

well, I like your line ;)
-- 
gentoo-user@lists.gentoo.org mailing list


I like it too!!

-march is more specific than -mtune, that means that it takes profit of 
processor-specific instructions to increase performance, but breaking 
compatiblity with other processors as a side effect. Since you will be 
using the same code for different processors you don't want to be *that* 
specific, so you'll have to stick on the more general -march option.

That's my theory, however, there's some dark point: gcc guides usually 
state that the main difference between -march and -mtune is _backwards_ 
compatibility, but doesn't say anything about _family_ compatibility. 
Quoting Gentoo GCC Optimization guide:

>>
On x86 and x86-64 CPUs, -march will generate code specifically for that 
CPU using all its available instruction sets and the correct ABI; it will 
have no backwards compatibility for older/different CPUs. If you don't 
need to execute code on anything other than the system you're running 
Gentoo on, continue to use -march. You should only consider using -mtune 
when you need to generate code for older CPUs such as i386 and i486. 
-mtune produces more generic code than -march; though it will tune code 
for a certain CPU, it doesn't take into account available instruction sets 
and ABI. Don't use -mcpu on x86 or x86-64 systems, as it is deprecated for 
those arches. 
<<

So I guess it depends on how much time you have before your firewalls are 
production-ready. If you have plenty of time, I'd try -march out and see 
if no horrible crashes appear; if you don't want to play the 
crazy-lab-folk role, go for the safer -mtune.

My two cents :-).
Abraham

-- 
gentoo-user@lists.gentoo.org mailing list