* [gentoo-user] firewall make.conf settings
@ 2008-01-24 14:59 James
  2008-01-24 15:06 ` Ricardo Saffi Marques
  2008-01-24 15:19 ` [gentoo-user] " tecnic5
  0 siblings, 2 replies; 10+ messages in thread
From: James @ 2008-01-24 14:59 UTC
To: gentoo-user

Hello,

I keep driving to make the size of the (gentoo) firewall as small (fast) as
possible to run on minimal resources. I have a mixture of old pentiums and
amd (k6) machines. I'd like to have one make.conf file for all the systems.

Anybody see anything wrong (not optimized) with these settings?

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j2"
USE=" -* hardened acl ssl crypt nptl nptlonly"

Will -march=i586 work well with the amd k6 arch?
-fomit-frame-pointer (as no debugging will occur on said machines)

Any comments on the USE flags? (a better way to minimize the installed
packages (which is vim and iptables and sshd)

James

--
gentoo-user@lists.gentoo.org mailing list

* Re: [gentoo-user] firewall make.conf settings
  2008-01-24 14:59 [gentoo-user] firewall make.conf settings James
@ 2008-01-24 15:06 ` Ricardo Saffi Marques
  2008-01-24 15:29   ` [gentoo-user] " James
  2008-01-24 15:19 ` [gentoo-user] " tecnic5
  1 sibling, 1 reply; 10+ messages in thread
From: Ricardo Saffi Marques @ 2008-01-24 15:06 UTC
To: gentoo-user

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: TEXT/PLAIN; charset=X-UNKNOWN; format=flowed, Size: 1191 bytes --]

On Thu, 24 Jan 2008, James wrote:

> Hello,
>
> I keep driving to make the size of the (gentoo) firewall as small (fast) as
> possible to run on minimal resources. I have a mixture of old pentiums and
> amd (k6) machines. I'd like to have one make.conf file for all the systems.
>
> Anybody see anything wrong (not optimized) with these settings?
>
>
> CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> CHOST="i586-pc-linux-gnu"
> CXXFLAGS="${CFLAGS}"
> MAKEOPTS="-j2"
> USE=" -* hardened acl ssl crypt nptl nptlonly"
>
> Will -march=i586 work well with the amd k6 arch?
> -fomit-frame-pointer (as no debugging will occur on said machines)
>
>
> Any comments on the USE flags? (a better way to minimize the installed
> packages (which is vim and iptables and sshd)
>
>
>
> James
>
> --
> gentoo-user@lists.gentoo.org mailing list
>

Don't forget denyhosts and I'd also use metalog instead of syslog-ng.

Regards,

Saffi

--
Ricardo Saffi Marques
Laboratório de Administração e Segurança de Sistemas (LAS/IC)
Universidade Estadual de Campinas (UNICAMP)
Cell: +55 (19) 8128-0435
Skype: ricardo_saffi_marques
Website: http://www.rsaffi.com

* [gentoo-user] Re: firewall make.conf settings
  2008-01-24 15:06 ` Ricardo Saffi Marques
@ 2008-01-24 15:29   ` James
  0 siblings, 0 replies; 10+ messages in thread
From: James @ 2008-01-24 15:29 UTC
To: gentoo-user

Ricardo Saffi Marques <saffi <at> las.ic.unicamp.br> writes:

> Don't forget denyhosts and I'd also use metalog instead of syslog-ng.

Hmmm,
So you are suggesting to run 'denyhosts' directly on the firewall?

portage has version 0.8-r1 but I see version 2.6 for download.....

Which version do you use?
If newer than 0.8-rc1 How did you install it (overlay, compile sources)?

How much cpu/ram resources does denyhosts use, during an active attack?
(guesstimate is ok)?

On logging, I'm not sure how I want to handle this on old hardware with
limited disk space. NO doubt I'll just stream it somewhere, but you have
to be careful not to use too much processor/ram/resources on these old
firewalls, so I may just set something up and have the ability to turn
logging on/off depending on needs. It gets more complicated if it's just
a remote firewall I manage for a friend..... They would not know what to
do, no matter what application it's plugged into for analysis.......
(gotta think about the logging/analysis issue some more)....

James

* Re: [gentoo-user] firewall make.conf settings
  2008-01-24 14:59 [gentoo-user] firewall make.conf settings James
  2008-01-24 15:06 ` Ricardo Saffi Marques
@ 2008-01-24 15:19 ` tecnic5
  2008-01-24 16:00   ` [gentoo-user] " James
  1 sibling, 1 reply; 10+ messages in thread
From: tecnic5 @ 2008-01-24 15:19 UTC
To: gentoo-user

James <wireless@tampabay.rr.com>
Sent by: news <news@ger.gmane.org>
24/01/2008 15:59
Please respond to gentoo-user

To: gentoo-user@lists.gentoo.org
cc:
Subject: [gentoo-user] firewall make.conf settings

Hello,

I keep driving to make the size of the (gentoo) firewall as small (fast) as
possible to run on minimal resources. I have a mixture of old pentiums and
amd (k6) machines. I'd like to have one make.conf file for all the systems.

Anybody see anything wrong (not optimized) with these settings?

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j2"
USE=" -* hardened acl ssl crypt nptl nptlonly"

Will -march=i586 work well with the amd k6 arch?
-fomit-frame-pointer (as no debugging will occur on said machines)

Any comments on the USE flags? (a better way to minimize the installed
packages (which is vim and iptables and sshd)

James

--
gentoo-user@lists.gentoo.org mailing list

If you'd like to use the same make.conf for different machines you should
make sure they all have same processors or, at least, same family of
processors; in your case, I recommend using -mcpu instead of -march. Keep
in mind that K6 processors have their own -march=k6 and might not be
compatible with -march=i586. More in /etc/make.conf.example.

About USE flags, I recommend using "-va" options on every merge, check
which USE flags are enabled or disabled for each package and dynamically
make your USE variable up.

HTH,

Abraham Marín Pérez <tecnic5@silvanoc.com>

* [gentoo-user] Re: firewall make.conf settings
  2008-01-24 15:19 ` [gentoo-user] " tecnic5
@ 2008-01-24 16:00   ` James
  2008-01-24 16:27     ` tecnic5
  0 siblings, 1 reply; 10+ messages in thread
From: James @ 2008-01-24 16:00 UTC
To: gentoo-user

<tecnic5 <at> silvanoc.com> writes:

>If you'd like to use the same make.conf for different machines you should
>make sure they all have same processors or, at least, same family of
>processors; in your case, I recommend using -mcpu instead of -march. Keep
>in mind that K6 processors have their own -march=k6 and might not be
>compatible with -march=i586. More in /etc/make.conf.example.

Good point:

-mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

changed to:
CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"
or
CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

<????? Remember I want one set of binaries for both k6 and old pentiums>

* Re: [gentoo-user] Re: firewall make.conf settings
  2008-01-24 16:00   ` [gentoo-user] " James
@ 2008-01-24 16:27     ` tecnic5
  2008-01-24 17:24       ` Hemmann, Volker Armin
  0 siblings, 1 reply; 10+ messages in thread
From: tecnic5 @ 2008-01-24 16:27 UTC
To: gentoo-user

James <wireless@tampabay.rr.com>
Sent by: news <news@ger.gmane.org>
24/01/2008 17:00
Please respond to gentoo-user

To: gentoo-user@lists.gentoo.org
cc:
Subject: [gentoo-user] Re: firewall make.conf settings

<tecnic5 <at> silvanoc.com> writes:

>If you'd like to use the same make.conf for different machines you should
>make sure they all have same processors or, at least, same family of
>processors; in your case, I recommend using -mcpu instead of -march. Keep
>in mind that K6 processors have their own -march=k6 and might not be
>compatible with -march=i586. More in /etc/make.conf.example.

Good point:

-mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

changed to:
CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"
or
CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

<????? Remember I want one set of binaries for both k6 and old pentiums>

--
gentoo-user@lists.gentoo.org mailing list

You're right, make it -mtune ;-). On the other hand, and according to
Gentoo GCC optimization guide[1], both -mtune and -mcpu only take effect
if there is no -march available, so I guess the latter takes preference
over the former. I'd use the first option of CFLAGS, hence.

[1] http://www.gentoo.org/doc/en/gcc-optimization.xml#doc_chap2

HTH,

Abraham Marín

* Re: [gentoo-user] Re: firewall make.conf settings
  2008-01-24 16:27     ` tecnic5
@ 2008-01-24 17:24       ` Hemmann, Volker Armin
  2008-01-24 18:37         ` James
  0 siblings, 1 reply; 10+ messages in thread
From: Hemmann, Volker Armin @ 2008-01-24 17:24 UTC
To: gentoo-user

On Thursday, 24 January 2008, tecnic5@silvanoc.com wrote:
> James <wireless@tampabay.rr.com>
> Sent by: news <news@ger.gmane.org>
> 24/01/2008 17:00
> Please respond to gentoo-user
>
> To: gentoo-user@lists.gentoo.org
> cc:
> Subject: [gentoo-user] Re: firewall make.conf settings
>
> <tecnic5 <at> silvanoc.com> writes:
> >If you'd like to use the same make.conf for different machines you should
> >make sure they all have same processors or, at least, same family of
> >processors; in your case, I recommend using -mcpu instead of -march. Keep
> >in mind that K6 processors have their own -march=k6 and might not be
> >compatible with -march=i586. More in /etc/make.conf.example.
>
> Good point:
>
> -mcpu is deprecated, according to the examples file as of gcc 3.4, SO:
>
> CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> CHOST="i586-pc-linux-gnu"
>
> changed to:
> CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"
> or
> CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"
>

sure about that? doesn't march include everything mtune would do?

* [gentoo-user] Re: firewall make.conf settings
  2008-01-24 17:24       ` Hemmann, Volker Armin
@ 2008-01-24 18:37         ` James
  2008-01-24 19:39           ` Hemmann, Volker Armin
  0 siblings, 1 reply; 10+ messages in thread
From: James @ 2008-01-24 18:37 UTC
To: gentoo-user

Hemmann, Volker Armin <volker.armin.hemmann <at> tu-clausthal.de> writes:

> > -mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

> > CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> > CHOST="i586-pc-linux-gnu"

> > changed to:
> > CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"
> > or
> > CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

> sure about that? doesn't march include everything mtune would do?

No, I'm not sure. The more I read the more I see different opinions!
That's why I'm asking. Remember the goals are:
1) keep executable (binaries) as small as possible
2) use one make.conf on a master system to generate binaries
for most old pentiums and the K6 (amd) systems....

My gut tells me that

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

is the best choice in this case. However, my 'gut' is more focused
on the 'kiss' principle: (kiss whoever does the cooking and cleans
the dishes)........ aka keep it simple.

???

* Re: [gentoo-user] Re: firewall make.conf settings
  2008-01-24 18:37         ` James
@ 2008-01-24 19:39           ` Hemmann, Volker Armin
  2008-01-25  8:15             ` tecnic5
  0 siblings, 1 reply; 10+ messages in thread
From: Hemmann, Volker Armin @ 2008-01-24 19:39 UTC
To: gentoo-user

On Thursday, 24 January 2008, James wrote:
> Hemmann, Volker Armin <volker.armin.hemmann <at> tu-clausthal.de> writes:
> > > -mcpu is deprecated, according to the examples file as of gcc 3.4, SO:
> > >
> > > CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> > > CHOST="i586-pc-linux-gnu"
> > >
> > > changed to:
> > > CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"
> > > or
> > > CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"
> >
> > sure about that? doesn't march include everything mtune would do?
>
> No, I'm not sure. The more I read the more I see different opinions!
> That's why I'm asking. Remember the goals are:
> 1) keep executable (binaries) as small as possible
> 2) use one make.conf on a master system to generate binaries
> for most old pentiums and the K6 (amd) systems....
>
> My gut tells me that
>
> CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> CHOST="i586-pc-linux-gnu"
>
> is the best choice in this case. However, my 'gut' is more focused
> on the 'kiss' principle: (kiss whoever does the cooking and cleans
> the dishes)........ aka keep it simple.

well, I like your line ;)

* Re: [gentoo-user] Re: firewall make.conf settings
  2008-01-24 19:39           ` Hemmann, Volker Armin
@ 2008-01-25  8:15             ` tecnic5
  0 siblings, 0 replies; 10+ messages in thread
From: tecnic5 @ 2008-01-25 8:15 UTC
To: gentoo-user

"Hemmann, Volker Armin" <volker.armin.hemmann@tu-clausthal.de>
24/01/2008 20:39
Please respond to gentoo-user

To: gentoo-user@lists.gentoo.org
cc:
Subject: Re: [gentoo-user] Re: firewall make.conf settings

On Thursday, 24 January 2008, James wrote:
> Hemmann, Volker Armin <volker.armin.hemmann <at> tu-clausthal.de> writes:
> > > -mcpu is deprecated, according to the examples file as of gcc 3.4, SO:
> > >
> > > CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> > > CHOST="i586-pc-linux-gnu"
> > >
> > > changed to:
> > > CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"
> > > or
> > > CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"
> >
> > sure about that? doesn't march include everything mtune would do?
>
> No, I'm not sure. The more I read the more I see different opinions!
> That's why I'm asking. Remember the goals are:
> 1) keep executable (binaries) as small as possible
> 2) use one make.conf on a master system to generate binaries
> for most old pentiums and the K6 (amd) systems....
>
> My gut tells me that
>
> CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
> CHOST="i586-pc-linux-gnu"
>
> is the best choice in this case. However, my 'gut' is more focused
> on the 'kiss' principle: (kiss whoever does the cooking and cleans
> the dishes)........ aka keep it simple.

well, I like your line ;)

--
gentoo-user@lists.gentoo.org mailing list

I like it too!! -march is more specific than -mtune, that means that it
takes profit of processor-specific instructions to increase performance,
but breaking compatibility with other processors as a side effect. Since
you will be using the same code for different processors you don't want
to be *that* specific, so you'll have to stick on the more general -march
option.

That's my theory, however, there's some dark point: gcc guides usually
state that the main difference between -march and -mtune is _backwards_
compatibility, but doesn't say anything about _family_ compatibility.
Quoting Gentoo GCC Optimization guide:

>>
On x86 and x86-64 CPUs, -march will generate code specifically for that
CPU using all its available instruction sets and the correct ABI; it will
have no backwards compatibility for older/different CPUs. If you don't
need to execute code on anything other than the system you're running
Gentoo on, continue to use -march. You should only consider using -mtune
when you need to generate code for older CPUs such as i386 and i486.
-mtune produces more generic code than -march; though it will tune code
for a certain CPU, it doesn't take into account available instruction
sets and ABI. Don't use -mcpu on x86 or x86-64 systems, as it is
deprecated for those arches.
<<

So I guess it depends on how much time you have before your firewalls are
production-ready. If you have plenty of time, I'd try -march out and see
if no horrible crashes appear; if you don't want to play the
crazy-lab-folk role, go for the safer -mtune.

My two cents :-).

Abraham
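
Added example (not part of any message in this thread): choosing one -march value for a mix of Pentium and K6 boxes comes down to the instruction-set features all of them share. The script below intersects the `flags` line of each machine's /proc/cpuinfo and picks a conservative value; the host names, the flag lists and the coarse flag-to-`-march` mapping are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Intersect the CPU feature flags of every
# target box and choose a -march value that all of them can execute.

# Constructed sample input: "<host>: <flags from /proc/cpuinfo>", one per box.
sample_targets() {
cat <<'EOF'
fw-p54c: fpu vme de pse tsc msr mce cx8
fw-p55c: fpu vme de pse tsc msr mce cx8 mmx
fw-k6: fpu vme de pse tsc msr mce cx8 mmx
EOF
}

# Print, sorted on one line, the flags that appear on every input line.
common_flags() {
  awk -F': *' '
    NF < 2 { next }                      # skip blank or malformed lines
    {
      hosts++
      n = split($2, f, " ")
      for (i = 1; i <= n; i++) {
        key = hosts SUBSEP f[i]          # count each flag once per host
        if (!(key in dup)) { dup[key] = 1; seen[f[i]]++ }
      }
    }
    END { for (k in seen) if (seen[k] == hosts) print k }
  ' | LC_ALL=C sort | tr '\n' ' ' | sed 's/ *$//'
}

# Map the common flag set (read from stdin) to a conservative -march value.
# Assumption, per the GCC manual: i686 code may use CMOV, pentium-mmx and k6
# code may use MMX, and i586 needs neither.
pick_march() {
  read -r flags || true
  case " $flags " in
    *" cmov "*) echo i686 ;;
    *" mmx "*)  echo pentium-mmx ;;
    *)          echo i586 ;;
  esac
}

# The plain Pentium in the sample has no MMX, so the shared baseline is i586.
echo "CFLAGS=\"-Os -march=$(sample_targets | common_flags | pick_march) -pipe -fomit-frame-pointer\""
```

On real hardware, replace sample_targets with the collected `flags` lines of each firewall, one host per line.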