Re: [gentoo-user] Re: firewall make.conf settings
Hemmann, Volker Armin [EMAIL PROTECTED]
24/01/2008 20:39
Please respond to gentoo-user
To: gentoo-user@lists.gentoo.org
cc:
Subject: Re: [gentoo-user] Re: firewall make.conf settings

On Thursday, 24 January 2008, James wrote:

Hemmann, Volker Armin volker.armin.hemmann at tu-clausthal.de writes:

-mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

changed to:

CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"

or

CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

sure about that? doesn't march include everything mtune would do?

No, I'm not sure. The more I read the more I see different opinions! That's why I'm asking. Remember the goals are:

1) keep executable (binaries) as small as possible
2) use one make.conf on a master system to generate binaries for most old pentiums and the K6(amd) systems

My gut tells me that

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

is the best choice in this case. However, my 'gut' is more focused on the 'kiss' principle: (kiss whoever does the cooking and cleans the dishes) aka keep it simple.

well, I like your line ;)

-- gentoo-user@lists.gentoo.org mailing list

I like it too!!

-march is more specific than -mtune, that means that it takes profit of processor-specific instructions to increase performance, but breaking compatibility with other processors as a side effect. Since you will be using the same code for different processors you don't want to be *that* specific, so you'll have to stick on the more general -march option.

That's my theory, however, there's some dark point: gcc guides usually state that the main difference between -march and -mtune is _backwards_ compatibility, but don't say anything about _family_ compatibility.
Quoting Gentoo GCC Optimization guide:

On x86 and x86-64 CPUs, -march will generate code specifically for that CPU using all its available instruction sets and the correct ABI; it will have no backwards compatibility for older/different CPUs. If you don't need to execute code on anything other than the system you're running Gentoo on, continue to use -march. You should only consider using -mtune when you need to generate code for older CPUs such as i386 and i486. -mtune produces more generic code than -march; though it will tune code for a certain CPU, it doesn't take into account available instruction sets and ABI. Don't use -mcpu on x86 or x86-64 systems, as it is deprecated for those arches.

So I guess it depends on how much time you have before your firewalls are production-ready. If you have plenty of time, I'd try -march out and see if no horrible crashes appear; if you don't want to play the crazy-lab-folk role, go for the safer -mtune.

My two cents :-).

Abraham
[gentoo-user] Re: firewall make.conf settings
Ricardo Saffi Marques saffi at las.ic.unicamp.br writes:

Don't forget denyhosts and I'd also use metalog instead of syslog-ng.

Hmmm, So you are suggesting to run 'denyhosts' directly on the firewall ?

portage has version 0.8-r1 but I see version 2.6 for download. Which version do you use? If newer than 0.8-rc1 How did you install it (overlay, compile sources) ?

How much cpu/ram resources does denyhosts use, during an active attack? (guesstimate is ok)?

On logging, I'm not sure how I want to handle this on old hardware with limited disk space. NO doubt I'll just stream it somewhere, but you have to be careful not to use too much processor/ram/resources on these old firewalls, so I may just set something up and have the ability to turn logging on/off depending on needs.

It gets more complicated if it's just a remote firewall I manage for a friend. They would not know what to do, no matter what application it's plugged into for analysis... (gotta think about the logging/analysis issue some more)

James
[gentoo-user] Re: firewall make.conf settings
tecnic5 at silvanoc.com writes:

If you'd like to use the same make.conf for different machines you should make sure they all have same processors or, at least, same family of processors; in your case, I recommend using -mcpu instead of -march. Keep in mind that K6 processors have their own -march=k6 and might not be compatible with -march=i586. More in /etc/make.conf.example.

Good point: -mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

changed to:

CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"

or

CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

? Remember I want one set of binaries for both k6 and old pentiums
Re: [gentoo-user] Re: firewall make.conf settings
James [EMAIL PROTECTED]
Sent by: news [EMAIL PROTECTED]
24/01/2008 17:00
Please respond to gentoo-user
To: gentoo-user@lists.gentoo.org
cc:
Subject: [gentoo-user] Re: firewall make.conf settings

tecnic5 at silvanoc.com writes:

If you'd like to use the same make.conf for different machines you should make sure they all have same processors or, at least, same family of processors; in your case, I recommend using -mcpu instead of -march. Keep in mind that K6 processors have their own -march=k6 and might not be compatible with -march=i586. More in /etc/make.conf.example.

Good point: -mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

changed to:

CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"

or

CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

? Remember I want one set of binaries for both k6 and old pentiums

You're right, make it -mtune ;-). On the other hand, and according to Gentoo GCC optimization guide[1], both -mtune and -mcpu only take effect if there is no -march available, so I guess the latter takes preference over the former. I'd use the first option of CFLAGS, hence.

[1] http://www.gentoo.org/doc/en/gcc-optimization.xml#doc_chap2

HTH,
Abraham Marín
Re: [gentoo-user] Re: firewall make.conf settings
On Thursday, 24 January 2008, [EMAIL PROTECTED] wrote:

James [EMAIL PROTECTED]
Sent by: news [EMAIL PROTECTED]
24/01/2008 17:00
Please respond to gentoo-user
To: gentoo-user@lists.gentoo.org
cc:
Subject: [gentoo-user] Re: firewall make.conf settings

tecnic5 at silvanoc.com writes:

If you'd like to use the same make.conf for different machines you should make sure they all have same processors or, at least, same family of processors; in your case, I recommend using -mcpu instead of -march. Keep in mind that K6 processors have their own -march=k6 and might not be compatible with -march=i586. More in /etc/make.conf.example.

Good point: -mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

changed to:

CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"

or

CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

sure about that? doesn't march include everything mtune would do?
[gentoo-user] Re: firewall make.conf settings
Hemmann, Volker Armin volker.armin.hemmann at tu-clausthal.de writes:

-mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

changed to:

CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"

or

CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

sure about that? doesn't march include everything mtune would do?

No, I'm not sure. The more I read the more I see different opinions! That's why I'm asking. Remember the goals are:

1) keep executable (binaries) as small as possible
2) use one make.conf on a master system to generate binaries for most old pentiums and the K6(amd) systems

My gut tells me that

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

is the best choice in this case. However, my 'gut' is more focused on the 'kiss' principle: (kiss whoever does the cooking and cleans the dishes) aka keep it simple.

???
Re: [gentoo-user] Re: firewall make.conf settings
On Thursday, 24 January 2008, James wrote:

Hemmann, Volker Armin volker.armin.hemmann at tu-clausthal.de writes:

-mcpu is deprecated, according to the examples file as of gcc 3.4, SO:

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

changed to:

CFLAGS="-Os -mtune=i586 -pipe -fomit-frame-pointer"

or

CFLAGS="-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer"

sure about that? doesn't march include everything mtune would do?

No, I'm not sure. The more I read the more I see different opinions! That's why I'm asking. Remember the goals are:

1) keep executable (binaries) as small as possible
2) use one make.conf on a master system to generate binaries for most old pentiums and the K6(amd) systems

My gut tells me that

CFLAGS="-Os -march=i586 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"

is the best choice in this case. However, my 'gut' is more focused on the 'kiss' principle: (kiss whoever does the cooking and cleans the dishes) aka keep it simple.

well, I like your line ;)
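
Added example, not part of any message in this thread: a POSIX shell check that applies the -march / -mtune / -mcpu distinction debated above to the three CFLAGS candidates, using GCC's documented behaviour that -march selects the instruction set and implies the matching -mtune, while -mtune alone only affects tuning. The function names, the verdict words and the SAFE_MARCH allow-list are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit CFLAGS meant for one binary set shared by Pentium and K6 boxes.

# -march values whose instruction set both a plain Pentium and a K6 can run
# (assumption of this example; "pentium" is GCC's alias for i586).
SAFE_MARCH="i386 i486 i586 pentium"

# Print the value of the last "-<name>=<value>" option in a flag string.
last_flag() {
    flags=$1; name=$2; value=""
    for f in $flags; do
        case $f in
            "-$name="*) value=${f#"-$name="} ;;
        esac
    done
    printf '%s\n' "$value"
}

# CPU the code is scheduled for: an explicit -mtune, else whatever -march implies.
effective_mtune() {
    t=$(last_flag "$1" mtune)
    [ -n "$t" ] || t=$(last_flag "$1" march)
    printf '%s\n' "${t:-compiler-default}"
}

# Print one verdict word for a CFLAGS string; exit status 0 only for "ok".
audit_cflags() {
    if [ -n "$(last_flag "$1" mcpu)" ]; then
        echo "deprecated-mcpu"; return 1      # replaced by -mtune on x86
    fi
    march=$(last_flag "$1" march)
    if [ -z "$march" ]; then
        echo "no-march"; return 1             # instruction set left to GCC's default
    fi
    case " $SAFE_MARCH " in
        *" $march "*) echo "ok" ;;
        *) echo "march-too-specific"; return 1 ;;
    esac
}

# The thread's three candidates plus a constructed -march=k6 line for contrast.
while IFS= read -r c; do
    printf '%-18s tune=%-16s %s\n' "$(audit_cflags "$c")" "$(effective_mtune "$c")" "$c"
done <<'EOF'
-Os -march=i586 -pipe -fomit-frame-pointer
-Os -mtune=i586 -pipe -fomit-frame-pointer
-Os -march=i586 -mtune=i586 -pipe -fomit-frame-pointer
-Os -march=k6 -pipe -fomit-frame-pointer
EOF
```

The "no-march" verdict is not a failure of -mtune itself: it only says the instruction set then depends on how the build host's GCC was configured, which is worth pinning when binaries are shipped to other machines.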