Thursday, February 19, 2015

The Ultimate OpenBSD Firewall?


Strong words.  Can they be substantiated?

In my haste to depart from an i386-based OpenBSD firewall/router at home, I accidentally purchased a Sun T5220 (big brother to the T5120) with an 8-core 1.6GHz UltraSPARC T2 CPU and 64GB of RAM.

I do mean "accidentally" - I made a ridiculously low offer on one via eBay, the seller countered, and I "accidentally" accepted.  I won't get into that explanation at the moment as it's more complex than I can justify to the household accountant, but let's just say I'm probably in trouble when it arrives.


Those woes aside, let's look at what makes this device interesting from a price:performance ratio!

  • 1.6GHz UltraSPARC T2
    • 8 cores
    • 8 threads per core (64 hardware threads in total)
    • On-die crypto units (unlikely to work under OpenBSD at the moment, or ever)
  • 64GB PC2-5300 FB-DIMM DRAM
  • 4x 10/100/1000 onboard copper gigabit Ethernet
  • 6x PCI-E x8 slots
  • 8x SAS/SATA drive bays
  • 2U form factor
  • Dedicated 10/100 ILOM network management port
  • Serial console access
  • Obscenely loud jet-engine take-off sound

I'd like to use this thing as my home firewall.  I am well aware that it is a power hog compared to my Alix, but I need to keep my basement at a particular temperature anyway, so this can serve double-duty. (Or that's how I'm initially justifying it).  I also know it's grotesque overkill for any firewalling duty I could possibly imagine, but overkill is a lifestyle decision and if only for these three words, I'll make it happen:

BECAUSE I CAN


I'm also aware that OpenBSD SMP on a machine like this is less than ideal; Ted Unangst had some thoughts he's illustrated here.  Again, that being stated, I'm still in, because older technology - new to me - is still fascinating, and OpenBSD's SPARC64 port is still alive and well-maintained.  One of my goals is to learn more about alternate architectures, and there's simply no better way than to eat your own proverbial dog food.  What magnificent dog food this is.


The machine hasn't arrived yet, so I'm simply preparing the small bits and pieces that I may require.  One of the trickier aspects could be a firmware update.  This requires an installation of Solaris 11, as well as the acquisition of its necessary firmware files, which are guarded by a proprietary Oracle Support Identifier and registration.  (The ILOM can also pull a system-firmware image itself with its load -source command from a TFTP server, which avoids the Solaris install but not the download problem.)  Making the firmware acquisition difficult and/or expensive makes little to absolutely no sense when dealing with mission-critical infrastructure.  I feel this is a classically stupid decision by Oracle - unfortunately par for the course from what I can discern.  Can anyone help with this?


A quick Google search turned up the firmware file on a nondescript site, one revision behind the latest (147307-11.zip versus 147307-12.zip).  Firmware pulled from a third-party mirror should be checked against the checksum Oracle publishes for the patch before it goes anywhere near the SP.  I'm not sure which firmware is best-suited for my purpose, or if I'll even need it, but I plan to see if the OpenBSD sparc64 installation "just works" without the update.  If so, and I notice no aberrant behaviour, I will probably just stick to what's on the device.


Since it was sold sans drives, I'll also need to acquire at least one drive to test with, and/or to install Solaris on should that become necessary for a firmware update in the future.  I might also see if the PCI-E to PCI riser card works for various network/wireless adapters and/or crypto accelerators.  I'm eyeballing the Dell K961K (aka PESB62) PCI-E crypto accelerator with a Broadcom 5862 chipset.  Who knows if OpenBSD will recognize it, but just about any security processor is worth ~$25, if only to tinker with.


More updates will be provided in short order.  In the meantime, here's a simplified infodoc that describes how to reset the ILOM (Integrated Lights Out Management) password back to 'changeme' should yours not be default.


One other quick mention is that OpenBSD supports guest domains, as described by Mark Kettenis (kettenis@) here on undeadly.


So, here's the 5.7-current dmesg.  The interesting bits are the 64 cpuN lines (8 cores x 8 threads), the four em(4) gigabit ports, the on-die crypto units (ncp and n2cp) showing up as "not configured", and, best of all, the ubsec0 device lighting up!


console is /virtual-devices@100/console@1
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2015 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 5.7-current (GENERIC.MP) #495: Sun Mar 15 22:00:12 MDT 2015
    deraadt@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC.MP
real mem = 68585259008 (65408MB)
avail mem = 67501309952 (64374MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root: SPARC Enterprise T5220
cpu0 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu1 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu2 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu3 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu4 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu5 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu6 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu7 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu8 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu9 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu10 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu11 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu12 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu13 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu14 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu15 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu16 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu17 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu18 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu19 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu20 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu21 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu22 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu23 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu24 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu25 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu26 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu27 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu28 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu29 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu30 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu31 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu32 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu33 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu34 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu35 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu36 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu37 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu38 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu39 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu40 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu41 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu42 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu43 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu44 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu45 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu46 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu47 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu48 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu49 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu50 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu51 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu52 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu53 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu54 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu55 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu56 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu57 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu58 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu59 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu60 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu61 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu62 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
cpu63 at mainbus0: SUNW,UltraSPARC-T2 (rev 0.0) @ 1581.586 MHz
vbus0 at mainbus0
"flashprom" at vbus0 not configured
cbus0 at vbus0
vldc0 at cbus0
vldcp0 at vldc0 chan 0x14: ivec 0x28, 0x29 channel "spds"
"sunvts" at vldc0 chan 0x6 not configured
"sunmc" at vldc0 chan 0x7 not configured
"explorer" at vldc0 chan 0x8 not configured
"led" at vldc0 chan 0x9 not configured
"flashupdate" at vldc0 chan 0xa not configured
"ipmi" at vldc0 chan 0xc not configured
"system-management" at vldc0 chan 0xd not configured
vldc1 at cbus0
"spfma" at vldc1 chan 0x5 not configured
vldc2 at cbus0
vldcp1 at vldc2 chan 0x0: ivec 0x0, 0x1 channel "hvctl"
"ldom-primary" at vldc2 chan 0x1 not configured
"fmactl" at vldc2 chan 0x3 not configured
vldc3 at cbus0
"ldmfma" at vldc3 chan 0x4 not configured
"n2cp" at vbus0 not configured
"ncp" at vbus0 not configured
vrng0 at vbus0
vcons0 at vbus0: ivec 0x111, console
vrtc0 at vbus0
"niu" at mainbus0 not configured
vpci0 at mainbus0: bus 2 to 18, dvma map 80000000-ffffffff
pci0 at vpci0
ppb0 at pci0 dev 0 function 0 "PLX PEX 8533" rev 0xaa
pci1 at ppb0 bus 3
ppb1 at pci1 dev 1 function 0 "PLX PEX 8533" rev 0xaa
pci2 at ppb1 bus 4
ppb2 at pci2 dev 0 function 0 "PLX PEX 8517" rev 0xac
pci3 at ppb2 bus 5
ppb3 at pci3 dev 1 function 0 "PLX PEX 8517" rev 0xac
pci4 at ppb3 bus 6
ppb4 at pci4 dev 0 function 0 "PLX PEX 8112" rev 0xaa
pci5 at ppb4 bus 7
ohci0 at pci5 dev 0 function 0 "NEC USB" rev 0x43: ivec 0x16, version 1.0
ohci1 at pci5 dev 0 function 1 "NEC USB" rev 0x43: ivec 0x17, version 1.0
ehci0 at pci5 dev 0 function 2 "NEC USB" rev 0x04: ivec 0x14
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "NEC EHCI root hub" rev 2.00/1.00 addr 1
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "NEC OHCI root hub" rev 1.00/1.00 addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2 "NEC OHCI root hub" rev 1.00/1.00 addr 1
ppb5 at pci3 dev 2 function 0 "PLX PEX 8517" rev 0xac
pci6 at ppb5 bus 8
em0 at pci6 dev 0 function 0 "Intel 82571EB" rev 0x06: ivec 0x17, address 00:21:28:6d:9b:3c
em1 at pci6 dev 0 function 1 "Intel 82571EB" rev 0x06: ivec 0x14, address 00:21:28:6d:9b:3d
ppb6 at pci3 dev 3 function 0 "PLX PEX 8517" rev 0xaa
pci7 at ppb6 bus 9
em2 at pci7 dev 0 function 0 "Intel 82571EB" rev 0x06: ivec 0x14, address 00:21:28:6d:9b:3e
em3 at pci7 dev 0 function 1 "Intel 82571EB" rev 0x06: ivec 0x15, address 00:21:28:6d:9b:3f
ppb7 at pci1 dev 2 function 0 "PLX PEX 8533" rev 0xaa
pci8 at ppb7 bus 10
mpi0 at pci8 dev 0 function 0 "Symbios Logic SAS1068E" rev 0x04: msi
mpi0: UNUSED, firmware 1.27.2.0
scsibus1 at mpi0: 112 targets
sd0 at scsibus1 targ 0 lun 0: SCSI3 0/direct fixed naa.5000cca792c4138e
sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
ppb8 at pci1 dev 8 function 0 "PLX PEX 8533" rev 0xaa
pci9 at ppb8 bus 11
ppb9 at pci9 dev 0 function 0 "PLX PEX 8533" rev 0xaa
pci10 at ppb9 bus 12
ppb10 at pci10 dev 1 function 0 "PLX PEX 8533" rev 0xaa: msi
pci11 at ppb10 bus 13
ppb11 at pci10 dev 2 function 0 "PLX PEX 8533" rev 0xaa: msi
pci12 at ppb11 bus 14
ppb12 at pci10 dev 8 function 0 "PLX PEX 8533" rev 0xaa: msi
pci13 at ppb12 bus 15
ppb13 at pci10 dev 9 function 0 "PLX PEX 8533" rev 0xaa: msi
pci14 at ppb13 bus 16
ppb14 at pci10 dev 10 function 0 "PLX PEX 8533" rev 0xaa: msi
pci15 at ppb14 bus 17
ppb15 at pci1 dev 9 function 0 "PLX PEX 8533" rev 0xaa: msi
ubsec0 at pci15 dev 0 function 0 "Broadcom 5862" rev 0x01: 3DES MD5 SHA1 AES, ivec 0x15
pci16 at ppb15 bus 18
"pci-performance-counters" at mainbus0 not configured
ebus0 at mainbus0
com0 at ebus0 addr ca0000-ca0007 ivec 0x13: ns16550a, 16 byte fifo
uhub3 at uhub0 port 4 "Cypress Semiconductor USB2 Hub" rev 2.00/0.0b addr 2
umass0 at uhub3 port 4 configuration 1 interface 0 "OEM Mass Storage plus" rev 2.00/0.00 addr 3
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
cd0 at scsibus2 targ 1 lun 0: SCSI0 5/cdrom removable serial.09280000EF0123456789
uhidev0 at uhub3 port 4 configuration 1 interface 1 "OEM Mass Storage plus" rev 2.00/0.00 addr 3
uhidev0: iclass 3/0
uhid0 at uhidev0: input=1, output=1, feature=0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
bootpath: /pci@0,0/pci@0,0/pci@2,0/scsi@0,0/disk@0,0

root on sd0a (240c11545284cb82.a) swap on sd0b dump on sd0b

As much as I love this machine, it's probably not going to make the "cut" as my home firewall due to the whopping 277 watts of power consumption at idle.  I have serious reservations that it would ever sustain any utilization beyond idle, but still, at $0.115/kWh that works out to ~$24/month.  More on this soon; perhaps I could replace the sixteen 4GB DIMMs with four 1GB DIMMs.  My quick guesstimate is that it won't bring it much further down than ~200 watts.  Replacing the 2.5" 5400 RPM drive with an SSD might bring it down further, but not by much.  I'm almost certain there is no power management functionality that will assist with this cause.

Here are some helpful ILOM commands to get started, for the uninitiated Sun masses...
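The password-reset note above and the ILOM command list point at the same practical concern: the service processor is a second, always-on computer inside the firewall, reachable over its own network port, and it ships with root/changeme. The script below is an added example, not the infodoc linked above and not part of the original post. It audits the SP services a firewall's management plane should not expose, either offline against a captured dump or live over ssh. The object paths and property names (/SP/services/ipmi state, /SP/services/snmp sets/v1/v2c, /SP/services/http servicestate/secureredirect, /SP/services/ssh state) are ILOM 3.x CLI objects as recalled from the ILOM documentation, the management address is hypothetical, and the sample `show` output is constructed; confirm all of them with `show <path>` on your own SP.

```shell
#!/bin/sh
# Added example (not from the original post): audit a T5220 ILOM service
# processor against a small hardening policy, offline on a captured dump or
# live over ssh.  Object paths and property names are ILOM 3.x CLI objects as
# recalled from the ILOM documentation; they are assumptions to verify with
# `show <path>` on your own SP.  Changing the factory password is interactive
# (`set /SP/users/root password` prompts), so it is not scripted here.

# Hardened values: "object property expected", one rule per line.
ILOM_POLICY='
/SP/services/ipmi state disabled
/SP/services/snmp sets disabled
/SP/services/snmp v1 disabled
/SP/services/snmp v2c disabled
/SP/services/http servicestate disabled
/SP/services/http secureredirect enabled
/SP/services/ssh state enabled
'

# Constructed sample: what a chain of `show` commands looks like on an SP
# still at factory settings (shape of the real output; values invented).
SAMPLE_FACTORY_DUMP='
 /SP/services/ipmi
    Targets:

    Properties:
        state = enabled

    Commands:
        cd
        set
        show

 /SP/services/snmp
    Targets:
        communities
        users

    Properties:
        port = 161
        sets = disabled
        v1 = disabled
        v2c = enabled
        v3 = enabled

 /SP/services/http
    Targets:

    Properties:
        port = 80
        secureredirect = enabled
        servicestate = enabled

 /SP/services/ssh
    Targets:
        keys

    Properties:
        state = enabled
'

# ilom_get OBJECT PROPERTY DUMP: print the value of PROPERTY inside the
# section of DUMP that starts with the OBJECT path header, or nothing.
ilom_get() {
    printf '%s\n' "$3" | awk -v obj="$1" -v key="$2" '
        NF == 1 && $1 == obj   { in_obj = 1; next }  # " /SP/services/ipmi"
        in_obj && $1 ~ /^\//   { in_obj = 0 }        # next object header
        in_obj && $1 == key && $2 == "=" { print $3; exit }'
}

# ilom_audit DUMP: report each deviation from ILOM_POLICY on stderr and print
# the number of findings on stdout (0 means the SP matches the policy).
ilom_audit() {
    dump=$1; findings=0
    while read -r obj prop want; do
        [ -n "$obj" ] || continue
        got=$(ilom_get "$obj" "$prop" "$dump")
        if [ "$got" != "$want" ]; then
            echo "FINDING: $obj $prop = ${got:-<missing>} (expected $want)" >&2
            findings=$((findings + 1))
        fi
    done <<EOF
$ILOM_POLICY
EOF
    echo "$findings"
}

# ilom_dump HOST: build the same kind of dump from a live SP.  ILOM accepts a
# CLI command as the ssh remote command, so each object is one `show`.
ilom_dump() {
    printf '%s\n' "$ILOM_POLICY" | awk 'NF { print $1 }' | sort -u |
    while read -r obj; do ssh "root@$1" "show $obj"; done
}

if [ "${1:-}" = "--live" ]; then
    ilom_audit "$(ilom_dump "${ILOM_HOST:-192.0.2.10}")"   # hypothetical address
else
    ilom_audit "$SAMPLE_FACTORY_DUMP"
fi
```

Run it with no arguments to see the three findings the constructed factory dump produces (IPMI on, SNMP v2c on, plain HTTP on); run it with --live and ILOM_HOST set to audit a real SP over its dedicated management port. Whatever the policy ends up being, the ILOM port belongs on an isolated management network and never on a firewall's transit VLANs.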

2 comments:

  1. These machines are wonderful in my opinion.
    I have just taken a Sun Fire T2000 ( UltraSPARC T1 @ 1.2 GHz ) from the grave, and I'm playing with LDOMs and OpenBSD 5.7.

    [root@t2000 ~]# ldomctl status
    primary running OpenBSD running 12%
    munin running OpenBSD running 13%
    build running OpenBSD running 13%
    owncloud running OpenBSD running 7%
    build58 running OpenBSD running 12%


    It's just too fun to be true.

    The only drawback is that you can't change the LDOM configuration at runtime: it seems that you have to reboot.

    1. I've not tinkered with the LDOMs yet, but some hypervisor support was added to OpenBSD's -current snapshots, which may make it in by 5.9. I'm still looking for a reason to put this machine to work, but haven't discovered that quite yet. IMHO, the worst part is the power draw. In fact, I'd love to find some kind of sparc64 that was closer to the 25 watt range, but this just isn't going to be it.
