Subject: Re: svn commit: r301226 - in head: etc etc/defaults etc/periodic/security etc/rc.d lib lib/libblacklist libexec libexec/blacklistd-helper share/mk tools/build/mk usr.sbin usr.sbin/blacklistctl usr.sbin...
From: Ian Lepore
To: Andrey Chernov, lidl@FreeBSD.org, Matteo Riondato
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Mon, 06 Jun 2016 11:22:44 -0600

On Mon, 2016-06-06 at 20:06 +0300, Andrey Chernov wrote:
> On 06.06.2016 20:00, Ian Lepore wrote:
> > Probably everyone assumed (like I did) that it would be disabled by
> > default, and didn't notice that wasn't the case. Your response
> > indicates the problem with "default enabled"... you mention enabling
> > packet filtering in pf.conf, my response is: WTF is pf.conf and why
> > are you assuming I do any kind of packet filtering?
> >
> > I have literally dozens of systems here running freebsd, only one of
> > them runs ipfw, and most of them are systems with small memory and
> > wimpy processors, so why would I want extra do-nothing network daemons
> > running on them by default?
>
> As variant, I keep hope blacklist sh helper will teach about ipfw soon,
> it looks possible. Then it can be re-enabled by default.

No, it should still not be enabled by default. Maybe it should be
enabled in response to some question in the installer, or maybe even
better, enabled only if some firewall software that understands it is
also enabled.
But afaik, all the available firewalls are disabled by default in
defaults/rc.conf, and this should be too.

-- Ian