From owner-svn-src-all@freebsd.org Mon Jun 6 17:00:18 2016
Subject: Re: svn commit: r301226 - in head: etc etc/defaults etc/periodic/security etc/rc.d lib lib/libblacklist libexec libexec/blacklistd-helper share/mk tools/build/mk usr.sbin usr.sbin/blacklistctl usr.sbin...
From: Ian Lepore
To: lidl@FreeBSD.org, Matteo Riondato
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Mon, 06 Jun 2016 11:00:04 -0600
Message-ID: <1465232404.1188.5.camel@freebsd.org>
In-Reply-To: <90df7c5b-7680-3de0-68ba-ab9bd1c9d73e@FreeBSD.org>

On Mon, 2016-06-06 at 12:38 -0400, Kurt Lidl wrote:
> On 6/5/16 2:39 PM, Matteo Riondato wrote:
> >
> > > On Jun 2, 2016, at 3:06 PM, Kurt Lidl wrote:
> > >
> > > Author: lidl
> > > Date: Thu Jun  2 19:06:04 2016
> > > New Revision: 301226
> > > URL: https://svnweb.freebsd.org/changeset/base/301226
> > >
> > > Log:
> > >   Add basic blacklist build support
> > >
> > [snip]
> > > Modified: head/etc/defaults/rc.conf
> > > ==============================================================================
> > > --- head/etc/defaults/rc.conf	Thu Jun  2 18:41:33 2016	(r301225)
> > > +++ head/etc/defaults/rc.conf	Thu Jun  2 19:06:04 2016	(r301226)
> > > @@ -270,6 +270,8 @@ hastd_program="/sbin/hastd"	# path to ha
> > >  hastd_flags=""			# Optional flags to hastd.
> > >  ctld_enable="NO"		# CAM Target Layer / iSCSI target daemon.
> > >  local_unbound_enable="NO"	# local caching resolver
> > > +blacklistd_enable="YES"		# Run blacklistd daemon (YES/NO).
> > > +blacklistd_flags=""		# Optional flags for blacklistd(8).
> >
> > What is the rationale for having this enabled by default?
>
> Well, from a certain standpoint, it will encourage more people to enable
> the packet filtering in their pf.conf and get the benefit of having
> a system-wide blacklist notification system running.
>
> Without a one-line change to enable the blocking in the pf.conf file,
> it won't do any blocking.
>
> > Are any of the services that use it (in their default config)
> > enabled by default?
>
> I suppose, technically speaking, no, there are no daemons with blacklist
> support enabled by default. I am planning to commit the sshd support
> tomorrow morning, and even *that* daemon isn't enabled by default.
>
> I am happy enough to turn off the blacklist daemon by default. You are
> the first person to question this since I posted the review back near
> the beginning of April.
>
> -Kurt

Probably everyone assumed (like I did) that it would be disabled by
default, and didn't notice that wasn't the case.

Your response indicates the problem with "default enabled"... you
mention enabling packet filtering in pf.conf, my response is: WTF is
pf.conf and why are you assuming I do any kind of packet filtering? I
have literally dozens of systems here running freebsd, only one of them
runs ipfw, and most of them are systems with small memory and wimpy
processors, so why would I want extra do-nothing network daemons running
on them by default?

-- Ian
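Review bot: the rc.conf hunk ships blacklistd_enable="YES" while the neighbouring daemons in the same hunk, ctld_enable="NO" and local_unbound_enable="NO", default to off, and the commit author's own reply says no shipped service feeds blacklistd yet and it blocks nothing until pf.conf is edited. A network daemon with no consumer should be opt-in like its neighbours: change the added line to `+blacklistd_enable="NO"		# Run blacklistd daemon (YES/NO).` so hosts that run no packet filter do not start it by default, and leave blacklistd_flags="" as is.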
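Ian's objection is that r301226 makes every host start blacklistd while, as Kurt notes, nothing gets blocked until pf.conf is edited. The audit script below is an added example, not code from this thread, from FreeBSD or from the blacklistd project: it resolves blacklistd_enable and pf_enable the way rc.conf layering does (defaults first, local overrides last) and reports whether a host would run the daemon with nothing consuming it. It assumes rc.conf-style var="value" files, pf as the consumer, and the `blacklistd/*` pf anchor that blacklistd's documented pf.conf setup uses; the sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): report hosts that would
# run blacklistd with no packet filter wired to it.  Assumed: rc.conf-style
# var="value" files, pf as the consumer, and the pf anchor name "blacklistd/*".

# rc_value VAR FILE...: last assignment of VAR across the FILEs, unquoted.
# Later files win, mirroring /etc/defaults/rc.conf overridden by /etc/rc.conf.
rc_value() {
    var=$1; shift
    cat "$@" 2>/dev/null |
        sed -n "s/^[[:space:]]*${var}=\"*\([^\"#[:space:]]*\)\"*.*/\1/p" |
        tail -n 1
}

is_yes() {
    case "$1" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac
}

# audit_blacklistd PFCONF RCFILE...: prints one word
#   disabled    blacklistd_enable does not resolve to YES
#   unconsumed  blacklistd would run, but pf is off or pf.conf lacks the anchor
#   wired       blacklistd would run and pf.conf carries the anchor
audit_blacklistd() {
    pfconf=$1; shift
    is_yes "$(rc_value blacklistd_enable "$@")" || { echo disabled; return 0; }
    is_yes "$(rc_value pf_enable "$@")" || { echo unconsumed; return 0; }
    if [ -f "$pfconf" ] &&
       grep -q '^[[:space:]]*anchor[[:space:]][[:space:]]*"blacklistd/\*"' "$pfconf"; then
        echo wired
    else
        echo unconsumed
    fi
}

# Constructed samples standing in for /etc/defaults/rc.conf, /etc/rc.conf, /etc/pf.conf.
tmp=$(mktemp -d)
printf 'blacklistd_enable="YES"\t# Run blacklistd daemon (YES/NO).\n' > "$tmp/defaults.rc.conf"
printf 'blacklistd_enable="NO"\n' > "$tmp/optout.rc.conf"
printf 'pf_enable="YES"\n' > "$tmp/pfhost.rc.conf"
printf 'anchor "blacklistd/*" in on $ext_if\n' > "$tmp/pf.conf"

audit_blacklistd "$tmp/pf.conf" "$tmp/defaults.rc.conf"                        # unconsumed
audit_blacklistd "$tmp/pf.conf" "$tmp/defaults.rc.conf" "$tmp/optout.rc.conf"  # disabled
audit_blacklistd "$tmp/pf.conf" "$tmp/defaults.rc.conf" "$tmp/pfhost.rc.conf"  # wired
```

The first call is the state r301226 ships: the daemon starts, but no local override and no pf anchor means it does nothing on that host.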