From owner-svn-src-all@freebsd.org Mon Jun 6 17:52:38 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 19AD3B6D3A2; Mon, 6 Jun 2016 17:52:38 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CE0E01CB2; Mon, 6 Jun 2016 17:52:37 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1b9yhW-0005Wl-Gt; Mon, 06 Jun 2016 20:52:34 +0300 Date: Mon, 6 Jun 2016 20:52:34 +0300 From: Slawa Olhovchenkov To: Andrey Chernov Cc: Ian Lepore , lidl@FreeBSD.org, Matteo Riondato , svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org Subject: Re: svn commit: r301226 - in head: etc etc/defaults etc/periodic/security etc/rc.d lib lib/libblacklist libexec libexec/blacklistd-helper share/mk tools/build/mk usr.sbin usr.sbin/blacklistctl usr.sbin... Message-ID: <20160606175234.GG75625@zxy.spb.ru> References: <201606021906.u52J649H019481@repo.freebsd.org> <90df7c5b-7680-3de0-68ba-ab9bd1c9d73e@FreeBSD.org> <1465232404.1188.5.camel@freebsd.org> <9aafd3b8-ebe2-5ac8-e91b-31ffed34eff1@freebsd.org> <1465233764.1188.9.camel@freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Jun 2016 17:52:38 -0000 On Mon, Jun 06, 2016 at 08:25:01PM +0300, Andrey Chernov wrote: > On 06.06.2016 20:22, Ian Lepore wrote: > > On Mon, 2016-06-06 at 20:06 +0300, Andrey Chernov wrote: > >> As variant, I keep hope blacklist sh helper will teach about ipfw > >> soon, > >> it looks possible. Then it can be re-enabled by default. > > > > No, it should still not be enabled by default. Maybe it should be > > enabled in response to some question in the installer, or maybe even > > better, enabled only if some firewall software that understands it is > > also enabled. But afaik, all the available firewalls are disabled by > > default in defaults/rc.conf, and this should be too. > > BTW, it is good idea: to check first, is supported firewall enabled, and > only then enable blacklistd by default. What purpose? SUDDENLY lockout access to own host after some mistake in password? I am already touch issuse with default enforcing DNSSEC in unbound and broken date in CMOS -- inposible to do any DNS queries and imposible to automatic time sync.