Date: Mon, 06 Jun 2016 11:00:04 -0600
From: Ian Lepore <ian@freebsd.org>
To: lidl@FreeBSD.org, Matteo Riondato <rionda@gmail.com>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r301226 - in head: etc etc/defaults etc/periodic/security etc/rc.d lib lib/libblacklist libexec libexec/blacklistd-helper share/mk tools/build/mk usr.sbin usr.sbin/blacklistctl usr.sbin...
Message-ID: <1465232404.1188.5.camel@freebsd.org>
In-Reply-To: <90df7c5b-7680-3de0-68ba-ab9bd1c9d73e@FreeBSD.org>
References: <201606021906.u52J649H019481@repo.freebsd.org> <BC308CA2-2EE2-448A-9641-0BB769045868@gmail.com> <90df7c5b-7680-3de0-68ba-ab9bd1c9d73e@FreeBSD.org>
On Mon, 2016-06-06 at 12:38 -0400, Kurt Lidl wrote:
> On 6/5/16 2:39 PM, Matteo Riondato wrote:
> > 
> > > On Jun 2, 2016, at 3:06 PM, Kurt Lidl <lidl@FreeBSD.Org> wrote:
> > > 
> > > Author: lidl
> > > Date: Thu Jun 2 19:06:04 2016
> > > New Revision: 301226
> > > URL: https://svnweb.freebsd.org/changeset/base/301226
> > > 
> > > Log:
> > >   Add basic blacklist build support
> > > 
> > [snip]
> > > Modified: head/etc/defaults/rc.conf
> > > ==============================================================================
> > > --- head/etc/defaults/rc.conf	Thu Jun 2 18:41:33 2016	(r301225)
> > > +++ head/etc/defaults/rc.conf	Thu Jun 2 19:06:04 2016	(r301226)
> > > @@ -270,6 +270,8 @@ hastd_program="/sbin/hastd" # path to ha
> > > hastd_flags=""			# Optional flags to hastd.
> > > ctld_enable="NO"		# CAM Target Layer / iSCSI target daemon.
> > > local_unbound_enable="NO"	# local caching resolver
> > > +blacklistd_enable="YES"	# Run blacklistd daemon (YES/NO).
> > > +blacklistd_flags=""		# Optional flags for blacklistd(8).
> > 
> > What is the rationale for having this enabled by default?
> 
> Well, from a certain standpoint, it will encourage more people to
> enable the packet filtering in their pf.conf and get the benefit of
> having a system-wide blacklist notification system running.
> 
> Without a one-line change to enable the blocking in the pf.conf file,
> it won't do any blocking.
> 
> > Are any of the services that use it (in their default config)
> > enabled by default?
> 
> I suppose, technically speaking, no, there are no daemons with
> blacklist support enabled by default. I am planning to commit the sshd
> support tomorrow morning, and even *that* daemon isn't enabled by
> default.
> 
> I am happy enough to turn off the blacklist daemon by default. You are
> the first person to question this since I posted the review back near
> the beginning of April.
> 
> -Kurt

Probably everyone assumed (like I did) that it would be disabled by
default, and didn't notice that wasn't the case.

Your response indicates the problem with "default enabled"... you
mention enabling packet filtering in pf.conf, my response is: WTF is
pf.conf and why are you assuming I do any kind of packet filtering?
I have literally dozens of systems here running freebsd, only one of
them runs ipfw, and most of them are systems with small memory and
wimpy processors, so why would I want extra do-nothing network daemons
running on them by default?

-- Ian
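Review bot: the two added lines default `blacklistd_enable="YES"` in etc/defaults/rc.conf, which starts the daemon on every host, while the neighbouring defaults in the same hunk (`ctld_enable="NO"`, `local_unbound_enable="NO"`) are off and the reply above states that no daemon with blacklist support is enabled by default and that blocking still needs a pf.conf change. Suggest `blacklistd_enable="NO"` here, with the pf.conf one-liner documented alongside the instructions for turning the daemon on, so hosts that do no packet filtering are not running a network daemon that cannot block anything.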
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1465232404.1188.5.camel>
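As an added illustration, not part of this thread and not configuration shipped by the FreeBSD project, here is the full set of settings a host needs before blacklistd blocks anything, which makes visible what the r301226 default buys a host that has none of them. The interface name `vtnet0`, the ssh-only rule and the 3-failure/24h policy are assumptions for the example; the pf anchor name and the blacklistd.conf column layout are the ones documented in the FreeBSD handbook's blacklistd section, and `UseBlacklist` is the sshd_config option that the sshd support mentioned in the thread later provided, assumed present on the host.

```conf
# /etc/rc.conf
# Under r301226 the first line is already the default on every host;
# on its own (no pf, no consuming daemon) it only starts a daemon that
# has nothing to block with.
blacklistd_enable="YES"
pf_enable="YES"

# /etc/pf.conf
# The "one-line change" from the thread: blacklistd's helper inserts
# its block rules under this anchor.  Without it there is no blocking.
ext_if="vtnet0"                  # assumed interface name
anchor "blacklistd/*" in on $ext_if
block in
pass out

# /etc/blacklistd.conf
# Block a source for 24h after 3 failed ssh attempts (assumed policy).
# adr/mask:port  type    proto   owner   name    nfail   disable
[local]
ssh             stream  *       *       *       3       24h

# /etc/ssh/sshd_config
# A daemon has to report failures to blacklistd; this is the sshd
# option added by the later sshd support (assumed present).
UseBlacklist yes
```

To see whether a host is in the "do-nothing daemon" state Ian describes, compare `blacklistctl dump -b` (the entries blacklistd believes it has blocked) with `pfctl -a 'blacklistd/*' -sr` (the rules actually loaded under the anchor): with the daemon enabled but no anchor in pf.conf, and no daemon configured to report to it, both are empty and the process is pure overhead.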