svn commit: r301226 - in head: etc etc/defaults etc/periodic/security etc/rc.d lib lib/libblacklist libexec libexec/blacklistd-helper share/mk tools/build/mk usr.sbin usr.sbin/blacklistctl usr.sbin...

Ian Lepore ian at freebsd.org
Mon Jun 6 17:00:18 UTC 2016


On Mon, 2016-06-06 at 12:38 -0400, Kurt Lidl wrote:
> On 6/5/16 2:39 PM, Matteo Riondato wrote:
> > 
> > > On Jun 2, 2016, at 3:06 PM, Kurt Lidl <lidl at FreeBSD.Org> wrote:
> > > 
> > > Author: lidl
> > > Date: Thu Jun  2 19:06:04 2016
> > > New Revision: 301226
> > > URL: https://svnweb.freebsd.org/changeset/base/301226
> > > 
> > > Log:
> > >  Add basic blacklist build support
> > > 
> > [snip]
> > > Modified: head/etc/defaults/rc.conf
> > > =================================================================
> > > =============
> > > --- head/etc/defaults/rc.conf	Thu Jun  2 18:41:33 2016	
> > > (r301225)
> > > +++ head/etc/defaults/rc.conf	Thu Jun  2 19:06:04 2016	
> > > (r301226)
> > > @@ -270,6 +270,8 @@ hastd_program="/sbin/hastd"	# path to
> > > ha
> > > hastd_flags=""			# Optional flags to hastd.
> > > ctld_enable="NO"		# CAM Target Layer / iSCSI target
> > > daemon.
> > > local_unbound_enable="NO"	# local caching resolver
> > > +blacklistd_enable="YES" 	# Run blacklistd daemon
> > > (YES/NO).
> > > +blacklistd_flags=""		# Optional flags for
> > > blacklistd(8).
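
Review bot: blacklistd_enable ships as "YES" here while the adjacent knobs visible in the same hunk (ctld_enable, local_unbound_enable) ship as "NO"; a newly added network daemon should be opt-in in etc/defaults/rc.conf rather than start on every host that picks up the new defaults, so change the line to `blacklistd_enable="NO"		# Run blacklistd daemon (YES/NO).` (the added line also carries a stray space before its tab, unlike the lines around it).
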
> > 
> > What is the rationale for having this enabled by default?
> 
> Well, from a certain standpoint, it will encourage more people to
> enable the packet filtering in their pf.conf and get the benefit of
> having a system-wide blacklist notification system running.
> 
> Without a one-line change to enable the blocking in the pf.conf file,
> it won't do any blocking.
> 
> > Is any of the services that use it (in their default config)
> > enabled by default?
> 
> I suppose, technically speaking, no, there are no daemons with
> blacklist support enabled by default. I am planning to commit the
> sshd support tomorrow morning, and even *that* daemon isn't enabled
> by default.
> 
> I am happy enough to turn off the blacklist daemon by default. You
> are the first person to question this since I posted the review back
> near the beginning of April.
> 
> -Kurt

Probably everyone assumed (like I did) that it would be disabled by
default, and didn't notice that wasn't the case.  Your response
indicates the problem with "default enabled"... you mention enabling
packet filtering in pf.conf, my response is:  WTF is pf.conf and why
are you assuming I do any kind of packet filtering?

I have literally dozens of systems here running freebsd, only one of
them runs ipfw, and most of them are systems with small memory and
wimpy processors, so why would I want extra do-nothing network daemons
running on them by default?

-- Ian
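
As an added example, not code from this thread or from the FreeBSD tree, the script below shows the two facts the thread turns on: rc(8) sources /etc/defaults/rc.conf first and layers /etc/rc.conf on top, so a "YES" in the defaults file takes effect on every host whose rc.conf never mentions blacklistd, and blacklistd(8) only blocks through a pf anchor (the one-line `anchor "blacklistd/*" in on $ext_if` from its manual page), so without that line the daemon runs but blocks nothing. The sample rc.conf and pf.conf contents, the scratch directory, and the interface name em0 are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeBSD tree.
# It reproduces how rc(8) arrives at the effective blacklistd_enable
# value (defaults file sourced first, /etc/rc.conf layered on top) and
# checks whether a pf.conf carries the anchor blacklistd(8) needs in
# order to block anything. All file contents and paths are constructed.

# Print the effective value of blacklistd_enable given a defaults file
# and a local rc.conf, the way rc.subr(8) layers them: the local file
# is sourced last, so it wins on conflict.
effective_blacklistd_enable() {
    (
        blacklistd_enable=""
        . "$1"            # stands in for /etc/defaults/rc.conf
        . "$2"            # stands in for /etc/rc.conf
        printf '%s\n' "$blacklistd_enable"
    )
}

# blacklistd(8) hands addresses to pf through an anchor; with no anchor
# in pf.conf the daemon runs but never blocks. Exit 0 if one is present.
pf_has_blacklistd_anchor() {
    grep -Eq '^[[:space:]]*anchor[[:space:]]+"blacklistd/\*"' "$1"
}

# Constructed sample files in a scratch directory (hypothetical paths).
sample_dir=$(mktemp -d)

cat > "$sample_dir/defaults.rc.conf" <<'EOF'
ctld_enable="NO"
local_unbound_enable="NO"
blacklistd_enable="YES"    # the default introduced in r301226
blacklistd_flags=""
EOF

# An admin who has never heard of blacklistd: rc.conf does not mention it.
printf 'sshd_enable="YES"\n' > "$sample_dir/rc.conf.untouched"

# The opt-out that a "NO" default would make unnecessary.
printf 'blacklistd_enable="NO"\n' > "$sample_dir/rc.conf.optout"

# A pf.conf with the one-line anchor from blacklistd(8), and one without.
printf 'ext_if="em0"\nanchor "blacklistd/*" in on $ext_if\n' \
    > "$sample_dir/pf.conf.anchored"
printf 'ext_if="em0"\nblock in on $ext_if\n' > "$sample_dir/pf.conf.plain"

# One-line summary of what a given rc.conf/pf.conf pair would do.
report() {
    enabled=$(effective_blacklistd_enable "$sample_dir/defaults.rc.conf" "$1")
    if pf_has_blacklistd_anchor "$2"; then anchor=present; else anchor=absent; fi
    printf 'blacklistd_enable=%s, pf anchor %s\n' "$enabled" "$anchor"
}

report "$sample_dir/rc.conf.untouched" "$sample_dir/pf.conf.plain"
report "$sample_dir/rc.conf.optout" "$sample_dir/pf.conf.anchored"
```

The first report line is the situation Ian describes: the daemon is enabled purely by the defaults file, and with no anchor in pf.conf (or no pf at all) it is a do-nothing daemon. The second is the explicit opt-out.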
