Re: [PATCH 0/4] Network Zones support

Jiri Popelka wrote:
> On 06/30/2011 11:11 PM, Dan Williams wrote:
>> On Tue, 2011-06-28 at 19:03 +0200, Thomas Woerner wrote:
>>> we were talking some time ago about classification of network 
>>> connections according to their trust level in network zones.

Nice, that's something SuSEfirewall2 would benefit from too :-)

>> For #6, when should the signal be emitted?  When NM *starts* to
>> configure the device even before IP addresses are acquired and assigned?
>> Ethernet static IP configuration is quite fast, so there could be a race
>> condition here if the firewall isn't fast enough applying the policy.
>> Do we care about that?

Ideally NM should signal the firewall as soon as the interface is
available (but not up yet) and wait until the firewall is done.
The rules need to be established before the link is ready as e.g. IPv6
autoconfig likely completes before IPv4 DHCP ie even before NM would
consider the connection fully up. A hostile network could even delay
DHCP to extend the time window. If the interface previously was in a
trusted zone the machine might be wide open.
OTOH the risk could be mitigated if the firewall resets the interface
rules to a restrictive set on connection termination.

Btw, how does NM or rather nm-applet know what zone names are valid?
I suppose there needs to be dbus service that returns a list of zones
(with translations, descriptions, icons, ...), right?


 (o_   Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]