Re: [PATCH 0/4] Network Zones support

From: Thomas Woerner <twoerner redhat com>
To: Ludwig Nussel <ludwig nussel suse de>
Cc: networkmanager-list gnome org
Subject: Re: [PATCH 0/4] Network Zones support
Date: Wed, 27 Jul 2011 16:31:10 +0200

Hello Ludwig,

On 07/27/2011 01:45 PM, Ludwig Nussel wrote:

Jiri Popelka wrote:

On 06/30/2011 11:11 PM, Dan Williams wrote:

On Tue, 2011-06-28 at 19:03 +0200, Thomas Woerner wrote:

we were talking some time ago about classification of network
connections according to their trust level in network zones.


Nice, that's something SuSEfirewall2 would benefit from too :-)

For #6, when should the signal be emitted?  When NM *starts* to
configure the device even before IP addresses are acquired and assigned?
Ethernet static IP configuration is quite fast, so there could be a race
condition here if the firewall isn't fast enough applying the policy.
Do we care about that?


Ideally NM should signal the firewall as soon as the interface is
available (but not up yet) and wait until the firewall is done.

NM will send out a signal before a connection will be established. Itmight not be possible to wait for the firewall to finish configurationbefore getting the interface up, but this still needs to be verified. Wewill try to make this possible.

The rules need to be established before the link is ready as e.g. IPv6
autoconfig likely completes before IPv4 DHCP ie even before NM would
consider the connection fully up. A hostile network could even delay
DHCP to extend the time window. If the interface previously was in a
trusted zone the machine might be wide open.

If NM is taking down a connection, then it will send a signal that theconnection and the matching interface should be removed from the zone(and should not make it into the trusted zone in my opinion). Thereforean interface should not belong to a zone before a connection with thatinterface will be established.

OTOH the risk could be mitigated if the firewall resets the interface
rules to a restrictive set on connection termination.

firewalld will use the untrusted zone here. But it would also bepossible to use another zone as the default zone - even depending on theconnection type.

Btw, how does NM or rather nm-applet know what zone names are valid?
I suppose there needs to be dbus service that returns a list of zones
(with translations, descriptions, icons, ...), right?

Yes, it might be good to get the zone list and zone related informationfrom the service dealing with the firewall. But this is not fully done yet.

We thought of default zones to start with: (fully) trusted, home, work,public, (fully) untrusted.

In the future additional zones could be added. If a preselected zone ismissing or not available, the connection could fall back to the defaultzone (maybe per connection type).

cu
Ludwig

Thanks,
Thomas

--
Thomas Woerner
Software Engineer            Phone: +49-711-96437-310
Red Hat GmbH                 Fax  : +49-711-96437-111
Hauptstaetterstr. 58         Email: Thomas Woerner <twoerner redhat com>
D-70178 Stuttgart            Web  : http://www.redhat.de/

Follow-Ups:
- Re: [PATCH 0/4] Network Zones support
  - From: Dan Williams

References:
- [PATCH 0/4] Network Zones support
  - From: Jiri Popelka
- Re: [PATCH 0/4] Network Zones support
  - From: Ludwig Nussel

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]