Re: connection to disable an interface



On 14.05.2022 22:24, Thomas Haller wrote:
Hi,


On Sat, 2022-05-14 at 07:38 +0300, Andrei Borzenkov via networkmanager-list wrote:


The background is a security requirement. Unused interfaces must
ideally remain disabled at the physical layer when a cable is plugged
in. Ideally, the LEDs would also remain dark.


It sounds like

no-auto-default=*

mostly does what you want.


That option merely disables that NetworkManager will automatically
generate a profile for ethernet devices that don't have a profile yet.
Such profiles are called "Wired connection 1", which is how you can
recognize them.

This does very little magic, you can manually create a profile to the
same effect. In any case, NetworkManager would have already set the
interface IFF_UP at this point -- regardless of "(no-)auto-default".


Sure, but the usual question is - what are the expected threats? Simply
having an interface up does not hurt anyone (except maybe an audit company).
But having an automatic profile on an interface allows someone to connect
a PC with a DHCP server and so get a known IP address to (attempt to) access
the server. This is prevented by no-auto-default.
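
The two properties discussed in this thread are independent, so an audit has to check them separately. The following is an added example, not part of the original messages and not NetworkManager code: it tests whether `no-auto-default=*` is set in the configuration text it is given and which interfaces carry `IFF_UP`. The function names and sample values are hypothetical, and only the bare `*` wildcard is recognised.

```python
import configparser
import os

IFF_UP = 0x1  # administrative "up" bit, from <linux/if.h>

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = "[main]\nplugins=keyfile\nno-auto-default=*\n"
# Constructed contents of /sys/class/net/<iface>/flags for two ports.
SAMPLE_FLAGS = {"eth0": "0x1003\n", "eth1": "0x1002\n"}


def auto_default_disabled(conf_text):
    """True if [main] no-auto-default contains the bare '*' wildcard.

    Simplification: per-device entries and 'except:' clauses are
    treated as not covering every device.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    value = cp.get("main", "no-auto-default", fallback="")
    entries = [e.strip() for e in value.replace(";", ",").split(",") if e.strip()]
    return "*" in entries and not any(e.startswith("except:") for e in entries)


def admin_up(flags_text):
    """Decode a sysfs 'flags' value (hex string) and test IFF_UP."""
    return bool(int(flags_text.strip(), 16) & IFF_UP)


def read_live_flags(root="/sys/class/net"):
    """Collect the flags of every interface on the running system."""
    flags = {}
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                flags[iface] = fh.read()
        except OSError:  # non-interface entries such as bonding_masters
            continue
    return flags


def audit(conf_text, flags_by_iface):
    """Return (auto_default_off, sorted list of interfaces with IFF_UP)."""
    up = sorted(i for i, f in flags_by_iface.items() if admin_up(f))
    return auto_default_disabled(conf_text), up


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_FLAGS))
```

On the sample data the option is in effect while `eth0` is still administratively up, which is the situation the thread describes.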

