Re: connection to disable an interface



On Sat, 2022-05-14 at 22:43 +0300, Andrei Borzenkov wrote:
On 14.05.2022 22:24, Thomas Haller wrote:
Hi,


On Sat, 2022-05-14 at 07:38 +0300, Andrei Borzenkov via networkmanager-list wrote:


The background is a security requirement. Unused interfaces must ideally remain disabled at the physical layer when a cable is plugged in. Ideally, the LEDs would also remain dark.


It sounds like

no-auto-default=*

mostly does what you want.


that option merely disables that NetworkManager will automatically generate a profile for ethernet devices, that don't have a profile yet. Such profiles are called "Wired connection 1", which is how you can recognize it.

This does very little magic, you can manually create a profile to the same effect. In any case, NetworkManager would have already set the interface IFF_UP at this point -- regardless of "(no-)auto-default".


Sure, but usual question is - what are the expected threats? Simply having interface up does not hurt anyone (except maybe audit company). But having automatic profile on interface allows someone to connect PC with DHCP server and so get known IP address to (attempt to) access the server. This is prevented by no-auto-default.


you are right!

Thomas
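
The thread separates two things: whether an interface is IFF_UP, and whether an auto-generated profile is allowed on it. The following added example (not part of the original messages and not NetworkManager code) reports both per device; it assumes a simplified match that understands only `*` and `interface-name:<name>` specs, and its sysfs tree and configuration text are constructed samples.

```python
import configparser
import tempfile
from pathlib import Path

IFF_UP = 0x1  # administrative "up" bit, as defined in <linux/if.h>

# Constructed sample of a NetworkManager.conf with the option from the thread.
SAMPLE_CONF = "[main]\nplugins=keyfile\nno-auto-default=*\n"

def no_auto_default_specs(conf_text):
    """Return the device specs listed under [main] no-auto-default."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.get("main", "no-auto-default", fallback="")
    return [s.strip() for s in raw.replace(";", ",").split(",") if s.strip()]

def auto_profile_suppressed(specs, ifname):
    """Assumption: simplified match, only '*' and 'interface-name:<name>'."""
    return "*" in specs or f"interface-name:{ifname}" in specs

def audit(sysfs_net, conf_text):
    """Map each netdev name to (is IFF_UP, auto profile suppressed)."""
    specs = no_auto_default_specs(conf_text)
    report = {}
    for dev in sorted(Path(sysfs_net).iterdir()):
        # <dev>/flags holds the interface flags as hex text, e.g. "0x1003".
        flags = int((dev / "flags").read_text().strip(), 16)
        report[dev.name] = (bool(flags & IFF_UP),
                            auto_profile_suppressed(specs, dev.name))
    return report

def make_sample(root):
    """Build a constructed stand-in for /sys/class/net: eth0 up, eth1 down."""
    for name, flags in (("eth0", "0x1003"), ("eth1", "0x1002")):
        dev = Path(root) / name
        dev.mkdir()
        (dev / "flags").write_text(flags + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for name, (up, suppressed) in audit(tmp, SAMPLE_CONF).items():
            print(f"{name}: IFF_UP={up} auto-profile-suppressed={suppressed}")
```

On a live host the same `audit()` call can be pointed at `/sys/class/net` and the text of the real configuration file; it lists every network device there, not only Ethernet ones.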


