On Fri, 2013-09-20 at 20:33 -0400, Matthew Miller wrote:
> On Sat, Sep 21, 2013 at 12:40:15AM +0200, Björn Persson wrote:
> > >> Anyone can broadcast an SSID. How does FirewallD authenticate the
> > >> network connection?
> > >FirewallD is not responsible for such authentication/AP validation.
> > >Firewall as such is not meant to assure you're connecting to where you
> > >want.
> > It's FirewallD that introduces the zone concept. FirewallD is therefore
> > responsible for ensuring that the network has been authenticated before
> > it switches to a zone that assumes an isolated and friendly network. Of
> > course FirewallD can delegate the authentication to another program,
> > but simply stating that FirewallD is not responsible doesn't answer the
> > question.
> I haven't looked, but I assume that it's not actually the SSID that makes
> them unique but rather done by NetworkManager UUID. See
> <https://wiki.gnome.org/NetworkManagerConfiguration>. So, the attack I think
> you're talking about would be someone making a network with the same SSID as
> one you trust. NetworkManager won't automatically connect to that, and
> even if you do, it won't automatically put them in the same zone.

Yes, this is definitely the case. I don't recall the details of exactly
how it does it, but I definitely recall reading a post explaining that
NM doesn't just rely on the SSID broadcast: just because you connect to
a wireless network with the SSID "foobar" and that becomes a
'connection' in the NM UI with the name "foobar", which you can assign
to a given firewall zone, it doesn't mean NM will then happily
auto-connect to any old SSID named "foobar" and use the same firewall
zone. (Firewall zones are kind of irrelevant; that kind of behaviour on
NM's part would be crazy dangerous even without firewall zones). NM does
store some kind of fairly strong identifying information on the network
and will only consider it to be the same network and re-connect
automatically using the stored authentication information and
configuration if it's sure it really *is* the same network.
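
The point made in this thread, that the firewall zone is attached to a NetworkManager connection profile (keyed by its UUID) rather than to the SSID, can be checked against the stored profiles. Below is an added example, not code from this thread, NetworkManager or FirewallD. It parses NetworkManager keyfile profiles (the `[connection]` id/uuid/type/zone, `[wifi]` ssid and `[wifi-security]` key-mgmt layout is assumed from the keyfile plugin format), groups them by SSID to show that two profiles with the same SSID can carry different zones, and flags profiles that put a network with no real authentication into a trusted zone. The three profiles, the UUIDs and the `TRUSTED_ZONES` set are constructed sample data.

```python
"""Audit NetworkManager keyfile profiles: which profile (by uuid) carries
which firewall zone, and whether unauthenticated networks land in a trusted zone.

Added example for this thread, not NetworkManager or FirewallD code. The
keyfile layout is assumed from NetworkManager's keyfile plugin format; the
profiles below are constructed sample data, not real configuration.
"""
import configparser
from collections import defaultdict

# Constructed sample keyfiles, as they would sit under
# /etc/NetworkManager/system-connections/ (path assumed).
SAMPLE_KEYFILES = {
    "home.nmconnection": """
[connection]
id=home
uuid=1a2b3c4d-0000-4000-8000-000000000001
type=wifi
zone=home

[wifi]
ssid=foobar
mode=infrastructure

[wifi-security]
key-mgmt=wpa-psk
""",
    "cafe.nmconnection": """
[connection]
id=cafe foobar
uuid=1a2b3c4d-0000-4000-8000-000000000002
type=wifi
zone=public

[wifi]
ssid=foobar
mode=infrastructure
""",
    "office.nmconnection": """
[connection]
id=office
uuid=1a2b3c4d-0000-4000-8000-000000000003
type=wifi
zone=work

[wifi]
ssid=corp
""",
}

# Zones that grant more trust than 'public'; adjust to local policy (assumed set).
TRUSTED_ZONES = {"home", "work", "trusted", "internal"}


def parse_profile(text):
    """Return a dict describing one keyfile profile.
    zone is None when the profile has no zone= line (FirewallD then uses
    its default zone); key_mgmt is None when there is no [wifi-security]
    section, i.e. an open network."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conn = cp["connection"]
    profile = {
        "id": conn.get("id"),
        "uuid": conn.get("uuid"),
        "type": conn.get("type"),
        "zone": conn.get("zone"),
        "ssid": None,
        "key_mgmt": None,
    }
    if cp.has_section("wifi"):
        profile["ssid"] = cp["wifi"].get("ssid")
    if cp.has_section("wifi-security"):
        profile["key_mgmt"] = cp["wifi-security"].get("key-mgmt")
    return profile


def audit(keyfiles):
    """Map uuid -> profile, group profile uuids by SSID, and flag profiles
    that assign a trusted zone to a network nothing authenticates."""
    by_uuid = {}
    by_ssid = defaultdict(list)
    findings = []
    for name, text in keyfiles.items():
        p = parse_profile(text)
        by_uuid[p["uuid"]] = p                    # the zone hangs off the uuid ...
        if p["ssid"] is not None:
            by_ssid[p["ssid"]].append(p["uuid"])  # ... not off the SSID
        # No [wifi-security] means an open network; key-mgmt=none is static
        # WEP in NetworkManager's keyfile. Neither authenticates the AP, so a
        # trusted zone on such a profile is trust the network never earned.
        if p["zone"] in TRUSTED_ZONES and p["key_mgmt"] in (None, "none"):
            findings.append((name, p["zone"]))
    return by_uuid, dict(by_ssid), findings


if __name__ == "__main__":
    by_uuid, by_ssid, findings = audit(SAMPLE_KEYFILES)
    for ssid, uuids in by_ssid.items():
        zones = [by_uuid[u]["zone"] for u in uuids]
        print(f"SSID {ssid!r}: {len(uuids)} profile(s), zones {zones}")
    for name, zone in findings:
        print(f"WARNING: {name} has no AP authentication but is in zone {zone!r}")
```

Running it shows that the SSID "foobar" has two profiles in two different zones, which is why an impostor broadcasting "foobar" does not inherit the "home" zone: the zone lives on the profile NetworkManager selects, not on the name in the beacon. The warning on the office profile is the case this thread is really about, a zone that assumes a friendly network on a connection where nothing verified the network.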
