About F19 Firewall

Björn Persson bjorn at xn--rombobjrn-67a.se
Wed Sep 25 18:42:38 UTC 2013

Eric H. Christensen wrote:
>Authentication is based on WEP/WPA/WPA2 passphrase, possibly a MAC
>address (BSSID), and 802.1 authentication.

I guess you refer to using 802.1X with an EAP method that provides
mutual authentication, authenticating both the supplicant and the
authentication server to each other.

As a test I opened the Network Manager connection editor and put my
Ethernet connection in the home zone while connected to my home network
which doesn't have 802.1X. The filtering rules were immediately changed.
There were no protests and no warnings. Obviously nothing tries to
ensure that only authenticated networks are put in a trusted zone.

Network Manager uses this same connection for all Ethernet networks I
connect to. I see no indication that the home zone wouldn't be used for
other networks, if I hadn't already changed it back to "public". Perhaps
an authenticated network would become a separate connection, but I
estimate that approximately zero homes and smaller offices use 802.1X
on wired networks.

>This is wireless, however.  Hardline connections will always
>be a bit more secure and the auto zone there will make more sense.

Given that many wireless home networks use WPA2 these days, but few if
any wired home networks use 802.1X, it looks like with FirewallD wired
connections may actually be *less* secure than wireless connections.

I strongly suspect that many users put both their wired and wireless
networks in the home zone when at home. Then when they go elsewhere,
Wi-Fi networks will be considered different connections and will be in
the public zone by default, but any Ethernets they connect to will be
treated as the home network, which many users probably don't realize.

This difference may be temporary though. Sooner or later ISPs will be
forced to start providing IPv6 to customers, and then NAT will no longer
function as a firewall. It remains to be seen how home networks will
evolve then. It may be that people are so used to being crippled by
their NAT routers that they will buy home routers with zealous firewalls
in them, blocking all incoming IPv6 traffic and disrupting peer-to-peer
communication like NAT does. Or it may happen that homes and small
offices finally get fully functional Internet. In the latter case
link-layer encryption like WPA2 won't protect anything anymore, as all
the computers will be addressable from the outside anyway, and then
protocols designed for an isolated friendly network will be equally
insecure on both wired and wireless networks.

-- 
Björn Persson

Sent from my computer.
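The situation Björn describes above, a wired profile that stays in a trusted firewalld zone no matter which cable it is plugged into, can be audited from the NetworkManager profile list. The script below is an added example and is not part of the original post or of FirewallD/NetworkManager; it assumes records in the form `name|type|zone|eap` as one would assemble from `nmcli -g NAME connection show` and `nmcli -g connection.type,connection.zone,802-1x.eap connection show "$name"` (property names as in nmcli(1), taken as an assumption here), and the set of zones treated as trusted is also an assumption to adjust locally. The sample records are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: flag NetworkManager
# profiles that sit in a trusted firewalld zone without 802.1X.
#
# Input records are "name|type|zone|eap" lines. Assumption: on a live
# system you would build them from
#   nmcli -g NAME connection show
#   nmcli -g connection.type,connection.zone,802-1x.eap connection show "$name"
# (property names per nmcli(1); verify on your version before relying on it).

# Assumption: which zones count as "trusted" is site policy; edit to taste.
TRUSTED_ZONES="home internal trusted work"

is_trusted_zone() {
    for z in $TRUSTED_ZONES; do
        [ "$1" = "$z" ] && return 0
    done
    return 1
}

# Reads records on stdin, prints one line per risky profile and returns 1
# if any were found, 0 otherwise. Only wired profiles are flagged: a Wi-Fi
# profile is tied to an SSID and its passphrase, whereas a wired profile
# with no EAP method matches whatever network the cable happens to reach,
# which is exactly the case the post describes.
audit_zones() {
    found=0
    while IFS='|' read -r name type zone eap; do
        [ -z "$name" ] && continue
        is_trusted_zone "$zone" || continue
        if [ "$type" = "802-3-ethernet" ] && [ -z "$eap" ]; then
            printf 'RISK: %s (%s) in zone "%s" with no 802.1X\n' \
                "$name" "$type" "$zone"
            found=1
        fi
    done
    return $found
}

# Constructed sample records (not real nmcli output):
SAMPLE='Wired connection 1|802-3-ethernet|home|
Home WiFi|802-11-wireless|home|
Office|802-3-ethernet|work|peap
Cafe|802-11-wireless|public|'

# Demo run on the constructed sample.
if printf '%s\n' "$SAMPLE" | audit_zones; then
    echo "no wired profile in a trusted zone without 802.1X"
fi
```

Only "Wired connection 1" is reported: it is wired, in the home zone, and has no EAP method, so it would carry the home zone's rules onto any Ethernet network. "Office" is also wired and in a trusted zone but uses PEAP, and the two Wi-Fi profiles are bound to their SSIDs, so none of those is flagged. Pair the audit with `firewall-cmd --get-active-zones` to see which zone each interface is actually in right now.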