About F19 Firewall

Björn Persson bjorn at xn--rombobjrn-67a.se
Wed Sep 25 18:42:38 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Eric H. Christensen wrote:
>Authentication is based on WEP/WPA/WPA2 passphrase, possibly a MAC
>address (BSSID), and 802.1 authentication.

I guess you refer to using 802.1X with an EAP method that provides
mutual authentication, authenticating both the supplicant and the
authentication server to each other.

As a test I opened the Network Manager connection editor and put my
Ethernet connection in the home zone while connected to my home network
which doesn't have 802.1X. The filtering rules were immediately changed.
There were no protests and no warnings. Obviously nothing tries to
ensure that only authenticated networks are put in a trusted zone.

Network Manager uses this same connection for all Ethernet networks I
connect to. I see no indication that the home zone wouldn't be used for
other networks, if I hadn't already changed it back to "public". Perhaps
an authenticated network would become a separate connection, but I
estimate that approximately zero homes and smaller offices use 802.1X
on wired networks.

>This is wireless, however.  Hardline connections will always
>be a bit more secure and the auto zone there will make more sense.

Given that many wireless home networks use WPA2 these days, but few if
any wired home networks use 802.1X, it looks like with FirewallD wired
connections may actually be *less* secure than wireless connections.

I strongly suspect that many users put both their wired and wireless
networks in the home zone when at home. Then when they go elsewhere,
Wifi networks will be considered different connections and will be in
the public zone by default, but any Ethernets they connect to will be
treated as the home network, which many users probably don't realize.

This difference may be temporary though. Sooner or later ISPs will be
forced to start providing IPv6 to customers, and then NAT will no longer
function as a firewall. It remains to be seen how home networks will
evolve then. It may be that people are so used to being crippled by
their NAT routers that they will buy home routers with zealous firewalls
in them, blocking all incoming IPv6 traffic and disrupting peer-to-peer
communication like NAT does. Or it may happen that homes and small
offices finally get fully functional Internet. In the latter case
link-layer encryption like WPA2 won't protect anything anymore, as all
the computers will be addressable from the outside anyway, and then
protocols designed for an isolated friendly network will be equally
insecure on both wired and wireless networks.

-- 
Björn Persson

Sent from my computer.
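Added example, not part of Björn's mail and not code from NetworkManager or firewalld: a small audit script that lists every NetworkManager connection profile together with the firewalld zone it is pinned to, and flags the case described above, an Ethernet profile (which NetworkManager reuses for every wired network you plug into) sitting in a trusted zone. It assumes nmcli (with -g/--get-values) and firewall-cmd are installed; which zone names count as "trusted" and the verdict strings are this script's own choices.

```shell
#!/bin/sh
# Added example (not from the original mail, NetworkManager or firewalld).
# Assumptions: nmcli supports -g/--get-values, firewall-cmd is installed,
# and the zones home/internal/trusted/work are the ones we call "trusted".

# classify_connection TYPE ZONE DEFAULT_ZONE
#   TYPE is the nmcli setting name (802-3-ethernet, 802-11-wireless, ...).
#   ZONE is the profile's connection.zone; empty means the profile is not
#   pinned and firewalld's default zone applies, so DEFAULT_ZONE is used.
# Prints one verdict: wired-trusted (the risky case), wireless-trusted,
# other-trusted, untrusted or unknown-zone.
classify_connection() {
    ctype=$1; zone=$2; default_zone=$3
    [ -n "$zone" ] || zone=$default_zone
    case "$zone" in
        home|internal|trusted|work)
            case "$ctype" in
                802-3-ethernet)  echo wired-trusted ;;
                802-11-wireless) echo wireless-trusted ;;
                *)               echo other-trusted ;;
            esac ;;
        public|external|dmz|drop|block)
            echo untrusted ;;
        *)
            echo unknown-zone ;;
    esac
}

# audit_connections: one line per NetworkManager profile with its type,
# its effective zone and the verdict from classify_connection.
audit_connections() {
    default_zone=$(firewall-cmd --get-default-zone 2>/dev/null || echo public)
    # -t: terse colon-separated output, -f: which fields to print.
    # (nmcli escapes ':' inside names as '\:'; this simple reader ignores that.)
    nmcli -t -f NAME,TYPE connection show | while IFS=: read -r name ctype; do
        zone=$(nmcli -g connection.zone connection show "$name" 2>/dev/null || true)
        verdict=$(classify_connection "$ctype" "$zone" "$default_zone")
        printf '%-32s %-16s zone=%-22s %s\n' \
            "$name" "$ctype" "${zone:-(default: $default_zone)}" "$verdict"
    done
}

# Run the live audit only when both tools exist, so classify_connection can
# still be exercised on its own.
if command -v nmcli >/dev/null 2>&1 && command -v firewall-cmd >/dev/null 2>&1; then
    audit_connections
    echo
    echo "wired-trusted: this profile's zone applies to every Ethernet network it is used on."
fi
```

`firewall-cmd --get-active-zones` shows which zone each interface is in right now; a profile flagged wired-trusted can be moved back with `nmcli connection modify "<profile>" connection.zone public`, after which firewalld treats that interface like any other untrusted network.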