On Fri, 2013-09-20 at 20:33 -0400, Matthew Miller wrote:
> On Sat, Sep 21, 2013 at 12:40:15AM +0200, Björn Persson wrote:
> > >> Anyone can broadcast an SSID. How does FirewallD authenticate the
> > >> network connection?
> > > FirewallD is not responsible for such authentication/AP validation.
> > > Firewall as such is not meant to assure you're connecting to where you
> > > want.
> > It's FirewallD that introduces the zone concept. FirewallD is therefore
> > responsible for ensuring that the network has been authenticated before
> > it switches to a zone that assumes an isolated and friendly network. Of
> > course FirewallD can delegate the authentication to another program,
> > but simply stating that FirewallD is not responsible doesn't answer the
> > question.
>
> I haven't looked, but I assume that it's not actually the SSID that makes
> them unique but rather done by NetworkManager UUID. See
> <https://wiki.gnome.org/NetworkManagerConfiguration>. So, the attack I think
> you're talking about would be someone making a network with the same SSID as
> one you trust. NetworkManager won't automatically connect to that, and even
> if you do, it won't automatically put them in the same zone.

Yes, this is definitely the case. I don't recall the details of exactly how it does it, but I definitely recall reading a post explaining that NM doesn't just rely on the SSID broadcast: just because you connect to a wireless network with the SSID "foobar" and that becomes a 'connection' in the NM UI with the name "foobar", which you can assign to a given firewall zone, it doesn't mean NM will then happily auto-connect to any old SSID named "foobar" and use the same firewall zone. (Firewall zones are kind of irrelevant; that kind of behaviour on NM's part would be crazy dangerous even without firewall zones.)

NM does store some kind of fairly strong identifying information on the network and will only consider it to be the same network and re-connect automatically using the stored authentication information and configuration if it's sure it really *is* the same network.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
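A defender-side check that follows from the thread above, added here as an example and not code from the thread, NetworkManager or FirewallD: NM maps firewall zones to connection profiles (identified by UUID), so the profiles worth auditing are those placed in a non-default zone while using an open network, where nothing at the link layer ties the profile to a particular access point. It assumes the `nmcli -t`/`-g` output syntax of current NetworkManager releases; the sample profiles and UUIDs are constructed.

```shell
#!/bin/sh
# Audit NetworkManager Wi-Fi profiles: flag any profile assigned to a
# firewalld zone other than the default while relying on no link-layer
# authentication (empty key-mgmt = open network). Anyone can broadcast an
# SSID, so an open profile in a trusted zone is bound to nothing verifiable.

# Input: one profile per line, fields separated by '|':
#   uuid|ssid|key-mgmt|zone   (empty key-mgmt = open, empty zone = default)
audit_profiles() {
    while IFS='|' read -r uuid ssid keymgmt zone; do
        [ -n "$uuid" ] || continue
        if [ -n "$zone" ] && [ -z "$keymgmt" ]; then
            printf 'RISK uuid=%s ssid=%s zone=%s: open network in a non-default zone\n' \
                "$uuid" "$ssid" "$zone"
        else
            printf 'ok   uuid=%s ssid=%s key-mgmt=%s zone=%s\n' \
                "$uuid" "$ssid" "${keymgmt:-none}" "${zone:-default}"
        fi
    done
}

# Collect live data from nmcli (assumption: terse TYPE column prints the
# setting name, and -g on a missing setting prints an empty value).
collect_profiles() {
    nmcli -t -f UUID,TYPE connection show | while IFS=: read -r uuid type; do
        case "$type" in 802-11-wireless|wifi) ;; *) continue ;; esac
        ssid=$(nmcli -g 802-11-wireless.ssid connection show "$uuid")
        keymgmt=$(nmcli -g 802-11-wireless-security.key-mgmt connection show "$uuid")
        zone=$(nmcli -g connection.zone connection show "$uuid")
        printf '%s|%s|%s|%s\n' "$uuid" "$ssid" "$keymgmt" "$zone"
    done
}

# Constructed sample standing in for collect_profiles output (UUIDs made up):
# a WPA-PSK home network in zone "home", an open "foobar" profile wrongly put
# in zone "home", and an open cafe profile left in the default zone.
SAMPLE='11111111-2222-3333-4444-555555555555|home|wpa-psk|home
66666666-7777-8888-9999-000000000000|foobar||home
aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee|cafe||'

# Number of risky profiles in the sample (used by the self-check).
count_risky() {
    printf '%s\n' "$SAMPLE" | audit_profiles | grep -c '^RISK'
}

if [ "${1:-}" = "--live" ]; then collect_profiles | audit_profiles
else printf '%s\n' "$SAMPLE" | audit_profiles; fi
```

Run with `--live` on a host with nmcli to audit the real profiles; without arguments it audits the constructed sample.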