Eric H. Christensen wrote:
>Authentication is based on WEP/WPA/WPA2 passphrase, possibly a MAC
>address (BSSID), and 802.1 authentication.

I guess you refer to using 802.1X with an EAP method that provides mutual authentication, authenticating both the supplicant and the authentication server to each other.

As a test I opened the Network Manager connection editor and put my Ethernet connection in the home zone while connected to my home network which doesn't have 802.1X. The filtering rules were immediately changed. There were no protests and no warnings. Obviously nothing tries to ensure that only authenticated networks are put in a trusted zone.

Network Manager uses this same connection for all Ethernet networks I connect to. I see no indication that the home zone wouldn't be used for other networks, if I hadn't already changed it back to "public". Perhaps an authenticated network would become a separate connection, but I estimate that approximately zero homes and smaller offices use 802.1X on wired networks.

>This is wireless, however. Hardline connections will always
>be a bit more secure and the auto zone there will make more sense.

Given that many wireless home networks use WPA2 these days, but few if any wired home networks use 802.1X, it looks like with FirewallD wired connections may actually be *less* secure than wireless connections. I strongly suspect that many users put both their wired and wireless networks in the home zone when at home. Then when they go elsewhere, Wifi networks will be considered different connections and will be in the public zone by default, but any Ethernets they connect to will be treated as the home network, which many users probably don't realize.

This difference may be temporary though. Sooner or later ISPs will be forced to start providing IPv6 to customers, and then NAT will no longer function as a firewall. It remains to be seen how home networks will evolve then. It may be that people are so used to being crippled by their NAT routers that they will buy home routers with zealous firewalls in them, blocking all incoming IPv6 traffic and disrupting peer-to-peer communication like NAT does. Or it may happen that homes and small offices finally get fully functional Internet. In the latter case link-layer encryption like WPA2 won't protect anything anymore, as all the computers will be addressable from the outside anyway, and then protocols designed for an isolated friendly network will be equally insecure on both wired and wireless networks.

-- 
Björn Persson

Sent from my computer.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
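An added example, not part of the original message: a small audit that flags the situation described above, a wired NetworkManager profile assigned to a permissive firewalld zone with no 802.1X settings. It assumes profiles are stored in NetworkManager's keyfile format and that firewalld's predefined zone names are in use; the function names and sample profiles are constructed for illustration.

```python
import configparser

# firewalld's predefined zones that admit more inbound traffic than "public".
PERMISSIVE_ZONES = {"home", "work", "internal", "trusted"}
WIRED_TYPES = {"ethernet", "802-3-ethernet"}

def audit_profile(keyfile_text):
    """Return a finding for a wired profile that carries a permissive zone
    to every Ethernet network it activates on, or None if nothing to report."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    if not cp.has_section("connection"):
        return None
    conn = cp["connection"]
    zone = conn.get("zone", "").strip()
    if conn.get("type", "").strip() not in WIRED_TYPES:
        return None  # Wi-Fi profiles are tied to one SSID
    if zone not in PERMISSIVE_ZONES:
        return None  # unset zone falls back to firewalld's default zone
    if cp.has_section("802-1x"):
        return None  # has 802.1X settings; EAP method strength is not checked
    return f"{conn.get('id', '?')}: wired, zone '{zone}', no 802.1X"

def audit_all(profiles):
    """Audit a list of keyfile texts and return only the findings."""
    return [f for f in map(audit_profile, profiles) if f]

# Constructed sample profiles (not taken from any real system).
SAMPLE_PROFILES = [
    "[connection]\nid=Wired connection 1\ntype=ethernet\nzone=home\n",
    "[connection]\nid=Office LAN\ntype=ethernet\nzone=work\n\n"
    "[802-1x]\neap=peap;\nidentity=user\n",
    "[connection]\nid=HomeWifi\ntype=wifi\nzone=home\n\n"
    "[wifi]\nssid=HomeWifi\n\n[wifi-security]\nkey-mgmt=wpa-psk\n",
    "[connection]\nid=Wired connection 2\ntype=ethernet\n",
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_PROFILES):
        print(finding)
```

Only the first sample profile is reported: it is the generic wired profile that would apply the home zone to any Ethernet network the machine is plugged into.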