[Networkmanager] Prevent activation of network connection

Orion Poplawski orion at nwra.com
Tue Dec 20 17:10:10 UTC 2022


On 12/20/22 03:02, Thomas Haller wrote:
> On Mon, 2022-12-19 at 16:31 -0700, Orion Poplawski wrote:
>> Is it possible to prevent activation of a connection via a dispatcher
>> pre-up script or similar?  I'm trying to recreate the effect of the Windows
>> "Disable Simultaneous Connection to Non-domain and Domain" GP setting -
>> https://winaero.com/disable-simultaneous-connection-to-non-domain-and-domain-in-windows-10/
>>
>> Thank you.
>>
> 
> Hi,
> 
> 
> I think not. Well, you can call `nmcli connection down` from a
> dispatcher script. But then activation has already started. Also, it will
> block future autoconnect.
> 
> If you have a more complex policy about autoconnect, I think that you
> would disable "connection.autoconnect" in the profile, and let your
> scripts/tool handle the activation.
> 
> 
> It seems what you ask for is a more elaborate policy about how
> profiles can autoconnect, and moreover, how they conflict. That would
> be an interesting feature, but relatively hard to design correctly.
> 
> 
> Thomas

What do you mean by "it will block future autoconnect"?

It's not just autoconnect - it's what is allowed to connect/activate at all.
In the Windows policy when enabled, if a machine is connected to a "domain"
network (one in which a domain controller is accessible) a user cannot
activate a non-domain network.

This arises out of the following NIST 800-171 control:

3.13.7 Prevent remote devices from simultaneously establishing non-remote
connections with organizational systems and communicating via some other
connection to resources in external networks (i.e. split tunneling)


This often is understood in relationship to VPN connections, but we see
essentially the same situation where users can be on an internal network
connection via Ethernet and on our visitor Wi-Fi simultaneously.  The Windows
policy handles this, and we're trying to implement the equivalent for Linux.

Ideally we would be able to mark the internal connections in some way as
"internal" or "domain" and when one of those were active, no other connections
that were not marked the same would be able to be activated.

Orion


-- 
Orion Poplawski
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
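As an added example (not part of this thread and not NetworkManager's own code), the following pre-up dispatcher script approximates the "domain"/"internal" marking Orion describes, using the `nmcli connection down` approach Thomas mentions. The profile names `Corp Wired` and `Corp WiFi`, the `DOMAIN_CONNECTIONS` list and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a NetworkManager dispatcher script for the
# pre-up action that approximates the Windows "no simultaneous non-domain and
# domain connection" policy. Assumed: the profiles named below are the "domain"
# ones; every other profile is treated as external.
DOMAIN_CONNECTIONS="Corp Wired
Corp WiFi"

# in_list NAME LIST: succeed when NAME equals one whole line of LIST.
in_list() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# should_block NEW_ID ACTIVE_IDS: succeed (= block) when NEW_ID is not a domain
# profile and some other id in ACTIVE_IDS (newline-separated) is one.
# Pure policy decision, so it can be exercised without nmcli.
should_block() {
    new=$1
    active=$2
    in_list "$new" "$DOMAIN_CONNECTIONS" && return 1
    old_ifs=$IFS
    IFS='
'
    set -f; set -- $active; set +f
    IFS=$old_ifs
    for a in "$@"; do
        [ "$a" != "$new" ] && in_list "$a" "$DOMAIN_CONNECTIONS" && return 0
    done
    return 1
}

# active_ids: ids of connections already fully activated. At pre-up the profile
# being brought up is still "activating", so it is excluded. (nmcli -t escapes
# ':' inside values; ids containing ':' would need extra handling here.)
active_ids() {
    nmcli -t -f NAME,STATE connection show --active | awk -F: '$2 == "activated" { print $1 }'
}

# Dispatcher entry: NetworkManager runs scripts in dispatcher.d/pre-up.d/ with
# $1=interface, $2=action and CONNECTION_ID in the environment.
if [ "${2:-}" = "pre-up" ] && [ -n "${CONNECTION_ID:-}" ]; then
    if should_block "$CONNECTION_ID" "$(active_ids)"; then
        logger -t nm-domain-policy "taking down '$CONNECTION_ID': a domain connection is active"
        # Activation has already started at this point and, as noted in the
        # thread, taking the profile down also blocks its autoconnect.
        nmcli connection down "$CONNECTION_ID"
    fi
fi
```

Because the decision is made from the list of already-activated profiles, a domain profile itself is never blocked, and nothing happens while no domain profile is up.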
