[Networkmanager] Can public/trusted network setting return to UI?

Andrei Borzenkov arvidjaar at gmail.com
Wed Jun 21 14:42:00 UTC 2023 

On 21.06.2023 17:19, Petr Menšík wrote:
> The problem with that approach is I would like to configure also other
> services based on that. Not only ports open to receive requests from
> outside, but also permission to join the interface with mdns service and
> send queries over it.
> 
> Is it possible to receive this information to dispatcher script, which
> might customize settings based on its value? Can I adjust services,
> stopping them instead of just blocking access to them?
> 
> I would like to set default values for few values, like:
> 
> public:
> 
> connection.lldp:                        no
> connection.mdns:                        no
> connection.llmnr:                       no
> connection.dns-over-tls:                yes
> ipv4.dhcp-send-hostname      no
> 

See "man NetworkManager.conf" for description how to set default values. 
ipv4.dhcp-send-hostname is not listed as supported though, I do not know 
if it is just missing documentation.

> possibly with ipv4.ignore-auto-dns=yes, and ipv4.dns=8.8.8.8
> 
> for trusted:
> 
> connection.lldp:                        default
> connection.mdns:                        yes
> connection.llmnr:                       yes
> connection.dns-over-tls:           opportunistic
> ipv4.dhcp-send-hostname      yes
> 
> I would like to kind of pre-configure different "groups" and assign
> connections to one of them. If I don't override value in connection
> itself, use values from the group. Not to manually specify the same for
> regionjet.cz SSID, CDWIFI SSID, airport SSID and similar places again
> and again. Is something similar possible without having a tool, which
> will copy values on network connection creation?
> 
> Kind of derived classes in C++, which get more and more specialized. How
> hard would be implementing something like that?
> 
> On 21. 06. 23 14:33, Thomas Haller wrote:
>> On Tue, 2023-06-20 at 22:28 +0200, Petr Menšík wrote:
>>> Hello!
>>>
>>> I am old enough to remember there were once specification for each
>>> connection, into which type of network it belongs. I kind of like it
>>> and
>>> it would make sense to me if it returned into configuration not only
>>> from command line.
>>>
>>> There is still connection.zone, but at least UI from GNOME does not
>>> allow editing it from the GUI applet.
>>>
>>> Why do I want it?
>>>
>>> Basically I have two different approaches for to network I connect:
>>>
>>> - public network. Conferences, hotels, café or train. Usually all I
>>> want
>>> is internet connectivity.  I want my privacy protection as strong as
>>> it
>>> can be. DNS over TLS if possible, no avahi, no services open to
>>> network.
>>>
>>> - trusted network. My home, work, or networks of my friends or
>>> relatives. I may want to interact with other devices on this network.
>>> That might be smart TV for sharing photos or choosing movie, transfer
>>> of
>>> files, printer to print on. I want Avahi to discover services and
>>> publish my machines name. I do not care about DNS to be encrypted too
>>> much, more important is every name has to work. Privacy is reduced to
>>> simplify identification of devices.
>>>
>>> Is there a reason why nothing similar is offered now? With my avahi
>>> maintainer hat on, I had to say it does not have runtime
>>> reconfiguration
>>> yet. For me, having at least connection.zone like select box in UI
>>> for
>>> connection to networks would be great. Is there some reasoning why it
>>> has disappeared?
>>
>> Hi,
>>
>> the "connection.zone" property is all that NetworkManager does about
>> firewall. It only applies, if you also use firewalld. You would
>> configure the zones in firewalld, and "connection.zone" refers to that.
>>
>> I seem to remember, that nm-connection-editor hides the configuration
>> option, if it detects that firewalld is not enabled. I guess you are
>> looking at gnome-control-center? I don't know whether it supports the
>> zone. If it doesn't, it possibly should. RFE/patch welcome. The
>> workaround is to configure the zone using nmcli:
>>
>>     $ nmcli connection modify "$PROFILE" connection.zone "$ZONE"
>>
>> Make sure to enable and use firewalld.
>>
>>
>> Thomas
>>

More information about the Networkmanager mailing list