On Fri 2016-08-26 14:50:12 -0400, intrigeri wrote:
> Since then, NetworkManager gained the ability to randomize MAC
> addresses [1]. If we delegate the bulk of the work to it, then this
> becomes:
>
> a) We remove the modules blacklist logic.
> b) We set up a boot-time firewall that blocks all outgoing connections
> to non-loopback interfaces.
> c) Once the user has made their decision wrt. MAC spoofing (that is,
> in tails-unblock-network, run by PostLogin, just as it is now):
>
> 1. We record that decision in some place where all legitimate
> interested parties can check it out.
> 2. We configure NM accordingly.
> 3. We replace the boot-time firewall with the production one.
> 4. We start NetworkManager.
>
> Here again, hotplugged interfaces are not as well protected against
> permanent MAC address leaks as the coldplugged ones. But this is
> a compromise we are already doing in our current design.
fwiw, I prefer MAC address spoofing at the udev layer, since it means the
first userspace tool to see the device gets a chance to set the MAC
address immediately.
It's easy enough to do by dropping a file in
/etc/systemd/network/99-default.link with the contents:

    [Link]
    MACAddressPolicy=random

Note that we will also need to tell network-manager to not automatically
reset the MAC address to its permanent one, though, since the defaults
for that setting are wrong:
https://bugzilla.gnome.org/show_bug.cgi?id=770611
For the versions of NM with that crappy default setting, you'll also
want to include a file
/etc/NetworkManager/conf.d/20-mac-addr-preserve.conf with the contents:

    # cloned-mac-address defaults are connection settings, so they
    # belong in a [connection*] section, not a [device*] one.
    [connection-mac-addr-preserve]
    ethernet.cloned-mac-address=preserve
    wifi.cloned-mac-address=preserve

Regards,
--dkg
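The two fragments above, as an added example that is not part of the thread and not Tails or NetworkManager code: a small POSIX shell script that installs both files under a root of your choosing, checks that they say what they should, and verifies on a live interface that the address in use differs from the permanent one. Assumptions (not stated in the thread): the `.link` file is applied by systemd-udevd, `ethtool` is installed for reading the permanent address, and a hypothetical `ROOT` variable selects the target root so the install step can be dry-run in a scratch directory. Because only the first matching `.link` file is applied, shadowing the distro's `99-default.link` also replaces its `NamePolicy` line; the script keeps the one systemd ships so interface naming is unchanged.

```shell
#!/bin/sh
# Added example (not from the thread, Tails or NetworkManager).
# Assumptions: systemd-udevd applies .link files, ethtool is installed,
# and $ROOT (hypothetical, default: the real root) picks the install target.
set -eu

ROOT="${ROOT:-}"

# udev layer: randomize the MAC before any other userspace tool sees the
# device. This file shadows /lib/systemd/network/99-default.link entirely
# (only the first matching .link file is applied), so systemd's NamePolicy
# line is kept here rather than silently dropped.
install_link_policy() {
    dir="$ROOT/etc/systemd/network"
    mkdir -p "$dir"
    cat > "$dir/99-default.link" <<'EOF'
[Link]
NamePolicy=kernel database onboard slot path
MACAddressPolicy=random
EOF
}

# NetworkManager: stop it from resetting the address to the permanent one.
install_nm_preserve() {
    dir="$ROOT/etc/NetworkManager/conf.d"
    mkdir -p "$dir"
    cat > "$dir/20-mac-addr-preserve.conf" <<'EOF'
[connection-mac-addr-preserve]
ethernet.cloned-mac-address=preserve
wifi.cloned-mac-address=preserve
EOF
}

# First value of an INI-style key in a file (comments and blanks ignored).
ini_value() {
    file="$1"; key="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1
}

# 0 when both fragments request the intended behaviour, 1 otherwise.
config_ok() {
    link="$ROOT/etc/systemd/network/99-default.link"
    nm="$ROOT/etc/NetworkManager/conf.d/20-mac-addr-preserve.conf"
    [ "$(ini_value "$link" MACAddressPolicy)" = random ] &&
    [ "$(ini_value "$nm" ethernet.cloned-mac-address)" = preserve ] &&
    [ "$(ini_value "$nm" wifi.cloned-mac-address)" = preserve ]
}

# 0 when the current MAC differs from the permanent one (spoofed),
# 1 when they match or either is empty (permanent address is leaking).
mac_is_spoofed() {
    cur=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    perm=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$cur" ] && [ -n "$perm" ] && [ "$cur" != "$perm" ]
}

# Live check: current address from sysfs, permanent address from ethtool.
check_iface() {
    iface="$1"
    cur=$(cat "/sys/class/net/$iface/address")
    perm=$(ethtool -P "$iface" | sed -n 's/^Permanent address: //p')
    if mac_is_spoofed "$cur" "$perm"; then
        echo "$iface: spoofed ($cur, permanent $perm)"
    else
        echo "$iface: PERMANENT MAC IN USE ($cur)" >&2
        return 1
    fi
}

# Usage: ./mac-spoof.sh install        (write both fragments under $ROOT)
#        ./mac-spoof.sh eth0           (verify a live interface)
if [ "${1:-}" = install ]; then
    install_link_policy
    install_nm_preserve
    config_ok && echo "config written under ${ROOT:-/}"
elif [ -n "${1:-}" ]; then
    check_iface "$1"
fi
```

The live check is what a boot-time test in tails-unblock-network would want: it fails if udev did not get to the device before NetworkManager reset it, which is exactly the failure the NM default described above produces.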