From: Vladimir A. <vla...@ap...> - 2013-04-01 19:50:58
On 04/01/2013 05:31 PM, adrelanos wrote:
> Vladimir Arseniev:
>> On 04/01/2013 04:05 AM, adr...@ri... wrote:
>>> https://sourceforge.net/p/whonix/wiki/Dev_NetworkManager/
>>>
>>> URL: http://sourceforge.net/p/whonix/featureblog/2013/04/development-discussion-should-network-manager-get-installed-by-default/
>>
>> It's my impression that network manager (in Ubuntu etc, at least) may
>> alter various networking settings in order to maintain connectivity.
>
> Yes, but not if they are configured with ifupdown in
> /etc/network/interfaces. According to 13.04 man page
> http://manpages.ubuntu.com/manpages/precise/en/man5/NetworkManager.conf.5.html
> (ifupdown plugin) it's still not planned.
>
> I believe you mean, that NM can create, manage etc. new interfaces, but
> they won't write into /etc/network/interfaces and won't involve
> ifupdown, it uses its own configuration files.

Good :)

>> I've used it with network-manager-openvpn as VPN client, and it's very
>> intuitive. But I'm not sure that I'd trust it managing Whonix's internal
>> network interface.
>
> Well, in Whonix-Workstation case in worst case it leaks through Tor.
>
> Just expanded that page.
>
> Quote https://bugzilla.gnome.org/show_bug.cgi?id=689339#c4
>
>> "*Please also understand that currently networkmanager is not a
>> security tool at all. VPN plugins are regarded as connectivity
>> plugins, not security plugins.*"
>
> Missing auto-reconnect feature:
> https://bugzilla.gnome.org/show_bug.cgi?id=349151
>
> So perhaps using NM to set up VPNs for security isn't a good idea.
>
> Doesn't look like it has a fail closed mechanism:
> https://sourceforge.net/p/whonix/wiki/VPN/#fail-closed-mechanism

It's easy to install shorewall and rules that prevent leaks. See
https://www.wilderssecurity.com/showthread.php?p=2201706#post2201706