1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
# Example configuration snippet for NetworkManager to
# overwrite some default value for more privacy.
# Drop this file for example to /etc/NetworkManager/conf.d/30-anon.conf
#
# See man NetworkManager.conf(5) for how default values
# work. See man nm-settings(5) for the connection properties.
#
#
# This enables some privacy setting by default. The defaults
# apply only to settings that do not explicitly configure
# a per-connection override.
# That means, if the connection profile has
#
# $ nmcli connection show "$CON_NAME" |
# grep '^\(connection.stable-id\|ipv6.addr-gen-mode\|ipv6.ip6-privacy\|802-11-wireless.cloned-mac-address\|802-11-wireless.mac-address-randomization\|802-3-ethernet.cloned-mac-address\|ipv4.dhcp-client-id\|ipv6.dhcp-duid\)'
# connection.stable-id: --
# 802-3-ethernet.cloned-mac-address: --
# 802-11-wireless.cloned-mac-address: --
# 802-11-wireless.mac-address-randomization:default
# ipv4.dhcp-client-id: --
# ipv6.ip6-privacy: -1 (unknown)
# ipv6.addr-gen-mode: stable-privacy
# ipv6.dhcp-duid: --
#
# then the default values are inherited and thus both the MAC
# address, IPv6 host identifier, and DHCP identifiers are randomized.
# Also, ipv6 private addresses (RFC4941) are used in
# addition.
#
#
# The connection's stable-id is really a token associated with the identity
# of the connection. It means, by setting it to different values, different
# addresses and DHCP options are generated.
# For some profiles it can make sense to reuse the same stable-id
# (and thus share MAC address and IPv6 host identifier) for the duration
# of the current boot, but still exclusive to the connection profile.
# Thus, explicitly set the stable-id like:
#
# $ nmcli connection modify "$CON_NAME" connection.stable-id '${CONNECTION}/${BOOT}'
#
# ... or keep it stable across reboots, but still distinct per profile:
#
# $ nmcli connection modify "$CON_NAME" connection.stable-id '${CONNECTION}'
#
# ... or use the same stable IDs for a bunch of profiles
#
# $ nmcli connection modify "$CON_NAME" connection.stable-id 'my-home-wifi yada yada'
#
# ... or use the same IDs for a bunch of profiles, but only for the current boot
#
# $ nmcli connection modify "$CON_NAME" connection.stable-id 'my-home-wifi yada yada/${BOOT}'
[device-anon]
wifi.scan-rand-mac-address=yes
[connection-anon]
connection.stable-id=${RANDOM}
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable
ipv6.ip6-privacy=2
# RFC 7844 "DHCP Anonymity Profiles" mandates in combination with
# MAC address randomization:
# connection.stable-id=${RANDOM}
# ethernet.cloned-mac-address=stable
# wifi.cloned-mac-address=stable
# ipv4.dhcp-client-id=mac
# ipv6.dhcp-duid=ll
# In case, the interface cannot use MAC address randomization,
# RFC 7844 recomments
# connection.stable-id=${RANDOM}
# ipv4.dhcp-client-id=stable
# ipv6.dhcp-duid=stable-llt
# See https://tools.ietf.org/html/rfc7844#section-3.5
# https://tools.ietf.org/html/rfc7844#section-4.3
#
# In this example however, the defaults are set to a stable identifier
# depending on the connection.stable-id.
ipv4.dhcp-client-id=stable
ipv6.dhcp-duid=stable-uuid
|
