diff --git a/root/etc/NetworkManager/conf.d/dhcp-hostname.conf b/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
index fe4b50e..6c6ceed 100644
--- a/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
+++ b/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
@@ -1,20 +1,12 @@
 # Do not send the system hostname to DHCP servers.
 #
-# By default NetworkManager includes the system hostname in DHCP
-# requests so the DHCP server can label leases or register dynamic DNS
-# records. Many networks do not use this information, and sending it
-# unnecessarily exposes device identity.
-#
-# Disabling this slightly improves privacy when joining unknown
-# networks, especially when MAC randomization is enabled.
+# Normally NetworkManager includes the hostname in DHCP requests so the
+# server can label leases or register dynamic DNS entries. Most networks
+# do not rely on this, and disabling it slightly reduces information
+# leaked about the device (especially when MAC randomization is used).
 #
 # Individual connections can override this if needed:
-# nmcli connection modify ipv4.dhcp-send-hostname yes
-# nmcli connection modify ipv6.dhcp-send-hostname yes
-
+# nmcli connection modify ipv4.dhcp-send-hostname yes ipv6.dhcp-send-hostname yes
 [connection]
 ipv4.dhcp-send-hostname=false
-
-# Only applies on networks using DHCPv6. Most IPv6 networks use SLAAC
-# instead, in which case this setting has no effect.
 ipv6.dhcp-send-hostname=false
diff --git a/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf b/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
index 3cc3913..665bc54 100644
--- a/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
+++ b/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
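Review bot: The new override example `+# nmcli connection modify ipv4.dhcp-send-hostname yes ipv6.dhcp-send-hostname yes` is not a runnable command, because `nmcli connection modify` takes the connection id/uuid as its first argument and will otherwise try to treat `ipv4.dhcp-send-hostname` as the connection name; suggest `# nmcli connection modify <id> ipv4.dhcp-send-hostname yes ipv6.dhcp-send-hostname yes`. The hunk also drops the only hint that `ipv6.dhcp-send-hostname=false` is inert on the common SLAAC-only IPv6 networks and matters only where DHCPv6 is in use; one line above the key, `# Only matters on networks that use DHCPv6 (most IPv6 networks are SLAAC-only).`, keeps that from being rediscovered. It would also be worth stating that the hostname leak is in the DHCP option sent on every lease request, so a randomized MAC alone does not hide device identity while this is on.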
@@ -1,24 +1,10 @@
 # Ignore DNS servers advertised by networks (e.g. via DHCP).
 #
-# When enabled, NetworkManager will not automatically accept DNS servers provided
-# by the network. Instead the system will continue using DNS servers configured
-# globally (for example via systemd-resolved).
+# This makes NetworkManager refuse automatically provided DNS and lets
+# systemd-resolved fall back to the configured global resolvers instead.
 #
-# This is useful when you want to enforce a specific DNS provider such as Quad9
-# or Cloudflare regardless of the network you connect to. This is generally a much
-# better choice for privacy, as the advertised DNS providers from the network can
-# often lead to local DNS servers which the network admin can monitor for activity
-# tracking.
-#
-# WARNING:
-# Some environments rely on DHCP-provided DNS for internal name resolution (corporate
-# networks, captive portals, VPNs). Enabling this globally may break such environments
-# unless the connection overrides the setting.
-#
-# Per-connection override example:
-# nmcli connection modify ipv4.ignore-auto-dns no
-# nmcli connection modify ipv6.ignore-auto-dns no
-
+# Individual connections can override this:
+# nmcli connection modify ipv4.ignore-auto-dns no ipv6.ignore-auto-dns no
 [connection]
 ipv4.ignore-auto-dns=true
 ipv6.ignore-auto-dns=true
diff --git a/root/etc/NetworkManager/conf.d/ipv6-privacy.conf b/root/etc/NetworkManager/conf.d/ipv6-privacy.conf
deleted file mode 100644
index ac1ead4..0000000
--- a/root/etc/NetworkManager/conf.d/ipv6-privacy.conf
+++ /dev/null
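Review bot: The rewritten header removes the WARNING that globally ignoring advertised DNS breaks any network whose names only resolve through its own resolver (corporate domains, VPN split-DNS, captive portals that redirect DNS), which is the failure mode the person enabling this will actually hit; suggest keeping two lines above `[connection]`: `# Breaks networks that need their own resolver (corporate DNS, VPN split DNS,` / `# captive portals); override per connection and make sure global DNS is configured.` The new text also presupposes the systemd-resolved plugin, and if NetworkManager's `dns=` is set to anything else there is no "global fallback" to fall back to, so name resolution can fail silently rather than degrade; one hedged line such as `# Assumes dns=systemd-resolved with global DNS= set in resolved.conf.` would make that dependency explicit. The override example `+# nmcli connection modify ipv4.ignore-auto-dns no ipv6.ignore-auto-dns no` is missing the connection id that `nmcli connection modify` requires first, e.g. `# nmcli connection modify <id> ipv4.ignore-auto-dns no ipv6.ignore-auto-dns no`.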
@@ -1,51 +0,0 @@
-[connection]
-
-# Generate the stable SLAAC IPv6 address using RFC7217 ("stable privacy").
-#
-# Normally IPv6 SLAAC can derive the interface identifier directly from
-# the device MAC address using the legacy EUI-64 scheme. This exposes the
-# hardware MAC inside the IPv6 address and allows long-term tracking.
-#
-# The "stable-privacy" mode instead derives the address from a secret
-# kernel seed and the network prefix. This produces a deterministic
-# address that stays stable within the same network but does not reveal
-# the device MAC address.
-ipv6.addr-gen-mode=stable-privacy
-
-
-# Enable RFC4941 temporary IPv6 addresses and prefer them for outbound
-# connections.
-#
-# These temporary addresses rotate periodically and are used for outgoing
-# traffic to reduce the ability of remote servers to track the device
-# across connections.
-#
-# The interface will still retain a stable address (generated above) for
-# inbound connections, but outgoing traffic will prefer the temporary
-# ones.
-#
-# Values:
-# 0 = disable temporary addresses
-# 1 = enable but prefer the stable address
-# 2 = enable and prefer temporary addresses
-ipv6.ip6-privacy=2
-
-
-# Use a per-connection DHCPv6 client identifier.
-#
-# When a network uses DHCPv6, the client must identify itself with a
-# DHCP Unique Identifier (DUID). By default NetworkManager generates a
-# single identifier derived from the system machine-id, meaning every
-# network sees the same persistent identifier.
-#
-# The "stable-uuid" mode instead generates a different identifier per
-# connection using the connection's stable-id and a host-specific secret.
-# Each network therefore sees a different DHCPv6 identity while still
-# receiving a stable identifier across reconnects.
-#
-# This prevents cross-network tracking while maintaining normal DHCPv6
-# lease behavior.
-#
-# Note: many IPv6 networks rely only on SLAAC and do not use DHCPv6, in
-# which case this setting has no effect.
-ipv6.dhcp-duid=stable-uuid
diff --git a/root/etc/NetworkManager/conf.d/llmnr-mdns.conf b/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
index 605342b..676b15b 100644
--- a/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
+++ b/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
@@ -1,39 +1,8 @@
-# Control link-local name resolution protocols for connections.
+# Disable link-local name resolution protocols.
 #
-# LLMNR (Link-Local Multicast Name Resolution) and mDNS (Multicast DNS)
-# allow hosts on the same local network to resolve hostnames without
-# using a traditional DNS server. They use multicast queries on the
-# local link and are commonly used for ad-hoc discovery (for example
-# resolving nearby machines or services).
-#
-# These protocols can leak hostnames to the local network and may allow
-# spoofing attacks on untrusted networks. For this reason they are often
-# disabled on laptops that regularly join public or unknown networks.
-#
-# NetworkManager can control these features per connection when the
-# active DNS plugin supports them (for example: dns-systemd-resolved).
-#
-# Values:
-#
-# 0 / "no"
-# Disable the protocol entirely for the interface.
-# No hostname registration and no multicast resolution.
-#
-# 1 / "resolve"
-# Allow resolving hostnames via multicast queries but do not
-# announce (register) this host's hostname on the network.
-#
-# 2 / "yes"
-# Fully enable the protocol. The host registers its hostname and
-# also performs multicast resolution.
-#
-# If the DNS backend does not support these protocols the settings have
-# no effect.
-#
-# Per-connection override examples:
-# nmcli connection modify connection.llmnr resolve
-# nmcli connection modify connection.mdns resolve
-
+# LLMNR and mDNS allow devices on the same LAN to resolve hostnames
+# without DNS. They are rarely needed on managed networks and can
+# expose system information to the local network.
 [connection]
-connection.llmnr=1
-connection.mdns=1
+connection.llmnr=0
+connection.mdns=0
diff --git a/root/etc/NetworkManager/conf.d/random_mac.conf b/root/etc/NetworkManager/conf.d/random_mac.conf
index b6f623e..23f07cf 100644
--- a/root/etc/NetworkManager/conf.d/random_mac.conf
+++ b/root/etc/NetworkManager/conf.d/random_mac.conf
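Review bot: The new three-line header loses the one operational fact the old one carried, namely that `connection.llmnr`/`connection.mdns` only take effect when NetworkManager's DNS plugin can push them to the resolver (dns-systemd-resolved); with any other `dns=` backend the keys are accepted but nothing changes, and systemd-resolved's own resolved.conf global (LLMNR is typically on by default) still governs every link. Suggest restoring one line above `[connection]`: `# Only effective with the systemd-resolved DNS plugin; also set LLMNR=no / MulticastDNS=no in resolved.conf.` The hardening rationale is also worth naming, since the reason to turn these off on untrusted LANs is that any host on the link can answer a multicast name query and spoof a name, not merely "expose system information"; e.g. `# Any LAN host can answer these multicast queries, so they enable name spoofing on untrusted networks.` If an avahi-daemon is installed it will keep announcing via mDNS regardless of this setting, which the comment could flag as a TODO to confirm.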
@@ -1,37 +1,15 @@
 [device-mac-randomization]
-# Randomize the MAC address used during WiFi scanning.
-#
-# When the system scans for nearby Wi-Fi networks it normally sends probe
-# frames containing its MAC address. Without randomization, nearby networks
-# could track the device even when it is not connected.
-#
-# This is already the default on most systems, but we set it explicitly.
+# "yes" is already the default for scanning
 wifi.scan-rand-mac-address=yes
 
 [connection-mac-randomization]
-# Default MAC address behavior for new connections.
-#
-# NetworkManager can replace the hardware MAC address with a randomized
-# one when activating connections. This helps prevent networks from
-# identifying and tracking the device.
-#
-# Possible values:
-# permanent : use the hardware MAC
-# preserve : keep whatever MAC the interface already has
-# stable : randomize MAC once and associate it permanently with that network
-# random : Randomize MAC for every connection
-#
-# We randomize the MAC address for every Wi-Fi and Ethernet connection by default,
-# as it is the most privacy-respecting option and prevents the network from tracking
-# the device across reconnects (assuming everything else was configured to support
-# that protection too).
-#
-# If a specific network requires a stable MAC (for example when using
-# DHCP reservations on a home router), override it per connection. Generally, you
-# should prefer using stable for these purposes instead of permanent, as there's
-# no real advantage in giving away the actual hardware MAC, even if it's your own
-# network:
-# nmcli connection modify wifi.cloned-mac-address stable
-# nmcli connection modify ethernet.cloned-mac-address stable
+# Randomize MAC for every ethernet connection
 ethernet.cloned-mac-address=random
-wifi.cloned-mac-address=random
+# Generate a random MAC for each WiFi and associate the two permanently
+wifi.cloned-mac-address=stable
+
+# Opions:
+# permanent: Use HardWare address
+# preserve: Don’t change the MAC address of the device upon activation
+# stable: Randomize once and associate it permanently with that network
+# random: Randomize MAC for every connection
diff --git a/root/etc/sysctl.d/40-ipv6-privacy.conf b/root/etc/sysctl.d/40-ipv6-privacy.conf
deleted file mode 100644
index 6c4bb36..0000000
--- a/root/etc/sysctl.d/40-ipv6-privacy.conf
+++ /dev/null
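Review bot: Moving Wi-Fi from `random` to `stable` is a privacy trade-off that the new comment above `wifi.cloned-mac-address=stable` does not state: with `stable` NetworkManager reuses one per-connection MAC (derived, as I understand it, from the connection's stable-id plus a per-host secret) on every join, so the network operator can link all of a device's visits even though the hardware MAC stays hidden, which is exactly what `random` prevented and what the removed text recommended handling by a per-connection override only where a fixed MAC is needed. If `stable` is intentional (captive-portal allow-lists, DHCP reservations), say so in place of the current line, e.g. `# stable: one random MAC per network, kept across reconnects (needed for DHCP reservations / captive portals); the network can still recognise the device on return visits.`, and keep the override hint `# nmcli connection modify <id> wifi.cloned-mac-address random`. The added option list also has typos and a non-ASCII apostrophe: `# Options:` / `# permanent: use the hardware MAC` / `# preserve: don't change the MAC on activation`.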
@@ -1,27 +0,0 @@
-# Enable IPv6 temporary addresses (RFC 4941).
-#
-# On IPv6 networks using SLAAC (Stateless Address Autoconfiguration),
-# hosts automatically generate their own addresses from the advertised
-# network prefix. Normally this results in a single stable address that
-# remains constant for the duration of the connection.
-#
-# Temporary addresses add additional short-lived IPv6 addresses that are
-# periodically regenerated by the kernel. These addresses are preferred
-# for outgoing connections (for example web browsing) so that remote
-# services cannot reliably track a device by its stable IPv6 address.
-#
-# The stable address still exists and is used for:
-# - inbound connections
-# - local services
-# - neighbor discovery
-#
-# Values:
-# 0 = disable temporary addresses
-# 1 = enable temporary addresses but prefer the stable address
-# 2 = enable temporary addresses and prefer them for outbound traffic
-#
-# "default" applies to interfaces created after boot, while "all"
-# applies the setting to existing interfaces as well.
-
-net.ipv6.conf.default.use_tempaddr = 2
-net.ipv6.conf.all.use_tempaddr = 2