bushw Posted Saturday at 01:48 AM
Armbian uses Netplan by default to manage network settings. But when it uses NetworkManager as renderer, it silently changes iptables rules—without asking, without telling. *Neither Netplan nor NetworkManager is supposed to manage firewall settings.* But they do it anyway, behind the scenes. That kind of behavior—making security changes without user consent—feels a lot like what malware does.
eselarm Posted Saturday at 08:02 AM (edited)
When I got my ROCK3A around 2024-12-01 I thought it was a good idea to use the newest Linux userspace, so I started with the Armbian Ubuntu minimal image. Just getting to know the board HW with only SD-card, serial console and RJ45 was fine, but soon the problems started. I managed to install NetworkManager and disable networkd, so I could copy a rather complex set of NM files from my other SBC, a NanoPi-R6C that is using bridges, VLANs and libvirt KVM. Same as I did earlier copying those same *.nmconnection files from a RaspberryPi4 (PiOS bullseye/bookworm). And just changing a cloned-mac address entry in essentially 1 .nmconnection file initially so my router assigns the correct IP address (just the initial setting); changed that later. Long story short, it turns out that you need netplan.io and that generates .nmconnection files in /etc/NetworkManager/system-connections/, at least that was my conclusion after doing tricks with apt; maybe it is different, I did not want to waste time on it anymore. The same .nmconnection files (same content) are somewhere in /var or so, I forgot where, and those seem to be generated from netplan yaml files. I once constructed yaml files to get the 64-bit Ubuntu server image running on an RPi4 when RPL only had 32-bit ARMv6 raspbian, but already then I thought never again that netplan stuff. I already removed all snapd stuff myself. So after wasting way too much time I just created a clone image on an SD-card from a Btrfs snapshot of my running NanoPi-R6C, copied some U-Boot and kernel and DTB files, then done. Could even start VMs on dedicated VLANs etc. That by the way is also an issue with Ubuntu: they keep certain files needed for running KVM different from Bookworm, so VMs did not start; I needed to look at Ubuntu fora to figure out what the issue was. I forgot what, as I wiped it all.

So my opinion is more or less that Canonical has some vendor lock-ins here and there and/or 'cookies' to keep you staying with them (Ubuntu). Not internet-browser cookies, but goodies, like adding BSD code to Linux (ZFS). As the world of SBCs is almost exclusively about pre-installed images, with most people not able to boot an iso CD-ROM and install Linux themselves, it is easy getting into people's homes. For me, netplan is like hidden malware, as I am unable to just install NetworkManager without also getting netplan and then needing to know/learn 3 network config scripting things. openSUSE Tumbleweed also has its own network managing tool (wicked), but at least that can be ignored if you want NetworkManager (dedicated switch in YaST). Same for Debian, although with manual apt package and service actions. And then there is the nmtui tool that works via serial console, so for me a key feature to configure networking initially in a good interactive way. It is much easier than reading yaml docs or nmcli command option docs. So the lesson learned is that I avoid Armbian Ubuntu, also Armbian Bookworm minimal. Only if downloadable Armbian Bookworm images where NM is default existed would I maybe use them, else I just clone 1 of my own installations. For own image generation with Armbian build, there is an option to use NM, so I noted that somewhere. Pity is that the recommended/supported build host environment is Ubuntu. I did most builds on Armbian Bookworm lately, works fine. But last time I started it on Trixie it failed. Will try again sometime soon.
Edited Saturday at 08:12 AM by eselarm
laibsch Posted Saturday at 07:14 PM
please be more specific, what happened exactly? where did you get that statement that netplan or networkmanager are not supposed to touch firewall settings? when you bring a network interface up or down that can obviously affect firewall rules.
Cancer Posted yesterday at 03:30 PM
fully agree with the author's statement. The same as the change from ethx to endx is a step in the wrong direction. Somebody was using windows too much. ifconfig is not even installed by default because of the ip command. Distribution managers should be forced to stop such things.
> @laibsch: "when you bring a network interface up or down that can obviously affect firewall rules"

Is it a joke?
laibsch Posted yesterday at 03:47 PM
this is not a vote but a technical discussion, @Cancer. your hostile tone and unfounded accusations of "somebody was using windows too much" are out of place (and simply laughable). consider yourself warned. and if you don't understand the technicalities maybe it's best to keep quiet? and yes, of course bringing up or down a network interface can obviously affect the firewall. and distribution managers are free to do whatever they want with their distribution, it is theirs not yours. entitled much? this is FOSS, you have the code, change it if you don't like it. but otherwise, keep your entitled and ungrateful attitude to yourself. thank you.
robertoj Posted yesterday at 03:58 PM
XD take your concerns to Canonical
Cancer Posted yesterday at 04:09 PM (edited)
It's not about technicalities but basic logic. We have here a situation where one program which should offer on/off functionality affects the config of another one. @laibsch I'm not sure why you have reacted this way. Maybe I'm not a professional but it's about linux and users should at least point out such things. @robertoj Naturally, it's not about armbian itself, but generally linux related. F.e. when I configure another samba instance the usual way and find it's not working by looking in logs and finding after some lost time that the interface name has changed. How many people are requesting an issue with samba and losing time just because of that?
Edited yesterday at 04:10 PM by Cancer
laibsch Posted yesterday at 04:29 PM
> 16 minutes ago, Cancer said: We have here a situation where one program which should offer on/off functionality affects the config of another one.

I agree that would normally be a bug. And Debian would agree and in turn us. We have not established that being the case yet, though. At least not for me since @bushw has not yet responded. @Cancer Do you have an example for me to look into?

> 16 minutes ago, Cancer said: when I configure another samba instance the usual way and find it's not working by looking in logs and finding after some lost time that the interface name has changed

Please do tell us more.
MaxT Posted yesterday at 04:39 PM
> How many people are requesting an issue with samba and losing time just because of that?

I guess they are free to spend that time to develop their own samba implementation
ag123 Posted 14 hours ago
accordingly, one can remove Netplan if one doesn't like it
https://www.baeldung.com/linux/etc-network-interfaces-netplan-switch
and actually even with Netplan one can configure a different renderer, e.g. Network-Manager
https://docs.armbian.com/User-Guide_Networking/
or for that matter, I think it is feasible to remove Netplan altogether and just use Network Manager, if one prefers that, or even for that matter switch back to the raw lowest level /etc/network/interfaces as described in the 1st link.

In addition, show the detailed sequence of events and provide details that:
> Netplan by default to manage network settings. But when it uses NetworkManager as renderer, it silently changes iptables rules—without asking, without telling.

if you cannot show this in detail, then what is your basis for saying that it happens? Note that normally there is a sequence of events: the interfaces need to be set up first, and then the firewall (e.g. iptables) is configured after that. What you need to prove in addition is that Netplan or NetworkManager *revoke or change* your iptables / firewall setup if they are configured after Netplan / NetworkManager set up the interfaces, i.e. that it is potentially malicious. If all that you mention can be rigorously proven, then perhaps we can file that with MITRE and have the world cybersecurity issue a major CVE about it.
https://attack.mitre.org/
https://www.cve.org/
i.e. that the whole world and every web server, every vps, anyone, any servers running wordpress on linux, any webs running linux, everyone including the whole amazon aws, azure, google cloud, redhat ibm, etc etc running linux follow up and fix *all the servers in the Internet*
ag123 Posted 14 hours ago
@Cancer
Why you need to drop ifconfig for ip:
https://opensource.com/article/21/1/ifconfig-ip-linux
If you're still using ifconfig, you're living in the past
https://ubuntu.com/blog/if-youre-still-using-ifconfig-youre-living-in-the-past
there are certain things in this article that can be done in the ip command that take more than just ifconfig to do the same.
Introduction to Linux interfaces for virtual networking
https://developers.redhat.com/blog/2018/10/22/introduction-to-linux-interfaces-for-virtual-networking#vlan
^ this matters if you are bothered about containers, docker, virtual machines, virtualbox, vpn, wireguard, vlan, etc etc. otherwise, if you don't need any of containers, docker, virtual machines, virtualbox, vpn, wireguard, vlan, etc etc you can live with ifconfig. in a certain sense, the availability of this network infrastructure in linux along with the ip command as one of the tools accounts for the modern trillion $ cloud services: amazon aws, google cloud, azure, ibm redhat, and practically every other vps, web, any sort of cloud services on the Internet that runs on linux today.
anyway, to get ifconfig it is simply
sudo apt install net-tools
https://www.fosslinux.com/121757/how-to-install-missing-ifconfig-command-on-linux.htm
Igor Posted 12 hours ago
> On 8/30/2025 at 10:02 AM, eselarm said: Pity is that the recommended/supported build host environment is Ubuntu.

We appreciate the idea, but we have to look at the health of the whole ecosystem. Our build framework deals with many boards and non-standard low-level components (e.g., U-Boot), and right now it builds reliably only on Ubuntu Jammy. Even Noble isn't fully compatible yet; adding Debian (unofficially, to some degree, it already works for many years) at this stage would likely cause regressions. As Ubuntu is more present in the embedded world, making Debian recommended would cost a lot more from a budget we don't have while bringing nothing in return.

> 12 hours ago, Cancer said: Naturally, it's not about armbian itself, but generally linux related

Exactly. There are many issues in FOSS and there is little we can do. We didn't develop any of those tools - we provide them. The networking stack is an important part, it has its own diversity and this should be in the user's domain. I think our logic for providing images is a good compromise - we provide Debian and Ubuntu images, we provide them once with systemd-networkd (minimal) and the rest with NetworkManager. Now to keep some consistency and make it simple for non-experts, using NetPlan as a central config point also makes sense - for most use cases and most users. Those who need special handling of the net stack, it's easy to replace them with something else.
bushw Posted 11 hours ago Author
> 3 hours ago, ag123 said: if you cannot show this in detail, then what is your basis for saying that it happens?

To be honest, I'm shocked that I need to provide evidence. I assumed this was common knowledge — at the very least among the forum moderators — and that we'd be discussing how it's even possible for the recommended package to behave this way. How to reproduce it? Just implement "mode: ap" in netplan config and check your iptables chains.
Werner Posted 9 hours ago
> 1 hour ago, bushw said: at the very least among the forum moderators

Forum moderators are there to provide guidance in discussion and take action if things get out of control. Having a wide variety of knowledge in various areas is desirable but not mandatory. As for myself I did not know about that either.
ag123 Posted 7 hours ago
@bushw
> Just implement "mode: ap" in netplan config and check your iptables chains

ok this is what I saw in my setup running as an ap (I used netplan and NetworkManager - but I do not use its AP (wifi hotspot) features)

```
> sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
^ empty

```
sudo nft list ruleset
```
^ empty

my setup is documented here:
https://gist.github.com/ag88/de02933ba65500376d1ff48e504b1bf3
I'm running and using hostapd for the AP; for one thing hostapd produces logs for every client that connects to the wifi AP, that is far better than the 'built-in' 'easy' AP say with NetworkManager.

Now I'd try to explain why you observe what you observe:
---------
NetworkManager could be using DNSmasq
https://en.wikipedia.org/wiki/Dnsmasq
https://thekelleys.org.uk/dnsmasq/doc.html
when it sets up the AP, it creates a NAT so that the wifi-subnet can access the upstream network
https://tldp.org/HOWTO/html_single/Masquerading-Simple-HOWTO/
in addition, DNSmasq also provides a dhcp server (to distribute ip addresses to the connecting wifi clients) and ipv6 router advertisement. that is what makes it 'simple'.

don't like that?
install and setup hostapd
https://w1.fi/hostapd/
install and setup a dhcp server if you need it
https://www.isc.org/dhcp/
install and setup radvd if you need ipv6
https://github.com/radvd-project/radvd
those 3 above can normally be installed via apt
next configure and setup the network interfaces and hostapd like what I did: the key is to *unmanage* the WiFi interface and use hostapd to manage it, configure it manually
https://gist.github.com/ag88/de02933ba65500376d1ff48e504b1bf3
then you can choose to setup a network bridge or routing as you deem fit.

or even NAT - via iptables or nftables
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
^ if you do this, then that is what dnsmasq (probably called by NetworkManager) tries to do for you to make it 'easy'. but if you configure everything yourself, using hostapd and the respective individual tools (dhcp server, radvd etc), there is no interference from Netplan, NetworkManager, dnsmasq; it doesn't touch your iptables or nftables
---
this mode: AP for the wifi interface is a *feature* that you used in NetworkManager (dnsmasq). this is different from saying that Netplan and/or NetworkManager *maliciously change firewall configs for all possible combinations of network interfaces and configurations*.
don't like that AP feature / implementation in NetworkManager? you could probably take it up with RedHat
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/networking_guide/getting_started_with_networkmanager
I'm not sure what other ways there are to configure the AP in NetworkManager so that it doesn't do NAT; you would need to experiment. if you are using the mode: AP feature in NetworkManager, there are likely various config options
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/proc_configuring-rhel-as-a-wpa2-or-wpa3-personal-access-point_configuring-and-managing-networking
https://www.baeldung.com/linux/nmcli-wap-sharing-internet
doing everything manually for the WiFi AP using hostapd and individual tools lets you control every single aspect of the network configs. I prefer this myself over the 'simple' approach e.g. that offered by NetworkManager; this includes your firewall rules, iptables, nftables etc. it is in part because the 'simple' AP offered by NetworkManager does so using NAT, which is basically firewall rulesets, i.e. iptables, nftables. if you don't want it to 'touch' that, then you would need to setup things manually and not use NetworkManager's AP mode.
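The check that bushw proposes ("check your iptables chains") and that this post discusses (NetworkManager's AP mode adding NAT rules) can be made repeatable instead of eyeballed. The script below is an added example, not code from the thread or from Armbian: it snapshots the ruleset with `iptables-save` (falling back to `nft list ruleset`) before and after a network change and prints every rule that appeared or disappeared, flagging any new source-NAT (MASQUERADE/SNAT) rule. The two sample dumps are constructed to resemble what a NAT-sharing hotspot typically adds; they are not captured from any particular image, and the `snapshot` function needs root on a real host.

```shell
#!/bin/sh
# Added example (not from the thread): diff the packet-filter ruleset before and
# after a NetworkManager/netplan change to detect silently added firewall rules.
# Assumes iptables-save (or nft) exists; snapshot() must run as root on a real host.

# Take a ruleset snapshot into the file given as $1.
snapshot() {
    if command -v iptables-save >/dev/null 2>&1; then
        iptables-save > "$1"
    else
        nft list ruleset > "$1"
    fi
}

# Normalise a dump: drop comments and packet/byte counters so they don't read as changes.
normalize() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' "$1" | LC_ALL=C sort -u
}

# Print "+ rule" for rules only in AFTER ($2) and "- rule" for rules only in BEFORE ($1).
rules_diff() {
    _b=$(mktemp) && _a=$(mktemp) || return 1
    normalize "$1" > "$_b"
    normalize "$2" > "$_a"
    LC_ALL=C comm -13 "$_b" "$_a" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$_b" "$_a" | sed 's/^/- /'
    rm -f "$_b" "$_a"
}

# Exit 0 when the change introduced a source-NAT rule (MASQUERADE or SNAT target).
nat_added() {
    rules_diff "$1" "$2" | grep -Eq '^\+ .*-j (MASQUERADE|SNAT)'
}

# Constructed sample dumps in iptables-save format (not from a real host).
SAMPLE_BEFORE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

SAMPLE_AFTER='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 10.42.0.0/24 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i wlan0 -j ACCEPT
COMMIT'

# Demonstration on the constructed samples (no root needed).
demo() {
    _before=$(mktemp) && _after=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_BEFORE" > "$_before"
    printf '%s\n' "$SAMPLE_AFTER" > "$_after"
    echo "Ruleset changes:"
    rules_diff "$_before" "$_after"
    if nat_added "$_before" "$_after"; then
        echo "WARNING: a source-NAT rule was added by the network change"
    fi
    rm -f "$_before" "$_after"
}

demo
```

On a real host the workflow is `snapshot before.rules`, apply the netplan/NetworkManager change, `snapshot after.rules`, then `rules_diff before.rules after.rules`; an empty diff means the change left the firewall alone, and a `+ ... -j MASQUERADE` line is the NAT that a shared/AP connection sets up.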
Cancer Posted 4 hours ago
> 7 hours ago, ag123 said: If you're still using ifconfig, you're living in the past

I don't like brainless matrix. Not using ifconfig, however newer doesn't always mean better, especially when it's not fool-proof configured. Nevermind. When in new basic images we have 3 programs/processes instead of one for the network, and the system after reboot doesn't come back without checking configuration, something is wrong. If one is new to the new config one must find what manages the network. Question is who are the images for? Not for newbies for sure. Correct me if I'm wrong on any point: I can see in the docs on the main pages that netplan.io controls configuration. Really? Network manager does it however it is masked, and netplan is redirected to the network manager config from what I've seen. When somebody doesn't know the newer stuff they must investigate/ask/look for a solution or have at least admin knowledge in this matter. docs say that at first boot I should see:

```
Internet connection was not detected. Connect via wireless? [Y/n] y
Multiple wireless adaptors detected. (...)
```

Never have seen such a thing at all in armbian. Docs should show defaults properly and if one needs more, the rest in deeper details. However it doesn't look
ag123 Posted 3 hours ago
@Cancer
Netplan is from Canonical, so I'd guess ubuntu would likely use a similar setup
https://netplan.io/
https://netplan.readthedocs.io/en/stable/netplan-tutorial/#running-netplan-for-the-first-time
https://docs.armbian.com/User-Guide_Networking/
and the renderers can be NetworkManager or Systemd-Networkd as described in their pages as well. The setup is less than intuitive, but I'm more familiar with NetworkManager. What I did instead is that, for my netplan config /etc/netplan/10-dhcp-all-interfaces.yaml:

```
network:
  version: 2
  renderer: NetworkManager # Different than 'networkd'
```

I only used a 'minimal' config like the above. That would make it use NetworkManager as the renderer. I think it is also necessary to install NetworkManager for some e.g. 'minimal IOT' images

apt install NetworkManager

Then if you are running it with a keyboard and monitor with the gnome graphical interface you can use a gui editor like
nm-connection-editor
network-manager-applet
https://wiki.archlinux.org/title/NetworkManager
to setup the network configs; the Gui is kind of 'guided' and tends to be 'easier' for beginners. if you don't have that I think there is
nmtui - text based with (ncurses) menus
nmcli - command line cli configs
if you are using nmcli, say operating from a text console, there are some tutorials you may find through a web (e.g. google) search
https://www.cyberciti.biz/faq/redhat-network-interface-configuration/
https://www.tecmint.com/nmcli-configure-network-connection/
https://www.cyberciti.biz/faq/how-to-add-network-bridge-with-nmcli-networkmanager-on-linux/
https://dev.to/faaiq_amarullah/managing-networking-based-on-rhel-8-202e
in general, while editing network interfaces, I take 'ample precautions' and operate over the serial debug console (using a usb-uart dongle), as you may get 'locked out' if you are on one of the network connections that you are editing.

If you are using a full desktop, say with a monitor and keyboard, that's ok as well. I think the 'iot minimal' images, some of those use Systemd-Networkd as default, so some of the setup may still be in Systemd, e.g. Systemd-resolved. That could affect your DNS resolver configs; what I did is I googled for configs about Systemd-resolved and maintained my primary and secondary (DNS) nameservers in /etc/systemd/resolved.conf. I'm not too sure if that is after all necessary. NetworkManager is 'higher level' than configuration commands like ip or ifconfig, in the sense that it 'manages' the interfaces. While ip and ifconfig are normally per-invocation commands, NetworkManager stores its setup in /etc/NetworkManager. One should normally use the gui or nmcli / nmtui commands to configure them instead of editing the files directly. And remember to save the configs as permanent instead of temporary while using the gui, nmcli or nmtui. With that normally the configs will persist across reboots. This is probably more organised, perhaps 'simpler' than say editing scripts the 'old' way in /etc/interfaces. After you have configured interfaces e.g. with nmcli, nmtui or the gui editors, normally to check the status of the interfaces you could run commands like
nmcli c show (show connections)
nmcli d status (show devices)
etc to show the state of interfaces configured by NetworkManager. the 'lower level' commands like ip (or ifconfig (apt install net-tools to get that))
ip link (show link status)
ip a (show addresses)
can also be used to check on the status of the interfaces.
listing wifi APs I think is
nmcli d wifi list
connecting to an AP I think is
nmcli d connect SSID password "wifipassword" name a_name_for_this_connection ifname wlan0
note that there are options for reconnect; normally it does that, if that is not desired you may need to edit that, say via
nmcli c edit connection
etc
Cancer Posted 2 hours ago
@ag123 I was writing about configuration from the minimal armbian image for bananapi pro, you're writing something about the gnome interface... your default
> 53 minutes ago, ag123 said: network: version: 2 renderer: NetworkManager

it's in the minimal armbian image default in the file /etc/netplan/armbian-default.yaml (different name for some reason known to Igor) and this file should be set to 600 as required by netplan while it isn't in the image. As I wrote before Network manager is masked
> 58 minutes ago, ag123 said: I think it is also necessary to install NetworkManager for some e.g. 'minimal IOT' images

where have you taken this idea from? It's running so why do you want to install
> 1 hour ago, ag123 said: nmtui - text based with (ncurses) menus nmcli - command line cli configs

nmtui is best of all. Hmm maybe also old and bad from someone's perspective
Anyway, the question is if network manager should be unmasked (what then?), or the default netplan config changed to some dhcp settings for netplan to directly get info about the network. How can I be sure that the config will work after reboot?
ag123 Posted 1 hour ago
@Cancer
if NetworkManager is masked I'd unmask that for use with netplan e.g.
systemctl unmask NetworkManager
systemctl enable NetworkManager
systemctl start NetworkManager
In the 'minimal IOT' images for OrangePi Zero 3, NetworkManager is not shipped with my images. I'd need to install that myself. Perhaps for other boards or images, NetworkManager could have been included by default (but like you mentioned, masked). in my /etc/netplan/configfile.yaml, I configured it with those 3 lines, removed other lines, so that I used NetworkManager utilities to configure the interfaces. I think that is 'simpler' than fumbling with netplan yaml configs which I'm unfamiliar with as well.

I'm actually running a Wifi AP, but the AP itself is not managed by NetworkManager, it is managed by hostapd, as given prior
https://gist.github.com/ag88/de02933ba65500376d1ff48e504b1bf3
I prefer hostapd as discussed with @bushw. I think the NetworkManager WiFi AP uses dnsmasq by default and sets up a NAT (i.e. configures firewall rules for NAT masquerade)
https://thekelleys.org.uk/dnsmasq/doc.html
and a dhcp server to distribute ip addresses to the Wifi clients. While this works, it may not be the configuration I prefer. The other thing is hostapd logs every wifi connection in the journalctl logs, that is something I specifically want, so that I can check the connections if need be. NetworkManager, it seems, does not log the connection attempts at the AP.

As to the rationale that the NetworkManager WiFi AP uses dnsmasq and sets up NAT, 'messes with firewall rules', I think that is because it is a 'canonical' configuration that 'just works'. Because otherwise you need to consider routing, bridging, whether to run a dhcp server etc, which don't have any standard setup for a 'WiFI AP' based network. I.e. the config is specific and unique to your network configuration (the whole physical network, not just the board) and you need to configure that manually, e.g. using hostapd. you can build 'very complex' networks if you bother to go the distance, e.g. to do routing, ipv6, special NAT, special firewalling etc, to the extent that if you have the skill, I think you can even configure clients to 'roam' across WiFI APs in your network; that is not 'mesh' but rather a full 'autoroam' setup of network configs. but everything is manual, custom and specific / unique to your physical network.

on a different off-topic note, my WiFI AP (hotspot) that I configured as described in the gist has been running (very) well on my OrangePi Zero 3 'for months', practically as a desktop WiFI AP. Throughput is good (I get slightly above 100 Mbps due to the OrangePi Zero 3 having a good wifi chip), Armbian runs well on it, and I even run various apps on it, e.g. I managed to run rpi-monitor on it. there is a thread about OrangePi Zero 3 but it seemed for the edge kernels and images there may be 'some troubles'; I've not tried it though. I'm not sure if it affects the 'stable' images; hopefully the 'stable' images, which are a bit older in terms of kernel releases, are still ok.