Random idea that hit me while writing https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248/7: one potential threat vector for USB devices is if they provide a virtual Ethernet interface. This would allow the device to attack arbitrary services with open ports on the host. A firewall would help here (maybe, depends on whether it blocked the LAN or not), but what might help even more is if NetworkManager didn’t automatically connect the system to any wired network interfaces it sees.
Would it be desirable to turn off this wired autoconnect feature by default? Users could still use wired networks, they would just have to explicitly connect to them using the network management widget.
Let me ask you this, though: if you set it to manual connection for NetworkManager, or whatever the equivalent setting is, would a device that is already wired in before the machine starts still require manual connecting, or would it get loaded? Honestly, I would find it annoying if I plugged in Ethernet from my device to my router, then booted up my system, only to then have to manually connect. You would have to test this to see how that works.
Besides xfce4-notifyd, or whatever the desktop notification popup is for telling you which Wi-Fi networks are available, I don’t think it will notify you that a new wired network is available?
I don’t know if wired connections get notifications or not; my “network” (alright, it’s a cellular hotspot with some laptops connected to it) is purely wireless, so I don’t really work with wired connections much. I would kind of hope NetworkManager would allow “trust on first use” with wired networks if at all possible though, similar to how it treats WiFi. Then you could explicitly connect the first time but not subsequent times, thus avoiding things like a USB device pretending to be Ethernet in order to hack things.
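Here is what the two ideas in this thread look like in practice: the first post's "don't autoconnect wired interfaces by default", and the last reply's "trust on first use" for wired. This is an added shell example, not code from the thread or from the Kicksecure project. It assumes `nmcli` is installed, that NetworkManager reads drop-in fragments from `/etc/NetworkManager/conf.d/` (the standard location, but check your distribution), and that the profile name and NIC MAC address are values you supply; the script does not touch the live system unless `NM_APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from this thread or the Kicksecure project. It makes
# NetworkManager stop bringing up wired interfaces on its own, and pins an
# explicitly created wired profile to the built-in NIC so a USB device posing
# as an Ethernet adapter (new interface, different MAC) does not match it.
# Assumptions: nmcli is available, NetworkManager reads drop-ins from
# /etc/NetworkManager/conf.d/, and the profile/MAC values are supplied by you.

NM_DROPIN="${NM_DROPIN:-/etc/NetworkManager/conf.d/90-no-wired-autoconnect.conf}"

# Drop-in text. "no-auto-default=*" stops NetworkManager from inventing the
# implicit "Wired connection N" profile for any newly seen wired device, so an
# unknown adapter stays unconfigured until someone activates a profile by hand.
nm_conf_text() {
    cat <<'EOF'
[main]
# Never auto-generate "Wired connection N" profiles for wired devices.
no-auto-default=*
EOF
}

# Write the drop-in to the given path (defaults to NM_DROPIN).
write_nm_conf() {
    nm_conf_text > "${1:-$NM_DROPIN}"
}

# Return 0 if a NetworkManager.conf fragment disables auto-default profiles
# for all devices, 1 otherwise. Usable as a compliance check on a host.
conf_disables_auto_default() {
    grep -qx 'no-auto-default=\*' "$1"
}

# Saved wired profiles are not affected by no-auto-default; they keep
# autoconnect=yes unless changed. Turn it off for every 802-3-ethernet profile
# so those must also be activated explicitly. This also answers the "already
# plugged in at boot" question: nothing wired comes up until a user activates
# a profile.
disable_wired_autoconnect() {
    nmcli -g NAME,TYPE connection show | while IFS=: read -r name type; do
        [ "$type" = "802-3-ethernet" ] || continue
        nmcli connection modify "$name" connection.autoconnect no
    done
}

# Accept only a colon-separated 48-bit MAC such as 00:11:22:33:44:55.
valid_mac() {
    printf '%s\n' "$1" | grep -qE '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# "Trust on first use" for wired: once a user has created a profile for the
# real NIC, bind it to that NIC's MAC and let it autoconnect. A USB gadget
# with a different MAC will not match the profile and so gets no connection.
pin_wired_profile() {
    profile="$1"
    mac="$2"
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    nmcli connection modify "$profile" 802-3-ethernet.mac-address "$mac" \
        connection.autoconnect yes
}

main() {
    write_nm_conf
    systemctl reload NetworkManager
    disable_wired_autoconnect
    # PIN_PROFILE / PIN_MAC are placeholders for your own profile name and NIC MAC.
    if [ -n "${PIN_PROFILE:-}" ]; then
        pin_wired_profile "$PIN_PROFILE" "$PIN_MAC"
    fi
}

# Only touch the live system when explicitly asked:
#   NM_APPLY=1 PIN_PROFILE="Home wired" PIN_MAC=00:11:22:33:44:55 sh ./this-script.sh
if [ "${NM_APPLY:-0}" = 1 ]; then
    main
fi
```

The split between the drop-in and the `nmcli` loop matters: `no-auto-default` only suppresses the profiles NetworkManager would generate for a new device, while profiles a user already saved keep their own `autoconnect` flag, so both have to be handled to get the "manual unless I said otherwise" behaviour the first post asks for. Pinning a profile with `802-3-ethernet.mac-address` is what makes the wired case resemble Wi-Fi's per-network trust: the saved profile is tied to one physical adapter rather than to "any Ethernet device that shows up".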