Leonardo.b Guru
Joined: 10 Oct 2020 Posts: 308
Posted: Sat Dec 26, 2020 8:04 pm Post subject: Preventing UEFI from internet access?
This question is mainly addressed to the paranoid guys I know frequent the forum - hello people.
You are warned: I know nothing about this, and probably my question is idiotic (but harmless).
So; is there a way to prevent UEFI from connecting to the internet?
Can I suppose that inside the BIOS .bin there is something similar to the firmware blob used by my wifi chipset?
Can I fill that region with zeroes and reflash the BIOS?
Oh - that probably doesn't make any sense.
Don't try.
Leonardo.
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 910
Posted: Sat Dec 26, 2020 9:24 pm Post subject:
UEFI bins are usually signed, so reverse engineering and modifying them has a low chance of working.
Some random ideas:
If you're really paranoid, make sure you have a motherboard which can use an open source BIOS. I don't have any experience with this, but I know there are just a few motherboards which are supported.
Another way is to verify whether your UEFI is actually using the internet, so you need another PC and tools like tcpdump or wireshark to analyze the traffic.
If your UEFI wants to access the internet it needs configuration (IP, gateway, etc.) and it will probably use DHCP to obtain that. Disabling DHCP and using static configuration where you need internet access might be a nice workaround.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
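To make the tcpdump/DHCP idea above concrete, here is an added example (not from the thread or any Gentoo project) that takes the UDP payload of a captured DHCP request and flags the fields a firmware network stack sets but an OS DHCP client normally does not: option 60 vendor class "PXEClient" and option 93 client system architecture (RFC 4578). The two sample packets and the MAC address are constructed; a real capture would be fed in from the second PC.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
# RFC 4578 client system architecture codes (option 93); x64 UEFI firmware sends 7
ARCH_NAMES = {0: "Intel x86PC (BIOS)", 6: "EFI IA32", 7: "EFI BC (x64 UEFI)", 9: "EFI x86-64"}


def parse_dhcp(payload: bytes) -> dict:
    """Split a raw DHCP message (the UDP payload) into client MAC and TLV options."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    info = {"mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]), "options": {}}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:           # end marker
            break
        if code == 0:             # pad byte, carries no length field
            i += 1
            continue
        length = payload[i + 1]
        info["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return info


def classify(payload: bytes) -> dict:
    """Report whether a DHCP request looks like it came from firmware rather than an OS."""
    info = parse_dhcp(payload)
    opts = info["options"]
    vendor = opts.get(60, b"").decode("ascii", "replace")
    arch = struct.unpack("!H", opts[93])[0] if len(opts.get(93, b"")) == 2 else None
    return {"mac": info["mac"], "msg_type": opts.get(53, b"\x00")[0],
            "vendor_class": vendor, "arch": ARCH_NAMES.get(arch),
            "firmware_client": vendor.startswith("PXEClient") or arch in ARCH_NAMES}


def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def build_discover(mac: bytes, options: bytes) -> bytes:
    """Constructed sample: a minimal BOOTREQUEST with a zeroed header and the given options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, *([b"\0" * 4] * 4))
    fixed += mac.ljust(16, b"\0") + b"\0" * 192  # chaddr (16), sname (64), file (128)
    return fixed + DHCP_MAGIC + options + b"\xff"


SAMPLE_MAC = bytes.fromhex("001122334455")  # constructed, not a real device
UEFI_DISCOVER = build_discover(SAMPLE_MAC, opt(53, b"\x01")
                               + opt(60, b"PXEClient:Arch:00007:UNDI:003016") + opt(93, b"\x00\x07"))
OS_DISCOVER = build_discover(SAMPLE_MAC, opt(53, b"\x01") + opt(12, b"laptop"))
```

A request flagged as a firmware client from your own machine's MAC while the OS is not yet running is the traffic the post suggests looking for; one without these options is the normal OS client.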
Logicien Veteran
Joined: 16 Sep 2005 Posts: 1555 Location: Montréal
Posted: Sat Dec 26, 2020 11:28 pm Post subject:
I think that the UEFI/BIOS is mainly programmed by the company that owns it. If you want modifications to this microcode only they can help you. You can look at Welcome_to_coreboot to know if your hardware is supported; if yes it can give you an alternative to your UEFI/BIOS manufacturer's. One thing that can be done right now is to disable the right of the UEFI/BIOS to boot from any network card and disable the wake on LAN feature too in its configuration setup.
_________________
Paul
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sun Dec 27, 2020 3:26 am Post subject:
The only way to be certain is to be in control of the router/firewall it connects to.
Leonardo.b Guru
Joined: 10 Oct 2020 Posts: 308
Posted: Thu Dec 31, 2020 6:24 pm Post subject:
It took me some time to understand what DHCP, IP, gateway etc. mean...
pa4wdh, I like your random ideas. The last one is especially evil.
Anyway, managing the router/firewall sounds like the most solid solution.
Now I think I'll play with this.
Do you know about an "Iptables Made Simple" lecture for a complete beginner?
I am reading the pietinger guide on the German forum right now.
Iptables seems a bit of a mess. I like PF syntax much more.
Does BSD Gentoo still breathe?
And let me ask a last question.
What happens if I plug my laptop directly into the ethernet cable connected to the road? The one plugged into the WiFi router right now.
Is the home router's firewall the only thing that prevents the whole world wide web from coming into my laptop?
Thanks for everything,
Leonardo
Buffoon Veteran
Joined: 17 Jun 2015 Posts: 1369 Location: EU or US
Posted: Thu Dec 31, 2020 7:34 pm Post subject:
Quote: Is the home router's firewall the only thing that prevents the whole world wide web from coming into my laptop?
The router does NAT; it is not exactly a firewall, but yes. The whole IPv4 address space is constantly scanned by bad guys for open ports. If an open port is found then it is attacked.
Leonardo.b Guru
Joined: 10 Oct 2020 Posts: 308
Posted: Thu Dec 31, 2020 8:15 pm Post subject:
OK.
This seems like something I should really take care of.
figueroa Advocate
Joined: 14 Aug 2005 Posts: 3007 Location: Edge of marsh USA
Posted: Fri Jan 01, 2021 4:19 am Post subject:
It's not necessary to make light of your router's NAT. If you don't have open ports via your router from the Internet to your PC, you should be invisible. If you do open ports, know how to protect them.
Check them: https://www.grc.com/shieldsup
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 GB; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi