Filter policies: ModemManager Reference Manual

Filter policies

The predefined filter policies are:

Whitelist only

This is a policy where only the MM_FILTER_RULE_EXPLICIT_WHITELIST rule is enabled.
```
# /usr/sbin/ModemManager --filter-policy=WHITELIST-ONLY
```
Default

This is a policy where the following rules are enabled:
- MM_FILTER_RULE_EXPLICIT_WHITELIST
- MM_FILTER_RULE_VIRTUAL
- MM_FILTER_RULE_NET
- MM_FILTER_RULE_CDC_WDM
- MM_FILTER_RULE_TTY
- MM_FILTER_RULE_TTY_BLACKLIST
- MM_FILTER_RULE_TTY_MANUAL_SCAN_ONLY
- MM_FILTER_RULE_TTY_PLATFORM_DRIVER
- MM_FILTER_RULE_TTY_DEFAULT_ALLOWED
This policy is the default one when a different one not explicitly selected, and is equivalent to the way ModemManager has worked in previous releases. This policy is the least restrictive one, and will end up allowing port probing of all TTYs not explicitly blacklisted in one way or another.
```
# /usr/sbin/ModemManager --filter-policy=DEFAULT
```
Strict

This is a policy where the following rules are enabled:
- MM_FILTER_RULE_EXPLICIT_WHITELIST
- MM_FILTER_RULE_VIRTUAL
- MM_FILTER_RULE_NET
- MM_FILTER_RULE_CDC_WDM
- MM_FILTER_RULE_TTY
- MM_FILTER_RULE_TTY_PLATFORM_DRIVER
- MM_FILTER_RULE_TTY_DRIVER
- MM_FILTER_RULE_TTY_ACM_INTERFACE
- MM_FILTER_RULE_TTY_WITH_NET
- MM_FILTER_RULE_TTY_DEFAULT_FORBIDDEN
This policy is stricter than the default one, as by default all TTYs are forbidden except for the ones explicitly allowed by one of the TTY-specific rules. Distributions or users should use this policy if they don't want ModemManager to mess around with TTY ports that may not be exposed by actual modems.
```
# /usr/sbin/ModemManager --filter-policy=STRICT
```
Paranoid

This policy is a mix of the Default and Strict ones:
- MM_FILTER_RULE_EXPLICIT_WHITELIST
- MM_FILTER_RULE_VIRTUAL
- MM_FILTER_RULE_NET
- MM_FILTER_RULE_CDC_WDM
- MM_FILTER_RULE_TTY
- MM_FILTER_RULE_TTY_BLACKLIST
- MM_FILTER_RULE_TTY_MANUAL_SCAN_ONLY
- MM_FILTER_RULE_TTY_PLATFORM_DRIVER
- MM_FILTER_RULE_TTY_DRIVER
- MM_FILTER_RULE_TTY_ACM_INTERFACE
- MM_FILTER_RULE_TTY_WITH_NET
- MM_FILTER_RULE_TTY_DEFAULT_FORBIDDEN
This policy is equivalent to the Strict policy, but where the ModemManager provided blacklist and manual scan only greylist are also used. It is not recommended to use this option in normal setups as the blacklists may be obsoleted in future ModemManager versions (in favor of using the Strict policy as default).
```
# /usr/sbin/ModemManager --filter-policy=PARANOID
```
Custom

Any of the previously defined predefined policies may be modified rule per rule by explicitly enabling or disabling rules via environment variables.

E.g. this would launch ModemManager with the Default filter policy but with all net and cdc-wdm ports forbidden completely:
```
# MM_FILTER_RULE_NET=0 \
  MM_FILTER_RULE_CDC_WDM=0 \
  /usr/sbin/ModemManager --filter-policy=DEFAULT
```
E.g. this would launch ModemManager with the Whitelist-only filter policy but also explicitly allowing all net and cdc-wdm ports. Note that in this case, all virtual net ports (e.g. 'lo') are also being allowed.
```
# MM_FILTER_RULE_NET=1 \
  MM_FILTER_RULE_CDC_WDM=1 \
  /usr/sbin/ModemManager --filter-policy=WHITELIST-ONLY
```