NetworkManager.conf hardening for privacy

Hi

It seems I have learned the documentation of NetworkManager.

And can you please check whether I am doing it right, because it is the first time I have ever changed something like this.

Here is what I drafted:

[main]
hostname-mode=none

[connection]
connection.stable-id="${RANDOM}" #is this correct?
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random
ipv4.dhcp-client-id=stable #maybe =mac?
ipv6.dhcp-duid=stable-uuid #maybe =random?
ipv6.addr-gen-mode=stable-privacy #maybe =random?
ipv6.ip6-privacy=2
ipv4.dhcp-send-hostname=false
ipv6.dhcp-send-hostname=false
connection.mdns=no
connection.llmnr=no
generate-mac-address-mask=FF:FF:FF:00:00:00  3C:28:6D:00:00:00

Other variants from various forums (not sure about them):

ipv4.dhcp-client-id=stable-${RANDOM}
connection.stable-id=${CONNECTION}/${BOOT}/${RANDOM}

# Optional: force new random stable-id on every boot
connection.stable-id=${BOOT}


# MOST interesting -->
# Claimed as "MAC-based client-id/IAID" replacement of machine-id derived values
# MEANS identifiers change together with randomized MAC???
ipv4.dhcp-client-id=mac
ipv4.dhcp-iaid=mac
ipv6.dhcp-duid=ll

The last one should deceive networks into thinking it is a “real” MAC, not a randomized one, since a captive portal can demand a real OUI and I don’t feel comfortable revealing my brand, let alone my MAC.

My idea is to hide myself from public networks. I already enabled random MAC, but I see that machine-id is used in the DHCP ID, which can be used to track me. So I wonder if this config will help me WITHOUT constant rotation of machine-id.

Some guides on the internet say I should put ipv4.dhcp-client-id=mac, but won’t it kill the whole purpose of hiding? Also, I didn’t test it, but some guides say that with something like ipv4.dhcp-client-id=mac the MAC is the one randomized by ethernet.cloned-mac-address=random / wifi.cloned-mac-address=random. But I am not sure. I would be very pleased if someone could check.

generate-mac-address-mask=FF:FF:FF:00:00:00 3C:28:6D:00:00:00 is better than without it. Without it, a captive portal sees a random MAC and can ban it. This spoofs it like a real one.

The OUI for it can be taken from a list.

I would be very pleased to get review, criticism and advice.
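
An added example, not part of the original post and not NetworkManager's own code: a small Python model of how the `generate-mac-address-mask` value from the draft shapes a randomized address, following the semantics documented in nm-settings (set mask bits are fixed, cleared bits are randomized, the multicast bit is always cleared), and of the type-01 client identifier that `ipv4.dhcp-client-id=mac` is documented to build from the device's current MAC. The function names, the `DEFAULT_MASK` stand-in for the unset default and the `BURNED_IN` address are constructed for illustration.

```python
import secrets

DRAFT_MASK = "FF:FF:FF:00:00:00 3C:28:6D:00:00:00"    # value from the draft
DEFAULT_MASK = "02:00:00:00:00:00 02:00:00:00:00:00"  # models the documented default
BURNED_IN = "00:11:22:33:44:55"                       # constructed sample address

def parse_mac(text):
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def generate_mac(mask_setting, current_mac=BURNED_IN):
    """Model cloned-mac-address=random under a generate-mac-address-mask value.

    Bits set in the mask are fixed, cleared bits are randomized. Fixed bits come
    from one of the listed addresses (chosen at random), or from the device's
    current MAC when only a mask is given. The multicast bit is always cleared.
    """
    fields = mask_setting.split()
    mask = parse_mac(fields[0])
    templates = [parse_mac(f) for f in fields[1:]] or [parse_mac(current_mac)]
    template = secrets.choice(templates)
    rand = secrets.token_bytes(6)
    out = bytearray((t & m) | (r & ~m & 0xFF) for t, m, r in zip(template, mask, rand))
    out[0] &= 0xFE  # force a unicast address
    return bytes(out)

def is_locally_administered(mac):
    """True when the 0x02 bit of the first octet marks the address as non-vendor."""
    return bool(mac[0] & 0x02)

def client_id_from_mac(mac):
    """dhcp-client-id=mac: hardware type 01 (Ethernet) followed by the current MAC."""
    return b"\x01" + mac

if __name__ == "__main__":
    for label, setting in (("default", DEFAULT_MASK), ("draft", DRAFT_MASK)):
        mac = generate_mac(setting)
        print(label, format_mac(mac),
              "locally administered:", is_locally_administered(mac),
              "client-id:", client_id_from_mac(mac).hex(":"))
```

Each run prints a new address for both settings: the default one carries the locally-administered bit, the draft one keeps the fixed `3C:28:6D` prefix with that bit clear, and the modelled client identifier changes together with the address.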

One thing that can be good to know if this is for your roaming setup:

Some APs/routers out there have limited tables in things like DHCP and ARP and run into scenarios like them filling up faster than they’re used making them fall over and stop accepting new clients until they get rebooted. Not exceedingly rare in hotels, trains, coffee shops and stuff. Just to say be careful you don’t DoS the LAN when you’re at the edge of coverage and it keeps auto-reconnecting. Maybe it’s a low-tier device designed for 255 clients and after a couple of hours on an unstable link you’re 200 of them… Not great if it also happens to not evict properly until some timeout after 6-24h.