From 27fcdb4c8269511b0648f4d0faf56bcc684e7d4c Mon Sep 17 00:00:00 2001 From: Tommy Date: Thu, 28 Sep 2023 05:39:20 -0700 Subject: [PATCH] Update content/posts/linux/Desktop Linux Hardening.md Co-authored-by: wj25czxj47bu6q <96372288+wj25czxj47bu6q@users.noreply.github.com> Signed-off-by: Tommy --- content/posts/linux/Desktop Linux Hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index ee1835e..a943331 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -247,7 +247,7 @@ firewall-cmd --add-service=dhcpv6-client --permanent firewall-cmd --reload ``` -On some distributions, it may be possible for applications running as a `wheel` or `sudo` user to make firewall changes through polkit. To disable this, enable firewalld _lockdown mode_ with `sudo firewall-cmd --lockdown-on`. +On some distributions, it may be possible for applications running as a `wheel` or `sudo` user to make firewall changes through polkit. To prevent this, enable firewalld _lockdown mode_ with `sudo firewall-cmd --lockdown-on`. These firewalls use the [netfilter](https://netfilter.org/) framework and therefore cannot (without the help of strict [mandatory access control](#mandatory-access-control)) protect against malicious software running privileged on the system, which can insert their own routing rules that sidestep firewalld/ufw.