Fix Firewalld bypass (#156)

* Update Desktop Linux Hardening.md

Co-authored-by: wj25czxj47bu6q <96372288+wj25czxj47bu6q@users.noreply.github.com>
Signed-off-by: Tommy <contact@tommytran.io>

---------

Signed-off-by: Tommy <contact@tommytran.io>
Co-authored-by: wj25czxj47bu6q <96372288+wj25czxj47bu6q@users.noreply.github.com>
This commit is contained in:
Tommy 2023-09-26 23:18:52 -07:00 committed by GitHub
parent f408929d59
commit 473bba3df3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -244,8 +244,11 @@ You could also set your default firewall zone to drop packets. To implement this
firewall-cmd --set-default-zone=drop firewall-cmd --set-default-zone=drop
firewall-cmd --add-protocol=ipv6-icmp --permanent firewall-cmd --add-protocol=ipv6-icmp --permanent
firewall-cmd --add-service=dhcpv6-client --permanent firewall-cmd --add-service=dhcpv6-client --permanent
firewall-cmd --reload
``` ```
On some distributions, it may be possible for unauthorized users or applications to make firewall changes through polkit. To disable this, enable firewalld _lockdown mode_ with `sudo firewall-cmd --lockdown-on`.
These firewalls use the [netfilter](https://netfilter.org/) framework and therefore cannot (without the help of strict [mandatory access control](#mandatory-access-control)) protect against malicious software running privileged on the system, which can insert their own routing rules that sidestep firewalld/ufw. These firewalls use the [netfilter](https://netfilter.org/) framework and therefore cannot (without the help of strict [mandatory access control](#mandatory-access-control)) protect against malicious software running privileged on the system, which can insert their own routing rules that sidestep firewalld/ufw.
There are some per&#8209;binary outbound firewalls such as [OpenSnitch](https://github.com/evilsocket/opensnitch) and [Portmaster](https://safing.io/portmaster/) that you could use as well. But, just like firewalld and ufw, they are bypassable. There are some per&#8209;binary outbound firewalls such as [OpenSnitch](https://github.com/evilsocket/opensnitch) and [Portmaster](https://safing.io/portmaster/) that you could use as well. But, just like firewalld and ufw, they are bypassable.