From 473bba3df3bb12de8821eada2aa68ad392f570ea Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 26 Sep 2023 23:18:52 -0700 Subject: [PATCH] Fix Firewalld bypass (#156) * Update Desktop Linux Hardening.md Co-authored-by: wj25czxj47bu6q <96372288+wj25czxj47bu6q@users.noreply.github.com> Signed-off-by: Tommy --------- Signed-off-by: Tommy Co-authored-by: wj25czxj47bu6q <96372288+wj25czxj47bu6q@users.noreply.github.com> --- content/posts/linux/Desktop Linux Hardening.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 2daddff..54b01ff 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -244,8 +244,11 @@ You could also set your default firewall zone to drop packets. To implement this firewall-cmd --set-default-zone=drop firewall-cmd --add-protocol=ipv6-icmp --permanent firewall-cmd --add-service=dhcpv6-client --permanent +firewall-cmd --reload ``` +On some distributions, it may be possible for unauthorized users or applications to make firewall changes through polkit. To disable this, enable firewalld _lockdown mode_ with `sudo firewall-cmd --lockdown-on`. + These firewalls use the [netfilter](https://netfilter.org/) framework and therefore cannot (without the help of strict [mandatory access control](#mandatory-access-control)) protect against malicious software running privileged on the system, which can insert their own routing rules that sidestep firewalld/ufw. There are some per‑binary outbound firewalls such as [OpenSnitch](https://github.com/evilsocket/opensnitch) and [Portmaster](https://safing.io/portmaster/) that you could use as well. But, just like firewalld and ufw, they are bypassable.
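Review bot: the added lockdown paragraph needs the lock-out caveat that goes with `firewall-cmd --lockdown-on`: once lockdown is on, only callers on the lockdown whitelist (`/etc/firewalld/lockdown-whitelist.xml`) can change the firewall, and the firewall-cmd man page itself warns that if firewall-cmd is not whitelisted you cannot turn lockdown off again with firewall-cmd and must edit `firewalld.conf` by hand. Suggest adding one sentence to that effect and telling the reader to confirm the state afterwards with `firewall-cmd --query-lockdown`. Also, "unauthorized users or applications" is vague; the mechanism being described is unprivileged local users reaching firewalld's D-Bus interface via polkit, so "unprivileged users or applications" states the threat more precisely. On the `firewall-cmd --reload` line: it is correct that the two `--permanent` commands need a reload to take effect, but `--reload` also discards any runtime-only rules, and `--set-default-zone=drop` is already applied immediately, so a short note that the reload is there to activate the `--permanent` additions (which, lacking `--zone=`, land in the now-default drop zone) would spare readers confusion.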