mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00

Update Desktop Linux Hardening.md

Signed-off-by: Tommy <contact@tommytran.io>
Tommy 2023-09-26 15:49:04 -07:00 committed by GitHub
parent af966f8e52
commit 9f4f6839de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -244,6 +244,13 @@ You could also set your default firewall zone to drop packets. To implement this
firewall-cmd --set-default-zone=drop
firewall-cmd --add-protocol=ipv6-icmp --permanent
firewall-cmd --add-service=dhcpv6-client --permanent
firewall-cmd --reload
```
On some distributions, `--set-default-zone` might be whitelisted by default which leads to bypasses. To disable this, turn on lockdown mode for `firewalld`:
```
sudo firewall-cmd --lockdown-on
```
These firewalls use the [netfilter](https://netfilter.org/) framework and therefore cannot (without the help of strict [mandatory access control](#mandatory-access-control)) protect against malicious software running privileged on the system, which can insert their own routing rules that sidestep firewalld/ufw.
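Review bot: the added sentence "`--set-default-zone` might be whitelisted by default which leads to bypasses" is too vague for a hardening guide: it does not say which distributions ship such a default, what exactly is on the whitelist, or what a "bypass" means here (a local process being able to change the default zone back, or something else), so the reader cannot judge whether the `--lockdown-on` step applies to them. Please name the affected distributions or link the source, and state the bypass concretely in one clause, e.g. "... so an unprivileged-looking process that is on the firewalld lockdown whitelist can change the default zone and undo this setting". Two smaller points in the same hunk: the new command is written as `sudo firewall-cmd --lockdown-on` while the `firewall-cmd` lines directly above it omit `sudo`, so either drop the `sudo` or add it to all four for consistency; and the new fenced block has no language tag, which would be worth adding if the rest of the file tags its shell blocks.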