From 9f4f6839de7a43bbd11c24345f16029046b094ca Mon Sep 17 00:00:00 2001
From: Tommy <contact@tommytran.io>
Date: Tue, 26 Sep 2023 15:49:04 -0700
Subject: [PATCH] Update Desktop Linux Hardening.md

Signed-off-by: Tommy <contact@tommytran.io>
---
 content/posts/linux/Desktop Linux Hardening.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md
index 2daddff..6bdc0a7 100644
--- a/content/posts/linux/Desktop Linux Hardening.md	
+++ b/content/posts/linux/Desktop Linux Hardening.md	
@@ -244,6 +244,13 @@ You could also set your default firewall zone to drop packets. To implement this
 firewall-cmd --set-default-zone=drop
 firewall-cmd --add-protocol=ipv6-icmp --permanent
 firewall-cmd --add-service=dhcpv6-client --permanent
+firewall-cmd --reload
+```
+
+On some distributions, `--set-default-zone` might be whitelisted by default which leads to bypasses. To disable this, turn on lockdown mode for `firewalld`:
+
+```
+sudo firewall-cmd --lockdown-on
 ```
 
 These firewalls use the [netfilter](https://netfilter.org/) framework and therefore cannot (without the help of strict [mandatory access control](#mandatory-access-control)) protect against malicious software running privileged on the system, which can insert their own routing rules that sidestep firewalld/ufw.