From 633620fd40ee4d0f63759ea84947962d20fab616 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gustavo=20I=C3=B1iguez=20Goia?= Date: Sun, 11 Jun 2023 02:26:55 +0200 Subject: [PATCH] Update Rules.md --- wiki/Rules.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/wiki/Rules.md b/wiki/Rules.md index a374de5d..211a2237 100644 --- a/wiki/Rules.md +++ b/wiki/Rules.md @@ -189,11 +189,10 @@ Example of a complex rule using the operator _list_, saved from the GUI (Note: v - Allow DNS queries only to your configured DNS nameservers: ⚠️ DNS protocol can be used to exfiltrate information from local networks. - * Allow `systemd-resolved`, `dnsmasq`, dnscrypt-proxy`, etc, connect only to your DNS nameservers + port 53 + UID. + * Allow `systemd-resolved`, `dnsmasq`, `dnscrypt-proxy`, etc, connect only to your DNS nameservers + port 53 + UID. * Besides allowing connections to remote DNS servers (9.9.9.9 for example), you may need to allow connections to localhost IPs (127.0.0.1, etc) - * The easiest way would we to delete your existing systemd-resolve rule, let it ask you again to allow/deny it, click on the `[+]` button and then select from the pop-up `from this command line` __AND__ to IP x.x.x.x __AND___ to port xxx - Even more - + * If you already allowed these stub resolvers, the easiest way would we to delete the existing rule, let it ask you again to allow/deny it, click on the `[+]` button and then select from the pop-up `from this command line` __AND__ to IP x.x.x.x __AND___ to port xxx + - Limit what an application can do as much as possible: * Filter by executable + command line: You don't want to allow `curl` or `wget` system wide. Instead, allow only a particular command line, for example:
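Review bot: the rewritten bullet still carries two defects from the line it replaces: "the easiest way would we to delete" should read "would be to delete", and `__AND___` has a third trailing underscore, so in Markdown the bold closes after `AND` and a stray `_` is rendered before "to port xxx"; both `__AND__` occurrences in the new line should use exactly two underscores. Suggested replacement for the added line: `* If you already allowed these stub resolvers, the easiest way would be to delete the existing rule, let it ask you again to allow/deny it, click on the `[+]` button and then select from the pop-up `from this command line` __AND__ to IP x.x.x.x __AND__ to port xxx`. The backtick fix on `dnscrypt-proxy` in the first changed line and the removal of the dangling "Even more" stub are correct as written; the `+ ` line added in its place is a whitespace-only line and could be dropped or left truly empty to avoid trailing-whitespace noise in the wiki source.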