From 7afc24e97d34cb203aef4bd8eaee53db10766f55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gustavo=20I=C3=B1iguez=20Goia?= Date: Sun, 5 Feb 2023 11:35:26 +0100 Subject: [PATCH] Update Rules.md --- wiki/Rules.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/wiki/Rules.md b/wiki/Rules.md index 03f7e1e9..9655e4d9 100644 --- a/wiki/Rules.md +++ b/wiki/Rules.md @@ -174,7 +174,8 @@ Example of a complex rule using the operator _list_, saved from the GUI (Note: v - Allow systemd-resolved only to your DNS nameservers: * Allow systemd-resolved connect only to your DNS nameservers + port 53 + UID - + + - Limit what an application can do as much as possible: * Filter by executable + command line: You don't want to allow `curl` or `wget` system wide. Instead, allow only a particular command line, for example: @@ -184,7 +185,11 @@ Example of a complex rule using the operator _list_, saved from the GUI (Note: v You can narrow it further, by allowing `from this command line` + `from this User ID` + `to this IP` + `to this port` -- Again: https://github.com/evilsocket/opensnitch/wiki/Rules-examples#filtering-python-scripts-applicable-to-java-and-others-interpreters +- Don't allow python3 binary system-wide: + * As explained above, filter by executable + command line + (... more parameters ...) + If you allow python3, you'll allow ANY python3 script, so be careful. + + https://github.com/evilsocket/opensnitch/wiki/Rules-examples#filtering-python-scripts-applicable-to-java-and-others-interpreters - Disable unprivileged namespaces to prevent rules bypass
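Review bot: In the first hunk the stray `+` line under the systemd-resolved bullet is replaced with an empty line, which fixes the rendering, but the adjacent context line still reads awkwardly ("Allow systemd-resolved connect only to your DNS nameservers"); while touching this bullet, consider "Allow systemd-resolved to connect only to your DNS nameservers + port 53 + UID" so the sub-bullet reads as a sentence and matches the style of the "Limit what an application can do" bullet below it.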
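Review bot: In the second hunk the new python3 bullet leaves the filter criteria as a placeholder ("filter by executable + command line + (... more parameters ...)"), which is less helpful than the preceding bullet that spells them out; suggest naming them, e.g. "filter by executable + command line + User ID + destination IP + port", mirroring the `from this command line` + `from this User ID` + `to this IP` + `to this port` wording just above. Two smaller points in the same hunk: "Don't allow python3 binary system-wide" should read "Don't allow the python3 binary system-wide", and the bare URL on the last added line would be clearer as a markdown link with descriptive text (for example "See: [Filtering python scripts](https://github.com/evilsocket/opensnitch/wiki/Rules-examples#filtering-python-scripts-applicable-to-java-and-others-interpreters)"), since the old "Again:" lead-in that introduced it has been removed.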