mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 08:34:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Update Rules.md

Browse source
This commit is contained in:
Gustavo Iñiguez Goia 2023-02-05 11:35:26 +01:00 committed by GitHub
parent a32abc99e0
commit 7afc24e97d
Failed to generate hash of commit
1 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
wiki/Rules.md
View file

@ -174,7 +174,8 @@ Example of a complex rule using the operator _list_, saved from the GUI (Note: v
- Allow systemd-resolved only to your DNS nameservers:
* Allow systemd-resolved connect only to your DNS nameservers + port 53 + UID
- Limit what an application can do as much as possible:
* Filter by executable + command line: You don't want to allow `curl` or `wget` system wide. Instead, allow only a particular command line, for example:
@ -184,7 +185,11 @@ Example of a complex rule using the operator _list_, saved from the GUI (Note: v
You can narrow it further, by allowing `from this command line` + `from this User ID` + `to this IP` + `to this port`
- Again: https://github.com/evilsocket/opensnitch/wiki/Rules-examples#filtering-python-scripts-applicable-to-java-and-others-interpreters
- Don't allow python3 binary system-wide:
* As explained above, filter by executable + command line + (... more parameters ...)
If you allow python3, you'll allow ANY python3 script, so be careful.
https://github.com/evilsocket/opensnitch/wiki/Rules-examples#filtering-python-scripts-applicable-to-java-and-others-interpreters
- Disable unprivileged namespaces to prevent rules bypass