Message-ID: <003101c3619d$34565a20$e400a8c0@ape>
From: "Markie"
To: "Andy Farkas", "Mark"
References: <20030813215540.T90272-100000@hewey.af.speednet.com.au>
Date: Wed, 13 Aug 2003 14:17:08 +0100
cc: freebsd-questions@freebsd.org
Subject: Re: Restricting ICMP

----- Original Message -----
From: "Andy Farkas"
To: "Mark"
Cc:
Sent: Wednesday, August 13, 2003 1:01 PM
Subject: Re: Restricting ICMP

> Mark wrote:
>
> > I am just not very fond of the idea of local users starting ICMP wars over
> > the net, using my server :) I have already had an instance where a web-user
> > did an excessive ping attack on one of his buddies. And, naturally, I want
> > to prevent that. The chmod u-s idea mentioned here, was a good idea. Except
> > that, preferably, I'd like all of wheel to have access, and the rest not.
> > And that may be harder to implement.
>
> If your users play up, put your BOFH hat on and lart them.
>
> chmod'ing /sbin/ping is useless - users can compile their own version of
> ping.

Is it? I thought it was setuid root for a reason :o)

mrboo@beast:/home/mrboo$ ls -l /sbin/ping
-r-sr-xr-x 1 toor wheel 469492 Aug 11 14:57 /sbin/ping

No but really, copy ping to your user home, as a user, from
/usr/src/sbin/ping and compile it yourself...

mrboo@beast:/home/mrboo/ping$ make
Warning: Object directory not changed from original /usr/home/mrboo/ping
cc -O -pipe -march=pentium2 -DIPSEC -Wsystem-headers -Werror -Wall -Wno-f
ormat-y2k -Wno-uninitialized -c ping.c
./ping cc -O -pipe -march=pentium2 -DIPSEC -Wsystem-headers -Werror -Wall -Wno-f
ormat-y2k -Wno-uninitialized -o ping ping.o -lm -lipsec
bonegzip -cn ping.8 > ping.8.gz
mrboo@beast:/home/mrboo/ping$ ./ping bone
ping: socket: Operation not permitted
mrboo@beast:/home/mrboo/ping$

I just woke up, so it may well be I am just being stupid :o)

> Make your users aware that abusing ping (and other net resources) will get
> them kicked and banned from your system.
>
> --
>
> :{ andyf@speednet.com.au
>
> Andy Farkas
> System Administrator
> Speednet Communications
> http://www.speednet.com.au/
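
Added example, not part of the original message or of FreeBSD's ping: the thread turns on who can reach root's raw-socket privilege through the setuid bit on /sbin/ping, so this C program models that decision for a given owner, group and mode, and probes whether the current process may open a raw ICMP socket. The function names icmp_reachable and raw_icmp_errno are hypothetical, and the model assumes classic Unix permission bits only (no ACLs or other policy layers).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* 1 if this user can execute the binary and inherit root's raw-socket
 * privilege from its setuid bit; classes are checked group, then other. */
int icmp_reachable(uid_t owner, gid_t group, mode_t mode,
                   uid_t uid, const gid_t *groups, int ngroups)
{
    int i;
    if (uid == 0)
        return 1;                     /* root needs no setuid bit */
    if (owner != 0 || !(mode & S_ISUID))
        return 0;                     /* runs as the caller: socket() fails */
    for (i = 0; i < ngroups; i++)
        if (groups[i] == group)
            return (mode & S_IXGRP) != 0;
    return (mode & S_IXOTH) != 0;
}

/* 0 if the current process may open a raw ICMP socket, otherwise errno. */
int raw_icmp_errno(void)
{
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (s < 0)
        return errno;
    close(s);
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/sbin/ping";
    gid_t groups[65];
    struct stat st;
    int n, e = raw_icmp_errno();
    groups[0] = getegid();            /* getgroups() may omit the effective gid */
    n = getgroups(64, groups + 1);
    printf("raw ICMP socket as uid %d: %s\n", (int)getuid(), e ? strerror(e) : "allowed");
    if (stat(path, &st) != 0) { perror(path); return 1; }
    printf("%s mode %04o: %s\n", path, (unsigned)(st.st_mode & 07777),
           icmp_reachable(st.st_uid, st.st_gid, st.st_mode, getuid(),
                          groups, n < 0 ? 1 : n + 1) ? "usable" : "not usable");
    return 0;
}
```

With owner root, group wheel and mode 4550, the model answers yes for wheel members and no for everyone else, and a self-compiled copy owned by the user answers no regardless of mode.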