From owner-freebsd-questions Mon Jul 24 23:44:59 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from merlin.prod.itd.earthlink.net (merlin.prod.itd.earthlink.net [207.217.120.156]) by hub.freebsd.org (Postfix) with ESMTP id 647A737BBFD for ; Mon, 24 Jul 2000 23:44:50 -0700 (PDT) (envelope-from cjc@pool0379.cvx20-bradley.dialup.earthlink.net)
Received: from pool0379.cvx20-bradley.dialup.earthlink.net (pool0379.cvx20-bradley.dialup.earthlink.net [209.179.251.124]) by merlin.prod.itd.earthlink.net (8.9.3-EL_1_3/8.9.3) with ESMTP id XAA14050; Mon, 24 Jul 2000 23:44:46 -0700 (PDT)
Received: (from cjc@localhost) by pool0830.cvx20-bradley.dialup.earthlink.net (8.9.3/8.9.3) id XAA01008; Mon, 24 Jul 2000 23:10:02 -0700 (PDT)
Date: Mon, 24 Jul 2000 23:10:01 -0700
From: "Crist J. Clark"
To: Kent Stewart
Cc: Sam Carleton, FreeBSD Questions
Subject: Re: allowing pings out from my firewall
Message-ID: <20000724231001.C258@pool0653.cvx20-bradley.dialup.e>
Reply-To: cjclark@alum.mit.edu
References: <397D0CC8.D6E2B382@miltonstreet.com> <397D171E.117F789E@urx.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <397D171E.117F789E@urx.com>; from kstewart@urx.com on Mon, Jul 24, 2000 at 09:27:10PM -0700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Jul 24, 2000 at 09:27:10PM -0700, Kent Stewart wrote:
> 
> Sam Carleton wrote:
> > 
> > Alfred Perlstein wrote:
> > 
> > > * Sam Carleton [000724 13:49] wrote:
> > > > I have a normal user on my FreeBSD box that needs to run ping and
> > > > traceroute. I do NOT want to give this user the ability to su in as
> > > > root. What do I need to do so this user can run ping and
> > > > traceroute?
> > > 
> > > Ping and traceroute are suid, therefore you don't need to be root
> > > to use them; they automatically grant the appropriate level of
> > > privilege to perform the operations needed.
> > 
> > I was wrong. I (as root) just tried to ping something and I got the
> > error message:
> > 
> > ping: sendto: Permission denied
> > 
> > After thinking about this for a moment, I realized that I believe this
> > to be a firewall issue. I have the "simply" firewall running on this
> > 4.0-STABLE machine and I think it is the firewall that is stopping ping
> > from going out. How do I modify the firewall to allow pings and
> > traceroute to get out?
> 
> See the "Setting-up a Dual-Homed Host..." at
> http://www.mostgraveconcern.com/freebsd/. He has an example of
> allowing ping and another for setting up traceroute. The traceroute
> only permits 30 hops.

You know, you can always do traceroute(8) with TCP. You don't need the
special UDP rules; the packets would pass most firewalls that allow
outgoing TCP connections. Still need to let in the ICMP.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
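The thread leaves the actual firewall change implicit, so here is an added example (not from the thread, the referenced web page, or FreeBSD's own rc.firewall) of the ipfw rules a "simple"-style rule set needs so that ping and traceroute can get out and their replies can get back in. It also shows where the "30 hops" limit in the quoted traceroute example comes from: the default traceroute sends three UDP probes per hop starting at port 33434, so 30 hops is the port range 33434-33523. The outside interface name (fxp0), the rule numbers and the $fwcmd variable are assumptions; set DRY_RUN=1 to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not part of the original thread: ipfw rules that let ping and
# traceroute out and let the needed ICMP back in. Assumptions: the outside
# interface is $oif (fxp0 is a placeholder), rules are loaded with $fwcmd, and
# the rule numbers in $base sit before the rule set's final deny.
oif="${oif:-fxp0}"
fwcmd="${fwcmd:-ipfw}"
DRY_RUN="${DRY_RUN:-0}"
base="${base:-1000}"

# Print the rule (DRY_RUN=1) or hand it to ipfw.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$fwcmd $*"
    else
        "$fwcmd" "$@"
    fi
}

# UDP destination ports used by the default traceroute: three probes per hop,
# starting at 33434. For 30 hops that is 33434-33523, which is why the quoted
# example "only permits 30 hops"; pass a larger hop count to widen the range.
traceroute_ports() {
    max_hops="${1:-30}"
    first=33434
    last=$((first + max_hops * 3 - 1))
    echo "${first}-${last}"
}

# Install the four rules. Argument: maximum traceroute hops (default 30).
add_ping_traceroute_rules() {
    ports=$(traceroute_ports "${1:-30}")
    # ping: echo request (type 8) out, echo reply (type 0) back in
    run add "$base" allow icmp from any to any out via "$oif" icmptypes 8
    run add "$((base + 1))" allow icmp from any to any in via "$oif" icmptypes 0
    # traceroute: the UDP probes to the high ports go out ...
    run add "$((base + 2))" allow udp from any to any "$ports" out via "$oif"
    # ... and what comes back is ICMP time exceeded (type 11) from each hop and
    # port unreachable (type 3) from the destination. A TCP traceroute needs no
    # UDP rule, since outbound TCP setup already passes, but still needs these.
    run add "$((base + 3))" allow icmp from any to any in via "$oif" icmptypes 3,11
}

# Load the rules only when explicitly asked, so the file can be sourced safely.
if [ "${RUN_NOW:-0}" = 1 ]; then
    add_ping_traceroute_rules "${1:-30}"
fi
```

Run it as `RUN_NOW=1 oif=ed0 sh ping_rules.sh` (or source it and call `add_ping_traceroute_rules 64` for a longer traceroute). The inbound ICMP rule is what makes the difference for a TCP traceroute too: the SYN probes leave through the existing TCP rules, but without type 11 and type 3 coming back every hop shows as `* * *`.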