From owner-freebsd-questions@FreeBSD.ORG Wed Aug 13 02:56:07 2003
From: Mark
Date: Wed, 13 Aug 2003 09:56:04 GMT
To: "Andy Farkas"
Cc: freebsd-questions@freebsd.org
Subject: Re: Restricting ICMP
Message-Id: <200308130956.H7D9U28E022832@asarian-host.net>
References: <20030813123805.Y90272-100000@hewey.af.speednet.com.au>
Organization: Asarian-host

----- Original Message -----
From: "Andy Farkas"
To: "Mark"
Sent: Wednesday, August 13, 2003 4:41 AM
Subject: Re: Restricting ICMP

> > Is there a way I can use ipfw to disallow ICMP from anyone,
> > but root? (FreeBSD 4.7R) I tried this:
> >
> > ${fwcmd} -q add 4 allow icmp from any to any icmptype 0,3,8,11 in via ${outside}
> > ${fwcmd} -q add 4 allow icmp from any to any uid root
> > ${fwcmd} -q add 4 deny log icmp from any to any
>
> man ipfw says:
>
>      uid user
>              Match all TCP or UDP packets sent by or received for a user.
>              A user may be matched by name or identification number.
>
> ...which sort of implies it won't work for icmp.
>
> Why would you want this policy?

I am just not very fond of the idea of local users starting ICMP wars over the net, using my server :) I have already had an instance where a web-user did an excessive ping attack on one of his buddies. And, naturally, I want to prevent that.

The chmod u-s idea mentioned here was a good idea. Except that, preferably, I'd like all of wheel to have access, and the rest not. And that may be harder to implement.

Thanks for your answer anyway,

- Mark
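The "chmod u-s" approach extended to the wheel-only policy Mark asks for, as an added example that is not from the thread: since the man page quoted above limits ipfw's uid match to TCP and UDP, the workable lever is the setuid ping binary itself, kept setuid root but executable only by one group. The path /sbin/ping and the group name wheel are assumptions passed as parameters, so the functions can be tried on a scratch file first.

```sh
#!/bin/sh
# Added example, not code from the thread. ping needs a raw socket, which is
# why it is installed setuid root; instead of stripping the bit (chmod u-s,
# which locks out everyone but root), give the binary to one group and make
# it group-executable only. Mode 4710 = setuid + owner rwx + group x, others
# nothing. Any other setuid tool that can emit ICMP needs the same treatment.

# restrict_setuid_to_group FILE GROUP
# Hand FILE to GROUP and set mode 4710. Returns non-zero on failure.
restrict_setuid_to_group() {
    file=$1
    group=$2
    chgrp "$group" "$file" || return 1
    chmod 4710 "$file" || return 1
}

# perm_string FILE -> the ten-character mode column of ls -l, e.g. -rws--x---
# (portable across BSD and GNU ls; ACL/SELinux markers fall outside column 10)
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# check_restricted FILE GROUP -> 0 only if FILE is setuid, executable by its
# group alone, and that group is GROUP. Use it to audit the result.
check_restricted() {
    [ "$(perm_string "$1")" = "-rws--x---" ] || return 1
    # field 4 of ls -l is the group name
    [ "$(ls -ld "$1" | awk '{print $4}')" = "$2" ] || return 1
}

# On the server itself, as root (paths and group are assumptions):
#   restrict_setuid_to_group /sbin/ping wheel && check_restricted /sbin/ping wheel
```

Users outside the group then get "Permission denied" from the shell before any ICMP is sent, while wheel members keep a fully working ping.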