Date: Wed, 13 Aug 2003 15:09:15 +0200
From: Ruben de Groot
To: Andy Farkas
Cc: freebsd-questions@freebsd.org
Subject: Re: Restricting ICMP

On Wed, Aug 13, 2003 at 10:01:03PM +1000, Andy Farkas typed:
> Mark wrote:
>
> > I am just not very fond of the idea of local users starting ICMP wars over
> > the net, using my server :) I have already had an instance where a web-user
> > did an excessive ping attack on one of his buddies. And, naturally, I want
> > to prevent that. The chmod u-s idea mentioned here, was a good idea. Except
> > that, preferably, I'd like all of wheel to have access, and the rest not.
> > And that may be harder to implement.
>
> If your users play up, put your BOFH hat on and lart them.
>
> chmod'ing /sbin/ping is useless - users can compile their own version of
> ping.

They can compile all they want, but they can't make the command suid root,
which is required for ping to work.

ruben@ei:/home/ruben> cp /sbin/ping .
ruben@ei:/home/ruben> ./ping localhost
ping: socket: Operation not permitted

So I would say taking away the s bit (or the execute bit for others) can be
very useful.

-Ruben

> Make your users aware that abusing ping (and other net resources) will get
> them kicked and banned from your system.
>
> --
>
> :{ andyf@speednet.com.au
>
> Andy Farkas
> System Administrator
> Speednet Communications
> http://www.speednet.com.au/
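
Added example, not part of the original message: a small audit script that tells, from a ping binary's mode bits and owner, who can actually open the raw socket. The function names classify_suid and audit_file are hypothetical, and the root-owned mode 4550 layout (setuid kept, execute removed for others, group set to wheel) is an assumed way to get the "wheel only" restriction Mark asks for.

```sh
#!/bin/sh
# Added example (not from the thread): who can actually send ICMP with a
# given copy of ping, judged from its mode bits and owner.

# classify_suid MODE UID -> everyone | group-only | owner-only | unprivileged
# MODE is octal (e.g. 4555), UID is the numeric owner of the file.
classify_suid() {
    mode=$(( 0$1 ))
    # No setuid bit, or setuid to a non-root user: the raw socket call fails
    # ("ping: socket: Operation not permitted"), as with a user's own copy.
    if [ $(( mode & 04000 )) -eq 0 ] || [ "$2" -ne 0 ]; then
        echo unprivileged
    elif [ $(( mode & 0001 )) -ne 0 ]; then
        echo everyone        # setuid root and executable by any local user
    elif [ $(( mode & 0010 )) -ne 0 ]; then
        echo group-only      # e.g. root-owned 4550 with the group set to wheel
    else
        echo owner-only
    fi
}

# audit_file PATH: read the relevant bits from disk using only POSIX tools.
audit_file() {
    bits=0
    for b in 4000 0010 0001; do
        if [ -n "$(find "$1" -prune -perm "-$b")" ]; then
            bits=$(( bits | 0$b ))
        fi
    done
    uid=$(ls -ldn "$1" | awk '{print $3}')
    classify_suid "$(printf '%o' "$bits")" "$uid"
}

# Constructed sample modes first, then any paths given on the command line.
for sample in "4555 0" "4550 0" "0555 0" "4555 1001"; do
    printf '%s uid=%s -> %s\n' "${sample% *}" "${sample#* }" \
        "$(classify_suid "${sample% *}" "${sample#* }")"
done
for f in "$@"; do
    printf '%s -> %s\n' "$f" "$(audit_file "$f")"
done
```

The script only reads mode bits and the owner; it does not check which group the file belongs to, so confirm separately that the group is wheel.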