Date:      Tue, 25 Jul 2000 00:54:50 -0700
From:      Kent Stewart <kstewart@urx.com>
To:        cjclark@alum.mit.edu
Cc:        Sam Carleton <scarleton@miltonstreet.com>, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: allowing pings out from my firewall
Message-ID:  <397D47CA.CD544750@urx.com>
References:  <397D0CC8.D6E2B382@miltonstreet.com> <397D171E.117F789E@urx.com> <20000724231001.C258@pool0653.cvx20-bradley.dialup.e>

"Crist J. Clark" wrote:
> 
> On Mon, Jul 24, 2000 at 09:27:10PM -0700, Kent Stewart wrote:
> >
> >
> > Sam Carleton wrote:
> > >
> > > Alfred Perlstein wrote:
> > >
> > > > * Sam Carleton <scarleton@miltonstreet.com> [000724 13:49] wrote:
> > > > > I have a normal user on my FreeBSD box that needs to run ping and
> > > > > traceroute.  I do NOT want to give this user the ability to su in as
> > > > > root.  What do I need to do so this user can run ping and traceroute?
> > > >
> > > > Ping and traceroute are suid therefore you don't need to be root
> > > > to use them, they automatically grant the appropriate level of
> > > > privilege to perform the operations needed.
> > >
> > > I was wrong, I (as root) just tried to ping something and I got the
> > > error message:
> > >
> > > ping: sendto: Permission denied
> > >
> > > After thinking about this for a moment, I realized that I believe this
> > > to be a firewall issue.  I have the "simply" firewall running on this
> > > 4.0-STABLE machine and I think it is the firewall that is stopping ping
> > > from going out.  How do I modify the firewall to allow pings and
> > > traceroute to get out?
> >
> > See the "Setting-up a Dual-Homed Host..." at
> > http://www.mostgraveconcern.com/freebsd/. He has an example of
> > allowing ping and another for setting up traceroute. The traceroute
> > only permits 30 hops.
> 
> You know, you can always do traceroute(8) with TCP. You don't need the
> special UDP rules; the packets would pass most firewalls that allow
> outgoing TCP connections. Still need to let in the ICMP.

I started out with just ICMP and it didn't work. I added UDP and it
did. I just did a man traceroute and will have to try TCP. There are a
few things that aren't working the way I do things. I'm trying to
figure out who has to change. If I have to change, that is what I
think aliases were created for. At the same time, if I can cut a rule,
I will. I figure every rule you add slows things down a little bit.
I'll see how far I get tonight.

Kent

> --
> Crist J. Clark                           cjclark@alum.mit.edu

-- 
Kent Stewart
Richland, WA

mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html
FreeBSD News http://daily.daemonnews.org/

Bomber dropping fire retardant in front of Hanford Wild fire.
http://kstewart.urx.com/kstewart/bomber.jpg
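An added example, not code from the thread or from either poster, of the ipfw rules the exchange is about: ICMP echo out and back for ping, the UDP probe range plus the ICMP replies for traceroute, and a note on why TCP-probe traceroute needs no UDP rule. The outside interface name (fxp0), the rule numbers, and the stock BSD traceroute port arithmetic (one port per probe starting at 33434) are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: prints the ipfw rules that let ping
# and traceroute out through the outside interface of a FreeBSD 4.x
# "simple" rc.firewall setup. Interface name and rule numbers are
# placeholders; the rules must sit before the final "deny ip from any to any".

BASE_PORT=33434   # stock BSD traceroute starts its UDP probes at 32768+666

# UDP destination ports traceroute will use: one port per probe, and
# max_ttl * nprobes probes in all (defaults 30 hops x 3 probes = 90 ports).
traceroute_udp_ports() {
    max_ttl=$1
    nprobes=$2
    last=$((BASE_PORT + max_ttl * nprobes - 1))
    echo "${BASE_PORT}-${last}"
}

# $1 = outside interface, $2 = max hops (default 30), $3 = probes per hop (3).
# Output is meant to be reviewed, then piped into sh on the firewall host.
ping_traceroute_rules() {
    oif=$1
    ports=$(traceroute_udp_ports "${2:-30}" "${3:-3}")
    # ping: echo request (type 8) out, echo reply (type 0) back in.
    # Without the "out" rule ipfw drops the packet in the kernel and ping
    # reports exactly the "sendto: Permission denied" quoted above.
    echo "ipfw add 1000 allow icmp from any to any out via $oif icmptypes 8"
    echo "ipfw add 1010 allow icmp from any to any in via $oif icmptypes 0"
    # traceroute, UDP mode: probes out to the high port range, plus the
    # replies it relies on: time exceeded (11) from each hop and port
    # unreachable (3) from the final destination.
    echo "ipfw add 1020 allow udp from any to any $ports out via $oif"
    echo "ipfw add 1030 allow icmp from any to any in via $oif icmptypes 3,11"
    # traceroute with TCP probes needs no UDP rule at all: the simple set's
    # outbound-TCP and inbound "established" rules carry the probes, and
    # only rule 1030 (the ICMP replies) is still required.
}

ping_traceroute_rules "${1:-fxp0}"
```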