Date: Wed, 13 Aug 2003 09:56:04 GMT
From: Mark <admin@asarian-host.net>
To: "Andy Farkas" <andyf@speednet.com.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: Restricting ICMP
Message-ID: <200308130956.H7D9U28E022832@asarian-host.net>
References: <20030813123805.Y90272-100000@hewey.af.speednet.com.au>

----- Original Message -----
From: "Andy Farkas" <andyf@speednet.com.au>
To: "Mark" <admin@asarian-host.net>
Cc: <freebsd-questions@freebsd.org>
Sent: Wednesday, August 13, 2003 4:41 AM
Subject: Re: Restricting ICMP

> >
> > Is there a way I can use ipfw to disallow ICMP from anyone,
> > but root? (FreeBSD 4.7R) I tried this:
> >
> > ${fwcmd} -q add 4 allow icmp from any to any
> > $ icmptype 0,3,8,11 in via
> > ${outside}
> > ${fwcmd} -q add 4 allow icmp from any to any uid root
> > ${fwcmd} -q add 4 deny log icmp from any to any
>
> man ipfw says:
>
>     uid user
>         Match all TCP or UDP packets sent by or received for a user.
>         A user may be matched by name or identification number.
>
> ...which sort of implies it won't work for icmp.
>
> Why would you want this policy?

I am just not very fond of the idea of local users starting ICMP wars over the net, using my server :) I have already had an instance where a web-user did an excessive ping attack on one of his buddies. And, naturally, I want to prevent that.

The chmod u-s idea mentioned here was a good idea. Except that, preferably, I'd like all of wheel to have access, and the rest not. And that may be harder to implement.

Thanks for your answer anyway,

- Mark
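
The wheel-only variant asked about above can be handled with group ownership and mode bits rather than ipfw; the sketch below is an added example, not part of the original thread. The function names `restrict_setuid` and `check_restricted` are hypothetical, and it assumes a root-owned setuid binary such as `/sbin/ping` on FreeBSD, where wheel is GID 0.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# restrict_setuid FILE GROUP
# Keep FILE setuid, but let only its owner and members of GROUP run it.
restrict_setuid() {
    file=$1 group=$2
    # Change the group first: a chgrp done after chmod can clear the
    # setuid bit when the caller is not root.
    chgrp "$group" "$file" || return 1
    # 4550 = setuid, r-x for owner, r-x for group, nothing for others.
    chmod 4550 "$file"
}

# check_restricted FILE GID
# Succeed only if FILE is setuid, executable by its group, closed to
# "other", and its group is the numeric GID given.
check_restricted() {
    file=$1 want_gid=$2
    # ls -ln fields: mode, link count, uid, gid, ...
    set -- $(ls -ln "$file")
    # Drop any trailing ACL/label marker after the 10 mode characters.
    mode=$(printf '%s' "$1" | cut -c1-10)
    case $mode in
        -??s??x---) ;;      # setuid, group execute, no access for others
        *) return 1 ;;
    esac
    [ "$4" = "$want_gid" ]
}

# Intended use as root on the server (paths and group are assumptions):
#   restrict_setuid /sbin/ping wheel && check_restricted /sbin/ping 0
```

A system upgrade that reinstalls the binary resets its mode, so the check is worth re-running afterwards.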