Restricting ICMP
Mark
admin at asarian-host.net
Wed Aug 13 02:56:07 PDT 2003
----- Original Message -----
From: "Andy Farkas" <andyf at speednet.com.au>
To: "Mark" <admin at asarian-host.net>
Cc: <freebsd-questions at freebsd.org>
Sent: Wednesday, August 13, 2003 4:41 AM
Subject: Re: Restricting ICMP
> >
> > Is there a way I can use ipfw to disallow ICMP from anyone,
> > but root? (FreeBSD 4.7R) I tried this:
> >
> > ${fwcmd} -q add 4 allow icmp from any to any icmptype 0,3,8,11 in via ${outside}
> > ${fwcmd} -q add 4 allow icmp from any to any uid root
> > ${fwcmd} -q add 4 deny log icmp from any to any
>
> man ipfw says:
>
> uid user
> Match all TCP or UDP packets sent by or received for a user.
> A user may be matched by name or identification number.
>
> ...which sort of implies it won't work for icmp.
>
> Why would you want this policy?
I am just not very fond of the idea of local users starting ICMP wars over
the net, using my server :) I have already had an instance where a web-user
did an excessive ping attack on one of his buddies. And, naturally, I want
to prevent that. The chmod u-s idea mentioned here was a good idea. Except
that, preferably, I'd like all of wheel to have access, and the rest not.
And that may be harder to implement.
Thanks for your answer anyway,
- Mark
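
The wheel-only variant of the chmod u-s idea raised in the message above, as an added example that is not part of the original thread. It assumes ping is the setuid-root binary at /sbin/ping; the function names restrict_to_group and classify_access are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the target is a setuid-root
# binary such as /sbin/ping; both helper names are hypothetical.

# restrict_to_group FILE GROUP
# Keep the setuid bit but let only the owner and GROUP execute the file
# (mode 4550). On the real binary this must be run as root.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4550 "$1"
}

# classify_access FILE
# Report who can use the setuid privilege of FILE, judged only from the
# permission string printed by ls (ownership by root is assumed):
#   everyone   - setuid and executable by others (the stock 4555 layout)
#   group-only - setuid, group may execute, others may not (4550)
#   owner-only - setuid, but neither group nor others may execute
#   root-only  - no setuid bit (the "chmod u-s" state): the file may still
#                run, but it gains no root privilege for the raw socket
classify_access() {
    perm=$(ls -ld -- "$1" | cut -c1-10) || return 1
    case "$perm" in
        ???[sS]?????[xt]) echo "everyone" ;;
        ???[sS]??[xs]*)   echo "group-only" ;;
        ???[sS]*)         echo "owner-only" ;;
        *)                echo "root-only" ;;
    esac
}

# Stand-alone use, as root:  sh thisfile /sbin/ping wheel
if [ "$#" -eq 2 ]; then
    restrict_to_group "$1" "$2" && classify_access "$1"
fi
```

Re-run classify_access after anything that reinstalls the binary, since a reinstall may put the stock mode back. A copy of ping that a user places in a home directory is not setuid root, so it falls in the root-only case.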