Restricting ICMP

Mark admin at asarian-host.net
Wed Aug 13 02:56:07 PDT 2003


----- Original Message ----- 
From: "Andy Farkas" <andyf at speednet.com.au>
To: "Mark" <admin at asarian-host.net>
Cc: <freebsd-questions at freebsd.org>
Sent: Wednesday, August 13, 2003 4:41 AM
Subject: Re: Restricting ICMP


> >
> > Is there a way I can use ipfw to disallow ICMP from anyone,
> > but root? (FreeBSD 4.7R) I tried this:
> >
> > ${fwcmd} -q add 4 allow icmp from any to any icmptypes 0,3,8,11 in via ${outside}
> > ${fwcmd} -q add 4 allow icmp from any to any uid root
> > ${fwcmd} -q add 4 deny log icmp from any to any
>
> man ipfw says:
>
>   uid user
>     Match all TCP or UDP packets sent by or received for a user.
>     A user may be matched by name or identification number.
>
> ...which sort of implies it won't work for icmp.
>
> Why would you want this policy?

I am just not very fond of the idea of local users starting ICMP wars over
the net, using my server :) I have already had an instance where a web-user
did an excessive ping attack on one of his buddies. And, naturally, I want
to prevent that. The chmod u-s idea mentioned here was a good idea. Except
that, preferably, I'd like all of wheel to have access, and the rest not.
And that may be harder to implement.

Thanks for your answer anyway,

- Mark
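
An added example, not code from the thread or from FreeBSD itself, showing the file-permission route Mark refers to done the "wheel may still ping" way: keep ping setuid root (it needs a raw socket) but make it group wheel with mode 4750, so root and wheel members can run it and nobody else can. Since ipfw's uid/gid matching only covers TCP and UDP, the restriction has to live on the binaries rather than in the ruleset. The paths /sbin/ping and /usr/sbin/traceroute, the group name wheel, and the demo's use of a scratch file with the caller's primary group standing in for wheel are assumptions; the functions are hypothetical helpers written for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Restrict the setuid ICMP
# helpers to root plus one group (assumed: "wheel") by ownership and mode.
# Assumed FreeBSD paths: /sbin/ping and /usr/sbin/traceroute. Run as root.
# Non-root users cannot open a raw socket themselves, so once the setuid
# helpers are group-restricted they have no way left to emit ICMP from the box.

# restrict_to_group FILE GROUP
# Keep the setuid bit (ping needs root for the raw socket) but drop every
# permission for "other": 4750 = rwsr-x---. Only root and GROUP members run it.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# mode_of FILE: symbolic mode string from ls(1), e.g. "-rwsr-x---".
# ls is used instead of stat(1) because stat's flags differ between
# FreeBSD and Linux.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_of FILE: owning group name (4th column of ls -l).
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# may_run USER FILE: succeeds if USER is root or is in FILE's owning group,
# which is exactly what the kernel will allow for a 4750 file.
may_run() {
    [ "$1" = root ] && return 0
    grp=$(group_of "$2")
    for g in $(id -Gn "$1"); do
        [ "$g" = "$grp" ] && return 0
    done
    return 1
}

# demo: exercise the helpers on a scratch file so the logic can be checked
# without root and without touching the real /sbin/ping. The caller's primary
# group stands in for wheel because chgrp to an arbitrary group needs root.
# Prints "<mode> <allowed|denied>" for the current user.
demo() {
    f=$(mktemp "${TMPDIR:-/tmp}/pingdemo.XXXXXX") || return 1
    restrict_to_group "$f" "$(id -gn)" || { rm -f "$f"; return 1; }
    mode=$(mode_of "$f")
    if may_run "$(id -un)" "$f"; then ok=allowed; else ok=denied; fi
    rm -f "$f"
    echo "$mode $ok"
}

# Production use on the FreeBSD host, as root:
#   restrict_to_group /sbin/ping wheel
#   restrict_to_group /usr/sbin/traceroute wheel
```

One caveat a practitioner will hit: `make installworld` reinstalls ping and traceroute with their default setuid mode and world-execute bit, so the change is undone on every upgrade unless it is reapplied from a local rc script (or recorded in a local mtree specification). The check `may_run` implements is the same one to run before and after: a web user who is not in wheel should get "denied", a wheel member "allowed".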


