Re: Restricting ICMP

2003-08-14 Thread Mark
- Original Message - 
From: Andy Farkas [EMAIL PROTECTED]
To: Markie [EMAIL PROTECTED]
Cc: Mark [EMAIL PROTECTED]; Ruben de Groot [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 3:20 PM
Subject: Re: Restricting ICMP


  Is it? I thought it was setuid root for a reason :o)
 
  I just woke up, so it may well be I am just being stupid :o)

 Well, I didn't know ping needed suid. I stand corrected and
 apologise for any misleadings.

 /me is the stupid one... time to go to bed :)


If it makes you feel any better, I feel rather stupid too. :) Here I was,
thinking: Hmm, chmod g+s, as means of allowing only folks in wheel access,
is not going to work; whereas the glaringly obvious solution: to remove
execution-bits from o using chmod 4550, for some bizarre reason, escaped
me. :)

/me, feeling stupid too.

- Mark

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Restricting ICMP

2003-08-14 Thread Andy Farkas
 Is it? I thought it was setuid root for a reason :o)
...
 I just woke up, so it may well be I am just being stupid :o)

Well, I didn't know ping needed suid. I stand corrected and apologise for
any misleadings.

/me is the stupid one... time to go to bed :)

--

 :{ [EMAIL PROTECTED]

Andy Farkas
System Administrator
   Speednet Communications
 http://www.speednet.com.au/





Re: Restricting ICMP

2003-08-14 Thread Jonathan Chen
On Tue, Aug 12, 2003 at 12:28:40AM +, Mark wrote:

[..]
 Sorry for the addendum; but I was not entirely clear. I want to restrict
 *outgoing* ICMP (traceroute and such) to anyone, but root.

# chmod u-s /usr/sbin/traceroute /sbin/ping

-- 
Jonathan Chen [EMAIL PROTECTED]
--
If everything's under control, you're going too slow
  - Mario Andretti


Re: Restricting ICMP

2003-08-14 Thread Markie
lol. Must just be one of those days, eh? I can't get enough of them :o)

- Original Message -
From: Mark [EMAIL PROTECTED]
To: Andy Farkas [EMAIL PROTECTED]; Markie
[EMAIL PROTECTED]
Cc: Ruben de Groot [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 2:42 PM
Subject: Re: Restricting ICMP


 - Original Message -
 From: Andy Farkas [EMAIL PROTECTED]
 To: Markie [EMAIL PROTECTED]
 Cc: Mark [EMAIL PROTECTED]; Ruben de Groot [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Sent: Wednesday, August 13, 2003 3:20 PM
 Subject: Re: Restricting ICMP


   Is it? I thought it was setuid root for a reason :o)
  
   I just woke up, so it may well be I am just being stupid :o)
 
  Well, I didn't know ping needed suid. I stand corrected and
  apologise for any misleadings.
 
  /me is the stupid one... time to go to bed :)


 If it makes you feel any better, I feel rather stupid too. :) Here I was,
 thinking: Hmm, chmod g+s, as means of allowing only folks in wheel access,
 is not going to work; whereas the glaringly obvious solution: to remove
 execution-bits from o using chmod 4550, for some bizarre reason, escaped
 me. :)

 /me, feeling stupid too.

 - Mark





Re: Restricting ICMP

2003-08-14 Thread Ruben de Groot
On Wed, Aug 13, 2003 at 09:56:04AM +, Mark typed:
 - Original Message - 
 From: Andy Farkas [EMAIL PROTECTED]

SNIP

 I am just not very fond of the idea of local users starting ICMP wars over
 the net, using my server :) I have already had an instance where a web-user
 did an excessive ping attack on one of his buddies. And, naturally, I want
 to prevent that. The chmod u-s idea mentioned here, was a good idea. Except
 that, preferably, I'd like all of wheel to have access, and the rest not.
 And that may be harder to implement.

Not at all.

chmod 4550 /sbin/ping

-Ruben

 
 Thanks for your answer anyway,
 
 - Mark
 


Re: Restricting ICMP

2003-08-14 Thread Mark
- Original Message - 
From: Andy Farkas [EMAIL PROTECTED]
To: Mark [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 4:41 AM
Subject: Re: Restricting ICMP


 
  Is there a way I can use ipfw to disallow ICMP from anyone,
  but root? (FreeBSD 4.7R) I tried this:
 
   ${fwcmd} -q add 4 allow icmp from any to any icmptype 0,3,8,11 in
   via ${outside}
   ${fwcmd} -q add 4 allow icmp from any to any uid root
   ${fwcmd} -q add 4 deny log icmp from any to any

 man ipfw says:

   uid user
 Match all TCP or UDP packets sent by or received for a user.
 A user may be matched by name or identification number.

 ...which sort of implies it won't work for icmp.

 Why would you want this policy?

I am just not very fond of the idea of local users starting ICMP wars over
the net, using my server :) I have already had an instance where a web-user
did an excessive ping attack on one of his buddies. And, naturally, I want
to prevent that. The chmod u-s idea mentioned here, was a good idea. Except
that, preferably, I'd like all of wheel to have access, and the rest not.
And that may be harder to implement.

Thanks for your answer anyway,

- Mark



Re: Restricting ICMP

2003-08-14 Thread Mark
- Original Message - 
From: Mark [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 2:23 AM
Subject: Restricting ICMP


 Hello,

 Is there a way I can use ipfw to disallow ICMP from anyone, but
 root? (FreeBSD 4.7R) I tried this:

 ${fwcmd} -q add 4 allow icmp from any to any icmptype 0,3,8,11 in
 via ${outside}
 ${fwcmd} -q add 4 allow icmp from any to any uid root
 ${fwcmd} -q add 4 deny log icmp from any to any

 But that, obviously, does not do what I want it to, as it keeps
 denying everything going out. It may not even be possible to
 restrict ICMP that way, but it never hurts to ask. :)

Sorry for the addendum; but I was not entirely clear. I want to restrict
*outgoing* ICMP (traceroute and such) to anyone, but root.

- Mark



Re: Restricting ICMP

2003-08-14 Thread Markie

- Original Message -
From: Andy Farkas [EMAIL PROTECTED]
To: Mark [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 1:01 PM
Subject: Re: Restricting ICMP


 Mark wrote:

  I am just not very fond of the idea of local users starting ICMP wars over
  the net, using my server :) I have already had an instance where a web-user
  did an excessive ping attack on one of his buddies. And, naturally, I want
  to prevent that. The chmod u-s idea mentioned here, was a good idea. Except
  that, preferably, I'd like all of wheel to have access, and the rest not.
  And that may be harder to implement.

 If your users play up, put your BOFH hat on and lart them.

 chmod'ing /sbin/ping is useless - users can compile their own version of
 ping.

Is it? I thought it was setuid root for a reason :o)

[EMAIL PROTECTED]:/home/mrboo$ ls -l /sbin/ping
-r-sr-xr-x  1 toor  wheel  469492 Aug 11 14:57 /sbin/ping

No but really, copy ping to your user home, as a user, from
/usr/src/sbin/ping and compile it yourself...

[EMAIL PROTECTED]:/home/mrboo/ping$ make
Warning: Object directory not changed from original /usr/home/mrboo/ping
cc -O -pipe -march=pentium2 -DIPSEC -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized  -c ping.c
./ping
cc -O -pipe -march=pentium2 -DIPSEC -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized   -o ping ping.o -lm -lipsec
gzip -cn ping.8 > ping.8.gz
[EMAIL PROTECTED]:/home/mrboo/ping$ ./ping bone
ping: socket: Operation not permitted
[EMAIL PROTECTED]:/home/mrboo/ping$

I just woke up, so it may well be I am just being stupid :o)

 Make your users aware that abusing ping (and other net resources) will get
 them kicked and banned from your system.

 --

  :{ [EMAIL PROTECTED]

 Andy Farkas
 System Administrator
Speednet Communications
  http://www.speednet.com.au/





Re: Restricting ICMP

2003-08-14 Thread Ruben de Groot
On Wed, Aug 13, 2003 at 10:01:03PM +1000, Andy Farkas typed:
 Mark wrote:
 
  I am just not very fond of the idea of local users starting ICMP wars over
  the net, using my server :) I have already had an instance where a web-user
  did an excessive ping attack on one of his buddies. And, naturally, I want
  to prevent that. The chmod u-s idea mentioned here, was a good idea. Except
  that, preferably, I'd like all of wheel to have access, and the rest not.
  And that may be harder to implement.
 
 If your users play up, put your BOFH hat on and lart them.
 
 chmod'ing /sbin/ping is useless - users can compile their own version of
 ping.
 
They can compile all they want, but they can't make the command suid root,
which is required for ping to work.

[EMAIL PROTECTED]:/home/ruben cp /sbin/ping .
[EMAIL PROTECTED]:/home/ruben ./ping localhost
ping: socket: Operation not permitted

So I would say taking away the s bit (or the execute bit for others) can
be very useful.

-Ruben

 Make your users aware that abusing ping (and other net resources) will get
 them kicked and banned from your system.
 
 --
 
  :{ [EMAIL PROTECTED]
 
 Andy Farkas
 System Administrator
Speednet Communications
  http://www.speednet.com.au/
 
 
 
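The policy the thread converges on (Ruben's chmod 4550 so that only root and group wheel can run /sbin/ping, together with his demonstration that a user-built copy of ping fails at socket() without the setuid bit), as an added shell example that is not code from any list participant: it applies the mode, moves the binary into one group, and audits the result. The function names, the default group wheel and the use of chgrp are assumptions; the binary is assumed to already be owned by root, since a setuid bit on a file owned by anyone else grants nothing. The audit reads the permission string from ls -l, which has the same first ten characters on BSD and GNU systems.

```shell
#!/bin/sh
# Added example for the "Restricting ICMP" thread; not code from any poster.
# Assumptions: the target file is root-owned, the group name (default: wheel)
# exists, and the caller has the rights to chgrp/chmod the file.

# Print the 10-character permission string of a file, e.g. "-r-sr-x---".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Apply the policy from the thread: setuid for the owner, read+execute for
# one group, nothing for others (mode 4550).
# Usage: restrict_setuid_to_group FILE [GROUP]   (GROUP defaults to wheel)
restrict_setuid_to_group() {
    file=$1
    group=${2:-wheel}
    chgrp "$group" "$file" || return 1
    chmod 4550 "$file" || return 1
}

# Audit: succeed (exit 0) only when FILE carries exactly the 4550 layout,
# i.e. user bits r-s, group bits r-x, other bits ---.
check_restricted() {
    case "$(perm_string "$1")" in
        -r-sr-x---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Succeed when "others" still have an execute bit on FILE: the state the
# thread wants to get rid of for ping and traceroute.
others_can_exec() {
    case "$(perm_string "$1")" in
        ?????????x|?????????t) return 0 ;;
        *)                     return 1 ;;
    esac
}

# On the real system, as root (see Jonathan's list of binaries):
#   restrict_setuid_to_group /sbin/ping wheel
#   restrict_setuid_to_group /usr/sbin/traceroute wheel
#   check_restricted /sbin/ping && echo "ping restricted to root and wheel"
```

The mode alone is the control here: ping and traceroute need a raw socket, which the kernel only hands to root, so a copy compiled or cp'ed into a home directory runs without the setuid bit and fails with "socket: Operation not permitted" exactly as Ruben and Markie showed. Run check_restricted over both binaries after upgrades and make installworld, since those replace the files and reset the mode.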


Re: Restricting ICMP

2003-08-14 Thread Andy Farkas
Mark wrote:

 I am just not very fond of the idea of local users starting ICMP wars over
 the net, using my server :) I have already had an instance where a web-user
 did an excessive ping attack on one of his buddies. And, naturally, I want
 to prevent that. The chmod u-s idea mentioned here, was a good idea. Except
 that, preferably, I'd like all of wheel to have access, and the rest not.
 And that may be harder to implement.

If your users play up, put your BOFH hat on and lart them.

chmod'ing /sbin/ping is useless - users can compile their own version of
ping.

Make your users aware that abusing ping (and other net resources) will get
them kicked and banned from your system.

--

 :{ [EMAIL PROTECTED]

Andy Farkas
System Administrator
   Speednet Communications
 http://www.speednet.com.au/





Re: Restricting ICMP

2003-08-14 Thread Andy Farkas

 Is there a way I can use ipfw to disallow ICMP from anyone, but root?
 (FreeBSD 4.7R) I tried this:

 ${fwcmd} -q add 4 allow icmp from any to any icmptype 0,3,8,11 in via
 ${outside}
 ${fwcmd} -q add 4 allow icmp from any to any uid root
 ${fwcmd} -q add 4 deny log icmp from any to any

man ipfw says:

  uid user
Match all TCP or UDP packets sent by or received for a user. A
user may be matched by name or identification number.

...which sort of implies it won't work for icmp.

Why would you want this policy?

--

 :{ [EMAIL PROTECTED]

Andy Farkas
System Administrator
   Speednet Communications
 http://www.speednet.com.au/


