Re: Restricting ICMP
----- Original Message -----
From: Andy Farkas [EMAIL PROTECTED]
To: Markie [EMAIL PROTECTED]
Cc: Mark [EMAIL PROTECTED]; Ruben de Groot [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 3:20 PM
Subject: Re: Restricting ICMP

> > > Is it? I thought it was setuid root for a reason :o)
> > > I just woke up, so it may well be I am just being stupid :o)
> >
> > Well, I didn't know ping needed suid. I stand corrected and apologise for any misleadings.
>
> /me is the stupid one... time to go to bed :)

If it makes you feel any better, I feel rather stupid too. :) Here I was, thinking: "Hmm, chmod g+s, as a means of allowing only folks in wheel access, is not going to work"; whereas the glaringly obvious solution, removing the execution bits from "o" using chmod 4550, for some bizarre reason escaped me. :)

/me, feeling stupid too.

- Mark

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Restricting ICMP
> > Is it? I thought it was setuid root for a reason :o)
> > ...
> > I just woke up, so it may well be I am just being stupid :o)
>
> Well, I didn't know ping needed suid. I stand corrected and apologise for any misleadings.

/me is the stupid one... time to go to bed :)

--
:{ [EMAIL PROTECTED]
Andy Farkas
System Administrator
Speednet Communications
http://www.speednet.com.au/
Re: Restricting ICMP
On Tue, Aug 12, 2003 at 12:28:40AM, Mark wrote:
[..]
> Sorry for the addendum; but I was not entirely clear. I want to restrict *outgoing* ICMP (traceroute and such) to anyone, but root.

# chmod u-s /usr/sbin/traceroute /sbin/ping

--
Jonathan Chen [EMAIL PROTECTED]
--
"If everything's under control, you're going too slow" - Mario Andretti
Re: Restricting ICMP
lol. Must just be one of those days, eh? I can't get enough of them :o)

----- Original Message -----
From: Mark [EMAIL PROTECTED]
To: Andy Farkas [EMAIL PROTECTED]; Markie [EMAIL PROTECTED]
Cc: Ruben de Groot [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 2:42 PM
Subject: Re: Restricting ICMP

> ----- Original Message -----
> From: Andy Farkas [EMAIL PROTECTED]
> To: Markie [EMAIL PROTECTED]
> Cc: Mark [EMAIL PROTECTED]; Ruben de Groot [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Wednesday, August 13, 2003 3:20 PM
> Subject: Re: Restricting ICMP
>
> > > > Is it? I thought it was setuid root for a reason :o)
> > > > I just woke up, so it may well be I am just being stupid :o)
> > >
> > > Well, I didn't know ping needed suid. I stand corrected and apologise for any misleadings.
> >
> > /me is the stupid one... time to go to bed :)
>
> If it makes you feel any better, I feel rather stupid too. :) Here I was, thinking: "Hmm, chmod g+s, as a means of allowing only folks in wheel access, is not going to work"; whereas the glaringly obvious solution, removing the execution bits from "o" using chmod 4550, for some bizarre reason escaped me. :)
>
> /me, feeling stupid too.
>
> - Mark
Re: Restricting ICMP
On Wed, Aug 13, 2003 at 09:56:04AM, Mark typed:
> ----- Original Message -----
> From: Andy Farkas [EMAIL PROTECTED]
>
> [SNIP]
>
> I am just not very fond of the idea of local users starting ICMP wars over the net, using my server :) I have already had an instance where a web-user did an excessive ping attack on one of his buddies. And, naturally, I want to prevent that.
>
> The chmod u-s idea mentioned here was a good idea. Except that, preferably, I'd like all of wheel to have access, and the rest not. And that may be harder to implement.

Not at all.

chmod 4550 /sbin/ping

-Ruben

> Thanks for your answer anyway,
>
> - Mark
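The chmod 4550 approach Ruben gives above can be turned into a small audit-and-fix routine. The script below is an added example written for this page, not code from the thread or from FreeBSD: it finds setuid binaries that are still executable by "other" (the exposure Mark is worried about), and applies 4550 to a given file, which keeps the setuid bit so ping can still open its raw socket while limiting execution to the owner and the file's group. It assumes a POSIX sh and a find(1) that understands -perm -o=x (both GNU and BSD find do); the directory argument and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit setuid binaries that are still
# executable by "other", and apply the chmod 4550 fix discussed on the list.
# 4550 = setuid + owner r-x + group r-x + nothing for other, so only root and
# members of the file's group (wheel on a stock /sbin/ping) can run it, and
# the binary still gets the raw socket it needs because setuid is kept.

# Return 0 (true) when a four-digit octal mode such as 4555 has the setuid
# bit set AND grants execute to "other". A leading zero is stripped so the
# shell does not treat the digits as an octal literal; we only inspect digits.
setuid_world_exec() {
    mode=${1#0}
    other=$(( mode % 10 ))        # last digit: permissions for "other"
    special=$(( mode / 1000 ))    # first digit: setuid(4)/setgid(2)/sticky(1)
    [ $(( special & 4 )) -ne 0 ] && [ $(( other & 1 )) -ne 0 ]
}

# Print every regular file under the given directory that is setuid and
# executable by "other": these are the candidates for chmod 4550.
find_exposed_setuid() {
    find "$1" -type f -perm -4000 -perm -o=x 2>/dev/null
}

# Keep setuid, owner r-x, group r-x, nothing for other (the thread's fix).
# Note: this does not change the owner or group; check with ls -l that the
# group really is the one you intend (wheel) before relying on it.
restrict_to_group() {
    chmod 4550 "$1"
}

# Stand-alone use (assumed invocation): sh audit_setuid.sh /sbin
# Only audits; it never changes anything unless restrict_to_group is called.
if [ $# -gt 0 ]; then
    find_exposed_setuid "$1"
fi
```

Two caveats a practitioner would want: the audit only catches setuid binaries, so on Linux systems where ping carries the cap_net_raw file capability instead of the setuid bit it will not be listed, and on FreeBSD the same treatment applies to /usr/sbin/traceroute, which also needs raw sockets.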
Re: Restricting ICMP
----- Original Message -----
From: Andy Farkas [EMAIL PROTECTED]
To: Mark [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 4:41 AM
Subject: Re: Restricting ICMP

> > Is there a way I can use ipfw to disallow ICMP from anyone, but root? (FreeBSD 4.7R)
> >
> > I tried this:
> >
> > ${fwcmd} -q add 4 allow icmp from any to any icmptype 0,3,8,11 in via ${outside}
> > ${fwcmd} -q add 4 allow icmp from any to any uid root
> > ${fwcmd} -q add 4 deny log icmp from any to any
>
> man ipfw says:
>
>     uid user
>         Match all TCP or UDP packets sent by or received for a user.
>         A user may be matched by name or identification number.
>
> ...which sort of implies it won't work for icmp.
>
> Why would you want this policy?

I am just not very fond of the idea of local users starting ICMP wars over the net, using my server :) I have already had an instance where a web-user did an excessive ping attack on one of his buddies. And, naturally, I want to prevent that.

The chmod u-s idea mentioned here was a good idea. Except that, preferably, I'd like all of wheel to have access, and the rest not. And that may be harder to implement.

Thanks for your answer anyway,

- Mark
Re: Restricting ICMP
----- Original Message -----
From: Mark [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 2:23 AM
Subject: Restricting ICMP

> Hello,
>
> Is there a way I can use ipfw to disallow ICMP from anyone, but root? (FreeBSD 4.7R)
>
> I tried this:
>
> ${fwcmd} -q add 4 allow icmp from any to any icmptype 0,3,8,11 in via ${outside}
> ${fwcmd} -q add 4 allow icmp from any to any uid root
> ${fwcmd} -q add 4 deny log icmp from any to any
>
> But that, obviously, does not do what I want it to, as it keeps denying everything going out. It may not even be possible to restrict ICMP that way, but it never hurts to ask. :)

Sorry for the addendum; but I was not entirely clear. I want to restrict *outgoing* ICMP (traceroute and such) to anyone, but root.

- Mark
Re: Restricting ICMP
----- Original Message -----
From: Andy Farkas [EMAIL PROTECTED]
To: Mark [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 1:01 PM
Subject: Re: Restricting ICMP

> > Mark wrote:
> >
> > > I am just not very fond of the idea of local users starting ICMP wars over the net, using my server :) I have already had an instance where a web-user did an excessive ping attack on one of his buddies. And, naturally, I want to prevent that.
> > >
> > > The chmod u-s idea mentioned here was a good idea. Except that, preferably, I'd like all of wheel to have access, and the rest not. And that may be harder to implement.
> >
> > If your users play up, put your BOFH hat on and lart them.
> >
> > chmod'ing /sbin/ping is useless - users can compile their own version of ping.
>
> Is it? I thought it was setuid root for a reason :o)
>
> [EMAIL PROTECTED]:/home/mrboo$ ls -l /sbin/ping
> -r-sr-xr-x  1 toor  wheel  469492 Aug 11 14:57 /sbin/ping
>
> No but really, copy ping to your user home, as a user, from /usr/src/sbin/ping and compile it yourself...
>
> [EMAIL PROTECTED]:/home/mrboo/ping$ make
> Warning: Object directory not changed from original /usr/home/mrboo/ping
> cc -O -pipe -march=pentium2 -DIPSEC -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized -c ping.c
> cc -O -pipe -march=pentium2 -DIPSEC -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized -o ping ping.o -lm -lipsec
> gzip -cn ping.8 > ping.8.gz
> [EMAIL PROTECTED]:/home/mrboo/ping$ ./ping bone
> ping: socket: Operation not permitted
> [EMAIL PROTECTED]:/home/mrboo/ping$
>
> I just woke up, so it may well be I am just being stupid :o)
>
> > Make your users aware that abusing ping (and other net resources) will get them kicked and banned from your system.
>
> --
> :{ [EMAIL PROTECTED]
> Andy Farkas
> System Administrator
> Speednet Communications
> http://www.speednet.com.au/
Re: Restricting ICMP
On Wed, Aug 13, 2003 at 10:01:03PM +1000, Andy Farkas typed:
> Mark wrote:
>
> > I am just not very fond of the idea of local users starting ICMP wars over the net, using my server :) I have already had an instance where a web-user did an excessive ping attack on one of his buddies. And, naturally, I want to prevent that.
> >
> > The chmod u-s idea mentioned here was a good idea. Except that, preferably, I'd like all of wheel to have access, and the rest not. And that may be harder to implement.
>
> If your users play up, put your BOFH hat on and lart them.
>
> chmod'ing /sbin/ping is useless - users can compile their own version of ping.

They can compile all they want, but they can't make the command suid root, which is required for ping to work.

[EMAIL PROTECTED]:/home/ruben cp /sbin/ping .
[EMAIL PROTECTED]:/home/ruben ./ping localhost
ping: socket: Operation not permitted

So I would say taking away the s bit (or the execute bit for others) can be very useful.

-Ruben

> Make your users aware that abusing ping (and other net resources) will get them kicked and banned from your system.
>
> --
> :{ [EMAIL PROTECTED]
> Andy Farkas
> System Administrator
> Speednet Communications
> http://www.speednet.com.au/
Re: Restricting ICMP
Mark wrote:

> I am just not very fond of the idea of local users starting ICMP wars over the net, using my server :) I have already had an instance where a web-user did an excessive ping attack on one of his buddies. And, naturally, I want to prevent that.
>
> The chmod u-s idea mentioned here was a good idea. Except that, preferably, I'd like all of wheel to have access, and the rest not. And that may be harder to implement.

If your users play up, put your BOFH hat on and lart them.

chmod'ing /sbin/ping is useless - users can compile their own version of ping.

Make your users aware that abusing ping (and other net resources) will get them kicked and banned from your system.

--
:{ [EMAIL PROTECTED]
Andy Farkas
System Administrator
Speednet Communications
http://www.speednet.com.au/
Re: Restricting ICMP
> Is there a way I can use ipfw to disallow ICMP from anyone, but root? (FreeBSD 4.7R)
>
> I tried this:
>
> ${fwcmd} -q add 4 allow icmp from any to any icmptype 0,3,8,11 in via ${outside}
> ${fwcmd} -q add 4 allow icmp from any to any uid root
> ${fwcmd} -q add 4 deny log icmp from any to any

man ipfw says:

    uid user
        Match all TCP or UDP packets sent by or received for a user.
        A user may be matched by name or identification number.

..which sort of implies it won't work for icmp.

Why would you want this policy?

--
:{ [EMAIL PROTECTED]
Andy Farkas
System Administrator
Speednet Communications
http://www.speednet.com.au/