On 02/24/2016 06:42 AM, John Cenile wrote: > Is it possible at all to block all users other than root from sending > outbound ICMP packets on an interface? That is, more or less, the default. In order to send ICMP packets, an application must be root, or must have the CAP_NET_RAW capability (as root does). /usr/bin/ping and ping6 have that capability set, stored in the filesystem. Use "getcap /usr/bin/ping" to view it, or use "setcap -r" to remove them. If you don't grant that capability to any binaries, and don't give users sudo or other "root" access, they won't be able to send ICMP packets.