[CentOS] IPtables block user from outbound ICMP
Gordon Messmer
gordon.messmer at gmail.com
Wed Feb 24 17:20:42 UTC 2016
On 02/24/2016 06:42 AM, John Cenile wrote:
> Is it possible at all to block all users other than root from sending
> outbound ICMP packets on an interface?

That is, more or less, the default. In order to send ICMP packets, an application must be root, or must have the CAP_NET_RAW capability (as root does). /usr/bin/ping and ping6 have that capability set, stored in the filesystem. Use "getcap /usr/bin/ping" to view it, or use "setcap -r" to remove them.

If you don't grant that capability to any binaries, and don't give users sudo or other "root" access, they won't be able to send ICMP packets.
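
An added example, not part of the original message: a filter over getcap output that lists the files carrying cap_net_raw, so an administrator can see which binaries would need "setcap -r". The function names and the sample lines are constructed for illustration, and it assumes each file's capability text is a single clause.

```shell
#!/bin/sh
# Added example: reduce `getcap` output (stdin) to the files that carry
# cap_net_raw, i.e. the binaries that let a non-root user send ICMP.
# Handles both getcap output styles:
#   older libcap:  /usr/bin/ping = cap_net_admin,cap_net_raw+p
#   newer libcap:  /usr/bin/ping cap_net_raw=ep
# Assumption: one capability clause per file (the common case).
net_raw_files() {
    awk '
    {
        i = index($0, " = ")
        if (i > 0) {                        # older style: "path = caps"
            path = substr($0, 1, i - 1); caps = substr($0, i + 3)
        } else if (match($0, / [^ ]+$/)) {  # newer style: caps is the last field
            path = substr($0, 1, RSTART - 1); caps = substr($0, RSTART + 1)
        } else next
        # Either cap_net_raw is named in the comma-separated list, or the
        # clause has no names at all ("=ep"), which means every capability.
        if (("," caps ",") ~ /,cap_net_raw[,+=-]/ || caps ~ /^=/) print path
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_GETCAP='/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/ping6 cap_net_raw=ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/opt/my tools/probe cap_net_raw,cap_net_admin=ep
/usr/local/bin/everything =ep
/usr/bin/newuidmap cap_setuid=ep'

audit_sample() { printf '%s\n' "$SAMPLE_GETCAP" | net_raw_files; }

audit_sample
# On a real system: getcap -r / 2>/dev/null | net_raw_files
```

The recursive scan matters because the capability is stored per file, so any binary on the system, not only ping, can hold it.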