Re: [CentOS] IPtables block user from outbound ICMP

2016-02-25 Thread Always Learning
On Thu, 2016-02-25 at 07:19 +, James Hogarth wrote: > Well if you really want to call it a problem... Blocking ICMP via a host > based firewall remains pretty silly. On all servers I used IPtables to block (DROP) all incoming ICMPs except:- type 0 state RELATED,ESTABLISHED type 3 state REL

Re: [CentOS] IPtables block user from outbound ICMP

2016-02-24 Thread James Hogarth
On 25 Feb 2016 00:30, "John Cenile" wrote: > > Thanks all, that seemed to be the problem (the suid bit). :) Well if you really want to call it a problem... Blocking ICMP via a host based firewall remains pretty silly. Bear in mind that since it's a file permission this will be 'fixed' on any upd

Re: [CentOS] IPtables block user from outbound ICMP

2016-02-24 Thread John Cenile
> >>> From: "John Cenile" > >>> To: "centos" > >>> Sent: Wednesday 24 February 2016 15:42:36 > >>> Subject: [CentOS] IPtables block user from outbound ICMP > >>> Is it possible at all to block all users other than roo

Re: [CentOS] IPtables block user from outbound ICMP

2016-02-24 Thread Valeri Galtsev
On Wed, February 24, 2016 12:25 pm, Alexander Dalloz wrote: > On 24.02.2016 at 16:07, Sylvain CANOINE wrote: >> Hello, >> - Original Mail - >>> From: "John Cenile" >>> To: "centos" >>> Sent: Wednesday 24 February 2016 15:42

Re: [CentOS] IPtables block user from outbound ICMP

2016-02-24 Thread Alexander Dalloz
On 24.02.2016 at 15:42, John Cenile wrote: Hello, Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface? At the moment we have the following two rules in our IPtables config: iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT ipta

Re: [CentOS] IPtables block user from outbound ICMP

2016-02-24 Thread Alexander Dalloz
On 24.02.2016 at 16:07, Sylvain CANOINE wrote: Hello, - Original Mail - From: "John Cenile" To: "centos" Sent: Wednesday 24 February 2016 15:42:36 Subject: [CentOS] IPtables block user from outbound ICMP Is it possible at all to block all users other than root f

Re: [CentOS] IPtables block user from outbound ICMP

2016-02-24 Thread Gordon Messmer
On 02/24/2016 06:42 AM, John Cenile wrote: Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface? That is, more or less, the default. In order to send ICMP packets, an application must be root, or must have the CAP_NET_RAW capability (as

Re: [CentOS] IPtables block user from outbound ICMP

2016-02-24 Thread Sylvain CANOINE
Hello, - Original Mail - > From: "John Cenile" > To: "centos" > Sent: Wednesday 24 February 2016 15:42:36 > Subject: [CentOS] IPtables block user from outbound ICMP > Is it possible at all to block all users other than root from sending > outbound ICM

[CentOS] IPtables block user from outbound ICMP

2016-02-24 Thread John Cenile
Hello, Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface? At the moment we have the following two rules in our IPtables config: iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT iptables -A OUTPUT -o eth1 -j DROP But this still