On 02/24/2016 06:42 AM, John Cenile wrote:
Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface?
That is, more or less, the default. In order to send ICMP packets, an application must be root, or must have the CAP_NET_RAW capability (as root does). /usr/bin/ping and ping6 have that capability set, stored in the filesystem. Use "getcap /usr/bin/ping" to view it, or use "setcap -r" to remove them.
If you don't grant that capability to any binaries, and don't give users sudo or other "root" access, they won't be able to send ICMP packets.
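An added example, not part of the original message: a filter for `getcap -r` output that lists every file granting CAP_NET_RAW, so each can be reviewed and, if unwanted, cleared with `setcap -r` as the reply describes. The function names and the sample lines are constructed for illustration, and the parser assumes one capability clause per file, which is what getcap prints for typical binaries.

```shell
#!/bin/sh
# Added example: find files whose file capabilities include cap_net_raw.
# Reads `getcap -r` output on stdin and prints the matching paths.
#
# Both getcap output styles are handled:
#   older libcap:  /usr/bin/ping = cap_net_admin,cap_net_raw+p
#   newer libcap:  /usr/sbin/arping cap_net_raw=ep
# A bare "=ep" clause means every capability, so it is reported too.
files_with_net_raw() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        caps=${line##* }        # last field: the capability clause
        path=${line% *}         # everything before the clause
        path=${path% =}         # drop the " =" separator of the older style
        names=${caps%%[+=]*}    # capability names, without the +p / =ep flags
        case ",$names," in
            *,cap_net_raw,*|*,all,*|,,) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample input (not captured from a real system).
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/newgidmap = cap_setgid+ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/opt/example/all-caps-tool =ep
EOF
}

# Live use: sh thisfile --scan /usr   (needs getcap; run as root to see all files)
if [ "${1:-}" = "--scan" ]; then
    getcap -r "${2:-/}" 2>/dev/null | files_with_net_raw
fi
```
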