diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 7614f5f21..f7f75caf0 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -773,7 +773,10 @@ in
 
     # inetutils: ping, ifconfig, hostname, traceroute, whois, ....
     # N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
-    inetutils.sandbox.method = "landlock";  # want to keep the same netns, at least.
+    inetutils.sandbox.method = "bunpen";  # want to keep the same netns, at least.
+    inetutils.sandbox.net = "all";
+    inetutils.sandbox.capabilities = [ "net_raw" ];  # for `sudo traceroute google.com`
+    inetutils.sandbox.tryKeepUsers = true;
 
     iotop.sandbox.method = "landlock";
     iotop.sandbox.extraPaths = [