diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 2a66a57d6..79f3ab10f 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -801,9 +801,10 @@ in
     # iptables.sandbox.capabilities = [ "net_admin" ];
 
     # iputils provides `ping` (and arping, clockdiff, tracepath)
-    iputils.sandbox.method = "landlock";
+    iputils.sandbox.method = "bunpen";
     iputils.sandbox.net = "all";
     iputils.sandbox.capabilities = [ "net_raw" ];
+    iputils.sandbox.tryKeepUsers = true;  # for `sudo arping 10.78.79.1`
 
     iw.sandbox.method = "landlock";
     iw.sandbox.net = "all";