Hi,

> On 4 Jul 2019, at 18:31, Peter Müller wrote:
>
> pings are replied to for diagnostic reasons only. As unlimited
> response generation may open up a (D)DoS attack surface for
> both external and internal networks, dropping excessive traffic
> is reasonable.

IPFire won't do this. We have this configuration in place to avoid this which also works for any other kind of ICMP message (or at least what is selected by the mask):

    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    net.ipv4.icmp_ratelimit = 1000
    net.ipv4.icmp_ratemask = 6168

This is from /etc/sysctl.conf.

So do you still want the patch?

-Michael

> Signed-off-by: Peter Müller
> ---
> src/initscripts/system/firewall | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index b3483a744..622d7de4e 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -214,10 +214,12 @@ iptables_init() {
> iptables -N IPTVFORWARD
> iptables -A FORWARD -j IPTVFORWARD
>
> - # Allow to ping the firewall.
> + # Allow non-excessive pings to the firewall
> iptables -N ICMPINPUT
> iptables -A INPUT -j ICMPINPUT
> - iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
> + iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
> + iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
> + iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
>
> # Accept everything on loopback
> iptables -N LOOPBACK
> --
> 2.16.4
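Review bot: the `-m limit --limit 100/second` match on the new ACCEPT rule is one global token bucket, not a per-source one, so a single host exceeding the rate makes echo requests from every other address (including the internal diagnostic pings the reply mentions) fall through to the new DROP rule; if the goal is to contain a flood without degrading ping for everyone, `-m hashlimit --hashlimit-mode srcip` with the same 100/second rate keys the limit per source address. Two smaller points in the same hunk: `--limit 100/second` without `--limit-burst` relies on the default burst of 5, which is worth stating in the comment, and the `-m comment --comment "DROP ping flood"` is attached to the LOG rule rather than the DROP rule that actually drops. Separately, the sysctl configuration quoted in the reply only limits the types selected by net.ipv4.icmp_ratemask, and 6168 (0x1818) sets bits 3, 4, 11 and 12 (destination unreachable, source quench, time exceeded, parameter problem) but not bit 8, so net.ipv4.icmp_ratelimit on its own does not cover echo requests.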
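To see which ICMP types the sysctl settings quoted in the reply actually rate-limit, here is an added example (not code from the IPFire tree or from either poster) that parses those four lines and decodes net.ipv4.icmp_ratemask bit by bit; the parse_sysctl, ratemask_types and is_rate_limited helpers and the ICMP_TYPE_NAMES table are my own.

```python
# Added example (not from the IPFire tree or the reply): decode the
# net.ipv4.icmp_ratemask value quoted above and report which ICMP types
# the kernel's icmp_ratelimit is applied to (bit N of the mask = type N).

# ICMP type numbers relevant to the discussion (my own lookup table).
ICMP_TYPE_NAMES = {
    0: "echo-reply",
    3: "destination-unreachable",
    4: "source-quench",
    8: "echo-request",
    11: "time-exceeded",
    12: "parameter-problem",
}

# Constructed input: the four sysctl lines quoted from /etc/sysctl.conf above.
SYSCTL_CONF = """\
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
"""


def parse_sysctl(text):
    """Parse 'key = value' lines into a dict of ints; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = int(value)
    return settings


def ratemask_types(mask):
    """ICMP type numbers whose bit is set in an icmp_ratemask value."""
    return [icmp_type for icmp_type in range(256) if mask >> icmp_type & 1]


def is_rate_limited(settings, icmp_type):
    """True if icmp_ratelimit is enabled (non-zero) and icmp_ratemask selects this type."""
    limit = settings.get("net.ipv4.icmp_ratelimit", 0)  # 0 disables the limiter
    mask = settings.get("net.ipv4.icmp_ratemask", 0)
    return limit > 0 and bool(mask >> icmp_type & 1)


if __name__ == "__main__":
    cfg = parse_sysctl(SYSCTL_CONF)
    for icmp_type in ratemask_types(cfg["net.ipv4.icmp_ratemask"]):
        print(f"type {icmp_type:2d} ({ICMP_TYPE_NAMES.get(icmp_type, 'unnamed')}) is rate-limited")
    print("echo-request (type 8) rate-limited:", is_rate_limited(cfg, 8))
```

With the values from the reply this lists types 3, 4, 11 and 12 and reports type 8 as not rate-limited by the sysctl settings.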