From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?=
To: development@lists.ipfire.org
Subject: [PATCH] drop excessive ICMP ping traffic to the firewall
Date: Thu, 04 Jul 2019 17:31:00 +0000
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4934835924346074177=="
List-Id:
--===============4934835924346074177==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
pings are replied to for diagnostic reasons only. As unlimited response generation may open up a (D)DoS attack surface for both external and internal networks, dropping excessive traffic is reasonable.
Signed-off-by: Peter M=C3=BCller
---
 src/initscripts/system/firewall | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index b3483a744..622d7de4e 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -214,10 +214,12 @@ iptables_init() {
 iptables -N IPTVFORWARD
 iptables -A FORWARD -j IPTVFORWARD
=20
- # Allow to ping the firewall.
+ # Allow non-excessive pings to the firewall
 iptables -N ICMPINPUT
 iptables -A INPUT -j ICMPINPUT
- iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j = ACCEPT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j L= OG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
=20
 # Accept everything on loopback
 iptables -N LOOPBACK
--=20
2.16.4
--===============4934835924346074177==--
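Review bot: The added `-m limit --limit 100/second` on the ACCEPT line is one token bucket shared by all sources, so once any single host pushes echo requests above the limit (the burst defaults to 5 when `--limit-burst` is not given), pings from every other host, including an administrator's own diagnostics, fall through to the new DROP rule for as long as that traffic lasts, which works against the stated diagnostic purpose. If xt_hashlimit is available on the platform, a per-source limit fits the goal better, e.g. `iptables -A ICMPINPUT -p icmp --icmp-type 8 -m hashlimit --hashlimit-upto 100/second --hashlimit-mode srcip --hashlimit-name PING_LIMIT -j ACCEPT` (the table name is illustrative), optionally keeping the present global `-m limit` rule behind it so an aggregate flood from many sources is still capped. Making the burst explicit with `--limit-burst` or `--hashlimit-burst` would also document the effective allowance, and the new comment could state that the two rules following it log and drop the excess rather than only describing the ACCEPT. iptables_init() begins before this hunk and continues past it.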