pings are replied to for diagnostic reasons only. As unlimited response generation may open up a (D)DoS attack surface for both external and internal networks, dropping excessive traffic is reasonable.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- src/initscripts/system/firewall | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index b3483a744..622d7de4e 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -214,10 +214,12 @@ iptables_init() {
 iptables -N IPTVFORWARD
 iptables -A FORWARD -j IPTVFORWARD
- # Allow to ping the firewall.
+ # Allow non-excessive pings to the firewall
 iptables -N ICMPINPUT
 iptables -A INPUT -j ICMPINPUT
- iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
 # Accept everything on loopback
 iptables -N LOOPBACK
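Review bot: The new `-m limit --limit 100/second` on the ACCEPT line is one global counter (default `--limit-burst` of 5), so once a single sender has consumed that budget echo requests from every other host fall through to the DROP rule as well, which works against the diagnostic purpose the description gives for answering pings at all. A per-source bound would keep pings from other hosts working while the noisy one is dropped: `iptables -A ICMPINPUT -p icmp --icmp-type 8 -m hashlimit --hashlimit-name pingflood --hashlimit-mode srcip --hashlimit-upto 100/second -m limit --limit 100/second -j ACCEPT`, keeping `-m limit` on the same rule so the aggregate reply rate stays capped. The `-m comment --comment "DROP ping flood"` annotation sits on the LOG rule rather than on the final DROP rule, so a rule listing shows the label on the wrong line; moving it to the DROP rule would make the listing self-explanatory. Only `iptables` is touched here, so whether ICMPv6 echo requests get equivalent treatment elsewhere in the file cannot be judged from this hunk. The enclosing `iptables_init()` function starts before and continues after this hunk.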