diff --git a/firewall b/firewall
index 9ccf2f9348d47bd9db45a8d4a1d8292bea05aac6..3ab2f80828c2190bc68cee02b48f067a4b1b8b7e 100755
--- a/firewall
+++ b/firewall
@@ -179,8 +179,10 @@ generate_filter() {
     # Enable 6to4 protocols.
     add_rule -A base-input -p ipv6 -j ACCEPT
 
-    # Allow useful ICMPs.
-    for icmptype in 3 4 8 11 12 ; do
+    # Allow useful ICMPs (but rate-limit incoming echo requests).
+    add_rule4 -A base-input -p icmp -m icmp --icmp-type 8 -m limit \
+        --limit 3/s -j ACCEPT
+    for icmptype in 3 4 11 12 ; do
         add_rule4 -A base-input -p icmp -m icmp \
             --icmp-type ${icmptype} -j ACCEPT
     done