From ccb6462d54b557a482a65ecaa6cbe18da4eac2a9 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Wed, 22 Oct 2014 15:55:05 +0000
Subject: [PATCH] set a rate limit for incoming ICMP echo request packets
---
 firewall | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/firewall b/firewall
index 9ccf2f9..3ab2f80 100755
--- a/firewall
+++ b/firewall
@@ -179,8 +179,10 @@ generate_filter() {
 # Enable 6to4 protocols.
 add_rule -A base-input -p ipv6 -j ACCEPT
- # Allow useful ICMPs.
- for icmptype in 3 4 8 11 12 ; do
+ # Allow useful ICMPs (but rate-limit incoming echo requests).
+ add_rule4 -A base-input -p icmp -m icmp --icmp-type 8 -m limit \
+ --limit 3/s -j ACCEPT
+ for icmptype in 3 4 11 12 ; do
 add_rule4 -A base-input -p icmp -m icmp \
 --icmp-type ${icmptype} -j ACCEPT
 done
-- 
GitLab
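Review bot: The new echo-request rule matches with `-m limit --limit 3/s`, which is a single token bucket shared by all sources (and, with no `--limit-burst` given, the default burst of 5), so one host pinging at a high rate can use up the allowance and make legitimate monitoring pings miss this ACCEPT. If per-source fairness is wanted, the match could be `-m hashlimit --hashlimit-upto 3/s --hashlimit-mode srcip --hashlimit-name icmp-echo` (the name is an example). Echo requests over the limit fall through to whatever follows in base-input, which is outside this hunk, so the limit only takes effect if no later rule accepts them; a comment such as `# Echo requests above the limit fall through to the rest of base-input.` would make that dependency explicit. The body of generate_filter starts and ends outside the hunk.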