From 1fbe904a137999535e14bbebf251e08882414509 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Wed, 11 Sep 2013 16:26:29 +0300
Subject: [PATCH] firewall: Modified iptables templates to allow blocking of incoming ICMP.

---
 firewall/templates/ip6tables.erb | 2 +-
 firewall/templates/iptables.erb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/firewall/templates/ip6tables.erb b/firewall/templates/ip6tables.erb
index 3a47899..5163020 100644
--- a/firewall/templates/ip6tables.erb
+++ b/firewall/templates/ip6tables.erb
@@ -12,7 +12,6 @@
 -A INPUT -m tcp -p tcp ! --syn -j ACCEPT
 -A INPUT -m udp -p udp --dport 32768:61000 -j ACCEPT
 <% end -%>
--A INPUT -p ipv6-icmp -j ACCEPT
 <%
 @firewall_rules.each do |rule|
 rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
@@ -26,6 +25,7 @@
 -%>
 <%= rule %>
 <% end -%>
+-A INPUT -p ipv6-icmp -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
 -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT
diff --git a/firewall/templates/iptables.erb b/firewall/templates/iptables.erb
index 9f7a267..105b3ad 100644
--- a/firewall/templates/iptables.erb
+++ b/firewall/templates/iptables.erb
@@ -6,7 +6,6 @@
 -A INPUT -p ah -j ACCEPT
 -A INPUT -p esp -j ACCEPT
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--A INPUT -p icmp --icmp-type any -j ACCEPT
 <%
 @firewall_rules.each do |rule|
 rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
@@ -20,6 +19,7 @@
 -%>
 <%= rule %>
 <% end -%>
+-A INPUT -p icmp --icmp-type any -j ACCEPT
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -j REJECT --reject-with icmp-port-unreachable
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
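Review bot: Placing the blanket `-A INPUT -p ipv6-icmp -j ACCEPT` below the user rules in the two ip6tables.erb hunks lets a user rule reject ICMPv6 wholesale, and on IPv6 that also drops Neighbor Discovery (neighbour solicitation/advertisement), Router Advertisement and Packet Too Big, without which the host loses address resolution and path-MTU handling; if ip6tables.erb has the same `ESTABLISHED,RELATED` accept that iptables.erb shows, that still does not cover unsolicited ND traffic. Consider accepting those essential ICMPv6 types unconditionally where the removed line stood in the first hunk, so that only the remaining types (echo-request and the like) are subject to user rules, with the relocated catch-all kept as it is. The iptables.erb hunks have no equivalent issue, since IPv4 does not depend on ICMP for neighbour resolution. The ERB loop that the second hunk closes is opened in the first hunk, and the code between them is outside this diff.
```erb
<% end -%>
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
<%# … unchanged: @firewall_rules loop, relocated catch-all ipv6-icmp accept, REJECT rules … %>
```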
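Review bot: The relocated `-A INPUT -p icmp --icmp-type any -j ACCEPT` in the second iptables.erb hunk now depends entirely on sitting after the `<% end -%>` of the user-rules loop, and nothing in the template records that, so a later tidy-up could move it back above the loop and silently re-enable ICMP for every host; the same applies to the ipv6-icmp line in ip6tables.erb. An ERB comment produces no output in the generated ruleset, so add one above each relocated line, e.g. `<%# Kept after the user rules so a user-supplied rule can reject ICMP before it is accepted here %>`. Since the visible `ESTABLISHED,RELATED` accept in the first hunk already admits ICMP errors tied to existing flows, `--icmp-type any` mainly adds unsolicited types such as echo-request; narrowing it to the types actually wanted would be a reasonable follow-up. Whether a user entry can reach ICMP at all depends on how the loop emits non-`tcp/udp` entries, which falls between the two hunks and outside this diff.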