From 0ed68b6c303ef337c07abd98b7956e1b6c5da6e7 Mon Sep 17 00:00:00 2001
From: Jack Ivanov <gunph1ld@users.noreply.github.com>
Date: Thu, 27 Apr 2017 18:47:05 +0200
Subject: [PATCH] Properly configure ICMP restrictions (#492)

---
 roles/vpn/templates/rules.v4.j2 | 3 +--
 roles/vpn/templates/rules.v6.j2 | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/roles/vpn/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2
index 5ced4ee..e040b18 100644
--- a/roles/vpn/templates/rules.v4.j2
+++ b/roles/vpn/templates/rules.v4.j2
@@ -22,7 +22,7 @@ COMMIT
 -A INPUT -p esp -j ACCEPT
 -A INPUT -p ah -j ACCEPT
 # rate limit ICMP traffic per source
--A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j DROP
+-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
 -A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT
@@ -41,4 +41,3 @@ COMMIT
 -A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
 -A FORWARD -m conntrack --ctstate NEW -s {{ vpn_network }} -m policy --pol ipsec --dir in -j ACCEPT
 COMMIT
-
diff --git a/roles/vpn/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2
index f8d9593..640f6d2 100644
--- a/roles/vpn/templates/rules.v6.j2
+++ b/roles/vpn/templates/rules.v6.j2
@@ -24,7 +24,7 @@ COMMIT
 -A INPUT -p esp -j ACCEPT
 -A INPUT -m ah -j ACCEPT
 # rate limit ICMP traffic per source
--A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j DROP
+-A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
 -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
@@ -57,4 +57,3 @@ COMMIT
 -A ICMPV6-CHECK-LOG -j LOG --log-prefix "ICMPV6-CHECK-LOG DROP "
 -A ICMPV6-CHECK-LOG -j DROP
 COMMIT
-