Making the ICMP rules more restrict and consistent

wilderrodrigues · wilderrodrigues · commit 0de25ac33dad · 2015-09-26T11:35:29.000+02:00
- Previous default configuration of routers and vpc routers had ICMP accept on all interfaces
     We now restrict the ICMP rule to eth0 (routers) eth1 (vpc routers) only
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr b/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr
@@ -31,7 +31,7 @@ COMMIT
 -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
+-A INPUT -i eth1 -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-router b/systemvm/patches/debian/config/etc/iptables/iptables-router
@@ -31,7 +31,7 @@ COMMIT
 -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
+-A INPUT -i eth1 -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter b/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
@@ -26,7 +26,7 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 -A INPUT -d 224.0.0.18/32 -j ACCEPT
 -A INPUT -d 225.0.0.50/32 -j ACCEPT
--A INPUT -p icmp -j ACCEPT
+-A INPUT -i eth0 -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp -m state --state NEW,ESTABLISHED --dport 3922 -j ACCEPT
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
