dpcreconsiler: Restrict ICMP rule to echo-request only.

Previously, the iptables rule allowed all ICMP traffic to enter the device. This change restricts it to only allow ICMP echo-request packets, reducing exposure to unnecessary ICMP message types. Return ICMP traffic remains unaffected as it is already covered by the RELATED,ESTABLISHED rule in the INPUT chain. This improves security by limiting external ICMP access to only what is necessary. Signed-off-by: Alexandros Kaouris <[email protected]>
lf-edge · Feb 24, 2025 · f219092 · f219092
1 parent 7be8b1e
commit f219092
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/pkg/pillar/dpcreconciler/linux.go b/pkg/pillar/dpcreconciler/linux.go
@@ -1783,7 +1783,7 @@ func (r *LinuxDpcReconciler) getIntendedFilterRules(gcp types.ConfigItemValueMap
 	// Allow all ICMP traffic to enter the device from outside.
 	icmpRule := iptables.Rule{
 		RuleLabel:   "Allow ICMP",
-		MatchOpts:   []string{"-p", "icmp"},
+		MatchOpts:   []string{"-p", "icmp", "--icmp-type", "echo-request"},
 		Target:      "ACCEPT",
 		Description: "Allow ICMP traffic to enter the device from outside",
 	}