diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 0d9f88df..1a596021 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1294,17 +1294,15 @@ class QubesProxyVm(QubesNetVm):
             iptables += "# '{0}' VM:\n".format(vm.name)
             iptables += "-A FORWARD ! -s {0}/32 -i vif{1}.0 -j DROP\n".format(vm.ip, xid)
 
-
             accept_action = "ACCEPT"
             reject_action = "REJECT --reject-with icmp-host-prohibited"
 
             if conf["allow"]:
-                rules_action = accept_action
-                default_action = reject_action
-                iptables += "-A FORWARD -i vif{0}.0 -p icmp -j ACCEPT\n".format(xid)
-            else:
-                rules_action = reject_action
                 default_action = accept_action
+                rules_action = reject_action
+            else:
+                default_action = reject_action
+                rules_action = accept_action
 
             for rule in conf["rules"]:
                 iptables += "-A FORWARD -i vif{0}.0 -d {1}".format(xid, rule["address"])
@@ -1322,6 +1320,8 @@ class QubesProxyVm(QubesNetVm):
                 # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm_vm. properties
                 iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.gateway)
                 iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.secondary_dns)
+            if conf["allowIcmp"]:
+                iptables += "-A FORWARD -i vif{0}.0 -p icmp -j ACCEPT\n".format(xid)
 
             iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action)
 
@@ -1491,7 +1491,8 @@ class QubesAppVm(QubesCowVm):
         root = xml.etree.ElementTree.Element(
                 "QubesFirwallRules",
                 policy = "allow" if conf["allow"] else "deny",
-                dns = "allow" if conf["allowDns"] else "deny"
+                dns = "allow" if conf["allowDns"] else "deny",
+                icmp = "allow" if conf["allowIcmp"] else "deny"
         )
 
         for rule in conf["rules"]:
@@ -1525,7 +1526,7 @@ class QubesAppVm(QubesCowVm):
         return True
 
     def get_firewall_conf(self):
-        conf = { "rules": list(), "allow": True, "allowDns": True }
+        conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
 
         try:
             tree = xml.etree.ElementTree.parse(self.firewall_conf)
@@ -1533,6 +1534,7 @@ class QubesAppVm(QubesCowVm):
 
             conf["allow"] = (root.get("policy") == "allow")
             conf["allowDns"] = (root.get("dns") == "allow")
+            conf["allowIcmp"] = (root.get("icmp") == "allow")
 
             for element in root:
                 rule = {}