From b9e51f9ab3a4f20728f58fdc77728c1f4c98fec7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Wed, 30 Dec 2015 02:09:23 +0100
Subject: [PATCH] network: use more strict policy about incoming traffic

Do not allow ICMP from uplink VM (or the outside world). Also do not send ICMP icmp-host-prohibited to the uplink.

Fixes QubesOS/qubes-issues#1346
---
 network/iptables | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/network/iptables b/network/iptables
index a23bb82..51e652c 100644
--- a/network/iptables
+++ b/network/iptables
@@ -19,9 +19,10 @@ COMMIT
 :OUTPUT ACCEPT [128:12536]
 -A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
+-A INPUT -i vif+ -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -i vif+ -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -j DROP
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i vif+ -o vif+ -j DROP
 -A FORWARD -i vif+ -j ACCEPT
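Review bot: The new terminal `-A INPUT -j DROP` makes the INPUT chain's built-in policy irrelevant once the rule set is loaded, but the `:INPUT` policy line sits above this hunk and is not visible here; if it is still `ACCEPT`, changing it to `:INPUT DROP [0:0]` would let the chain fail closed in addition to relying on the explicit last rule. Because iptables-restore ignores lines beginning with `#`, the intent behind the three new rules deserves a comment directly above them, for example `# Unsolicited traffic from the uplink (non-vif) is silently dropped; only vif+ receives an ICMP reject so the uplink learns nothing about the host.` The unrestricted `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` that precedes them still admits ICMP errors associated with tracked connections from the uplink (e.g. fragmentation-needed for path MTU discovery), which looks intentional since it keeps outbound connectivity working; confirm that is the desired behaviour given the stricter stance described in the commit message.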