From 4dc24b22c79042e8f6959f5e59e21b8fb7249410 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 10 Oct 2023 10:51:59 -0400
Subject: [PATCH] accept icmp on input chain

---
 salt/firewall/iptables.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja
index c15a54e46..074663e15 100644
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -89,7 +89,6 @@ COMMIT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate INVALID -j DROP
--A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -j LOGGING
 -A FORWARD -j DOCKER-USER
@@ -103,6 +102,7 @@ COMMIT
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 -A OUTPUT -o lo -j ACCEPT
+# block icmp timestamp reply
 -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
 
 {%- for rule in D2 %}