From 10f34762ed9dcddd9df4f78449dcc66ebabb168f Mon Sep 17 00:00:00 2001
From: mivirl <>
Date: Wed, 22 May 2024 09:39:40 -0500
Subject: [PATCH] Remove icmp echo rate limits; Copy nftables config

For at least some distributions, /etc/sysconfig/nftables.conf is persistent while /etc/nftables.conf is not.
---
 firewall.sh | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/firewall.sh b/firewall.sh
index 91f4bcc..3fa3c83 100755
--- a/firewall.sh
+++ b/firewall.sh
@@ -146,6 +146,9 @@ persist_rules() {
         printf "#!/usr/sbin/nft -f\n" > /etc/nftables.conf
         printf "flush ruleset\n" >> /etc/nftables.conf
         nft list ruleset >> /etc/nftables.conf
+        if [ -d /etc/sysconfig ]; then
+            cp /etc/nftables.conf /etc/sysconfig/nftables.conf
+        fi
     fi
 }
 
@@ -305,11 +308,11 @@ allow_dns() {
 allow_ping() {
     printf "Allowing icmp pings\n"
     if [ "$FIREWALL" = "iptables" ]; then
-        iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/sec -j ACCEPT
-        iptables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/sec -j ACCEPT
+        iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+        iptables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
     elif [ "$FIREWALL" = "nftables" ]; then
-        nft add rule inet filter input icmp type \{ echo-request \} limit rate 10/second accept
-        nft add rule inet filter input icmpv6 type \{ echo-request \} limit rate 10/second accept
+        nft add rule inet filter input icmp type echo-request accept
+        nft add rule inet filter input icmpv6 type echo-request accept
     fi
 }
 
-- 
2.39.5
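Review bot: The added `cp /etc/nftables.conf /etc/sysconfig/nftables.conf` in persist_rules is unchecked, so if the copy fails the script reports nothing and the ruleset is silently not persisted on exactly the distributions the commit message says depend on that file; the surrounding `nft list ruleset >> /etc/nftables.conf` has the same gap, but the new line is the one that matters here. Suggest `cp -- /etc/nftables.conf /etc/sysconfig/nftables.conf || printf 'warning: could not persist ruleset to /etc/sysconfig/nftables.conf\n' >&2`, and a why-comment above the `if`, e.g. `# Some distributions load /etc/sysconfig/nftables.conf at boot rather than /etc/nftables.conf`, so the rationale from the commit message survives in the code. Note that `-d /etc/sysconfig` only proves the directory exists, not that the distribution's nftables service reads that path, so on other systems this leaves a second copy that can drift from /etc/nftables.conf; that seems acceptable but is worth stating in the comment. persist_rules starts before this hunk.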
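Review bot: Dropping `limit rate 10/second` / `-m limit --limit 10/sec` from all four echo-request rules in allow_ping removes the only ceiling on how many pings the host will answer, and neither the hunk nor the commit message records why that flood protection is no longer wanted. If the limit was too low rather than unwanted, a variable with the old value as default keeps the protection while making it tunable, e.g. `nft add rule inet filter input icmp type echo-request limit rate "${PING_RATE_LIMIT:-10}/second" accept` (the same for the icmpv6 and iptables lines); otherwise a one-line why-comment above the rules, such as `# echo-request is deliberately not rate-limited: <reason>`, with the real reason filled in. Separately, the retained `iptables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT` line appears to pass an ip6tables-only match to the IPv4 iptables binary, which I would expect to fail unless `iptables` is wrapped elsewhere in the script; that predates this change but the line is rewritten here, so it is a good moment to switch it to `ip6tables`.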