From fc6ca8f6d0fa3fa8d00ca5577fb5314fc92a30be Mon Sep 17 00:00:00 2001
From: User User-User
Date: Fri, 1 Sep 2023 16:13:31 +0300
Subject: [PATCH] limit icmp err generation almost to kernel defaults
---
 root/usr/share/firewall4/templates/ruleset.uc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 7bd9309..400e8ca 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -194,6 +194,7 @@ table inet fw4 {
 ? `icmpx type ${fw4.default_option("tcp_reject_code")}`
 : "tcp reset"
 }} comment "!fw4: Reject TCP traffic"
+ limit rate over 1000/second burst 50 packets counter drop
 reject with {{
 (fw4.default_option("any_reject_code") != "tcp-reset")
 ? `icmpx type ${fw4.default_option("any_reject_code")}`
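Review bot: The added `limit rate over 1000/second burst 50 packets counter drop` sits after the TCP reject rule, so it only covers the final `reject with` rule; when `tcp_reject_code` is set to something other than `tcp-reset`, the TCP rule emits `icmpx` errors that this limit never sees. The limit is also a single global bucket with hard-coded values, so one noisy source can use up the budget and other hosts' rejected packets are then dropped silently rather than rejected; that trade-off looks intended from the subject line but deserves stating. The rule is the only one here without a `!fw4:` comment, so I would write it as `limit rate over 1000/second burst 50 packets counter drop comment "!fw4: Rate-limit ICMP errors for rejected non-TCP traffic"`. The enclosing chain starts and ends outside the hunk, so placement relative to other rules could not be checked.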