update icmp rules

kubernetes/router/apps/default/ufw/app/helm-values.yaml

@@ -20,7 +20,8 @@ configMaps:
         ufw allow out 53
         ufw allow out 80/tcp
         ufw allow out 443/tcp
-        ufw allow out proto icmp
+        #allow icmp out, currently could only do it with iptables-nft
+        iptables-nft -I ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
         #allow outgoing to all home vlan subnets
         #this rule is also mandatory to access kubeapiservvice from hostnetwork pods
         ufw allow out to 192.168.0.0/16 comment "allow out to all vlan subnets"
@@ -49,9 +50,9 @@ configMaps:
         ufw route deny to 2620:119:53::53 comment "block opendns"
         ufw route deny to 2620:119:35::35 comment "block opendns"
 
-        #allow tunnel broker echo from internet vlan999
-        ufw route allow in on vlan999 from 66.220.2.74 proto icmp type echo-request comment "allow tunnel broker echo-request from 66.220.2.74"
-        ufw route allow in on vlan999 from 216.218.221.42 proto icmp type echo-request comment "allow tunnel broker echo-request from 216.218.221.42"
+        #allow tunnel broker echo from internet vlan999, todo maybe block on WAN, currently icmp is allowed by default
+        #ufw route allow in on vlan999 from 66.220.2.74 proto icmp type echo-request comment "allow tunnel broker echo-request from 66.220.2.74"
+        #ufw route allow in on vlan999 from 216.218.221.42 proto icmp type echo-request comment "allow tunnel broker echo-request from 216.218.221.42"
 
         #allow internal networks to internet
         ufw route allow in on br0 out on vlan999  comment "allow br0 to internet"