diff --git a/root/etc/config/firewall b/root/etc/config/firewall
index d78a00c..877ff8b 100644
--- a/root/etc/config/firewall
+++ b/root/etc/config/firewall
@@ -81,7 +81,6 @@ config rule
 option src wan
 option proto icmp
 list icmp_type echo-request
- list icmp_type echo-reply
 list icmp_type destination-unreachable
 list icmp_type packet-too-big
 list icmp_type time-exceeded
@@ -95,6 +94,13 @@ config rule
 option family ipv6
 option target ACCEPT
 
+config rule
+ option name Drop-ICMPv6-Excess
+ option src wan
+ option proto icmp
+ option family ipv6
+ option target DROP
+
 # Allow essential forwarded IPv6 ICMP traffic
 config rule
 option name Allow-ICMPv6-Forward
@@ -102,7 +108,6 @@ config rule
 option dest *
 option proto icmp
 list icmp_type echo-request
- list icmp_type echo-reply
 list icmp_type destination-unreachable
 list icmp_type packet-too-big
 list icmp_type time-exceeded
@@ -112,6 +117,14 @@ config rule
 option family ipv6
 option target ACCEPT
 
+config rule
+ option name Drop-ICMPv6-Forward-Excess
+ option src wan
+ option dest *
+ option proto icmp
+ option family ipv6
+ option target DROP
+
 config rule
 option name Allow-IPSec-ESP
 option src wan
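Review bot: The new `Drop-ICMPv6-Excess` rule in the second hunk has no comment, unlike its neighbours, and it is order-dependent: it takes every ICMPv6 packet from wan that the preceding ACCEPT rule did not, so an ICMPv6 allow rule for wan added below it would never match. If that ACCEPT rule carries a rate limit (not visible in these hunks), over-limit packets of the allowed types, `packet-too-big` included, are also dropped silently here; the name suggests this is intended, but it should be stated. I would add `# Drop all other inbound ICMPv6 from wan; must stay directly after the ICMPv6 ACCEPT rule above` before it, and an equivalent line referring to `Allow-ICMPv6-Forward` before `Drop-ICMPv6-Forward-Excess` in the last hunk. The ACCEPT rules' full `icmp_type` lists run outside the hunks, so it is worth confirming that they still cover the neighbour-discovery and router-advertisement types the wan side needs.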