firewalld block icmp timestamp responses

roles/easyredmine/files/timestamp-reply.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<icmptype>
+  <short>Timestamp Reply</short>
+  <description>This message is used to reply to a timestamp message.</description>
+  <destination ipv4="yes"/>
+  <destination ipv6="no"/>
+</icmptype>

roles/easyredmine/files/timestamp-request.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<icmptype>
+  <short>Timestamp Request</short>
+  <description>This message is used for time synchronization.</description>
+  <destination ipv4="yes"/>
+  <destination ipv6="no"/>
+</icmptype>

roles/easyredmine/tasks/firewall.yml

@@ -35,6 +35,26 @@
   notify: restart firewalld
   when: is_production_vm == True
 
+- name: define new icmp types for timestamp responses
+  copy: dest='/etc/firewalld/icmptypes/{{ item }}.xml'
+        src='{{ item }}.xml'
+  sudo: yes
+  with_items:
+    - timestamp-reply
+    - timestamp-request
+
+- name: load new icmp types for timestamp responses
+  command: firewall-cmd --reload
+  sudo: yes
+
+- name: disable icmp timestamp responses
+  command: firewall-cmd --permanent --zone=public --add-icmp-block={{ item }}
+  sudo: yes
+  with_items:
+    - timestamp-reply
+    - timestamp-request
+  notify: restart firewalld
+
 - name: restart firewalld
   service: name=firewalld
            state=restarted