Information Technology Reference
In-Depth Information
■
Note
When the Windows Firewall is enabled, all ICMP exceptions are turned off by default.
Using VBScript
This code enables all ICMP traffic to pass through the Windows Firewall.
Set Firewall = CreateObject("HNetCfg.FwMgr")
Set Policy = Firewall.LocalPolicy.CurrentProfile
Set ICMPSettings = Policy.ICMPSettings
ICMPSettings.AllowInboundEchoRequest = TRUE
ICMPSettings.AllowInboundMaskRequest = TRUE
ICMPSettings.AllowInboundRouterRequest = TRUE
ICMPSettings.AllowInboundTimestampRequest = TRUE
ICMPSettings.AllowOutboundDestinationUnreachable = TRUE
ICMPSettings.AllowOutboundPacketTooBig = TRUE
ICMPSettings.AllowOutboundParameterProblem = TRUE
ICMPSettings.AllowOutboundSourceQuench = TRUE
ICMPSettings.AllowOutboundTimeExceeded = TRUE
ICMPSettings.AllowRedirect = TRUE
WScript.Echo "Settings enabled"
How It Works
The Internet Control Message Protocol (ICMP) is used by TCP/IP utilities such as ping and
tracert to assist in network troubleshooting and diagnostics. By default, the Windows Firewall
will block any incoming ICMP traffic destined for the local computer, since ICMP can be misused
as part of a number of network attacks. If you do not enable ICMP exceptions, you will not be
able to use any network utilities that rely on ICMP to contact your Windows Server 2003 computer.
However, if you open TCP port 445, the Windows Firewall will automatically allow incoming
ICMP echo messages, even if the Allow ICMP Exceptions setting is disabled through Group
Policy. This will occur if you specifically create a port exception for TCP port 445, or if you
enable the file and printer sharing or remote administration exceptions.
Using a Command-Line Interface
If you want to enable only specific ICMP message types using netsh, you'll need to specify a
number associated with the message type in the
type =
parameter. The numeric values associated
with the ICMP message types are as follows:
2
: Allow outbound packet too big
3
: Allow outbound destination unreachable
4
: Allow outbound source quench
5
: Allow redirect
