Re: Stupid Question #1


From: Bill Castner (bcastner_at_[spam)
Date: 06/09/04


Date: Tue, 08 Jun 2004 20:56:54 -0400

Steve,

I do not know if you have tested it, but if you disable all possible
ICMP traffic exception choices under SP2 firewall, a ping still
succeeds on your local LAN subnet.

I like your explanation quite a bit. But I was under the impression
that a ping was essentially "port independent." A ping was a type of
TCP traffic to the remote IP address, it would not either from the
source or remote site scan ports until it found an open port to
respond with.

The explanation given by "Sooner Al" was that SP2 firewall would always
exempt subnet traffic because the File and Printer Sharing services
APIs would not work otherwise.

I think you could deny ICMP traffic on port 445 (or the other TCP and
UDP ports used by F&P) without compromising existing XP F&P Services;
I just viewed the response upon reflection for SP2 as being
unsatisfactory.

The notion that there are about 5 ports one needs to have open for
file and printer I do not doubt, but what that has to do with ping I
remain baffled.

Thank you very much for the response,
Bill

On Tue, 08 Jun 2004 16:10:08 -0600, "Steve Winograd [MVP]"
<winograd@pobox.com> wrote:

>In article <325cc09frunqgeg8kmoegu55805ama6v13@4ax.com>, Bill Castner
><bcastner@[spam]verizon.net> wrote:
>>Related thought: Al Jarvis had had a query about the inability to
>>stop pings (ICMP traffic) under WinXP Service Pack 2. The MSFT answer
>>was that File and Printer Sharing would not work without free ICMP
>>traffic under a subnet. The more I think about it, the less credible
>>this seems as a claim. The relation between my MS KB article above,
>>and the ping blocking should be clear. I think there is a seriously
>>murky area in Workgroup networking.
>
>Hi, Bill. In SP2, ICMP Echo is automatically enabled through the
>Windows Firewall if you enable TCP 445, which is used by direct-hosted
>"NetBIOS-less" SMB traffic. File and Printer Sharing using NetBIOS
>doesn't enable, and doesn't depend on, ICMP Echo. Does that help
>resolve the issue?
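The following is an added test procedure, not part of the original thread and not Microsoft's own guidance, for isolating which Windows Firewall exception is actually answering an on-subnet ping on XP SP2. It uses the XP SP2 `netsh firewall` context (the older context, not the later `netsh advfirewall` one); the command syntax is from memory of that context and should be checked against `netsh firewall set ? ` on the machine. It assumes an Administrator cmd prompt on the XP SP2 host and a second host on the same subnet from which to ping after each step; the exception name "Direct-hosted SMB" is an arbitrary label chosen here.

```batch
@echo off
rem Added example (not from the thread): find out whether the ICMP Echo
rem exception or the TCP 445 (direct-hosted SMB) exception is what lets an
rem on-subnet ping through. Run on the XP SP2 box; after each step, ping it
rem from another host on the same subnet and note the result.

echo === 1. Baseline: which ICMP types, ports and services are open? ===
netsh firewall show icmpsetting
netsh firewall show portopening
netsh firewall show service

echo === 2. Explicitly disable the ICMP Echo Request (type 8) exception ===
netsh firewall set icmpsetting type=8 mode=DISABLE profile=ALL
rem Per the thread: if TCP 445 is still open, the ping still succeeds here.

echo === 3. Disable File and Printer Sharing (closes its ports, 445 included) ===
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
rem Ping again. If it now fails although step 2 alone did not stop it,
rem the Echo replies were tied to the TCP 445 exception, as Steve says.

echo === 4. Re-open only TCP 445, scoped to the local subnet ===
netsh firewall set portopening protocol=TCP port=445 name="Direct-hosted SMB" mode=ENABLE scope=SUBNET profile=ALL
rem Ping again from the subnet neighbour, then from a host outside the
rem subnet if one is available. Subnet scope explains a LAN-only reply.

echo === 5. Show the effective ICMP settings after the change ===
netsh firewall show icmpsetting

echo === 6. Restore File and Printer Sharing for the local subnet ===
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL
```

Step 2 by itself reproduces Bill's observation (ICMP exception off, ping still answered on the LAN); steps 3 and 4 separate the two explanations offered in the thread, since only the 445 exception is open in step 4. Keep the baseline output from step 1 so the original configuration can be put back exactly.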


