Configuring ICMP Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can configure Windows Firewall so that ICMP version 4 (ICMPv4) and ICMP version 6 (ICMPv6) traffic is either blocked or allowed. The following table describes the ICMPv4 and ICMPv6 messages that you can control with Windows Firewall.
ICMP message | Description |
---|---|
Allow incoming echo request | Corresponds to ICMPv4 Type 8 (Echo) and ICMPv6 Type 128 (Echo Request) messages. |
Allow incoming timestamp request | Corresponds to ICMPv4 Type 13 (Timestamp) messages. |
Allow incoming mask request | Corresponds to ICMP Type 17 (Address Mask Request) messages. |
Allow incoming router request | Corresponds to ICMP Type 9 (Router Solicitation) messages. |
Allow outgoing destination unreachable | Corresponds to ICMPv4 Type 3 (Destination Unreachable) and ICMPv6 Type 1 (Destination Unreachable) messages. |
Allow outgoing source quench | Corresponds to ICMP Type 4 (Source Quench) messages. |
Allow outgoing parameter problem | Corresponds to ICMP Type 12 (Parameter Problem) and ICMPv6 Type 4 (Parameter Problem) messages. |
Allow outgoing time exceeded | Corresponds to ICMP Type 11 (Time Exceeded) and ICMPv6 Type 3 (Time Exceeded) messages. |
Allow redirect | Corresponds to ICMP Type 5 (Redirect) and ICMPv6 Type 137 (Neighbor Discovery Redirect) messages. |
Allow outgoing packet too big | Corresponds to ICMPv6 Type 2 (Packet Too Big) messages. |
If you do not enable the Allow incoming echo requests setting, commands that use the ICMP Echo message (also known as the ICMP Echo Request message), such as ping or tracert, will not work. If you are running network management software that uses ICMP Destination Unreachable messages, you need to enable the Allow outbound destination unreachable setting.
If you configure Windows Firewall so that traffic is allowed through TCP port 445, Windows Firewall will allow incoming ICMP Echo messages automatically. This is true even if you disable the Allow incoming echo requests setting, or you disable the Windows Firewall: Allow ICMP exceptions Group Policy setting, or you use the netsh firewall set icmpsetting 8 disable command. For example, there are two predefined service exceptions that allow traffic through TCP port 445: the File and Printer Sharing exception and the Remote Administration exception. If you enable either of these exceptions, and you allow unsolicited incoming traffic to pass through TCP port 445, other computers will be able to access your computer with the ping command.
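The following audit sketch is an added example, not part of the original documentation. It applies the TCP port 445 rule described above to an inventory of hosts and reports those where the echo setting is disabled but incoming echo is still allowed. The record fields (name, icmp_echo_enabled, enabled_exceptions, port_openings) are a hypothetical inventory format, not netsh output, and the sample hosts are constructed.

```python
# Added audit example; the host-record fields are hypothetical, not netsh output.

# Predefined exceptions the page names as allowing traffic through TCP port 445.
EXCEPTIONS_OPENING_445 = {"File and Printer Sharing", "Remote Administration"}

# Constructed sample inventory: one record per host, settings as collected.
SAMPLE_HOSTS = [
    {"name": "fs01", "icmp_echo_enabled": False,
     "enabled_exceptions": ["File and Printer Sharing"], "port_openings": []},
    {"name": "app02", "icmp_echo_enabled": False,
     "enabled_exceptions": ["Remote Desktop"], "port_openings": [("tcp", 445)]},
    {"name": "web03", "icmp_echo_enabled": False,
     "enabled_exceptions": [], "port_openings": [("TCP", 80), ("UDP", 445)]},
    {"name": "mon04", "icmp_echo_enabled": True,
     "enabled_exceptions": ["Remote Administration"], "port_openings": []},
]


def echo_allow_reasons(host):
    """Return every reason incoming ICMP Echo is allowed on this host."""
    reasons = []
    if host.get("icmp_echo_enabled"):
        reasons.append("Allow incoming echo request is enabled")
    enabled = set(host.get("enabled_exceptions", []))
    for name in sorted(EXCEPTIONS_OPENING_445 & enabled):
        reasons.append(f"{name} exception allows TCP 445")
    # A manually added port opening for TCP 445 has the same effect.
    for proto, port in host.get("port_openings", []):
        if proto.upper() == "TCP" and int(port) == 445:
            reasons.append("port opening allows TCP 445")
    return reasons


def audit(hosts):
    """Map host name -> reasons, for hosts whose echo setting is disabled
    but which still allow incoming echo because TCP 445 is allowed."""
    findings = {}
    for host in hosts:
        reasons = echo_allow_reasons(host)
        if reasons and not host.get("icmp_echo_enabled"):
            findings[host["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_HOSTS).items():
        print(f"{name}: echo disabled in settings but still allowed ({'; '.join(reasons)})")
```

Hosts that the audit reports need the TCP port 445 exception reviewed, because disabling the echo setting alone does not stop them from responding to ping.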
When to perform this task
You should use these settings if your organization uses the ping or tracert commands for troubleshooting. Usually, you configure these settings only once or on an as-needed basis.
Task requirements
No special tools are required to perform this task.
Task procedures
To complete this task, perform the following procedure:
Block and Unblock ICMP Messages
Known Issues for Managing IPsec, Multicast, and ICMP Settings