
ICMP port

How can I disable the ICMP port in Windows NT4 server, so no one can ping the server?
thanx
0
Asked by: gikam
 
Nenadic Commented:
You cannot do it on Windows NT itself. You have to use some form of firewall. If you cannot go for commercial (Proxy, Checkpoint), you can use Norton Personal Firewall, Zone Alarm or similar.

Finally, you don't want to disable ICMP, as it is needed by your computer for other TCP/IP communication. What you want to do is to prevent it from sending responses on ICMP (Stealth mode).
0
 
arminl Commented:
Open control-panel, protocols, TCP/IP, options and activate IP security. Click "configure" and then configure the protocols you want to permit in the rightmost list (IP protocols). At least I guess that you can do it there. Need to specify the protocols by their number. Guess that's somewhere in RFC 790-792. Never tried it myself. Love to PING.

...Armin
0
 
Nenadic Commented:
ICMP is Protocol 1.

But, again, that will prevent seeing any TCP/IP error messages.
0
 
arminl Commented:
The list is a "positive" list, so he will need to specify all protocols except 1.

...Armin
0
 
Nenadic Commented:
Don't get me wrong - it will work, I agree. Just that ICMP is used for more than just PINGing and I believe disabling it is not the best solution. But, since the requester asked for that - it is correct! :-)
0
 
gikam (Author) Commented:
nenadic
As I know there is a port for PING and only for PING.
I want the server to be invisible to ping, so I guess there must be a port or service that must be disabled.
There is no subject of firewall or proxy since this is stand alone server (not routing traffic between networks)
arminl
I don't want to set protocols that I permit, but disable the ones that I don't permit. And what about for the PING?
still waiting....
10x
gika
0
 
Nenadic Commented:
PING relies on ICMP. Doesn't have its own port number.

The option armin is suggesting cannot be set to allow all protocols, except ones you specify.

I didn't think a full-blown firewall would be the best, but suggested Personal Firewall or Zone Alarm. Both are around $30 and are specifically designed for home (small office) computers.
0
 
arminl Commented:
PING does not use a port number, but is an integral part of the IP protocol driver.

So your only choice is to set the filter list to allow all IP protocols except ICMP. Don't mistake them for the ports you know, the IP protocol header has a "protocol" field, and that's the field we are trying to filter on. So I guess that there are not more than probably a handful of numbers you need to enter, allowing TCP and UDP at least.

Nenadic is right, keep in mind that ICMP does more than just supporting PING. What you would lose, just to mention the two most important ones, are:

ICMP redirect: a Router redirects the client to a different (better) Router. Some Routers use this to redirect clients if they sense a failure on the WAN side.

ICMP source quench: a device on the net, most likely a WAN router, tells your client to slow down a bit sending packets, since he cannot deliver them fast enough. If the client continues sending full speed, the router will start dropping packets.

ICMP is also described in one of the RFCs I mentioned. You can also check MS KB for keyword ICMP to see which ICMP options MS has implemented at all.

Armin

0
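The distinction drawn in the post above, between the IP header's "protocol" field and TCP/UDP port numbers, shown as an added example that is not part of the original thread. It parses constructed IPv4 packets and compares a protocol-number allow-list (6 and 17 only) with a rule that looks at the ICMP type and drops only echo requests. The function names and the 192.0.2.x sample addresses are assumptions made for the illustration; the type and protocol numbers are from RFC 792.

```python
import struct

# IP protocol numbers (the header's "protocol" field) and ICMP types from RFC 792.
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "echo reply", 4: "source quench", 5: "redirect", 8: "echo request"}

def build_packet(proto, payload):
    """Constructed IPv4 packet (20-byte header, checksum left at 0) for the demo."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return header + payload

def describe(packet):
    """Return (protocol, detail): detail is a port for TCP/UDP, a type for ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, body = packet[9], packet[ihl:]  # byte 9 is the protocol field
    if proto in (6, 17) and len(body) >= 4:
        return PROTO[proto], "dst port %d" % struct.unpack("!H", body[2:4])[0]
    if proto == 1 and body:                # ICMP carries a type byte, not a port
        return "ICMP", ICMP_TYPES.get(body[0], "type %d" % body[0])
    return PROTO.get(proto, "proto %d" % proto), "unparsed"

def protocol_allow_list(packet, allowed=(6, 17)):
    """The 'positive list' from the thread: pass only listed protocol numbers."""
    return packet[9] in allowed

def drop_echo_request_only(packet):
    """Type-aware rule: drop ping requests, pass every other packet."""
    return describe(packet) != ("ICMP", "echo request")

SAMPLES = {  # constructed packets, not captured traffic
    "ping": build_packet(1, bytes([8, 0, 0, 0, 0, 1, 0, 1])),
    "redirect": build_packet(1, bytes([5, 1, 0, 0, 192, 0, 2, 1])),
    "source quench": build_packet(1, bytes([4, 0, 0, 0, 0, 0, 0, 0])),
    "smb": build_packet(6, struct.pack("!HH", 1025, 139) + bytes(16)),
}

def compare():
    """Map sample name -> (passes protocol allow-list, passes type-aware rule)."""
    return {name: (protocol_allow_list(p), drop_echo_request_only(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in compare().items():
        print(name, describe(SAMPLES[name]), verdict)
```

The allow-list rejects the redirect and source quench samples along with the ping, while the type-aware rule rejects only the ping.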
 
gikam (Author) Commented:
ok all
As I see, I cannot disable the "PING reply" only, from the server.
If this is right, I'd like to share the points to both of you if possible, else u choose
thanx
0
 
Nenadic Commented:
I'm happy for arminl to take the points. His was the solution, mine was just a warning. :-)
0
 
arminl Commented:
Thnx nenadic, but probably quikam changes his mind when reading this:

I was curious, and set up two new clients as follows:

Plain vanilla NT, only gimmick is the VNC remote control software. Applied SP6. No other drivers or any stuff.

* Set the IP filter to allow protocols 6 (TCP) and 17 (UDP) only. Rebooted. Result: no reaction. Could happily ping, mount drives, and connect to the VNC server. Oops.

* Set the IP filter to allow protocol 1 (ICMP) only. Rebooted. Result: no reaction. Could happily ping, mount drives, and connect to the VNC server. Oops again.

Then I left the useless IP filter alone, and played with UDP and TCP filters. Allowed for TCP port 139, and UDP 137 and 138. Result: like expected. Could mount drives and log in, but not use the VNC server. Then I swapped the setup: allowed for TCP port 5900 (the VNC server port), and deleted 137, 138 and 139. Result: like desired. Could not use any MS networking features any more, but could use the VNC server.

Behaviour persisted, no matter what I ever put into the IP filter. Just to make sure I also tried NT Workstation vs. NT server, 1 or two NICs, and Service Pack 1, 5 and 6. All have the same problem.

Conclusion: Microsoft has not implemented the feature to filter at the IP level, or there is another bug that neither got fixed nor documented. So implementing my suggestion would have failed because of a bug or an "implementation vs. documentation conflict". The TCP and UDP filters however work nicely.

(And just to make sure I haven't done anything wrong, I'll post this whole thing as a question titled "NT 4.0 IP packet filtering bug !?")

Armin

0
 
gikam (Author) Commented:
thanx all
ok, let's PING on...
0
