Solved

ICMP port

Posted on 2001-06-12
Last Modified: 2013-12-28
How can I disable the ICMP port in Windows NT4 server, so no one can ping the server?
thanx
Question by:gikam
12 Comments
 
LVL 12

Expert Comment

by:Nenadic
ID: 6185224
You cannot do it on Windows NT itself. You have to use some form of firewall. If you cannot go for commercial (Proxy, Checkpoint), you can use Norton Personal Firewall, Zone Alarm or similar.

Finally, you don't want to disable ICMP, as it is needed by your computer for other TCP/IP communication. What you want to do is to prevent it from sending responses on ICMP (Stealth mode).
0
 
LVL 4

Expert Comment

by:arminl
ID: 6185255
Open control-panel, protocols, TCP/IP, options and activate IP security. Click "configure" and then configure the protocols you want to permit in the rightmost list (IP protocols). At least I guess that you can do it there. Need to specify the protocols by their number. Guess that's somewhere in RFC 790-792. Never tried it myself. Love to PING.

...Armin
0
 
LVL 12

Expert Comment

by:Nenadic
ID: 6185288
ICMP is Protocol 1.

But, again, that will prevent seeing any TCP/IP error messages.
0
 
LVL 4

Expert Comment

by:arminl
ID: 6185338
The list is a "positive" list, so he will need to specify all protocols except 1.

...Armin
0
 
LVL 12

Expert Comment

by:Nenadic
ID: 6185348
Don't get me wrong - it will work, I agree. Just that ICMP is used for more than just PINGing and I believe disabling it is not the best solution. But, since the requester asked for that - it is correct! :-)
0
 
LVL 2

Author Comment

by:gikam
ID: 6185378
nenadic
As I know there is a port for PING and only for PING.
I want the server to be invisible to ping, so I guess there must be a port or service that must be disabled.
There is no subject of firewall or proxy since this is stand alone server (not routing traffic between networks)
arminl
I don't want to set protocols that I permit, but disable the ones that I don't permit. And what about for the PING?
still waiting....
10x
gika
0
 
LVL 12

Expert Comment

by:Nenadic
ID: 6185392
PING relies on ICMP. Doesn't have its own port number.

The option armin is suggesting cannot be set to allow all protocols, except ones you specify.

I didn't think a full-blown firewall would be the best, but suggested Personal Firewall or Zone Alarm. Both are around $30 and are specifically designed for home (small office) computers.
0
 
LVL 4

Expert Comment

by:arminl
ID: 6185440
PING does not use a port number, but is an integral part of the IP protocol driver.

So your only choice is to set the filter list to allow all IP protocols except ICMP. Don't mistake them for the ports you know, the IP protocol header has a "protocol" field, and that's the field we are trying to filter on. So I guess that there are not more than probably a handful of numbers you need to enter, allowing TCP and UDP at least.

Nenadic is right, keep in mind that ICMP does more than just supporting PING. What you would lose, just to mention the two most important ones, are:

ICMP redirect: a Router redirects the client to a different (better) Router. Some Routers use this to redirect clients if they sense a failure on the WAN side.

ICMP source quench: a device on the net, most likely a WAN router, tells your client to slow down a bit sending packets, since he cannot deliver them fast enough. If the client continues sending full speed, the router will start dropping packets.

ICMP is also described in one of the RFCs I mentioned. You can also check MS KB for keyword ICMP to see which ICMP options MS has implemented at all.

Armin

0
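The distinction made in the comments above, between the IP header's protocol field (1 = ICMP, 6 = TCP, 17 = UDP) and TCP/UDP port numbers, as an added example that is not part of any post in this thread. It models the filter decision only, not NT 4.0's implementation; the packets are constructed samples, and `allow_all_but_echo_request` is a hypothetical rule added to show what a protocol-level block removes beyond ping.

```python
import socket
import struct

def ipv4(proto, payload, src="192.0.2.10", dst="192.0.2.20"):
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def icmp(msg_type, code=0):
    return struct.pack("!BBHI", msg_type, code, 0, 0)  # type, code, checksum, rest

def tcp(dst_port, src_port=40000):
    return struct.pack("!HH", src_port, dst_port) + b"\x00" * 16

def classify(packet):
    """Read the fields a filter can match on: protocol, then port or ICMP type."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, body = packet[9], packet[ihl:]
    info = {"proto": proto, "dst_port": None, "icmp_type": None}
    if proto in (6, 17) and len(body) >= 4:
        info["dst_port"] = struct.unpack("!H", body[2:4])[0]  # ports exist only here
    elif proto == 1 and body:
        info["icmp_type"] = body[0]  # ICMP carries a type, not a port
    return info

def allow_by_protocol(info, allowed=(6, 17)):
    """Positive list on the IP protocol field (the approach discussed above)."""
    return info["proto"] in allowed

def allow_all_but_echo_request(info):
    """Hypothetical narrower rule: drop only ICMP type 8 (echo request)."""
    return not (info["proto"] == 1 and info["icmp_type"] == 8)

SAMPLES = {  # constructed packets, not captures
    "ping (echo request)": ipv4(1, icmp(8)),
    "ICMP source quench": ipv4(1, icmp(4)),
    "ICMP redirect": ipv4(1, icmp(5, 1)),
    "TCP to 139": ipv4(6, tcp(139)),
    "TCP to 5900 (VNC)": ipv4(6, tcp(5900)),
}

def evaluate():
    # name -> (verdict under protocol list, verdict under echo-request-only rule)
    return {name: (allow_by_protocol(classify(p)), allow_all_but_echo_request(classify(p)))
            for name, p in SAMPLES.items()}
```

Under the protocol list, source quench and redirect are dropped along with ping; under the narrower rule only the echo request is.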
 
LVL 2

Author Comment

by:gikam
ID: 6185549
ok all
As I see, I cannot disable the "PING reply" only, from the server.
If this is right, I'd like to share the points to both of you if possible, else u choose
thanx
0
 
LVL 12

Expert Comment

by:Nenadic
ID: 6185664
I'm happy for arminl to take the points. His was the solution, mine was just a warning. :-)
0
 
LVL 4

Accepted Solution

by:
arminl earned 20 total points
ID: 6187376
Thnx nenadic, but probably gikam changes his mind when reading this:

I was curious, and set up two new clients as follows:

Plain vanilla NT, only gimmick is the VNC remote control software. Applied SP6. No other drivers or any stuff.

* Set the IP filter to allow protocols 6 (TCP) and 17 (UDP) only. Rebooted. Result: no reaction. Could happily ping, mount drives, and connect to the VNC server. Oops.

* Set the IP filter to allow protocol 1 (ICMP) only. Rebooted. Result: no reaction. Could happily ping, mount drives, and connect to the VNC server. Oops again.

Then I left the useless IP filter alone, and played with UDP and TCP filters. Allowed for TCP port 139, and UDP 137 and 138. Result: like expected. Could mount drives and log in, but not use the VNC server. Then I swapped the setup: allowed for TCP port 5900 (the VNC server port), and deleted 137, 138 and 139. Result: like desired. Could not use any MS networking features any more, but could use the VNC server.

Behaviour persisted, no matter what I ever put into the IP filter. Just to make sure I also tried NT Workstation vs. NT server, 1 or two NICs, and Service Pack 1, 5 and 6. All have the same problem.

Conclusion: Microsoft has not implemented the feature to filter at the IP level, or there is another bug that neither got fixed nor documented. So implementing my suggestion would have failed because of a bug or an "implementation vs. documentation conflict". The TCP and UDP filters however work nicely.

(And just to make sure I haven't done anything wrong, I'll post this whole thing as a question titled "NT 4.0 IP packet filtering bug !?")

Armin

0
 
LVL 2

Author Comment

by:gikam
ID: 6189569
thanx all
ok, let's PING on...
0
