Comments on: How to make the Windows firewall play nice with tracert?

Question: How to make the Windows firewall play nice with tracert?

stopgap — Wed, 14 Sep 2005 09:12:32 -0800

WinXP question: tracert only works when the Windows firewall is turned off. I've added \windows\system32\tracert.exe to the approved programs list, but no luck. Any ideas?

By: bachelor#3

bachelor#3 — Wed, 14 Sep 2005 09:16:55 -0800

Are you letting ICMP packets through? I believe that's what is used by WinXP's trace route program.

By: moz

moz — Wed, 14 Sep 2005 09:19:03 -0800

the traceroute program on unix (as on windows) relies on two protocols; ICMP and UDP. make sure that you're allowing packets for both protocols.

By: benzo8

benzo8 — Wed, 14 Sep 2005 09:19:42 -0800

The blocking of ICMP packets is one of the things most "Personal Firewalls" get wrong. They sell the concept of "security through obscurity" - if you can't see the machine, you can't try and hack it. But blocking ICMP breaks PING and (as you've discovered) traceroute, amongst other things, and there are other, non-ICMP-based scans that a hacker can use to see you machine, so it's pointless anyhow... Let ICMP in and out of your firewall.

By: zsazsa

zsazsa — Wed, 14 Sep 2005 09:26:09 -0800

Weird. tracert has always worked for me with the stock XP firewall turned on.

By: bachelor#3

bachelor#3 — Wed, 14 Sep 2005 09:27:47 -0800

moz, I think Windows XP uses ICMP packets exclusively for tracert. Most other trace route programs send out UDP packets.

By: mendel

mendel — Wed, 14 Sep 2005 09:38:46 -0800

the traceroute program on unix (as on windows) relies on two protocols; ICMP and UDP.

Correct for Unix; not so for Windows, which uses only ICMP.

But blocking ICMP breaks PING and (as you've discovered) traceroute, amongst other things

Remember that traceroute is looking for ICMP ttl-expired (which are critical to being able to use the network without your sent packets quietly disappearing) and not ICMP echo-reply (which is only useful for ping itself).

That said, include me in the "it works for me" department. Crank up your XP firewall logging to log dropped packets and see exactly what it's blocking, for a start.

By: stopgap

stopgap — Wed, 14 Sep 2005 10:13:35 -0800

ICMP packets were turned off. I allowed them and now everything works as expected. Thanks AskMe!

By: RustyBrooks

RustyBrooks — Wed, 14 Sep 2005 10:20:29 -0800

There is good reason to block ICMP packets, and it's not security-through-obscurity. They are (were?) a populare method of denial-of-service attacks. The attacker would flood you with pings and this would increase network latency and bandwidth to near unusability. Happened to me several times until I disabled ICMP.

Also, if I'm not mistaken, in the earlier days of routers, ICMP could be used to configure routers to a certain extent. You could basically send a command to a router that the next hop for this address should be X.X.X.X instead of Y.Y.Y.Y. This would allow an attacker to route his targets traffic through a machine he controlled, with no one the wiser. From there he could sniff away at it. This is sort of urban-legendish, I've never seen credible accounts of it being done and I suspect not too many routers ever had such features enabled.

That said, let ICMP through. If you get DOSed, turn it off.

By: RustyBrooks

RustyBrooks — Wed, 14 Sep 2005 10:21:48 -0800

Here's an example of my second point