Configuring ICMP Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can configure Windows Firewall so that ICMP version 4 (ICMPv4) and ICMP version 6 (ICMPv6) traffic is either blocked or allowed. The following table describes the ICMPv4 and ICMPv6 messages that you can control with Windows Firewall.

ICMP message Description

Allow incoming echo request

Corresponds to ICMPv4 Type 8 (Echo) and ICMPv6 Type 128 (Echo Request) messages.

Allow incoming timestamp request

Corresponds to ICMPv4 Type 13 (Timestamp) messages.

Allow incoming mask request

Corresponds to ICMP Type 17 (Address Mask Request) messages.

Allow incoming router request

Corresponds to ICMP Type 9 (Router Solicitation) messages.

Allow outgoing destination unreachable

Corresponds to ICMPv4 Type 3 (Destination Unreachable) and ICMPv6 Type 1 (Destination Unreachable) messages.

Allow outgoing source quench

Corresponds to ICMP Type 4 (Source Quench) messages.

Allow outgoing parameter problem

Corresponds to ICMP Type 12 (Parameter Problem) and ICMPv6 Type 4 (Parameter Problem) messages.

Allow outgoing time exceeded

Corresponds to ICMP Type 11 (Time Exceeded) and ICMPv6 Type 3 (Time Exceeded) messages.

Allow redirect

Corresponds to ICMP Type 5 (Redirect) and ICMPv6 Type 137 (Neight Discovery Redirect) messages.

Allow outgoing packet too big

Corresponds to ICMPv6 Type 2 (Packet Too Big) messages.

If you do not enable the Allow incoming echo requests setting, commands that use the ICMP Echo message (also known as the ICMP Echo Request message), such as ping or tracert, will not work. If you are running network management software that uses ICMP Destination Unreachable messages, you need to enable the Allow outbound destination unreachable setting.

If you configure Windows Firewall so that traffic is allowed through TCP port 445, Windows Firewall will allow incoming ICMP Echo messages automatically. This is true even if you disable the Allow incoming echo requests setting, or you disable the Windows Firewall: Allow ICMP exceptions Group Policy setting, or you use the netsh firewall set icmpsetting 8 disable command. For example, there are two predefined service exceptions that allow traffic through TCP port 445: the File and Printer Sharing exception and the Remote Administration exception. If you enable either of these exceptions, and you allow unsolicited incoming traffic to pass through TCP port 445, other computers will be able to access your computer with the ping command.

When to perform this task

You should use these settings if your organization uses the ping or tracert commands for troubleshooting. Usually, you configure these settings only once or on an as-needed basis.

Task requirements

No special tools are required to perform this task.

Task procedures

To complete this task, perform the following procedure:

Block and Unblock ICMP Messages

See Also


Known Issues for Managing IPsec, Multicast, and ICMP Settings