Windows firewall udp traceroute blocking

F

Flip_

Guest
There is a problem with Windows firewall. If you try to make traceroute from

unix box to windows box it fails because it uses UDP protocol (Windows use

ICMP protocol). Only solution so far is to disable Windows firewall. If I put

rule to allow any to any and protocol any for both inside and outside it

fails too.

Is there any solution for this problem because disabling Windows firewall is

not an option?

 
S

S. Pidgorny

Guest
traceroute -I <host> will use UDP (on a Linux system here, at least).

Or enable 33434/UDP, which is the default. And you can change the port. man

traceroute!

--

Svyatoslav Pidgorny, MS MVP - Security, MCSE

-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

"Flip_" <Flip_@discussions.microsoft.com> wrote in message

news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...<span style="color:blue">

> There is a problem with Windows firewall. If you try to make traceroute

> from

> unix box to windows box it fails because it uses UDP protocol (Windows use

> ICMP protocol). Only solution so far is to disable Windows firewall. If I

> put

> rule to allow any to any and protocol any for both inside and outside it

> fails too.

>

> Is there any solution for this problem because disabling Windows firewall

> is

> not an option? </span>

 
T

Thor Kottelin

Guest
"Flip_" <Flip_@discussions.microsoft.com> wrote in message

news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...<span style="color:blue">

> There is a problem with Windows firewall. If you try to make traceroute

> from

> unix box to windows box it fails because it uses UDP protocol (Windows

> use

> ICMP protocol).</span>

Hi,

If UDP is the specific problem, can you set your traceroute client to use

ICMP echo instead?

As an example, the "-I" switch sets the Fedora Core Linux traceroute

application into ICMP mode, although in this case, it needs to be run as

the superuser.

--

Thor Kottelin

http://www.anta.net/

Antivirus, firewall, parental control: http://www.anta.net/sw/norman/

 
F

Flip_

Guest
No it is unix based appliance and it needs traceroute for communicating with

active directory.

"Thor Kottelin" wrote:

<span style="color:blue">

> "Flip_" <Flip_@discussions.microsoft.com> wrote in message

> news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...<span style="color:green">

> > There is a problem with Windows firewall. If you try to make traceroute

> > from

> > unix box to windows box it fails because it uses UDP protocol (Windows

> > use

> > ICMP protocol).</span>

>

> Hi,

>

> If UDP is the specific problem, can you set your traceroute client to use

> ICMP echo instead?

>

> As an example, the "-I" switch sets the Fedora Core Linux traceroute

> application into ICMP mode, although in this case, it needs to be run as

> the superuser.

>

> --

> Thor Kottelin

> http://www.anta.net/

>

> Antivirus, firewall, parental control: http://www.anta.net/sw/norman/

>

> </span>

 
F

Flip_

Guest
As i said before, I made a rule to allow any source to any destination using

any protocol and i didn't work. Only solution was to disable the firewall.

"S. Pidgorny <MVP>" wrote:

<span style="color:blue">

> traceroute -I <host> will use UDP (on a Linux system here, at least).

> Or enable 33434/UDP, which is the default. And you can change the port. man

> traceroute!

>

> --

> Svyatoslav Pidgorny, MS MVP - Security, MCSE

> -= F1 is the key =-

>

> http://sl.mvps.org http://msmvps.com/blogs/sp

>

> "Flip_" <Flip_@discussions.microsoft.com> wrote in message

> news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...<span style="color:green">

> > There is a problem with Windows firewall. If you try to make traceroute

> > from

> > unix box to windows box it fails because it uses UDP protocol (Windows use

> > ICMP protocol). Only solution so far is to disable Windows firewall. If I

> > put

> > rule to allow any to any and protocol any for both inside and outside it

> > fails too.

> >

> > Is there any solution for this problem because disabling Windows firewall

> > is

> > not an option? </span>

>

>

> </span>

 
S

S. Pidgorny

Guest
You don't give much details about your problem, which makes it hard to help

you. The questions:

What is involved in routing between the Linux system and your AD? Is there

NAT?

Why the Linux appliance needs traceroute to communicate with Active

Directory?

What is that appliance?

Where Windows Firewall is running, on the domain controller or

intermediary point?

Is ICMP-based traceroute working with the Windows firewall? If it does,

you'll be able to create an alias and make traceroute use ICMP (ot even

TCP);

Why can you not disable the firewall?

What is in the firewall log if the "anything allowed" rule is in place?

Under same condition, what is in the packet trace on the system where

firewall is running, and how is that different from that when firewall is

off?

After answering all of this you'll probably will figure out the solution

yourself....

--

Svyatoslav Pidgorny, MS MVP - Security, MCSE

-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

"Flip_" <Flip@discussions.microsoft.com> wrote in message

news:DD99C595-60B8-4D93-A116-09D3FDCA6E17@microsoft.com...<span style="color:blue">

> As i said before, I made a rule to allow any source to any destination

> using

> any protocol and i didn't work. Only solution was to disable the firewall.

>

> "S. Pidgorny <MVP>" wrote:

><span style="color:green">

>> traceroute -I <host> will use UDP (on a Linux system here, at least).

>> Or enable 33434/UDP, which is the default. And you can change the port.

>> man

>> traceroute!

>>

>> --

>> Svyatoslav Pidgorny, MS MVP - Security, MCSE

>> -= F1 is the key =-

>>

>> http://sl.mvps.org http://msmvps.com/blogs/sp

>>

>> "Flip_" <Flip_@discussions.microsoft.com> wrote in message

>> news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...<span style="color:darkred">

>> > There is a problem with Windows firewall. If you try to make traceroute

>> > from

>> > unix box to windows box it fails because it uses UDP protocol (Windows

>> > use

>> > ICMP protocol). Only solution so far is to disable Windows firewall. If

>> > I

>> > put

>> > rule to allow any to any and protocol any for both inside and outside

>> > it

>> > fails too.

>> >

>> > Is there any solution for this problem because disabling Windows

>> > firewall

>> > is

>> > not an option?</span>

>>

>>

>> </span></span>

 
S

S. Pidgorny

Guest
Sorry, should read "Why can't you disable firewall?".

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message

news:ej4z9ae0IHA.2292@TK2MSFTNGP03.phx.gbl...<span style="color:blue">

> You don't give much details about your problem, which makes it hard to

> help you. The questions:

>

> What is involved in routing between the Linux system and your AD? Is

> there NAT?

> Why the Linux appliance needs traceroute to communicate with Active

> Directory?

> What is that appliance?

> Where Windows Firewall is running, on the domain controller or

> intermediary point?

> Is ICMP-based traceroute working with the Windows firewall? If it does,

> you'll be able to create an alias and make traceroute use ICMP (ot even

> TCP);

> Why can you not disable the firewall?

> What is in the firewall log if the "anything allowed" rule is in place?

> Under same condition, what is in the packet trace on the system where

> firewall is running, and how is that different from that when firewall is

> off?

>

> After answering all of this you'll probably will figure out the solution

> yourself....

>

>

> --

> Svyatoslav Pidgorny, MS MVP - Security, MCSE

> -= F1 is the key =-

>

> http://sl.mvps.org http://msmvps.com/blogs/sp

>

>

> "Flip_" <Flip@discussions.microsoft.com> wrote in message

> news:DD99C595-60B8-4D93-A116-09D3FDCA6E17@microsoft.com...<span style="color:green">

>> As i said before, I made a rule to allow any source to any destination

>> using

>> any protocol and i didn't work. Only solution was to disable the

>> firewall.

>>

>> "S. Pidgorny <MVP>" wrote:

>><span style="color:darkred">

>>> traceroute -I <host> will use UDP (on a Linux system here, at least).

>>> Or enable 33434/UDP, which is the default. And you can change the port.

>>> man

>>> traceroute!

>>>

>>> --

>>> Svyatoslav Pidgorny, MS MVP - Security, MCSE

>>> -= F1 is the key =-

>>>

>>> http://sl.mvps.org http://msmvps.com/blogs/sp

>>>

>>> "Flip_" <Flip_@discussions.microsoft.com> wrote in message

>>> news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...

>>> > There is a problem with Windows firewall. If you try to make

>>> > traceroute

>>> > from

>>> > unix box to windows box it fails because it uses UDP protocol (Windows

>>> > use

>>> > ICMP protocol). Only solution so far is to disable Windows firewall.

>>> > If I

>>> > put

>>> > rule to allow any to any and protocol any for both inside and outside

>>> > it

>>> > fails too.

>>> >

>>> > Is there any solution for this problem because disabling Windows

>>> > firewall

>>> > is

>>> > not an option?

>>>

>>>

>>></span></span>

>

> </span>

 
You must log in or register to reply here.
Top Bottom