| Author | Messages | |
gturner
Posts:26
 | | 03/02/2010 5:10 PM |
| Dear all, having indicated this to be OT but will be looking to apply (if possible) by GP.
Does the Windows XP firewall allow us to explicitly allow the INBOUND ICMP message type 3, code 4 (Fragmentation needed and DF set)?
The GUI does not seem to expose this particular ICMP message type and then not for inbound packets.
Thanks. G
| | | |
| dmarelia
Posts:394
 | | 03/02/2010 6:25 PM |
| Graham- I haven't seen those options exposed by existing Admin Templates, nor through the Windows Firewall UI. If you can track them back to registry entries, then you could certainly use GP Preferences registry extension or a custom ADM(x) template.
Darren
| | | |
| gturner
Posts:26
 | | 03/02/2010 6:49 PM |
| Darren, thanks for the post back, and always helpful advice.
I am sure you will be aware of the context of this as a strategy for managing fragmentation in an IPsec environment, one of the mechanisms of which is MTU discovery.
Am trying to 'map' the GUI to the ICMP types and codes, which is not obvious to say the least - seems to have been fixed in Vista where I think this is exposed by the GUI, and I presume policy.
On another tack - is it possible to globally allow ICMP? Would you know?
I appreciate I am OT here but this is a most informative list. G
| | | |
| gturner
Posts:26
 | | 03/02/2010 7:08 PM |
| FWIW I have found I think some clues on the 'mapping' - from output of NETSH
Disable 2 Allow outbound packet too big
Disable 3 Allow outbound destination unreachable
Disable 4 Allow outbound source quench
Disable 5 Allow redirect
Disable 8 Allow inbound echo request
Disable 9 Allow inbound router request
Disable 11 Allow outbound time exceeded
Disable 12 Allow outbound parameter problem
Disable 13 Allow inbound timestamp request
Disable 17 Allow inbound mask request
This would seem to me that the XP firewall is not then capable of filtering on an 'inbound' destination unreachable?
Would that be your spin on this?
| | | |
| AndrewMcHale
Posts:0
 | | 03/03/2010 8:53 AM |
| Hi Graham,
Just a thought but if the setting is available on the Vista FW GUI then could you track down the reg key on Vista responsible and then search an XP registry for a similar key?
Andrew
| | | |