Monday, 4 January 2010

Enable ICMP echo (ping) in Windows Server 2008 R2

Windows Server 2008 won’t respond to ping requests out of the box—they’re blocked by default in the Windows Firewall ruleset. In the pre-R2 days, I used a simple command to enable ping in my development environments but apparently netsh firewall has been deprecated:

netsh firewall set icmpsetting 8

The replacement is—wait for it—netsh advfirewall firewall, like so:

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

Richard Siddaway has a PowerShell equivalent (presumably, I haven’t tried it myself but should have, I know… tsk, tsk).
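For a PowerShell version that works on Server 2008 R2 itself, the following added example (mine, not the original post's command and not Richard Siddaway's script) drives the same Windows Firewall with Advanced Security engine through its COM API, since the NetSecurity cmdlets such as New-NetFirewallRule only shipped with Server 2012. It reuses the rule name from the netsh command above, checks for an existing rule first so it can be re-run safely, restricts the rule to ICMPv4 type 8 (echo request) rather than all of ICMPv4, and reads the rule back so you can see what the firewall actually stored. The LocalSubnet scope is my choice for a development box and is an assumption, not something the post specifies.

```powershell
# Added example: allow inbound ICMPv4 echo request (ping) on Server 2008 R2
# via the HNetCfg COM API. Run from an elevated PowerShell prompt.
# The rule name matches the netsh rule in the post; the scope (LocalSubnet)
# is an assumption for a dev environment, change it to '*' if needed.

$ruleName = 'ICMP Allow incoming V4 echo request'

# NET_FW_* enumeration values from the Windows Firewall with Advanced Security API
$NET_FW_RULE_DIR_IN        = 1
$NET_FW_ACTION_ALLOW       = 1
$NET_FW_IP_PROTOCOL_ICMPv4 = 1           # IANA protocol number for ICMP
$NET_FW_PROFILE2_ALL       = 0x7FFFFFFF  # domain + private + public

$policy = New-Object -ComObject HNetCfg.FwPolicy2

# Rule names should be unique (netsh says so in its usage text), so look before adding.
$existing = @($policy.Rules | Where-Object { $_.Name -eq $ruleName })
if ($existing.Count -gt 0) {
    Write-Output "Rule '$ruleName' already exists; nothing to do."
} else {
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name        = $ruleName
    $rule.Description = 'Allow inbound ICMPv4 echo request (ping) only'
    # Protocol must be set before IcmpTypesAndCodes is accepted.
    $rule.Protocol    = $NET_FW_IP_PROTOCOL_ICMPv4
    # "type:code"; 8:* is echo request with any code, the equivalent of netsh's
    # icmpv4:8,any. Plain protocol=icmpv4 would admit every ICMPv4 type
    # (redirects, router advertisements, ...), which is broader than ping needs.
    $rule.IcmpTypesAndCodes = '8:*'
    $rule.Direction   = $NET_FW_RULE_DIR_IN
    $rule.Action      = $NET_FW_ACTION_ALLOW
    # Least privilege: answer pings from the local subnet only (assumed scope).
    $rule.RemoteAddresses = 'LocalSubnet'
    $rule.Profiles    = $NET_FW_PROFILE2_ALL
    $rule.Enabled     = $true
    $policy.Rules.Add($rule)
    Write-Output "Added rule '$ruleName'."
}

# Read the rule back; this is what netsh advfirewall firewall show rule name="..."
# would report, and confirms the ICMP type restriction and scope took effect.
$policy.Rules |
    Where-Object { $_.Name -eq $ruleName } |
    Select-Object Name, Enabled, Direction, Action, Protocol, IcmpTypesAndCodes, RemoteAddresses |
    Format-List
```

Because the script is typed rather than pasted from a web page, it also sidesteps the smart-quote problem that bites the netsh one-liner when copied from a browser.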


9 comments:

  1. I tried this and got this message:

    An invalid value was specified.

    Usage: add rule name=
    dir=in|out
    action=allow|block|bypass
    [program=]
    [service=|any]
    [description=]
    [enable=yes|no (default=yes)]
    [profile=public|private|domain|any[,...]]
    [localip=any|||||]
    [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
    ||||]
    [localport=0-65535|RPC|RPC-EPMap|any[,...] (default=any)]
    [remoteport=0-65535|any[,...] (default=any)]
    [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
    tcp|udp|any (default=any)]
    [interfacetype=wireless|lan|ras|any]
    [rmtcomputergrp=]
    [rmtusrgrp=]
    [edge=yes|no (default=no)]
    [security=authenticate|authenc|notrequired (default=notrequired)]

    Remarks:

    - Add a new inbound or outbound rule to the firewall policy.
    - Rule name should be unique and cannot be "all".
    - If a remote computer or user group is specified, security must be
    authenticate or authenc.
    - If action=bypass, the remote computer group must be specified.
    - Action=bypass is only valid for rules with dir=in.
    - If service=any, the rule applies only to services.
    - ICMP type or code can be "any".
    - Edge can only be specified for inbound rules.


    Examples:

    Add an inbound rule for messenger.exe:
    netsh advfirewall firewall add rule name="allow messenger"
    dir=in program="c:\programfiles\messenger\msmsgs.exe"
    action=allow

    Add an outbound rule for port 80:
    netsh advfirewall firewall add rule name="allow80"
    protocol=TCP dir=out localport=80 action=block

    Add an inbound rule for messenger.exe and require security
    netsh advfirewall firewall add rule name="allow messenger"
    dir=in program="c:\program files\messenger\msmsgs.exe"
    security=authenticate action=allow

    Add an authenticated firewall bypass rule for group
    acmedomain\scanners identified by a SDDL string:
    netsh advfirewall firewall add rule name="allow scanners"
    dir=in rmtcomputergrp= action=bypass
    security=authenticate
  2. Is it just me or has Windows become exceptionally verbose as of late?!?

    @Rich - are you definitely running R2? Recheck the syntax? Make sure the quotes are copied correctly and not stupid smart quotes?
  3. I got the same problem until I re-typed the quotes myself and then it worked. Thanks
  4. Thanks, just found this and it is helpful. I just copied it to Notepad, deleted and re-entered the quotes manually, and pasted it into the cmd prompt. Works fine this way and the rule shows up in Windows Firewall with Advanced Security. After several other Google links, I found this one and it is just what I needed.
    1. Yep... perfect and saved me a bunch of time. Those pesky quotes!
  5. Hi,
    I liked your post about allowing an ICMP echo request... it is helpful to newcomers like us.
    I want to achieve as much as I can in my life... I need some guidance from you on how to memorize things and remember them when you need them.
  6. @Anonymous: study lots and practice often ;-)

    Good luck and have fun!
  7. This comment has been removed by the author.
  8. Tried the netsh command above and it didn't work on 2008 R2 64-bit. Had to modify it to:

    netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4 dir=in action=allow

    Basically changed the "icmpv4:8,any" to be just "icmpv4".