Windows Server 2008 won’t respond to ping requests out of the box—they’re blocked by default in the Windows Firewall ruleset. In the pre-R2 days, I used a simple command to enable ping in my development environments but apparently netsh firewall has been deprecated:
netsh firewall set icmpsetting 8
The replacement is—wait for it—netsh advfirewall firewall, like so:
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
Richard Siddaway has a PowerShell equivalent (presumably, I haven’t tried it myself but should have, I know… tsk, tsk).
I tried this and got this message:
An invalid value was specified.
Usage: add rule name=
dir=in|out
action=allow|block|bypass
[program=]
[service=|any]
[description=]
[enable=yes|no (default=yes)]
[profile=public|private|domain|any[,...]]
[localip=any|||||]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[localport=0-65535|RPC|RPC-EPMap|any[,...] (default=any)]
[remoteport=0-65535|any[,...] (default=any)]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any (default=any)]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=]
[rmtusrgrp=]
[edge=yes|no (default=no)]
[security=authenticate|authenc|notrequired (default=notrequired)]
Remarks:
- Add a new inbound or outbound rule to the firewall policy.
- Rule name should be unique and cannot be "all".
- If a remote computer or user group is specified, security must be
authenticate or authenc.
- If action=bypass, the remote computer group must be specified.
- Action=bypass is only valid for rules with dir=in.
- If service=any, the rule applies only to services.
- ICMP type or code can be "any".
- Edge can only be specified for inbound rules.
Examples:
Add an inbound rule for messenger.exe:
netsh advfirewall firewall add rule name="allow messenger"
dir=in program="c:\programfiles\messenger\msmsgs.exe"
action=allow
Add an outbound rule for port 80:
netsh advfirewall firewall add rule name="allow80"
protocol=TCP dir=out localport=80 action=block
Add an inbound rule for messenger.exe and require security
netsh advfirewall firewall add rule name="allow messenger"
dir=in program="c:\program files\messenger\msmsgs.exe"
security=authenticate action=allow
Add an authenticated firewall bypass rule for group
acmedomain\scanners identified by a SDDL string:
netsh advfirewall firewall add rule name="allow scanners"
dir=in rmtcomputergrp= action=bypass
security=authenticate
Is it just me or has Windows become exceptionally verbose as of late?!?
@Rich - are you definitely running R2? Recheck the syntax? Make sure the quotes are copied correctly and not stupid smart quotes?
I got the same problem until I re-typed the quotes myself and then it worked. Thanks
Thanks, just found this and it is helpful. I just copied to Notepad and deleted/re-entered the quotes manually and pasted to cmd prompt. Works fine this way and rule shows up in Firewall with Advanced Security. After several other Google links, I found this one and it is just what I needed.
Yep... perfect and saved me a bunch of time. Those pesky quotes!
Hi,
I liked your post about allowing an ICMP echo request... it is helpful to us newcomers.
I want to achieve as much as I can in my life... need some guidance from you, how to memorize things and remember them when you need them...
@Anonymous: study lots and practice often ;-)
Good luck and have fun!
Tried the netsh command above and it didn't work on 2008 R2 64bit. Had to modify it to:
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4 dir=in action=allow
Basically changed the "icmpv4:8,any" to be just "icmpv4".
Thanks to Ethan for that last comment, that modification worked for me on 2008 R2 64-bit where the original command had not.
Thanks Ethan, worked like a charm
Superb blog, it’s a really informative blog for all users who are facing Windows 7 problems. Our services provide a complete solution for your Windows 7 related problems. Please go through this link.
windows firewall error 1068 windows 7
Thank you
Aalia lyon
Doing the above commands allows ping from anyone on the Internet. This may not be what you want because you are visible to anyone (to hackers).
So you may want to do the following command instead, that allows ping only from your network. Note this command *updates* an existing rule:
netsh advfirewall firewall set rule name="ICMP Allow incoming V4 echo request" new dir=in remoteip=my.net.work.ip protocol=icmpv4 action=allow
Elwood
http://www.amigaos.net
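Added example, not part of the original post or of any comment: a batch file for an elevated Command Prompt that combines the points raised in the thread, using straight ASCII quotes, a rule limited to echo request (type 8), and a narrowed source scope as the last comment suggests. The remoteip=localsubnet value and the profile list are assumptions of this example, standing in for your own network range.

```bat
@echo off
rem Added example, not code from the post or its comments.
rem Run from an elevated Command Prompt. Every quote in this file is a plain
rem ASCII double quote; retype them if the text passed through a word processor.
setlocal
set "RULE=ICMP Allow incoming V4 echo request"

rem Remove any earlier copy so that re-running replaces the rule
rem instead of adding another one under the same name.
netsh advfirewall firewall delete rule name="%RULE%" >nul 2>&1

rem icmpv4:8,any = ICMPv4 type 8 (echo request), any code.
rem remoteip=localsubnet and profile=domain,private are assumptions of this
rem example; both values appear in the netsh usage text quoted in the thread.
netsh advfirewall firewall add rule name="%RULE%" ^
    protocol=icmpv4:8,any dir=in action=allow ^
    remoteip=localsubnet profile=domain,private
if errorlevel 1 (
    echo Rule was not added. Check for smart quotes and an elevated prompt.
    exit /b 1
)

rem The fallback from the comments, protocol=icmpv4 with no type, matches
rem every ICMPv4 type rather than only echo request, so keep remoteip and
rem profile restricted if you have to use it.

rem Print what the firewall stored so the protocol, remote scope and
rem profiles can be checked against what was intended.
netsh advfirewall firewall show rule name="%RULE%" verbose
endlocal
```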