Windows firewall udp traceroute blocking


Flip_

There is a problem with Windows Firewall. If you try to run a traceroute from
a Unix box to a Windows box it fails because it uses the UDP protocol (Windows
uses the ICMP protocol). The only solution so far is to disable Windows
Firewall. If I put in a rule to allow any to any and protocol any for both
inside and outside, it fails too.

Is there any solution for this problem, because disabling Windows Firewall is
not an option?
 
traceroute -I <host> will use UDP (on a Linux system here, at least).
Or enable 33434/UDP, which is the default. And you can change the port. man
traceroute!

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Flip_" <Flip_@discussions.microsoft.com> wrote in message
news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...
> There is a problem with Windows Firewall. If you try to run a traceroute
> from a Unix box to a Windows box it fails because it uses the UDP protocol
> (Windows uses the ICMP protocol). The only solution so far is to disable
> Windows Firewall. If I put in a rule to allow any to any and protocol any
> for both inside and outside, it fails too.
>
> Is there any solution for this problem, because disabling Windows Firewall
> is not an option?
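To make the mechanism behind the -I and 33434/UDP advice concrete, here is an added example that is not code from the thread or from any of its posters: a small Python model of what each probe type needs from the destination host, and why a host firewall that silently drops inbound UDP leaves a UDP traceroute hanging while an ICMP echo traceroute completes. The topology, node names and firewall flags are constructed assumptions, not a description of any real Windows Firewall configuration.

```python
from dataclasses import dataclass

# traceroute's default first UDP destination port (mentioned in the post above)
TRACEROUTE_BASE_PORT = 33434


@dataclass
class Node:
    """One hop on the path. Routers only decrement TTL; the last node is the target.
    The three flags below are a constructed model of a host firewall posture."""
    name: str
    accept_unsolicited_udp: bool = True   # inbound UDP reaches the IP stack
    accept_icmp_echo: bool = True         # ICMP echo requests are let through
    open_tcp_ports: frozenset = frozenset()


def destination_reply(target, mode, dst_port):
    """What the final host sends back for one probe, or None when it stays silent."""
    if mode == "udp":
        # UDP traceroute relies on the target's stack answering a closed UDP
        # port with ICMP port unreachable. A firewall that drops the datagram
        # before the stack sees it produces no unreachable, so no reply.
        return "icmp port-unreachable" if target.accept_unsolicited_udp else None
    if mode == "icmp":
        return "icmp echo-reply" if target.accept_icmp_echo else None
    if mode == "tcp":
        # TCP traceroute (SYN probes) needs a listening port; the model treats
        # a closed or filtered port as silence.
        return "tcp syn-ack" if dst_port in target.open_tcp_ports else None
    raise ValueError(f"unknown probe mode {mode!r}")


def send_probe(path, mode, ttl, dst_port):
    """Deliver one probe along path; return (responder name, reply) or (None, None)."""
    routers, target = path[:-1], path[-1]
    if ttl <= len(routers):
        # The ttl-th router decrements TTL to zero, discards the packet and
        # reports it with ICMP time exceeded, whatever the probe's protocol.
        return routers[ttl - 1].name, "icmp time-exceeded"
    reply = destination_reply(target, mode, dst_port)
    return (target.name, reply) if reply else (None, None)


def traceroute(path, mode="udp", max_hops=8, dst_port=None):
    """Return one (ttl, responder, reply) row per hop, with '*' where nothing answered.

    Stops as soon as the target itself answers, as real traceroute does; otherwise
    it runs out to max_hops, which is the "fails" the question describes."""
    rows = []
    for ttl in range(1, max_hops + 1):
        # classic UDP traceroute moves to the next destination port per probe
        port = dst_port if dst_port is not None else TRACEROUTE_BASE_PORT + ttl - 1
        responder, reply = send_probe(path, mode, ttl, port)
        rows.append((ttl, responder or "*", reply or "*"))
        if responder == path[-1].name:
            break
    return rows


def reached_target(rows, path):
    """True when the last row was answered by the destination host."""
    return rows[-1][1] == path[-1].name


# Constructed topology: two routers in front of a Windows host whose firewall
# silently drops unsolicited inbound UDP but answers ICMP echo. Names are
# hypothetical.
PATH = [
    Node("router-a"),
    Node("router-b"),
    Node("windows-host", accept_unsolicited_udp=False, accept_icmp_echo=True),
]

if __name__ == "__main__":
    for mode in ("udp", "icmp"):
        print(f"--- {mode} probes ---")
        for ttl, who, what in traceroute(PATH, mode):
            print(f"{ttl:2d}  {who:14s} {what}")
```

Run as a script, the UDP trace lists the two routers and then `*` for every remaining hop, because the destination's stack never sees the datagram and so never emits the ICMP port unreachable that traceroute waits for; the ICMP trace reaches the host at hop three. That silent final hop is the symptom to line up against the firewall log when deciding which protocol or port to permit.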
 
"Flip_" <Flip_@discussions.microsoft.com> wrote in message
news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...
> There is a problem with Windows Firewall. If you try to run a traceroute
> from a Unix box to a Windows box it fails because it uses the UDP protocol
> (Windows uses the ICMP protocol).


Hi,

If UDP is the specific problem, can you set your traceroute client to use
ICMP echo instead?

As an example, the "-I" switch sets the Fedora Core Linux traceroute
application into ICMP mode, although in this case, it needs to be run as
the superuser.

--
Thor Kottelin
http://www.anta.net/

Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
 
No, it is a Unix-based appliance and it needs traceroute to communicate with
Active Directory.

"Thor Kottelin" wrote:

> "Flip_" <Flip_@discussions.microsoft.com> wrote in message
> news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...
> > There is a problem with Windows Firewall. If you try to run a traceroute
> > from a Unix box to a Windows box it fails because it uses the UDP protocol
> > (Windows uses the ICMP protocol).

>
> Hi,
>
> If UDP is the specific problem, can you set your traceroute client to use
> ICMP echo instead?
>
> As an example, the "-I" switch sets the Fedora Core Linux traceroute
> application into ICMP mode, although in this case, it needs to be run as
> the superuser.
>
> --
> Thor Kottelin
> http://www.anta.net/
>
> Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
>
>
 
As I said before, I made a rule to allow any source to any destination using
any protocol and it didn't work. The only solution was to disable the firewall.

"S. Pidgorny <MVP>" wrote:

> traceroute -I <host> will use UDP (on a Linux system here, at least).
> Or enable 33434/UDP, which is the default. And you can change the port. man
> traceroute!
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "Flip_" <Flip_@discussions.microsoft.com> wrote in message
> news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...
> > There is a problem with Windows Firewall. If you try to run a traceroute
> > from a Unix box to a Windows box it fails because it uses the UDP protocol
> > (Windows uses the ICMP protocol). The only solution so far is to disable
> > Windows Firewall. If I put in a rule to allow any to any and protocol any
> > for both inside and outside, it fails too.
> >
> > Is there any solution for this problem, because disabling Windows Firewall
> > is not an option?

>
>
>
 
You don't give many details about your problem, which makes it hard to help
you. The questions:

* What is involved in routing between the Linux system and your AD? Is there
NAT?
* Why does the Linux appliance need traceroute to communicate with Active
Directory?
* What is that appliance?
* Where is Windows Firewall running, on the domain controller or on an
intermediary point?
* Is ICMP-based traceroute working with the Windows firewall? If it does,
you'll be able to create an alias and make traceroute use ICMP (or even
TCP)
* Why can you not disable the firewall?
* What is in the firewall log if the "anything allowed" rule is in place?
* Under the same conditions, what is in the packet trace on the system where
the firewall is running, and how is that different from when the firewall is
off?

After answering all of this you'll probably figure out the solution
yourself....


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"Flip_" <Flip@discussions.microsoft.com> wrote in message
news:DD99C595-60B8-4D93-A116-09D3FDCA6E17@microsoft.com...
> As I said before, I made a rule to allow any source to any destination
> using any protocol and it didn't work. The only solution was to disable the
> firewall.
>
> "S. Pidgorny <MVP>" wrote:
>
>> traceroute -I <host> will use UDP (on a Linux system here, at least).
>> Or enable 33434/UDP, which is the default. And you can change the port.
>> man
>> traceroute!
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>> "Flip_" <Flip_@discussions.microsoft.com> wrote in message
>> news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...
>> > There is a problem with Windows Firewall. If you try to run a traceroute
>> > from a Unix box to a Windows box it fails because it uses the UDP
>> > protocol (Windows uses the ICMP protocol). The only solution so far is
>> > to disable Windows Firewall. If I put in a rule to allow any to any and
>> > protocol any for both inside and outside, it fails too.
>> >
>> > Is there any solution for this problem, because disabling Windows
>> > Firewall is not an option?

>>
>>
>>
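One way to work through the "what is in the firewall log" question above, as an added example that is not from the thread or any of its posters: a parser for the W3C-style pfirewall.log format Windows Firewall writes, which reads the column names from the log's own `#Fields:` header and then counts, per source address, the dropped inbound UDP datagrams aimed at traceroute's port window and the dropped ICMP echo requests. The log lines are constructed for this example (addresses from the 192.0.2.0/24 documentation range, made-up times), and the 30 hops x 3 probes port window is an assumption about the traceroute client's defaults.

```python
from collections import Counter

# Constructed sample of a Windows Firewall log (pfirewall.log) for this example.
# Column order follows the #Fields header the firewall writes; addresses and
# times are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2008-05-20 10:15:32 DROP UDP 192.0.2.10 192.0.2.20 40135 33434 60 - - - - - - - RECEIVE
2008-05-20 10:15:32 DROP UDP 192.0.2.10 192.0.2.20 40135 33435 60 - - - - - - - RECEIVE
2008-05-20 10:15:33 DROP UDP 192.0.2.10 192.0.2.20 40135 33436 60 - - - - - - - RECEIVE
2008-05-20 10:15:40 DROP ICMP 192.0.2.10 192.0.2.20 - - 84 - - - - 8 0 - RECEIVE
2008-05-20 10:16:05 DROP UDP 192.0.2.55 192.0.2.20 1024 137 78 - - - - - - - RECEIVE
2008-05-20 10:16:09 ALLOW TCP 192.0.2.20 192.0.2.30 49211 389 0 - 0 0 0 - - - SEND
"""

# Port window a default traceroute walks through: 33434 plus one per probe,
# 30 hops x 3 probes (an assumption about the client's defaults; see man traceroute).
TRACEROUTE_PORTS = range(33434, 33434 + 30 * 3)


def parse_firewall_log(text):
    """Return one dict per record, keyed by the names from the #Fields header.

    The header is taken from the log itself rather than hard-coded, so the
    parser follows whatever column order the particular Windows version writes.
    """
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def traceroute_drops(records):
    """Summarise inbound DROPs that look like traceroute probes, per source address.

    Returns {"udp": Counter, "icmp_echo": Counter}: UDP datagrams to the
    traceroute port window, and ICMP echo requests (type 8), both on the
    RECEIVE path. Other drops (e.g. NetBIOS on 137/UDP) are deliberately ignored.
    """
    udp, icmp_echo = Counter(), Counter()
    for r in records:
        if r["action"] != "DROP" or r["path"] != "RECEIVE":
            continue
        if (r["protocol"] == "UDP" and r["dst-port"].isdigit()
                and int(r["dst-port"]) in TRACEROUTE_PORTS):
            udp[r["src-ip"]] += 1
        elif r["protocol"] == "ICMP" and r["icmptype"] == "8":
            icmp_echo[r["src-ip"]] += 1
    return {"udp": udp, "icmp_echo": icmp_echo}


if __name__ == "__main__":
    summary = traceroute_drops(parse_firewall_log(SAMPLE_LOG))
    for kind, counter in summary.items():
        for src, n in counter.items():
            print(f"{kind:9s} {src:15s} {n} dropped probe(s)")
```

If lines like the first three still appear while the "anything allowed" rule is in place, the rule is not matching inbound UDP to those ports, and that is the thing to chase in the rule's scope and direction rather than in traceroute itself. A dropped type 8 ICMP line from the same source is the equivalent symptom for an ICMP-mode traceroute.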
 
Sorry, should read "Why can't you disable firewall?".

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:ej4z9ae0IHA.2292@TK2MSFTNGP03.phx.gbl...
> You don't give many details about your problem, which makes it hard to
> help you. The questions:
>
> * What is involved in routing between the Linux system and your AD? Is
> there NAT?
> * Why does the Linux appliance need traceroute to communicate with Active
> Directory?
> * What is that appliance?
> * Where is Windows Firewall running, on the domain controller or on an
> intermediary point?
> * Is ICMP-based traceroute working with the Windows firewall? If it does,
> you'll be able to create an alias and make traceroute use ICMP (or even
> TCP)
> * Why can you not disable the firewall?
> * What is in the firewall log if the "anything allowed" rule is in place?
> * Under the same conditions, what is in the packet trace on the system where
> the firewall is running, and how is that different from when the firewall is
> off?
>
> After answering all of this you'll probably figure out the solution
> yourself....
>
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
>
> "Flip_" <Flip@discussions.microsoft.com> wrote in message
> news:DD99C595-60B8-4D93-A116-09D3FDCA6E17@microsoft.com...
>> As I said before, I made a rule to allow any source to any destination
>> using any protocol and it didn't work. The only solution was to disable
>> the firewall.
>>
>> "S. Pidgorny <MVP>" wrote:
>>
>>> traceroute -I <host> will use UDP (on a Linux system here, at least).
>>> Or enable 33434/UDP, which is the default. And you can change the port.
>>> man
>>> traceroute!
>>>
>>> --
>>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>>> -= F1 is the key =-
>>>
>>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>>
>>> "Flip_" <Flip_@discussions.microsoft.com> wrote in message
>>> news:0A31B25E-C4E6-4DC9-828A-9DB12AE8E810@microsoft.com...
>>> > There is a problem with Windows Firewall. If you try to run a
>>> > traceroute from a Unix box to a Windows box it fails because it uses
>>> > the UDP protocol (Windows uses the ICMP protocol). The only solution so
>>> > far is to disable Windows Firewall. If I put in a rule to allow any to
>>> > any and protocol any for both inside and outside, it fails too.
>>> >
>>> > Is there any solution for this problem, because disabling Windows
>>> > Firewall is not an option?
>>>
>>>
>>>

>
>
 