Comments on: Windows Server 2008: Windows Firewall with Advanced Security

By: Sherwin Bidania

Sherwin Bidania — Sun, 25 Oct 2009 11:48:33 +0000

What was the resolution on the first comment? im having the same issue right now with my server 2008 DC – firewall wont start.

thanks,

By: Michael Pietroforte

Michael Pietroforte — Thu, 17 Sep 2009 20:19:53 +0000

Anushka, this doesn't sound like a firewall problem because there are no time related settings. You can use a packet sniffer to see if the packets come through for this port.

By: Anushka

Anushka — Wed, 16 Sep 2009 06:03:08 +0000

I have come across a problem where i have configured a rule in the DC to allow incoming traffic for third party program (port 45580) which is installed in the DC.

The problem is that the communication to this program clients stops after around 40 minutes of server uptime. Any clues form the firewalls’ point of view?Thanks in advance.

By: Michael

Michael — Tue, 01 Jul 2008 17:36:16 +0000

I understand what you mean now, but I have never tried this. However, I think it should work. It would be very strange if one could configure it, but this doesn’t show an effect. Maybe it has something to do with the programs you used in your test. Maybe they behave differently than you think.

By: Rotaluclac

Rotaluclac — Wed, 25 Jun 2008 21:48:48 +0000

Michael, thanks for your quick response. I understand what you mean, but you do not address the underlying problem (which is probably my fault of not expressing myself clearly enough).

Let’s say there are two programs that send out ICMP Echo Requests. One is ping.exe ; let’s call the other pong.exe . I do trust ping.exe but I don’t trust pong.exe . Can I allow ping.exe to send out ICMP packets, but forbid pong.exe to do the same?

The interface of Vista’s firewall rules suggests that this is possible. The firewall’s behaviour is different. It seems that you may specify a program (first page of the New Rule Wizard), but this program path+filename is only taken into account when the rest of the rule is about TCP or UDP traffic. The specified program seems to be ignored when the rest of the rule is about ICMP traffic.

By: Michael

Michael — Wed, 25 Jun 2008 18:00:37 +0000

Rotaluclac, yes I think it is possible. To allow ping and disallow traceroute you have to block the ICMP type 30. You can configure ICMP types if you click on “customize” when you specify the protocol type (ICMPv4). Check out Wikipedia for the other ICMP types.

By: Rotaluclac

Rotaluclac — Wed, 25 Jun 2008 06:35:04 +0000

Call it paranoia – I set up the firewall to block all outbound traffic by default, and to allow traffic only if it meets a rule.

I experimented with ping and tracert from the command prompt.

Normally, they both don’t work. When I create a rule to allow outbound ICMP traffic, they do work. That’s what I expect.

Now I change the rule. Instead of allowing ICMP for any program, I change the program to C:\Windows\System32\PING.EXE , and I leave the ICMP part as it was. I expect that ping still works, but tracert doesn’t.

However, neither ping nor tracert works. WHY? To state my question differently: is there a way to allow outbound ICMP for ping, but to disallow it for tracert (or the other way round)?

By: The things that are better left unspoken : Remotely managing your Server Core using Compmgmt.msc

Thu, 03 Apr 2008 09:39:30 +0000

[...] with the GUI-less Server Core A few commands to get started with Windows Server Core Windows Server 2008: Windows Firewall with Advanced Security Posted: Thursday, April 03, 2008 11:32 AM by Sander Berkouwer Filed under: System Administration, [...]

By: Nikola

Nikola — Tue, 25 Mar 2008 08:05:51 +0000

opk when i try that to do with my server it sends me sam message: An error occurred contacting the firewall. Make sure that the Windows Firewall s
ervice is running and try your request again.
I even cant start services for firewall. please help me!!!