Windows Defender Firewall Inbound Rule for ICMPv6
Hi!
I'm getting more into IPv6 these days and found that ICMP is very important for IPv6 connectivity.
Windows Defender Firewall with Advanced Security (on Windows 10 at least) comes with some inbound ICMPv6 allow rules, but unfortunately they don't allow for quite enough.
I went ahead to create a rule by hand, but found out that you cannot set a group for the rule through the GUI, so instead I opted for creating a little PowerShell command.
You have to run it from a UAC-elevated PowerShell instance.
This rule is based on the existing default ICMPv6 rules.
Create the rule:
New-NetFirewallRule -DisplayName "Core Networking - CUSTOM - Allow Incoming ICMPv6" -Group "Core Networking" -Direction Inbound -Action Allow -Protocol ICMPv6 -Program System
Remove the rule again:
Remove-NetFirewallRule -DisplayName "Core Networking - CUSTOM - Allow Incoming ICMPv6"
Some people may want to exclude echo request for privacy or "security (through obscurity)" reasons, but I don't think it's that big of a deal.
Of course feel free to customize the command in general. The official documentation page (docs.microsoft.com) is very informative.
If you have any other firewalls between you and the sender, you may have to check their rules as well.
I tested the rules with a website like ipv6-test.com.
Thanks for reading!
Making Traceroutes Work with a Firewall (Windows)
Hi!
Even though I've had software firewalls in action for years now, I haven't really come across too many instances where I'd need traceroutes. The few times I did, however, I noticed that I only got output like the following:
>tracert example.com Tracing route to example.com [123.123.123.123] over a maximum of 30 hops: 1 * * * Request timed out. 2 * * * Request timed out. 3 * * * Request timed out. 4 * * * Request timed out. 5 * * * Request timed out. 6 * * * Request timed out. 7 * * * Request timed out. 8 * * * Request timed out. 9 * * * Request timed out. 10 * * * Request timed out. 11 50 ms 50 ms 50 ms example.com [123.123.123.123] Trace complete.
The number of hops would of course vary for the specific host / IP address.
Today I had to use traceroute in order to analyze a couple of networking problems. That was the incentive I needed to look up why it didn't work.
The fact that not even my router was showing up was a big indicator that something was wrong with my local firewall settings.
After searching the web for a couple of minutes, I found out what I was looking for at this page: http://www.phildev.net/ipf/IPFques.html#ques34
Traceroute is using ICMP packets (plus UDP on Linux systems, but that's outside the scope of this blog entry. You can read more about it on the page I linked above). But even for an outgoing traceroute you need to accept incoming ICMP packets.
Which ones? These:
- ICMP TTL Expired (Type 11, Code 0)
- ICMP Port Unreachable (Type 3, Code 3)
Once you've enabled these types of packets for incoming traffic in your firewall(s), you'll see that your traceroute will now function as it should.
If your firewall does not allow you to configure accepting specific types of ICMP packets, try allowing incoming ICMP packets altogether (if that's not too much of a compromise for you).
Anyway, long-ish story short: It's working now 🙂
Thanks to the webmaster of the page I linked above! And thanks to you for reading.