System fails Shields Up ping test.

  • Thread starter: Jack Gillis

Jack Gillis

I normally connect to my DSL line through a router but it decided it
didn't want to work anymore. So while waiting to get a replacement, I
connected my XP SP2 system directly to my DSL modem and established a
connection to my ISP.

I decided to run Shields Up and found all ports 'stealthed' but got a
'Failed' report because Shields Up received a reply to its ping of my
system. I have the DSL connection firewalled by XP's firewall.

What else might I do to prevent my system from replying to ping
requests? Or, should I worry?

Thank you very much.
 
If you're running XP SP2, go to Control Panel, Windows Firewall. Go to the Advanced tab and click the Settings button under ICMP.
 
Thanks, Doug.

I looked at Control Panel/Windows Firewall/Advanced and the ICMP
settings. None were checked so I assume that all were not permitted
exceptions. Or do I have it backwards -- all were permitted exceptions?

BTW, The Do Not Allow Exceptions button is not set in the General Tab.

I hate to go playing around with settings I know little about.

Thanks again.

 
If the ICMP options are unchecked, they should not be enabled. Odd thing is on my system the top option is checked and greyed out. It can't be disabled.
 
Jack,

You can try this. Click Start, Run and enter REGEDIT. Go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings

Right click in a blank area of the right pane, select New, DWord value and name the new value AllowInboundEchoRequest. Leave the value set at 0 (zero). Now, open a Command Prompt window and enter NETSH FIREWALL RESET. Then run the Shields Up test again.
 
OK Doug.

I drilled down to \FirewallPolicy\StandardProfile but did not have
IcmpSettings, only AuthorizedApplications\List and GloballyOpenPorts. I
found only one reference in the registry for Icmp and it had to do with
EnableIcmpRedirect or something like that.

Do I have a bad registry?

Yes, I did create a restore point before entering regedit but made no
changes to it.

Jack,

You can try this. Click Start, Run and enter REGEDIT. Go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings

Right click in a blank area of the right pane, select New, DWord value
and name the new value AllowInboundEchoRequest. Leave the value set at
0 (zero). Now, open a Command Prompt window and enter NETSH FIREWALL
RESET. Then run the Shields Up test again.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
 
OK, Doug. I will give that a try.

Thanks.


 
You'll need to add the IcmpSettings sub-key. Highlight the StandardProfile sub-key, right click it and select New, Key. Name it IcmpSettings. Then follow the instructions for adding the AllowInboundEchoRequest value.
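
The regedit steps from the posts above, written as a batch file for an administrator Command Prompt on XP SP2. This is an added example, not part of the original thread: the key path, value name and NETSH FIREWALL RESET step are the ones given in the thread, while the `reg query` and `netsh firewall show icmpsetting` checks are additions.

```bat
@echo off
rem Added example: command-line equivalent of the regedit steps in this thread.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings"

rem 1. Report the starting state. reg query returns an error level when the
rem    IcmpSettings sub-key or the value does not exist yet.
reg query "%KEY%" /v AllowInboundEchoRequest >nul 2>&1
if errorlevel 1 (
    echo AllowInboundEchoRequest is not present yet
) else (
    reg query "%KEY%" /v AllowInboundEchoRequest
)

rem 2. reg add creates the IcmpSettings sub-key if it is missing and then
rem    writes the DWORD value 0 (inbound echo request not allowed).
reg add "%KEY%" /v AllowInboundEchoRequest /t REG_DWORD /d 0 /f
if errorlevel 1 (
    echo Could not write the value; check that the prompt has admin rights
    exit /b 1
)

rem 3. The step from the thread. reset returns the firewall configuration to
rem    its defaults, so exceptions added earlier have to be added again.
netsh firewall reset

rem 4. Confirm the value is still stored after the reset, then list the ICMP
rem    settings the firewall itself reports before re-running the external test.
reg query "%KEY%" /v AllowInboundEchoRequest
netsh firewall show icmpsetting

endlocal
```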
 
The firewall will disable the echo request option when it is being enabled
through the enabling of TCP445 (usually through the file/print sharing
option).

Also remember that there are multiple places one can enable icmp. One is
through the global icmp settings discussed so far, the other is through the
per-interface settings. It's also possible that an ISP is providing a NAT'd
connection and is itself responding to icmp requests on the connection's
behalf.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


 
David Beder said:
The firewall will disable the echo request option when it is being
enabled through the enabling of TCP445 (usually through the file/print
sharing option).

Thank you, David.

But doesn't that mean if a second machine is connected to the first
machine, the one which makes the DSL connection, file and printer
sharing will not work if the echo request option is disabled? If that
is the case, the lack of printer sharing would not be too bad but I
really need to share files.

With the router gone South right now, the only way I have to network my
two machines is to use a crossover ethernet cable between the ethernet
connections on each machine.
 
Ping (one of the ICMP commands) is not used for file/print sharing. It's basically a diagnostic tool. Other things use port 445, like file and print sharing, but they don't depend on ICMP commands to do their job.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

 