4

This question is specifically related to the ICMPv4 Timestamp Request (Type 13) message.

When I have Windows Firewall disabled I can send a Timestamp Request from the host and the client will receive the request and respond with Timestamp Reply (Type 14).

When I have Windows Firewall enabled I can send a Timestamp Request from the host and the client will receive the request but never responds with Timestamp Reply. I'm assuming this is because the firewall is blocking the request. However, I don't see any particular rules set up which indicate to me that this is really the case. Neither could I find any documentation online to help me understand if this particular message is being blocked by default (like ICMP Echo).

Does anyone know if Windows Firewall blocks this message by default? Is there somewhere I can look to see/configure this default setting? Is there documentation available somewhere that I simply missed?

I am using Nping to send the message and Wireshark to watch the packets come and go.

2 Answers

2

Windows Firewall blocks everything by default. The full processing order is documented on TechNet, but for simplicity, you can think of it as "1) handle all 'deny' rules, 2) handle all 'allow' rules, 3) deny or allow everything else, depending on profile settings".

When you open the firewall configuration tool (either by running wf.msc, or opening the "Windows Firewall with Advanced Security" app, or clicking the "Advanced Settings" link in Control Panel), you see this screen:

(Screenshot of wf.msc indicating the profiles' global policy)

By default, this says "Inbound connections that do not match a rule are blocked", and this really applies to all packets not associated with an existing state, including ICMP requests. If you haven't found any specific rules related to Timestamp Requests, that means they will be denied as per the default configuration.

So in order to allow specific ICMP types, you should of course create rules under "Inbound Rules", or enable those which already exist. For example, the "File and Printer Sharing" group has built-in rules to allow incoming ICMP 'Echo Request':

(Screenshot of wf.msc rules allowing ICMP Echo)

The specific ICMP types for each rule are selected under "Protocols and Ports → ICMP settings: Customize". (In order to allow Timestamp Request, you must create a custom rule; the list is read-only for built-in rules).

(Screenshot of wf.msc rule creation wizard) (Screenshot of wf.msc rule parameters, listing ICMP types and subtypes)

Finally, however, note that even if the firewall allows the packets through, that doesn't mean the OS will actually support that specific ICMP request type. As ICMPv4 "Timestamp Request" is fairly rare (rare enough to not have a built-in rule in Windows Firewall, and outright has no equivalent in ICMPv6), there is no real guarantee that future Windows versions won't "deprecate" and remove code for responding to such requests...

grawity
  • 501,077
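
The checks and the custom rule described in the answer above, as an added PowerShell example that is not part of the original answer. The rule name and the `192.0.2.10` source address are constructed placeholders; the cmdlets come from the built-in NetSecurity module and need an elevated session.

```powershell
# Added example, not from the original answer.
# $Prober is a constructed placeholder (TEST-NET-1): replace it with the host
# that sends the Timestamp Requests. $RuleName is a hypothetical display name.
$Prober   = '192.0.2.10'
$RuleName = 'Allow ICMPv4 Timestamp Request (custom)'

# 1. Effective default for inbound traffic that matches no rule, per profile.
#    ActiveStore shows local settings merged with Group Policy.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 2. Enabled inbound allow rules that cover ICMPv4, with the types each permits.
#    A rule admits Timestamp Request only if IcmpType lists 13 or Any.
Get-NetFirewallPortFilter -Protocol ICMPv4 | ForEach-Object {
    $filter = $_
    $rule   = $filter | Get-NetFirewallRule
    if ($rule.Direction -eq 'Inbound' -and
        $rule.Enabled   -eq 'True'    -and
        $rule.Action    -eq 'Allow') {
        [pscustomobject]@{
            Rule     = $rule.DisplayName
            Profile  = $rule.Profile
            IcmpType = $filter.IcmpType -join ','
        }
    }
} | Format-Table -AutoSize

# 3. Create the custom rule only if it does not exist yet. It is limited to
#    type 13, to one source address, and to the Domain and Private profiles,
#    so the Public profile keeps dropping the request.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 13 `
        -RemoteAddress $Prober `
        -Profile Domain, Private | Out-Null
}

# 4. Confirm what the new rule actually matches.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, IcmpType
```

`Remove-NetFirewallRule -DisplayName $RuleName` deletes the rule again once testing is finished.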
-1

UDP is inherently "dumb", as in simple, not sophisticated. There is, more often than not, no requirement that the requests return anything, or succeed at all. It's pretty dry reading, but you'd probably find RFC-792 a good read in your situation. As to a cure: if it were me, I'd probably open up echo req, and see if you don't get a better return value on your requests.

While not a Windows man(ual) page, the following FreeBSD man page should help in better understanding all the details of ICMP.

somebody
  • 560