Monday, July 9, 2012

Enabling PING echo in Server 2012 with PowerShell

Once again, lets use the new PowerShell cmdlets that ship in the box with Server 2012.

The Server 2008 way of enabling PING to echo involved netsh.

netsh advfirewall firewall add rule name=”Allow Ping” protocol=icmpv4 dir=in action=allow 

Mind you, netsh is still in Server 2012 and this command works, but it is the old way of doing things, lets look forward.

Actually, lets run that netsh command on Server 2012 and see what we get – explore the assumptions of this netsh command.

Get-NetFirewallRule –Name “Allow Ping”


Hmm.  No Firewall rules found that match.  But in my netsh command I set name=”Allow Ping”, what gives?

Well, if you list all the rules out, you discover that netsh sets the DisplayName property, not the name property of the rule.  It creates a random GUID for the Name.  And, if you try New-NetFirewallRule you discover that –DisplayName is required but –Name is not.  (the things you learn).


Okay, enough discovery.

Let’s create the same rule using PowerShell in Server 2012

New-NetFirewallRule –DisplayName “Allow Ping” –Direction Inbound –Action Allow –Protocol icmpv4 –Enabled True

Now, the really nifty thing is that I can really quickly disable the same rule and turn PING echoes back off.

Set-NetFirewallRule –DisplayName “Allow Ping” –Enabled False

The rule remains, but it is simply disabled so I don’t need to create it again.  And I can turn it back on when I need.

And, to remove the rule entirely:

Remove-NetFirewallRule –DisplayName “Allow Ping”


BrianEh said...

I just ran across the existing Firewall rules (someone posted them in the TechNet Forums) - a bit cryptic in the name, so not totally obvious.

Set-NetFirewallRule –Name “FPS-ICMP4-ERQ-In” –Enabled True
Set-NetFirewallRule –Name “FPS-ICMP4-ERQ-Out” –Enabled True

Anonymous said...

You can also use sconfig - option 4 to allow ping on your server core.

BrianEh said...

Yes, but that isn't PowerShell is it ;-)

Tyler Gohl said...

I'm curious what "Set-NetFirewallRule –Name “FPS-ICMP4-ERQ-Out” –Enabled True" actually does - as the "ERQ-In" is the only thing you really need to allow inbound ICMP requests, and outbound pings seem to work without enabling "ERQ-Out"

BrianEh said...

I take it as a literal firewall setting.
In most cases the reply is allowed by default, but not always.
In a past life I had to set very tight firewall and IPsec rules.
So I understand that there are cases where you could have the incoming on and the reply denied, unless the outgoing is set.

Unknown said...

Is there an option to set a scope of allowed addresses to prevent DoS attacks when you open the ICMP rule in PowerShell?

BrianEh said...

Not as far as I have ever seen anyone mention.

That said, you can usually scope a firewall rule to an IP or range of IPs that it will respond to.

I have always been in the practice of having it disabled myself.

Using Set-NetFirewallRule should have options that allow you to define constraints.

Looking here:
It appears that -RemoteAddress might handle it.