Todd Sabin writes:

> Apparently, the way it works is that for UDP and TCP, you completely
> disable them by changing their setting to "Permit Only", and don't
> permit any ports, rather than with the IP protocols box. Since you
> left UDP at permit all ports, your netcat test got through.
>
> The IP Protocols box is protocols other than UDP and TCP. Except for
> ICMP. You can't disable that at all, as you noticed. Not being able
> to disable ICMP was discussed on NTBugtraq a little while ago.
>

It seems that you are right. I used PPTP (GRE) to test it and the RAS
server did send an ICMP message back:

14:49:19.769569 gre-proto-0x880B (gre encap)
14:49:19.769647 RASSERVER > CLIENT: icmp: RASSERVER protocol 47 unreachable

However, I still consider it a bug. The GUI is misleading. If I
configure the TCP/IP security using the GUI to "Permit *only* IP
protocols: 6 (TCP)", then EVERYTHING including ICMP and UDP (regardless
of other settings) should be denied and NT should send an ICMP
unreachable.

/stefan
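The filter semantics discussed in this thread, as an added example that is not part of either message and is not Microsoft code: a small model that compares the behaviour described above with the stricter reading the GUI wording suggests, and lists the traffic that gets through unexpectedly. The class, function names and probe list are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set

ICMP, TCP, UDP, GRE = 1, 6, 17, 47  # IANA IP protocol numbers

@dataclass
class FilterConfig:
    """One adapter's three boxes. None = "Permit All"; a set = "Permit Only" those values."""
    tcp_ports: Optional[Set[int]] = None
    udp_ports: Optional[Set[int]] = None
    ip_protocols: Optional[Set[int]] = None

def _in(box, value):
    return box is None or value in box

def described(cfg, proto, dport=None):
    """Behaviour as described in the thread: each box governs only its own traffic."""
    if proto == ICMP:
        return True                       # cannot be disabled at all
    if proto == TCP:
        return _in(cfg.tcp_ports, dport)  # IP Protocols box is not consulted
    if proto == UDP:
        return _in(cfg.udp_ports, dport)
    return _in(cfg.ip_protocols, proto)   # e.g. GRE (47), answered with ICMP unreachable

def gui_reading(cfg, proto, dport=None):
    """What the "Permit Only IP protocols" wording suggests: the list gates everything."""
    if not _in(cfg.ip_protocols, proto):
        return False
    if proto == TCP:
        return _in(cfg.tcp_ports, dport)
    if proto == UDP:
        return _in(cfg.udp_ports, dport)
    return True

def unexpected_exposure(cfg, probes):
    """Probes admitted under the described behaviour that the GUI reading would deny."""
    return [p for p in probes if described(cfg, *p) and not gui_reading(cfg, *p)]

# Constructed probes: (protocol, destination port or None).
PROBES = [(TCP, 80), (UDP, 53), (ICMP, None), (GRE, None)]
AS_TESTED = FilterConfig(ip_protocols={TCP})                   # UDP left at Permit All
TIGHTENED = FilterConfig(udp_ports=set(), ip_protocols={TCP})  # UDP Permit Only, no ports

if __name__ == "__main__":
    for name, cfg in (("as tested", AS_TESTED), ("tightened", TIGHTENED)):
        print(name, unexpected_exposure(cfg, PROBES))
```

With UDP set to "Permit Only" and no ports, only ICMP remains admitted against the GUI reading, which matches the point that ICMP cannot be disabled from this dialog.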
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:09 PDT