Hello,

common TCP/IP implemetations return ICMP port unreachable error packet
when somobody send packet to port where no server is listening. This was
true even in Windows XP.

However Windows Vista Business SP2 behaves differently. It drops the
packet silently even if given port is allowed for incoming communication
in Advanced firewall settings. (And yes, I'm pretty sure it's really
allowed because in the pfirewall log is not message about dropping.)

I guess this is yet another Windows feature trying to smarter and more
secure than user.

Does anybody know how to get classic behaviour back?

-- Petr

Petr Pisar wrote:
> Hello,
>
> common TCP/IP implemetations return ICMP port unreachable error packet
> when somobody send packet to port where no server is listening. This was
> true even in Windows XP.
>
> However Windows Vista Business SP2 behaves differently. It drops the
> packet silently even if given port is allowed for incoming communication
> in Advanced firewall settings. (And yes, I'm pretty sure it's really
> allowed because in the pfirewall log is not message about dropping.)
>
> I guess this is yet another Windows feature trying to smarter and more
> secure than user.


Maybe, IPsec is enabled on the machine with a policy to block ICMP. A
drop message by the FW wouldn't be logged, as IPsec sits in front of the
FW and blocks.

Other than IPsec with an IPsec policy or something else like a 3rd
personal FW solution running on the machine that's doing the blocking,
then nothing else on Vista other than Vista's FW is going to be blocking.

On 2009-11-12, Mr. Arnold <Arnold@Arnold.com> wrote:
> Petr Pisar wrote:
>>
>> common TCP/IP implemetations return ICMP port unreachable error packet
>> when somobody send packet to port where no server is listening. This was
>> true even in Windows XP.
>>
>> However Windows Vista Business SP2 behaves differently. It drops the
>> packet silently
[...]
>
> Maybe, IPsec is enabled on the machine with a policy to block ICMP. A
> drop message by the FW wouldn't be logged, as IPsec sits in front of the
> FW and blocks.
>
> Other than IPsec with an IPsec policy or something else like a 3rd
> personal FW solution running on the machine that's doing the blocking,
> then nothing else on Vista other than Vista's FW is going to be blocking.
>
I have installed the machine and I'm the only administrator of the
system. No third party packet filters nor IPsec policies are installed
or active. FYI, ICMP echo request and replies flow normally.

I found the same complaint on web
(http://www.vistax64.com/vista-security/150480-rejecting-ident-port-113-requests.html), but without solution.

Can anybody at least confirm that it's a bug/feature of Windows Vista?
(I don't have any other system to compare it.)

-- Petr

> Can anybody at least confirm that it's a bug/feature of Windows Vista?
> (I don't have any other system to compare it.)

It is a "feature":
http://technet.microsoft.com/en-us/library/dd448557(WS.10).aspx

And I still have not found any way to disable it.

Ondrej