Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,451 questions
Maybe this one helps?
Hyper-V Extended ACL - Can ICMP be stateful or not?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 71%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAC%3C/text%3E%3C/svg%3E)
A-Cloud
1
Reputation point
Can you add stateful ACL rules (on a Hyper-V Virtual Switch) on the ICMP protocol?
If not, this leaves you to either open ICMP to everyone or close ICMP to everyone including the VM itself.
Neither is secure or practical for such an important and basic functionality (ping).
Talking about this: https://learn.microsoft.com/en-us/powershell/module/hyper-v/add-vmnetworkadapterextendedacl?view=win10-ps
{count} votes
-
Vadims Podāns 8,866 Reputation points MVP2020-07-31T18:11:41.517+00:00 ICMP isn't a stateful protocol.
-
A-Cloud 1 Reputation point
2020-07-31T23:31:44.18+00:00 Neither is UDP, but you can do UDP stateful rules with the above command (Apart from the fact that every firewall I came across had ICMP stateful rules. ) ... why not ICMP as well?
Sign in to comment
4 answers
Sort by: Most helpful
-
Dave Patrick 426.1K Reputation points MVP2020-07-27T21:43:26.393+00:00 -
A-Cloud 1 Reputation point
2020-07-28T17:38:12.377+00:00 No, that's for the host/OS itself. I am talking about creating stateful ICMP ACL rules on Hyper-V that applies to a VM.
-
Dave Patrick 426.1K Reputation points MVP
2020-07-28T18:12:57.183+00:00 Assuming a windows virtual machine you can set the same firewall rules.
-
A-Cloud 1 Reputation point
2020-07-28T18:35:19.943+00:00 Maybe you didn't read or understand my reply, let me repeat it:
No, that's for the host/OS itself. I am talking about creating stateful ICMP ACL rules on Hyper-V that applies to a VM.
Sign in to comment -
-
TimCerling(ret) 1,156 Reputation points2020-08-02T12:45:14.643+00:00 "I am talking about creating stateful ICMP ACL rules on Hyper-V that applies to a VM."
That is asking for one operating system environment (the host Hyper-V) to impose restrictions on another operating system environment (a guest VM). They are two completely isolated environments. Host does not know what is going on within the guest; guest does not know what is going on within the host. Security boundaries are not bypassed.
-
A-Cloud 1 Reputation point
2020-08-02T17:58:08.12+00:00 Please read the OP.
Talking about this: https://learn.microsoft.com/en-us/powershell/module/hyper-v/add-vmnetworkadapterextendedacl?view=win10-ps
Sign in to comment -
-
Xiaowei He 9,871 Reputation points2020-08-04T07:07:25.437+00:00 Hi,
Please try if the following command could work:
Add-VMNetworkAdapterExtendedAcl -VMName "xxxxxxxx" -Action Allow -Direction Outbound -Protocol 1 -Weight 100
According to the following article, we need to use the Protocol number for ICMP.
If the command could work for the VM, please also check if it meets your requirements, I also find an article about the Extend ACL not work for ICMP, however, there's not enough information about it. Attach it for your reference, and also appreciate your feedback about the test result.
Thanks for your time!
Best Regards,
Anne-
A-Cloud 1 Reputation point
2020-08-04T18:09:39.14+00:00 Yes, that's exactly the problem (the linked uservoice post).
We can create ICMP rules but the -Stateful parameter does not work.
Can we get an answer or feedback from the Hyper-V/Windows Server team on this?
-
A-Cloud 1 Reputation point
2020-08-13T18:13:40.333+00:00 Any news if we can get an answer or feedback from the Hyper-V/Windows Server team on this?
-
Dave Patrick 426.1K Reputation points MVP
2020-08-13T18:58:20.297+00:00 answer or feedback from the Hyper-V/Windows Server team on this?
You may need to contact them here.
https://support.microsoft.com/en-us/hub/4343728/support-for-business
-
A-Cloud 1 Reputation point
2020-08-14T21:49:37.687+00:00 You need to purchase a support plan for that.
I don't think it's reasonable to buy a plan just to ask a question, especially one that may help Microsoft more than myself. -
A-Cloud 1 Reputation point
2020-08-24T18:56:39+00:00 Any updates?
-
TimCerling(ret) 1,156 Reputation points
2020-08-25T13:38:39.683+00:00 If you feel it is truly a bug, you can report it as such. If it is deemed to be a bug and not working as defined, there is no cost. Otherwise, if you wish to make a suggestion, then following Anne's suggestion for posting/voting via Uservoice is the recommended route.
-
A-Cloud 1 Reputation point
2020-08-26T17:17:41.273+00:00 Where can I report the bug at no cost?
-
TimCerling(ret) 1,156 Reputation points
2020-08-27T13:51:50.167+00:00 On the support page. Yes, there is a cost for filing the incident, but if it is deemed a bug, you are provided a refund. It is not enough for an end user to report an issue as a bug and expect to not pay for its initial investigation. It has to be determined by the product engineers that it is a bug. If such a control were not in place, Microsoft would be deluged with everything as a bug report, even if it is a bug report in a user's program.
-
TimCerling(ret) 1,156 Reputation points
2020-08-27T13:55:00.777+00:00 Open a support incident. Yes, you will be charged for the incident. The engineers need to determine that it is an actual bug. Until it is investigated, it is not known if it is a bug. If it is determined to be a bug, then you are refunded the cost of the incident.
Sign in to comment -
-
Dave Patrick 426.1K Reputation points MVP
2020-08-26T18:11:51.497+00:00 You can start a case here with product support. If its confirmed a bug then no charges will incur.
https://support.microsoft.com/en-us/hub/4343728/support-for-businessThe other completely free option is to report this as feedback over here on uservoice.,
https://windowsserver.uservoice.com/forums/295047-general-feedback--please don't forget to Accept as answer if the reply is helpful--
-
A-Cloud 1 Reputation point
2020-08-26T21:12:48.193+00:00 Nope, you need to pay first:
-
Dave Patrick 426.1K Reputation points MVP
2020-08-26T21:33:35.217+00:00 It's your decision whether to roll the dice. If its confirmed a bug then the incident is free.
-
A-Cloud 1 Reputation point
2020-08-26T21:42:06.397+00:00 Roll the dice?
Pathetic to say the least.
-
Dave Patrick 426.1K Reputation points MVP
2020-08-26T21:43:29.233+00:00 Yep totally your call.
-
TimCerling(ret) 1,156 Reputation points
2020-08-27T14:07:11.237+00:00 "Pathetic to say the least"
I am curious. How would you suggest that Microsoft handle something like this? Yes, it appears to be a bug. But it will cost Microsoft something to investigate it. Microsoft receives millions of support incidents every year. If you are a follower of technical forums, you will see time after time after time where users have insisted they have found a 'bug', but when the community digs into it, it turns out it was a misunderstanding of how the product worked. If you were the owner of a product that dealt with thousands of support calls every year, would you think it fair to have customers learn about your product by calling your support line at no charge when something doesn't work the way the customer thought it should work? How would you bill after the fact if you did not have a contract before starting the investigation. I'm sure Microsoft is open to ideas as to how to handle this customer satisfaction issue.
-
A-Cloud 1 Reputation point
2020-08-27T17:23:26.58+00:00 So I sell you a piece of software and you discover a bug.
You'll reach out to me to report the bug in hopes that it will be fixed.
Also you're probably expecting some gratitude for your time to report something that should have worked in the first place or perhaps an apology for the inconvenience.NOPE!
I'll tell you that you need to pay $500 for me just to read your request.
Oh, and you might not get the $500 just because.Pathetic.
Sign in to comment -