I read this article that describes how traceroute works: http://archives.neohapsis.com/archives/firewalls/2001-q1/1721.html And then I did ran tracert a few times on my Windows 2000 computer with CHX installed. I was surprised to see tracert work flawlessly. Tracert basically sends a UDP packet and relies on routers to send back ICMP type 11 code 0 packets. I actually have a CHX rule to Allow incoming ICMP type 11 code 0 packets (note that it is an "Allow" rule, not a "Force Allow" rule), but I also have ICMP stateful inspection turned on, so shouldn't CHX consider those ICMP packets to be unsolicited and reject them? Those packets weren't logged (and I do have stateful inspection logging turned on), so CHX is letting them thru. Just wondering if CHX is working correctly or if it has a bug.