Windows Firewall UDF


JLogan3o13

  • Moderators

Hi, ricky03. I will look into writing out to a log. I'm leaning toward writing to the Event Viewer at the moment, unless there is a compelling reason to do it another way. Thanks for the suggestion.

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!


  • 3 weeks later...

Hi,

Thanks for the UDF; it looks like it could be very useful.

Could the same principles be used to specify which connections are protected by the firewall?

Example: two PCs. PC1 has two LAN connections, Public and Private. PC2 has one connection, Private, only connected to PC1.

For PC1, Public network connection should have the firewall enabled, Private should have it disabled.

For PC2, Private network connection needs no firewall.

So it would be useful to call a function and tell it the name of the connection (e.g., "Local Area Connection 2") and have the function uncheck the box for each firewall profile so the NIC is not firewalled.

Conversely, a function to make sure the NIC is protected by the firewall would also be useful.

E.g., leave the firewall enabled but toggle the state only for a specific network connection.

Is there a Microsoft technote that describes how this could be done? I can't find one; if we find a way, maybe we can add it to this UDF.

Always carry a towel.


  • Moderators

It sounds like you're describing some of the rules that can be done at the LAN, Interface, Service, etc. level when using the Advanced Security API (link below). This is something I am looking to add into the UDF at present, as I have the time.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa366418(v=vs.85).aspx


  • 3 months later...

Hello,

Thanks for this UDF, but I want to list the authorized apps and ports from all profiles. How can I do that?

I tried to find it on the internet, but found nothing, which is strange.

Thanks in advance for your help


  • 1 year later...

Powerful script you have here, thanks for putting this together.

In the AddPort function you have one of the Scope options being "2 - Custom List", but where do you define the custom list and what would the format be?

Thanks for your help; hopefully you are still watching this thread.


  • Moderators

Hi, @NANorman. That script is definitely in need of some updating. I am traveling at the moment, so haven't had a chance to look closely. But at first glance you should be able to modify the function like so to include your addresses:

Func _AddPort($Name, $PortNumber, $Scope = 0, $Protocol = 6, $Enabled = "False", $sRemoteList = "")
    _createFWMgrObject() ; sets the script-scope $profile object used below

    Local $aPorts = $profile.GloballyOpenPorts
    Local $PortNum = $aPorts.Item($PortNumber, $Protocol)
    If IsObj($PortNum) Then
        ; The port is already listed; report whether it is enabled (3) or disabled (4)
        If $PortNum.Enabled = True Then
            Return SetError(1, 3, "")
        Else
            Return SetError(1, 4, "")
        EndIf
    Else
        Local $port = ObjCreate("HNetCfg.FWOpenPort")
        If Not IsObj($port) Then Return SetError(1, 5, "")
        $port.Name = $Name
        $port.Port = $PortNumber
        $port.Protocol = $Protocol
        $port.Enabled = $Enabled

        ; Scope 2 (custom list) is expressed by assigning the address list itself;
        ; the list is "ip/mask" entries separated by commas, as in the call below
        If $Scope = 2 Then
            $port.RemoteAddresses = $sRemoteList
        Else
            $port.Scope = $Scope
        EndIf

        $profile.GloballyOpenPorts.Add($port)
        If @error <> 0 Then Return SetError(1, 6, "")
    EndIf
EndFunc

Calling the function like this seems to work for me. Again, brief test on WIN10, haven't checked it thoroughly on all OS's yet.

_AddPort("MyTestPort", 9999, 2, Default, "True", "10.1.1.1/255.255.255.255,12.5.0.0/255.255.0.0")

 


  • 2 weeks later...

Hello,

Sorry for my bad English.
Does somebody have such a problem?
If my app is "D:\test.exe":

_AddAuthorizedApp ("Test_FireWall","D:\test.exe",2,1,1)
In Win7, the path is added to the firewall correctly.
In Win8.1, the path is added to the firewall but always shows as "C:5\test.exe".

Edited by acer351

Ok, another question on the same script: I need to open a massive range of ports to just a single IP address. 1024-65535 TCP is the range in question.

Obviously calling the function to open a single port 64000 times isn't feasible; there must be a way to specify a range?

Thank you for any assistance,

-NAN


  • Moderators

@NANorman a quick glance at the MSDN pages for the firewall does not show a parameter to allow you to add thousands of ports in a single pass. You are more than welcome to look on MSDN for yourself. Most of what I find uses a loop; I have never needed to add 64000 ports at a time myself, and can find no examples of anyone else needing to.


You don't need to open 64000 ports, you just need to close 1000. And that is a more than reasonable loop.


  • 1 year later...
  • Moderators

@Nareshm that depends on a whole lot. What OS are you running? What is your current firewall config, is the application listed as an Exception or an Authorized App?


36 minutes ago, JLogan3o13 said:

@Nareshm that depends on a whole lot. What OS are you running? What is your current firewall config, is the application listed as an Exception or an Authorized App?

@JLogan3o13
I am running Windows 7 Pro 64-bit, and my application is added to inbound/outbound rules. I want to only allow or block it using AutoIt.


  • 11 months later...

Hi,

I know this topic is very old, but I have a question. For our company I have to create an installation guide for a few programs. During this I have to open incoming and outgoing ports / apps...

So I am able to create incoming firewall rules (ports and apps) but not outgoing ones. Is there a possibility to realize it?

Thanks a lot

tommii


@tommii

It's much easier to use the command line tool NETSH.

Example :

netsh advfirewall firewall add rule name="NetBIOS UDP Port 137" dir=in action=allow protocol=UDP localport=137
netsh advfirewall firewall add rule name="NetBIOS UDP Port 137" dir=out action=allow protocol=UDP localport=137

You can define IN or OUT going...
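An added example, not from the thread or the UDF: an AutoIt wrapper around the netsh command above that adds an allow rule in either direction, optionally tied to a program path, and reads netsh's reply so the caller learns whether the rule was actually created. It also goes beyond the post by using netsh's port-range and remoteip parameters, which cover the earlier request to open 1024-65535 TCP to one host with a single rule instead of a 64000-iteration loop. The function name is my own, and English netsh output ("Ok.") is assumed.

```autoit
#RequireAdmin
#include <AutoItConstants.au3>

; Adds an allow rule through netsh advfirewall and returns True only when netsh answers "Ok.".
; $sDir is "in" or "out"; $sLocalPorts is a single port or a range such as "1024-65535";
; $sRemoteIp restricts the rule to one address or subnet ("any" = no restriction);
; $sProgram optionally limits the rule to one executable, as tommii asked about.
Func _FwRuleAdd($sName, $sDir, $sProtocol, $sLocalPorts, $sRemoteIp = "any", $sProgram = "")
    If $sDir <> "in" And $sDir <> "out" Then Return SetError(1, 0, False)
    Local $sCmd = 'netsh advfirewall firewall add rule name="' & $sName & '" dir=' & $sDir & _
            ' action=allow protocol=' & $sProtocol & ' localport=' & $sLocalPorts & ' remoteip=' & $sRemoteIp
    If $sProgram <> "" Then $sCmd &= ' program="' & $sProgram & '"'
    ; Capture stdout and stderr together; netsh reports parameter errors on the console only
    Local $iPid = Run(@ComSpec & ' /c ' & $sCmd, "", @SW_HIDE, $STDERR_MERGED)
    If @error Then Return SetError(2, 0, False)
    ProcessWaitClose($iPid)
    Local $sOut = StdoutRead($iPid)
    If StringInStr($sOut, "Ok.") Then Return True ; English netsh output assumed
    ConsoleWrite("netsh: " & StringStripWS($sOut, 3) & @CRLF) ; surface the reason, e.g. a bad parameter
    Return SetError(3, 0, False)
EndFunc   ;==>_FwRuleAdd

; The in/out pair from the post above
_FwRuleAdd("NetBIOS UDP Port 137", "in", "UDP", 137)
_FwRuleAdd("NetBIOS UDP Port 137", "out", "UDP", 137)
; The whole range from the earlier question, scoped to the one remote host (address taken from the thread)
_FwRuleAdd("Ephemeral TCP from 10.1.1.1", "in", "TCP", "1024-65535", "10.1.1.1")
```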

 


  • 1 year later...

Hi @JLogan3o13, I have a problem with your UDF when I run it in Windows Server 2012 R2 to add a new listening port. Here is my script:

#include <RegSearch.au3>
#include <Windows Firewall.au3>

Global Const $TCP = 6
Global Const $UDP = 17

ConsoleWrite(_RemotePort_Add(3380, $TCP) & @CRLF)

Func _RemotePort_Add($iPort, $iType = 6)
    ; Accept ports 1-65535 and only the two protocol numbers used here (6 = TCP, 17 = UDP);
    ; the original pattern '^[6]{1}|[17]{2}$' also matched values such as "11" or "77"
    If StringRegExp($iPort, '^(6553[0-5]|655[0-2]\d|65[0-4]\d\d|6[0-4]\d{3}|[1-5]\d{4}|[1-9]\d{0,3})$') And StringRegExp($iType, '^(6|17)$') Then
        Local Const $sRegMainPath = "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations"
        Local Const $sRegNewPath = $sRegMainPath & "\RDP-Tcp-" & $iPort
        Local Const $asRegValueType[12] = ["REG_NONE", "REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD", "REG_DWORD_BIG_ENDIAN", "REG_LINK", "REG_MULTI_SZ", "REG_RESOURCE_LIST", "REG_FULL_RESOURCE_DESCRIPTOR", "REG_RESOURCE_REQUIREMENTS_LIST", "REG_QWORD"]
        Local $sRegMainPathValue, $sRegRead, $sRegType

        If Not StringInStr(_RegSearch($sRegMainPath, $iPort, 4), "PortNumber = " & $iPort) Then
            ; Clone every value of the existing RDP-Tcp listener except PortNumber into the new key.
            ; RegWrite returns 0 on failure, so test the return value directly: the original
            ; "= @error" comparison could never be true and silently ignored write errors.
            For $i = 1 To 1000
                $sRegMainPathValue = RegEnumVal($sRegMainPath & "\RDP-Tcp", $i)
                If @error <> 0 Then ExitLoop ; no more values to copy
                If $sRegMainPathValue <> "PortNumber" Then
                    $sRegRead = RegRead($sRegMainPath & "\RDP-Tcp", $sRegMainPathValue)
                    $sRegType = $asRegValueType[@extended] ; RegRead reports the value type in @extended
                    If Not RegWrite($sRegNewPath, $sRegMainPathValue, $sRegType, $sRegRead) Then
                        Return SetError(-3, 0, -3)
                    EndIf
                EndIf
            Next

            If Not RegWrite($sRegNewPath, "PortNumber", "REG_DWORD", $iPort) Then
                Return SetError(-3, 0, -3)
            EndIf

            ; _AddPort() signals failure through @error, not through its return value
            Local $sProtoName = ($iType = $TCP) ? "TCP" : "UDP"
            _AddPort("RDP Listening Port to Terminal Server", $iPort, 0, $iType, "True")
            If @error Then Return SetError(-4, 0, -4)
            Return SetExtended(0, "SUCCESS: <" & $iPort & "> " & $sProtoName & " port has been successfully opened!")
        Else
            Return SetExtended(0, 0)
        EndIf
    Else
        Return SetError(-1, 0, -1)
    EndIf
EndFunc   ;==>_RemotePort_Add

_RemotePort_Add.au3

And my output on the server is:

>"C:\Program Files (x86)\AutoIt3\SciTE\..\AutoIt3.exe" "C:\Program Files (x86)\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.au3" /run /prod /ErrorStdOut /in "C:\Users\.NetFramework\Desktop\22.au3" /UserParams    
+>11:16:22 Starting AutoIt3Wrapper (19.1127.1402.0} from:SciTE.exe (4.2.0.0)  Keyboard:00000409  OS:WIN_2012R2/  CPU:X64 OS:X64  Environment(Language:0409)  CodePage:0  utf8.auto.check:4
+>         SciTEDir => C:\Program Files (x86)\AutoIt3\SciTE   UserDir => C:\Users\.NetFramework\AppData\Local\AutoIt v3\SciTE\AutoIt3Wrapper   SCITE_USERHOME => C:\Users\.NetFramework\AppData\Local\AutoIt v3\SciTE 
>Running AU3Check (3.3.14.5)  from:C:\Program Files (x86)\AutoIt3  input:C:\Users\.NetFramework\Desktop\22.au3
+>11:16:22 AU3Check ended.rc:0
>Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\autoit3.exe "C:\Users\.NetFramework\Desktop\22.au3"    
+>Setting Hotkeys...--> Press Ctrl+Alt+Break to Restart or Ctrl+BREAK to Stop.
0
"C:\Program Files (x86)\AutoIt3\Include\Windows Firewall.au3" (112) : ==> The requested action with this object has failed.:
Local $PortNum = $aPorts.Item($PortNumber, $Protocol)
Local $PortNum = $aPorts^ ERROR
->11:16:22 AutoIt3.exe ended.rc:1
+>11:16:22 AutoIt3Wrapper Finished.
>Exit code: 1    Time: 1.327

 


  • Moderators

@Colduction I will take a look if I get some time this weekend, but this UDF has not been touched since 2014, as there are much easier ways to deal with the local firewall now so it doesn't surprise me some things no longer work. 

At a high level, from the error it is clear that $aPorts is not being populated during your call to _AddPort(). That function first creates the FW object, then opens the object's .LocalPolicy.CurrentProfile to see what profiles are in use. This seems to work fine, as you are receiving no errors creating the $profile. $aPorts is the GloballyOpenPorts on that profile, and that is where you seem to be failing. If you want to do some quick error checking, you can modify the opening line in the _AddPort function of the UDF to gather all the $profile properties so you can see what is there and what is not.
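As an added example (not part of the UDF or this thread), the error-checking the reply suggests, written against the same HNetCfg.FwMgr object chain the UDF uses: a COM error handler so a failing Item() call sets @error instead of aborting the script as in the output above, a dump of every profile's state, globally open ports and authorized applications (which also covers the earlier question about listing them from all profiles), and a lookup that returns False when a port is not listed. The function names are my own.

```autoit
; Without a handler, AutoIt aborts on any COM error ("The requested action with this
; object has failed"); with one, the handler runs and @error is set on the failing line.
Global $g_oFwComErr = ObjEvent("AutoIt.Error", "_FwComErr")

Func _FwComErr($oErr)
    ConsoleWrite("! COM error 0x" & Hex($oErr.number, 8) & " at line " & $oErr.scriptline & ": " & $oErr.windescription & @CRLF)
EndFunc   ;==>_FwComErr

; Lists the state, globally open ports and authorized applications of both legacy profiles
Func _FwDumpProfiles()
    Local $oFwMgr = ObjCreate("HNetCfg.FwMgr")
    If Not IsObj($oFwMgr) Then Return SetError(1, 0, False)
    ConsoleWrite("CurrentProfileType: " & $oFwMgr.CurrentProfileType & @CRLF)
    Local $oProfile, $oPort, $oApp
    For $iType = 0 To 1 ; NET_FW_PROFILE_DOMAIN = 0, NET_FW_PROFILE_STANDARD = 1
        $oProfile = $oFwMgr.LocalPolicy.GetProfileByType($iType)
        If @error Or Not IsObj($oProfile) Then ContinueLoop
        ConsoleWrite("== Profile " & $iType & ": FirewallEnabled=" & $oProfile.FirewallEnabled & _
                " ExceptionsNotAllowed=" & $oProfile.ExceptionsNotAllowed & @CRLF)
        For $oPort In $oProfile.GloballyOpenPorts
            ConsoleWrite("  port " & $oPort.Port & "/" & $oPort.Protocol & " '" & $oPort.Name & _
                    "' enabled=" & $oPort.Enabled & " remote=" & $oPort.RemoteAddresses & @CRLF)
        Next
        For $oApp In $oProfile.AuthorizedApplications
            ConsoleWrite("  app " & $oApp.ProcessImageFileName & " '" & $oApp.Name & _
                    "' enabled=" & $oApp.Enabled & " remote=" & $oApp.RemoteAddresses & @CRLF)
        Next
    Next
    Return True
EndFunc   ;==>_FwDumpProfiles

; Safe lookup: the same Item() call the UDF makes, but answering True/False instead of aborting
Func _FwPortListed($oProfile, $iPort, $iProtocol = 6)
    Local $oPort = $oProfile.GloballyOpenPorts.Item($iPort, $iProtocol)
    If @error Or Not IsObj($oPort) Then Return False
    Return $oPort.Enabled = True
EndFunc   ;==>_FwPortListed

_FwDumpProfiles()
Local $oFwMgrMain = ObjCreate("HNetCfg.FwMgr")
If IsObj($oFwMgrMain) Then ConsoleWrite("3389/TCP listed in current profile: " & _FwPortListed($oFwMgrMain.LocalPolicy.CurrentProfile, 3389) & @CRLF)
```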

 
