landetls
Posted November 18, 2012 (edited)

I thought I would share a script I wrote based on the Firewall UDF by jlogan3o13. The major difference is that this uses "HNetCfg.FwPolicy2", native to Vista, Win 7 and Win 8, which means it can set the firewall policy for both the private and the public profile. I wrote this for a UDP streaming deployment script. It's a simple function, hopefully self-explanatory enough, based off both jlogan3o13's work and documentation from MSDN.

#cs ----------------------------------------------------------------------------
 AutoIt Version: 3.3.9.2 (beta)
 Author:         LandeTLS
 Script Function: _AddFirewallProfile
 Related:         Firewall UDF By jlogan3o13
 ----------------------------------------------------------------------------
 example usage
#ce

$programfilesdir = @HomeDrive & "\Program Files (x86)"
_AddFirewallProfile(1, "VLC media player", $programfilesdir & "\VideoLAN\VLC\vlc.exe")

Func _AddFirewallProfile($_intEnableDisable, $_appName, $_applicationFullPath, $_protocol = 17, $_port = 1234, $_direction = 1) ;Add/Enable/Disable Firewall Exception
    If @OSVersion = "WIN_7" Or "WIN_8" Or "WIN_2008" Or "WIN_2008R2" Or "WIN_VISTA" Then
        $Policy = ObjCreate("HNetCfg.FwPolicy2")
        If Not @error Then
            $RulesObject = $Policy.Rules
            For $Rule In $RulesObject
                If $Rule.name = $_appName Then $RulesObject.Remove($_appName)
            Next
            $newApplication = ObjCreate("HNetCfg.FWRule")
            If Not @error Then
                $newApplication.Name = $_appName
                $newApplication.Description = $_appName
                $newApplication.Applicationname = $_applicationFullPath
                $newApplication.Protocol = $_protocol ; 17 = udp, 6 = tcp ; all = 0
                If Not $_protocol = 0 Then $newApplication.LocalPorts = $_port
                $newApplication.Direction = $_direction ; 1 = in; 2 = out
                $newApplication.InterfaceTypes = "All"
                $newApplication.Enabled = $_intEnableDisable
                $newApplication.Profiles = 2147483647 ; 2147483647 = all
                $newApplication.Action = 1 ; 1 = allow
                $RulesObject.Add($newApplication)
                Return 1
            Else
                Return SetError(2, 0, 0)
            EndIf
        Else
            Return SetError(1, 0, 0)
        EndIf
    Else ; legacy
        $Firewall = ObjCreate("HNetCfg.FwMgr")
        If Not @error Then
            $Policy = $Firewall.LocalPolicy
            $Profile = $Policy.GetProfileByType(1)
            $colApplications = $Profile.AuthorizedApplications
            $newApplication = ObjCreate("HNetCfg.FwAuthorizedApplication")
            If Not @error Then
                $newApplication.Name = $_appName
                $newApplication.IpVersion = 2
                $newApplication.ProcessImageFileName = $_applicationFullPath
                $newApplication.RemoteAddresses = "*"
                $newApplication.Scope = 0
                $newApplication.Enabled = $_intEnableDisable
                $colApplications.Add($newApplication)
                Return 1
            Else
                Return SetError(2, 0, 0)
            EndIf
        Else
            Return SetError(1, 0, 0)
        EndIf
    EndIf
EndFunc ;==>_AddFirewallProfile

Edited November 18, 2012 by landetls
LWC
Posted March 29, 2024 (edited)

Nice approach. But you got some parts wrong, so here's a fixed version:

Fixed the OR part in @OSVersion from always being TRUE
Fixed the OR part in @OSVersion from not supporting newer systems
Fixed completely crashing when not running as admin
Fixed default protocol to actually be All
Fixed the NOT logic in protocol to actually work instead of always returning TRUE
Fixed to support parallel rules for both directions (by giving a unique name, since the API relies on naming)
Fixed legacy code not to add a rule with the same name without deleting the existing one first
Moved $_direction to an earlier position since it's the most likely optional parameter to be used
Added actual return values
Added support for general usage without a specific port
Added support for blocking and not just approvals (changed function name accordingly)
Added support for specifying profiles
Added formatting

Note I only checked the modern "HNetCfg.FwPolicy2" part and not the legacy "HNetCfg.FwMgr". But the bottom line is, since it requires admin privileges, you have to run the entire script as admin, which is a security risk. I therefore have to accept that it's probably better to use the external approach of calling the command line netsh.

Func _AddRemoveFirewallProfile($_intEnableDisable, $_appName, $_applicationFullPath, $_direction = 1, $_action = 0, $_protocol = -1, $_port = 0, $_profile = 0) ;Add/Remove/Enable/Disable Firewall Exception
    If Not IsAdmin() Then
        ; Nonzero error code so the caller can distinguish this from success (SetError(0, ...) would leave @error = 0)
        Return SetError(3, 0, "Must be run as admin")
    EndIf
    If Not StringInStr("WIN_XPe", @OSVersion) Then
        $Policy = ObjCreate("HNetCfg.FwPolicy2")
        If Not @error Then
            $RulesObject = $Policy.Rules
            ; Rules are addressed by name, so make the name unique per direction
            Local $appNameAndDirection = $_appName & " - " & (($_direction == 2) ? "Out" : "In")
            For $Rule In $RulesObject
                If $Rule.Name = $appNameAndDirection Then $RulesObject.Remove($Rule.Name)
            Next
            If Not $_intEnableDisable Then
                Return 1
            EndIf
            $newApplication = ObjCreate("HNetCfg.FWRule")
            If Not @error Then
                $newApplication.Name = $appNameAndDirection
                $newApplication.Description = $_appName
                $newApplication.ApplicationName = $_applicationFullPath
                If $_protocol > -1 Then $newApplication.Protocol = $_protocol ; 17 = UDP, 6 = TCP, 0 = HOPOPT; left unset = Any
                If $_port > 0 Then $newApplication.LocalPorts = String($_port) ; LocalPorts is a string property, e.g. "1234" or "1234,1235"
                $newApplication.Direction = $_direction ; 1 = in; 2 = out
                $newApplication.InterfaceTypes = "All"
                $newApplication.Enabled = $_intEnableDisable
                $newApplication.Profiles = ($_profile > 0) ? $_profile : 2147483647 ; 1 = Domain, 2 = Private, 3 = Domain + Private, 4 = Public; 2147483647 = all
                $newApplication.Action = $_action ; 0 = block, 1 = allow
                $RulesObject.Add($newApplication)
                Return 1
            Else
                Return SetError(2, 0, "Couldn't create HNetCfg.FWRule")
            EndIf
        Else
            Return SetError(1, 0, "Couldn't create HNetCfg.FwPolicy2")
        EndIf
    Else ; legacy
        $Firewall = ObjCreate("HNetCfg.FwMgr")
        If Not @error Then
            $Policy = $Firewall.LocalPolicy
            $Profile = $Policy.GetProfileByType(1)
            $colApplications = $Profile.AuthorizedApplications
            For $App In $colApplications
                ; AuthorizedApplications.Remove() takes the image file name, not the application object
                If $App.ProcessImageFileName = $_applicationFullPath Then $colApplications.Remove($App.ProcessImageFileName)
            Next
            If Not $_intEnableDisable Then
                Return 1
            EndIf
            $newApplication = ObjCreate("HNetCfg.FwAuthorizedApplication")
            If Not @error Then
                $newApplication.Name = $_appName
                $newApplication.IpVersion = 2
                $newApplication.ProcessImageFileName = $_applicationFullPath
                $newApplication.RemoteAddresses = "*"
                $newApplication.Scope = 0
                $newApplication.Enabled = $_intEnableDisable
                $colApplications.Add($newApplication)
                Return 1
            Else
                Return SetError(2, 0, "Couldn't create HNetCfg.FwAuthorizedApplication")
            EndIf
        Else
            Return SetError(1, 0, "Couldn't create HNetCfg.FwMgr")
        EndIf
    EndIf
EndFunc ;==>_AddRemoveFirewallProfile

Edited May 18, 2024 by LWC
Added more features
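The two posts above drive the same HNetCfg.FwPolicy2 COM object from AutoIt. The PowerShell below is an added example, not code from either poster, showing the same rule lifecycle (elevation check, per-direction rule name, remove-before-add, protocol and profile constants) with the API's actual constants: protocol "Any" is 256, not 0, and ports may only be set after Protocol and only for TCP/UDP. The rule name, program path and port in the usage comment are illustrative values. Note that netsh advfirewall writes to the same policy store and also needs an elevated token, so the admin check applies whichever route is taken.

```powershell
# Added example (not from the original posts): manage a per-application Windows Firewall rule
# through the HNetCfg.FwPolicy2 COM object. Names and paths below are illustrative.

# Constants from the Windows Firewall with Advanced Security COM API (netfw.h)
$NET_FW_IP_PROTOCOL_TCP  = 6
$NET_FW_IP_PROTOCOL_UDP  = 17
$NET_FW_IP_PROTOCOL_ANY  = 256         # not 0: protocol 0 is IPv6 Hop-by-Hop (HOPOPT)
$NET_FW_RULE_DIR_IN      = 1
$NET_FW_RULE_DIR_OUT     = 2
$NET_FW_ACTION_BLOCK     = 0
$NET_FW_ACTION_ALLOW     = 1
$NET_FW_PROFILE2_DOMAIN  = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4
$NET_FW_PROFILE2_ALL     = 0x7FFFFFFF  # the 2147483647 used in the AutoIt code

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-AppFirewallRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ProgramPath,
        [int]    $Direction  = $NET_FW_RULE_DIR_IN,
        [int]    $Action     = $NET_FW_ACTION_ALLOW,
        [int]    $Protocol   = $NET_FW_IP_PROTOCOL_ANY,
        [string] $LocalPorts = '',           # e.g. '1234' or '1234-1240'; only meaningful for TCP/UDP
        [int]    $Profiles   = $NET_FW_PROFILE2_ALL,
        [switch] $Remove
    )
    # The COM object and 'netsh advfirewall' modify the same policy store; both need an elevated token.
    if (-not (Test-IsElevated)) { throw 'Must run elevated to change firewall rules.' }

    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $rules  = $policy.Rules

    # Rules are keyed by name; suffix the direction so an inbound and an outbound rule can coexist.
    $ruleName = '{0} - {1}' -f $Name, $(if ($Direction -eq $NET_FW_RULE_DIR_OUT) { 'Out' } else { 'In' })

    # Rules.Item($name) throws when the rule is missing, so enumerate first, then remove any existing copy.
    $existing = @($rules | Where-Object { $_.Name -eq $ruleName })
    foreach ($old in $existing) { $rules.Remove($old.Name) }
    if ($Remove) { return $null }

    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $ruleName
    $rule.Description     = "Per-application rule for $Name"
    $rule.ApplicationName = $ProgramPath
    $rule.Protocol        = $Protocol   # must be set before LocalPorts
    # Ports are only valid for protocols that have them; the API rejects LocalPorts otherwise.
    if ($LocalPorts -and ($Protocol -eq $NET_FW_IP_PROTOCOL_TCP -or $Protocol -eq $NET_FW_IP_PROTOCOL_UDP)) {
        $rule.LocalPorts = $LocalPorts
    }
    $rule.Direction      = $Direction
    $rule.InterfaceTypes = 'All'
    $rule.Profiles       = $Profiles
    $rule.Action         = $Action
    $rule.Enabled        = $true
    $rules.Add($rule)
    return $rule
}

# Usage (illustrative values): allow inbound UDP 1234 for a streaming client on the Private profile only
# Set-AppFirewallRule -Name 'VLC media player' -ProgramPath 'C:\Program Files (x86)\VideoLAN\VLC\vlc.exe' `
#     -Protocol $NET_FW_IP_PROTOCOL_UDP -LocalPorts '1234' -Profiles $NET_FW_PROFILE2_PRIVATE
# Remove it again:
# Set-AppFirewallRule -Name 'VLC media player' -ProgramPath 'C:\Program Files (x86)\VideoLAN\VLC\vlc.exe' -Remove
# Equivalent netsh command (also requires elevation):
#   netsh advfirewall firewall add rule name="VLC media player - In" dir=in action=allow ^
#       program="C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" protocol=UDP localport=1234 profile=private enable=yes
```

Scoping the rule to a single profile and a single program path, as the usage line does, is the least-privilege shape: a rule with Profiles = all and no application binding opens the port on public networks for every process.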