Back in my Opening Ports in Windows Firewall from Batch files post I found the command-line power (for batch file building) of the netsh command.
In the end I wrote a few variants to a) install a needed application silently (no user interaction), and b) set the Windows Firewall to open a needed port to inbound connections from a few specific remote servers, identified by IP address.
Here are a few examples (with my environmental specifics removed), built specifically for deployment on our XP Pro systems. As the first post pointed out, Vista and Windows 7 have updated (advanced) netsh commands that should be used instead.
Note: the Setup.exe file is held in the same folder that contains the bat files.
For my user-prompted batch file:
@echo off
echo -
echo To Set up and configure Application and FW-rule, type 1
echo -
echo To cancel, type 2
echo -
set /P selection= Type the number and then press Enter:
If "%selection%" == "1" goto APP_SETUP
If "%selection%" == "2" goto end
:APP_SETUP
echo Installing Application applet
Setup.exe
echo Adding Windows Firewall port exception
rem the netsh command below is one line (it wraps here)
netsh firewall add portopening protocol=tcp port=portnumber name=app-name mode=ENABLE profile=All Scope=custom addresses = server-ip-address_#1/subnet,server-ip-address_#1/subnet
echo Windows Firewall port opened
:end
and for the “silent” no-prompt bat file:
Setup.exe
netsh firewall add portopening protocol=tcp port=portnumber name=app-name mode=ENABLE profile=All Scope=custom addresses = server-ip-address_#1/subnet,server-ip-address_#1/subnet
Easy Peasy.
Note: each of those netsh commands is a single line with no line breaks, even though it wraps here.
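The same silent install-and-open-port job with the checks I would want in a script pushed to many machines, as an added example that is not the original post's batch file or the application's installer: it refuses to run without Setup.exe beside it, opens the port only after the installer reports success and only for the listed servers, and confirms the exception exists (using the verbose show command covered further down) before it returns. APP_NAME, APP_PORT, the two server/subnet placeholders and the log path are assumptions to replace with your own values.

```batch
@echo off
setlocal
rem Added example, not the original post's batch file: silent install plus
rem port exception with the checks a mass-deployment script should have.
rem Every value below is a placeholder (assumption) to replace with your own.
set APP_NAME=app-name
set APP_PORT=portnumber
set APP_SCOPE=server-ip-address_#1/subnet,server-ip-address_#2/subnet
set LOGFILE=%SystemRoot%\Temp\%APP_NAME%-deploy.log

echo %DATE% %TIME% starting %APP_NAME% deployment on %COMPUTERNAME% >> "%LOGFILE%"

rem 1. Refuse to run if Setup.exe is not beside this batch file (%~dp0 is the
rem    folder the .bat was started from, so the script works from any path).
if not exist "%~dp0Setup.exe" (
    echo Setup.exe not found in %~dp0 >> "%LOGFILE%"
    exit /b 1
)

rem 2. Run the installer and stop if it reports failure, so the port is never
rem    opened for an application that was not actually installed.
"%~dp0Setup.exe"
if errorlevel 1 (
    echo Setup.exe returned a non-zero exit code >> "%LOGFILE%"
    exit /b 2
)

rem 3. Open the port only for the listed servers (scope=CUSTOM), never scope=ALL.
rem    The check relies on netsh returning a non-zero exit code on error.
netsh firewall add portopening protocol=tcp port=%APP_PORT% name=%APP_NAME% mode=ENABLE profile=All scope=CUSTOM addresses=%APP_SCOPE% >> "%LOGFILE%" 2>&1
if errorlevel 1 (
    echo netsh add portopening failed >> "%LOGFILE%"
    exit /b 3
)

rem 4. Confirm an exception with that name really exists before reporting success.
netsh firewall show portopening verbose=enable | find /i "%APP_NAME%" >nul
if errorlevel 1 (
    echo port exception %APP_NAME% missing after add >> "%LOGFILE%"
    exit /b 4
)

echo %DATE% %TIME% port %APP_PORT%/tcp opened for %APP_NAME% scope %APP_SCOPE% >> "%LOGFILE%"
endlocal
exit /b 0
```

The final find only proves that an exception with that name exists; it does not check the scope, so the verbose show output still has to be read (or the addresses grepped for) when you want to be sure the port is not open to everyone. The exit codes let whatever pushes the script (a login script or software-distribution job) tell an installer failure from a firewall failure.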
Show + “Verbose = enable”
While verifying that I had my netsh line format built correctly, I needed to validate it (specifically the subnet part) against a system I had manually configured and verified was working correctly.
I was running the following command, but it wasn't giving me the firewall port detail I wanted:
netsh firewall show portopening
It took me some more digging, but I found that passing the command as follows, with verbose = enable added, gave me VERY detailed information on the port settings.
netsh firewall show portopening verbose = enable
This technique can easily generate great data from the command-line for system information audits and incident responses.
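Turning that into an audit collector, as an added example that is not from the original post: one batch file that writes the output of every show command, with verbose=enable where the command accepts it, to a per-host report and copies the firewall's own log beside it. REPORT_DIR is an assumption (point it at your collection folder or share), and the %SystemRoot%\pfirewall.log path is the XP SP2 default, to be confirmed against the LOGGING section of the report.

```batch
@echo off
setlocal
rem Added example, not from the original post: snapshot the XP firewall
rem configuration into one per-host report for an audit or incident response.
rem REPORT_DIR is an assumption; point it at your collection folder or share.
set REPORT_DIR=%SystemRoot%\Temp\fw-audit
set REPORT=%REPORT_DIR%\%COMPUTERNAME%-firewall.txt
if not exist "%REPORT_DIR%" mkdir "%REPORT_DIR%"

echo Windows Firewall snapshot for %COMPUTERNAME% taken %DATE% %TIME% > "%REPORT%"

rem verbose=enable is what adds the scope/address detail to the exception
rem lists; the commands that take no verbose parameter are run as-is.
call :heading "STATE"
netsh firewall show state verbose=enable >> "%REPORT%" 2>&1
call :heading "OPERATIONAL MODE"
netsh firewall show opmode >> "%REPORT%" 2>&1
call :heading "LOGGING"
netsh firewall show logging >> "%REPORT%" 2>&1
call :heading "PORT EXCEPTIONS"
netsh firewall show portopening verbose=enable >> "%REPORT%" 2>&1
call :heading "PROGRAM EXCEPTIONS"
netsh firewall show allowedprogram verbose=enable >> "%REPORT%" 2>&1
call :heading "SERVICE EXCEPTIONS"
netsh firewall show service verbose=enable >> "%REPORT%" 2>&1

rem Preserve the firewall's own log beside the report when logging was on.
rem %SystemRoot%\pfirewall.log is the XP SP2 default path; confirm it against
rem the LOGGING section, which prints the configured log file location.
if exist "%SystemRoot%\pfirewall.log" copy /y "%SystemRoot%\pfirewall.log" "%REPORT_DIR%\%COMPUTERNAME%-pfirewall.log" >nul

echo Report written to %REPORT%
endlocal
exit /b 0

:heading
rem Write a separator line so each command's output is easy to find and diff.
echo. >> "%REPORT%"
echo ===== %~1 ===== >> "%REPORT%"
goto :eof
```

Run it at the start of an incident, before anything changes the box, and again after remediation; the reports diff cleanly between runs and between hosts. show config verbose=enable alone returns the same data in one block, the separate sections just make the report easier to read and compare.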
From this post: Netsh Commands for Windows Firewall – Microsoft TechNet
show commands
The following show commands are used to display the current configuration:
The show command cannot be used to see the list of exceptions for the public profile, even if the public profile is the current profile. To see the list of exceptions for the public profile, use the Windows Firewall with Advanced Security MMC snap-in, and use the Filter by Profile option in the Actions pane.
- show allowedprogram [ [ verbose = ] { enable | disable } ]
  Displays the current list of program exceptions for the domain and standard profiles. Use the parameter verbose=enable to see additional details.
- show config [ [ verbose = ] { enable | disable } ]
  Displays the local configuration information for the domain and standard profiles, including the output of all other show commands. Use parameter verbose=enable to see additional details.
- show currentprofile
  Displays the current profile in use for the network location type. If the current profile is the public profile, then this command shows the standard profile.
- show icmpsetting [ [ verbose = ] { enable | disable } ]
  Displays the ICMP settings. Use parameter verbose=enable to see additional details.
- show logging
  Displays the current logging settings. If the current profile is the public profile, then this command shows the standard profile.
- show multicastbroadcastresponse
  Displays multicast/broadcast response settings for each profile.
- show notifications
  Displays whether the firewall displays pop-up notifications for each profile.
- show opmode
  Displays the operational mode for the firewall for each profile.
- show portopening
  Displays the current list of port exceptions for each profile. Use parameter verbose=enable to see additional details.
- show service
  Displays the service configuration for each profile. Use parameter verbose=enable to see additional details.
- show state
  Displays the current state information for the firewall. Use parameter verbose=enable to see additional details.
For more info see these additional sources:
- JSI Tip 8399. How can I report Windows Firewall settings? - WindowsITPro
- Download details: Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2 – Microsoft Download Center
Cheers!
--Claus V.