Sunday, January 10, 2010

Windows Firewall, the netsh command, and verbose = enable

Back in my Opening Ports in Windows Firewall from Batch files post, I found the command-line power of the netsh command for building batch files.

In the end I wrote a few variants to a) install a needed application surreptitiously, and b) set the Windows Firewall to open up a needed port to inbound connections from a few specific remote IP address based servers.

Here are a few examples (with my environmental specifics removed), built specifically for deployment on our XP Pro systems.  As the first post pointed out, Vista and Windows 7 now have some updated (advanced) items that should be used instead.

Note the setup.exe file is held in the same folder that contains the bat files.

For my user-prompted batch-file:

@echo off
echo -
echo To Set up and configure Application and FW-rule, type 1
echo -
echo To cancel, type 2
echo -

set /P  selection=    Type the number and then press Enter:  

If "%selection%" == "1"  goto APP_SETUP
If "%selection%" == "2"  goto end
rem Anything other than 1 or 2 stops here instead of falling through into the install
echo Invalid selection, nothing changed
goto end

:APP_SETUP
echo Installing Application applet

Setup.exe

echo Adding Windows Firewall port exception

rem Single line: opens the port inbound only for the listed server addresses (custom scope), on all profiles
netsh firewall add portopening protocol=tcp port=portnumber name=app-name mode=ENABLE profile=All Scope=custom addresses = server-ip-address_#1/subnet,server-ip-address_#2/subnet

echo Windows Firewall port opened

:end

and for the “silent” no-prompt bat file:

Setup.exe

netsh firewall add portopening protocol=tcp port=portnumber name=app-name mode=ENABLE profile=All Scope=custom addresses = server-ip-address_#1/subnet,server-ip-address_#2/subnet

Easy Peasy.

Note: those netsh command lines are actually all on one line with no returns, not wrapped as they may appear here...

Show + “Verbose = enable”

While verifying that I had my netsh line format built correctly, I needed to validate it (specifically the subnet info) against a system I had manually configured and verified was working correctly.

Although I was running the following command, it wasn’t quite giving me the firewall port detail I wanted.

netsh firewall show portopening

It took me some more digging, but I found that if I passed the CLI as follows with verbose = enable added, I got VERY detailed information on the port settings.

netsh firewall show portopening verbose = enable

This technique can easily generate great data from the command-line for system information audits and incident responses.
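To turn that verbose listing into audit data, here is an added example (not from the original post) that parses a captured port-exception listing and flags enabled inbound exceptions that are open to any address rather than a custom scope. The sample text is constructed to resemble the show portopening table, and the "Scope:" detail lines stand in for the verbose=enable output, so the exact column layout is an assumption; the regexes are easy to adjust against real output.

```python
import re

# Constructed sample resembling "netsh firewall show portopening verbose = enable";
# the "Scope:" lines are an assumed rendering of the verbose scope detail.
SAMPLE = """\
Port configuration for Domain profile:
Port   Protocol  Mode     Traffic direction   Name
-------------------------------------------------------------------
445    TCP       Enable   Inbound             SMB over TCP
Scope: *

Port configuration for Standard profile:
Port   Protocol  Mode     Traffic direction   Name
-------------------------------------------------------------------
8443   TCP       Enable   Inbound             app-name
Scope: 192.0.2.10/255.255.255.255,192.0.2.11/255.255.255.255
3389   TCP       Enable   Inbound             Remote Desktop
Scope: *
5900   TCP       Disable  Inbound             VNC
Scope: *
"""

PROFILE_RE = re.compile(r"^Port configuration for (\w+) profile:")
ROW_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(Inbound|Outbound)\s+(.+?)\s*$")
SCOPE_RE = re.compile(r"^Scope:\s*(.+?)\s*$")

def parse_portopening(text):
    """Turn the show-portopening table into a list of exception records."""
    rules, profile = [], None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and profile:
            port, proto, mode, direction, name = m.groups()
            # Scope defaults to "*" (any address) unless a Scope line follows the row
            rules.append({"profile": profile, "port": int(port), "protocol": proto,
                          "enabled": mode == "Enable", "direction": direction,
                          "name": name, "scope": "*"})
            continue
        m = SCOPE_RE.match(line)
        if m and rules:
            rules[-1]["scope"] = m.group(1)
    return rules

def unrestricted_exceptions(rules):
    """Enabled inbound exceptions reachable from any address: the ones to question in an audit."""
    return [(r["profile"], r["port"], r["name"]) for r in rules
            if r["enabled"] and r["direction"] == "Inbound" and r["scope"] == "*"]
```

Feed it the saved output of the verbose show command from each audited machine and the custom-scoped app-name rule passes while the any-address exceptions are listed for review.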

From this post: Netsh Commands for Windows Firewall – Microsoft TechNet

show commands

The following show commands are used to display the current configuration:

The show command cannot be used to see the list of exceptions for the public profile, even if the public profile is the current profile. To see the list of exceptions for the public profile, use the Windows Firewall with Advanced Security MMC snap-in, and use the Filter by Profile option in the Actions pane.

  • show allowedprogram [ [ verbose = ] { enable | disable } ]
    Displays the current list of program exceptions for the domain and standard profiles. Use the parameter verbose=enable to see additional details.
  • show config [ [ verbose = ] { enable | disable } ]
    Displays the local configuration information for the domain and standard profiles, including the output of all other show commands. Use parameter verbose=enable to see additional details.
  • show currentprofile
    Displays the current profile in use for the network location type.
    If the current profile is the public profile, then this command shows the standard profile.
  • show icmpsetting [ [ verbose = ] { enable | disable } ]
    Displays the ICMP settings. Use parameter verbose=enable to see additional details.
  • show logging
    Displays the current logging settings.
    If the current profile is the public profile, then this command shows the standard profile.
  • show multicastbroadcastresponse
    Displays multicast/broadcast response settings for each profile.
  • show notifications
    Displays whether the firewall displays pop-up notifications for each profile.
  • show opmode
    Displays the operational mode for the firewall for each profile.
  • show portopening
    Displays the current list of port exceptions for each profile. Use parameter verbose=enable to see additional details.
  • show service
    Displays the service configuration for each profile. Use parameter verbose=enable to see additional details.
  • show state
    Displays the current state information for the firewall. Use parameter verbose=enable to see additional details.

For more info see these additional sources:

Cheers!

--Claus V.
