Advanced Firewall Exceptions in batch (any direction) - windows

I am using this code to add the software "example.exe" to the exception list:
netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name=example_in program = "C:\\Program Files\\example.exe" > NUL
netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=out name=example_out program = "C:\\Program Files\\example.exe" > NUL
How can I do the "in|out" part in only one line?
I mean something like:
netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=any name=example_in program = "C:\\Program Files\\example.exe" > NUL

You could do this with a quick batch file like:
for %%x in (in out) do (
netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=%%x name=example_%%x program = "C:\\Program Files\\example.exe" > NUL
)
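A more general version of the same loop, added here as an example and not part of the original answer: the program path and a rule-name prefix come from the command line, and after each add the script checks with show rule that the rule really exists, because netsh needs an elevated prompt and the > NUL redirection in the question hides its error text. The file name allow_program.bat is assumed.

```batch
@echo off
rem Added example, not the original answer's code. Usage (elevated prompt):
rem   allow_program.bat "C:\Program Files\example.exe" example
rem %~1 / %~2 strip any quotes the caller added so the values can be re-quoted here.
if "%~2"=="" (
    echo Usage: %~nx0 ^<program path^> ^<rule name prefix^>
    exit /b 2
)
set "PROG=%~1"
set "PREFIX=%~2"
if not exist "%PROG%" (
    echo Program not found: %PROG%
    exit /b 2
)

rem One rule per direction; the direction is part of the rule name so each
rem rule can be found (and removed) individually later.
for %%x in (in out) do (
    netsh advfirewall firewall add rule name="%PREFIX%_%%x" dir=%%x action=allow program="%PROG%" profile=any enable=yes >nul
    rem "show rule" sets errorlevel 1 when no rule of that name exists, which
    rem turns the hidden netsh failure into an explicit check.
    netsh advfirewall firewall show rule name="%PREFIX%_%%x" >nul
    if errorlevel 1 (
        echo Rule %PREFIX%_%%x was not created - are you running elevated?
        exit /b 1
    )
    echo Rule %PREFIX%_%%x ok
)
```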

Related

How to store a command's multi-line output to a batch variable?

I am not a pro in batch scripts, but I can adapt.
I am trying to make a batch file that will check the firewall state and toggle it (ON/OFF).
Note: [the output of the command contains ON or OFF alongside other strings].
set "result=" netsh advfirewall show allprofiles state
IF not x%result:ON=%==x%result% (
::Disable Firewall
NetSh Advfirewall set allprofiles state off
) ELSE (
::Enable Firewall
NetSh Advfirewall set allprofiles state on
)
The problem, as you can see, is that the result variable only contains the last line of the command output. So how do I store the multi-line output of the command in a variable without storing the command's output in a file, which seems redundant?
You should be able to do it with a single command line without the need for variables or the use of a for-loop:
@NetSh AdvFirewall Show CurrentProfile State|Find "ON">NUL&&(NetSh AdvFirewall Set CurrentProfile State OFF)||NetSh AdvFirewall Set CurrentProfile State ON
For an extended batch-file version, which also ensures that inbound and outbound rules are set (please note that these are examples only, not recommendations, and have been provided to better show the layout of the original suggestion when split over multiple lines):
@Echo Off
NetSh AdvFirewall Show CurrentProfile State | Find "ON" >NUL && (
NetSh Advfirewall Set CurrentProfile FirewallPolicy BlockInboundAlways,AllowOutbound
NetSh AdvFirewall Set CurrentProfile State OFF
) || (
NetSh AdvFirewall Set CurrentProfile State ON
NetSh Advfirewall Set CurrentProfile FirewallPolicy AllowInbound,AllowOutbound
)
Please note that these are language dependent, so may need adjustment if your system language is not English.
If you are not a member of the Administrators group, and UAC is enabled on your PC, run the script as administrator.
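The question as literally asked, capturing the whole multi-line output rather than only its last line, can be done with for /f and delayed expansion. The following is an added example, not the answer's code; like the answer it assumes English netsh output ("Profile Settings", "State", "ON"). Instead of toggling, it reports each profile and turns the firewall on for all profiles if any of them is OFF.

```batch
@echo off
setlocal EnableDelayedExpansion

rem Collect every output line in one variable, separated by "|", instead of
rem keeping only the last line.
set "result="
for /f "delims=" %%L in ('netsh advfirewall show allprofiles state') do (
    set "result=!result!|%%L"
)
echo Captured: !result!

rem Walk the same output per profile. Header lines look like "Domain Profile Settings:",
rem state lines like "State   ON"; the pipe must be escaped inside a for /f command.
set "profile="
set /a off=0
for /f "tokens=1,2" %%A in ('netsh advfirewall show allprofiles state ^| findstr /c:"Profile" /c:"State"') do (
    if "%%B"=="Profile" (
        set "profile=%%A"
    ) else (
        echo !profile! profile state: %%B
        if /i not "%%B"=="ON" set /a off+=1
    )
)

if %off% gtr 0 (
    echo Found %off% profile state not ON - enabling the firewall for all profiles
    netsh advfirewall set allprofiles state on
)
endlocal
```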

Netsh set rule depends on OS language

I was creating a batch script to run several commands to enable winrm, change the network category and such, and I came across a problem with the netsh command, specifically netsh advfirewall firewall set rule group="Network Discovery" new enable=yes
After digging around and messing with UAC and registry I understood my problem: Windows language.
So the command is setting the rule for Network Discovery; however, in my language (Portuguese btw) the group is called Deteção de Rede, which makes the script unable to run across several Windows machines with different languages and forces the user to enable network sharing manually.
My question is: Is there a global way of calling the Network Discovery group? Or of creating a new group linking to it?
This is my script btw:
@ECHO ON
REM Run as admin
powershell.exe /c Get-NetConnectionProfile;
powershell.exe /c Set-NetConnectionProfile -NetworkCategory Private;
powershell.exe /c netsh advfirewall firewall set rule group="Deteção de Rede" new enable=yes
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set winrm/config/service @{AllowUnencrypted="true"}
cmd.exe /c winrm set winrm/config/service/auth @{Basic="true"}
@ECHO Done.
Thanks to @lit I found a way to set the rules for the group.
I used the command powershell.exe /c netsh advfirewall firewall set rule group="@FirewallAPI.dll,-32752" new enable=Yes to enable Network Sharing and powershell.exe /c netsh advfirewall firewall set rule group="@FirewallAPI.dll,-28502" new enable=Yes to enable file and print sharing
(if you want to use this to target a Windows machine you may want to activate them both), and now I'm able to run my ansible playbook against Windows.
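An added example (not the poster's script) that uses the language-independent resource id from the answer: it enables only the rules of the group that apply to the Private profile, which is the category the script sets, and then verifies the result through PowerShell, where the Group property holds the resource id while DisplayGroup holds the localized name. The verification step assumes the NetSecurity module (Windows 8 / Server 2012 and later).

```batch
@echo off
rem Added example, not the poster's script. Enables a built-in rule group by its
rem language-independent resource id and verifies it. Ids from the answer above:
rem   @FirewallAPI.dll,-32752  Network Discovery
rem   @FirewallAPI.dll,-28502  File and Printer Sharing
set "GROUP=@FirewallAPI.dll,-32752"

rem "profile=private" before "new" is a selector: only the group's rules that
rem apply to the Private profile are enabled; its Public-profile rules stay as they are.
netsh advfirewall firewall set rule group="%GROUP%" profile=private new enable=yes
if errorlevel 1 (
    echo Could not update group %GROUP% - run this from an elevated prompt
    exit /b 1
)

rem Verify with PowerShell. Group is the raw resource string, so this check works
rem regardless of the display language ("Network Discovery", "Deteção de Rede", ...).
for /f "usebackq" %%N in (`powershell.exe -NoProfile -Command "(Get-NetFirewallRule -Group '%GROUP%' -Enabled True).Count"`) do set "COUNT=%%N"
echo %COUNT% enabled rule(s) in group %GROUP%
```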

Custom Batch File from Scratch

I am tasked with creating a batch file that will do the following:
1) Start Windows Firewall Service
2) Add Entries into Windows Firewall to block network access to some Network Locations
3) Delete the mapped Network Drive
I have got the following command line scripts which do these tasks individually. However, I am not sure how I can put all of them into a single batch file which will do the steps one after the other.
net stop <Service-Name>
netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=<IP_Address>/32
net use x: /delete
Can someone please guide me on how to put these commands into a batch file that will simply execute when I run it?
Thanks.
Just place the commands into a text file with the file extension .bat.
Each command gets its own line.
Below is an example of your file with command line arguments. %1, %2, %n each indicate the position of the command line argument.
E.G. %1 is the first argument, %2 is the second and so on.
net stop %1
netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=%2/32
net use x: /delete
You can execute the batch file with the command line arguments:
ScriptName.bat ServiceName 123.123.123.123
And it will execute as follows:
net stop ServiceName
netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=123.123.123.123/32
net use x: /delete
Hard coded example:
ScriptName.bat:
net stop wuauserv
netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=192.168.0.1/32
net use x: /delete
To execute it, just call the file name:
ScriptName.bat
Cheers!
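The same three steps with the checks a practitioner would add, as an added example that is not the answer's script: argument and elevation checks up front, and a stop at the first failing step so the drive is not dropped and the firewall is not changed when the service could not be stopped. The file name lockdown.bat is assumed.

```batch
@echo off
rem Added example, not the answer's script.
rem Usage (elevated prompt): lockdown.bat <service name> <IPv4 address>
if "%~2"=="" (
    echo Usage: %~nx0 ^<service name^> ^<IPv4 address^>
    exit /b 2
)
rem "net session" fails with "Access is denied" unless the console is elevated.
net session >nul 2>&1 || (
    echo This script must run from an elevated prompt.
    exit /b 1
)

net stop %1
if errorlevel 1 (
    echo Could not stop service %1 - aborting before any firewall change.
    exit /b 1
)

rem The answer's dir=in rule matches unsolicited traffic coming from the address;
rem a dir=out rule is what stops connections this machine opens to it. Add both.
for %%d in (in out) do (
    netsh advfirewall firewall add rule name="IP Block %%d %~2" dir=%%d interface=any action=block remoteip=%~2/32
    if errorlevel 1 (
        echo Failed to add the %%d rule for %~2
        exit /b 1
    )
)

rem /y answers the "open files" prompt so the script cannot hang here.
net use x: /delete /y
```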

How to open ports on Windows firewall through batch file

Is there any way within a batch file to open up specific ports on Windows through a batch file? It would be nice to have the installer do this for our server application rather than having the user manually do it.
Use netsh.exe. A very simple batch file that takes a port argument:
@echo off
rem -- open port (first argument passed to batch script)
netsh advfirewall firewall add rule name="Open Port %1" dir=in action=allow protocol=TCP localport=%1 remoteip=10.15.97.0/24,10.17.0.0/16
This is an extension of the solution provided by @Kevin Richardson.
Note that the "netsh advfirewall add rule" command will create a new rule with the same name every time you run the same command. The script below helps to prevent it.
ECHO OFF
set PORT=8081
set RULE_NAME="Open Port %PORT%"
netsh advfirewall firewall show rule name=%RULE_NAME% >nul
if not ERRORLEVEL 1 (
rem Rule %RULE_NAME% already exists.
echo Hey, you already got a out rule by that name, you cannot put another one in!
) else (
echo Rule %RULE_NAME% does not exist. Creating...
netsh advfirewall firewall add rule name=%RULE_NAME% dir=in action=allow protocol=TCP localport=%PORT%
)
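The follow-up script avoids duplicate rules, but it also dropped the remoteip restriction of the first script, so the port ends up reachable from any address. The following added example (not from either answer) keeps both properties: it validates the port argument, deletes any existing rule of that name and recreates it with the original subnet scope, which also means a re-run applies a changed scope instead of leaving the old rule in place. The file name open_port.bat is assumed.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not from the answers above.
rem Usage (elevated prompt): open_port.bat <tcp port>
if "%~1"=="" (
    echo Usage: %~nx0 ^<tcp port^>
    exit /b 2
)
set "PORT=%~1"
rem Networks allowed to reach the port (taken from the first answer). Keep this
rem restriction; without remoteip the rule exposes the port to every address.
set "ALLOWED=10.15.97.0/24,10.17.0.0/16"

rem Accept only a plain number in the valid port range. Delayed expansion keeps
rem characters such as & or | in the argument from being executed by the shell.
echo(!PORT!| findstr /r /x "[0-9][0-9]*" >nul || (
    echo Port must be numeric: !PORT!
    exit /b 2
)
if !PORT! lss 1 exit /b 2
if !PORT! gtr 65535 exit /b 2
set "RULE_NAME=Open Port !PORT!"

rem "delete rule" removes every rule with this name, so a re-run replaces rather
rem than duplicates; its errorlevel is 1 when no rule existed, which is fine here.
netsh advfirewall firewall delete rule name="!RULE_NAME!" >nul
netsh advfirewall firewall add rule name="!RULE_NAME!" dir=in action=allow protocol=TCP localport=!PORT! remoteip=!ALLOWED! profile=domain,private
if errorlevel 1 (
    echo Failed to create rule "!RULE_NAME!"
    exit /b 1
)
rem Show the single resulting rule so the scope and profiles can be confirmed.
netsh advfirewall firewall show rule name="!RULE_NAME!"
endlocal
```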

Firewall not turning on after executing the program

Dim command
Dim status
command = "psexec \\172.16.11.63 netsh advfirewall firewall set opmode "
status = "enable"
Set oShell = CreateObject("WScript.shell")
oShell.CurrentDirectory = "C:\PSexec\"
oShell.Run "command.com /k " & command & status
Set oShell = Nothing
Hi, I have a sample script here that is supposed to enable my firewall if it is disabled, but it doesn't work. However, if I change my status to disable and my firewall was turned on, then after executing the program the enabled firewall will be disabled. Any ideas? Thanks.
You seem to be mixing commands for different versions of Windows. According to this article you should use
netsh firewall set opmode ENABLE
in older versions, but in 2008 and Vista (and I assume Win7 too) you should be using
netsh advfirewall set currentprofile state on
So either remove the advfirewall from your command if it's XP or 2003, or change it completely to the new command if it's a newer Windows version.
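When one script has to work on machines of both generations, it can pick the command family from the OS version instead of guessing. The following batch file is an added example, not the answer's code; it is what the psexec call in the question would execute on the remote host, and it takes on or off as its argument. Both command lines are the ones quoted in the answer.

```batch
@echo off
rem Added example, not the answer's code. Sets the firewall state with the
rem command family that matches the running Windows version.
set "STATE=%~1"
if /i not "%STATE%"=="on" if /i not "%STATE%"=="off" (
    echo Usage: %~nx0 on^|off
    exit /b 2
)
rem The legacy context spells the states enable/disable instead of on/off.
set "MODE=disable"
if /i "%STATE%"=="on" set "MODE=enable"

rem "ver" prints e.g. "Microsoft Windows XP [Version 5.1.2600]" or
rem "Microsoft Windows [Version 6.1.7601]"; take the text inside [] and then
rem the number after the first space, which is the major version.
for /f "tokens=2 delims=[]" %%v in ('ver') do set "VERSTR=%%v"
for /f "tokens=2 delims=. " %%v in ("%VERSTR%") do set "MAJOR=%%v"

if %MAJOR% lss 6 (
    rem XP / Server 2003: legacy "netsh firewall" context, no advfirewall.
    netsh firewall set opmode %MODE%
) else (
    rem Vista / Server 2008 and later: "netsh advfirewall" has no "opmode".
    netsh advfirewall set currentprofile state %STATE%
)
if errorlevel 1 (
    echo Could not set the firewall state to %STATE% - needs an elevated prompt
    exit /b 1
)
rem Confirm what the firewall now reports.
if %MAJOR% lss 6 (netsh firewall show state) else (netsh advfirewall show currentprofile state)
```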
