Create Firewall Rule


This topic contains 3 replies, has 3 voices, and was last updated by Michael Craig 3 years, 9 months ago.

  • #9901
    Michael Craig (Participant)

    Hello,

    I'm attempting to use PowerShell v3 (on Windows 2008R2) to create a new firewall rule.
    I've found that the helpful new cmdlets only work on Win2k12 or Win8. So I'm trying to find a way using PowerShell v2.

    Does anyone have a quick script they can share? Otherwise here is what I'm working with so far, with little success.

    # The FirewallRules key holds one '|'-delimited string per rule; the value name is the rule's internal name.
    # The path must be a provider path on the HKLM: drive ('HKEY_LOCAL_MACHINE\...' is not one), so no PUSHD/POPD needed.
    $FWPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    New-ItemProperty -Path $FWPath -Name 'TEST_Allow_Secure_HTTPS_Ports' -PropertyType String -Value 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=1443,2443,3443,4443,5443,6443,7443,8443,9443|App=System|Name=@%windir%\system32\inetsrv\iisres.dll,-30502|Desc=@%windir%\system32\inetsrv\iisres.dll,-30512|EmbedCtxt=@%windir%\system32\inetsrv\iisres.dll,-30503|'
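To make sense of the rule string being written above, here is an added example (not code from the thread) that decodes the '|'-delimited format stored under the FirewallRules key into objects, so that rules written there by hand or by Group Policy can be listed and audited. It is written for PowerShell v2 (no [pscustomobject], no ordered hashtables); the sample string is constructed from the first post, and the audit filter at the end is one I chose, not anything the thread prescribes.

```powershell
# Added example, not code from the thread: decode the '|'-delimited rule strings that
# live under HKLM:\...\FirewallPolicy\FirewallRules into objects for auditing.
# Written for PowerShell v2: no [pscustomobject], no ordered hashtables.
function ConvertFrom-FirewallRuleString {
    param(
        [Parameter(Mandatory=$true)][string]$Name,        # registry value name
        [Parameter(Mandatory=$true)][string]$RuleString   # e.g. 'v2.10|Action=Allow|...|'
    )
    # The trailing '|' leaves an empty field; drop it. The first field is the format version.
    $fields = @($RuleString.Split('|') | Where-Object { $_ -ne '' })
    $props  = @{ RuleName = $Name; Version = $fields[0] }
    for ($i = 1; $i -lt $fields.Count; $i++) {
        $key, $value = $fields[$i].Split('=', 2)
        switch ($key) {
            'LPort'  { $props['LPort']  = @($value.Split(',')) }   # ports or ranges, kept as strings
            'RPort'  { $props['RPort']  = @($value.Split(',')) }
            'Active' { $props['Active'] = ($value -eq 'TRUE') }
            default  { $props[$key]     = $value }
        }
    }
    New-Object PSObject -Property $props
}

function Get-RegistryFirewallRule {
    # Local (non-GPO) rules only; each registry value is one rule.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    $item = Get-ItemProperty -Path $path
    foreach ($p in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive and PSProvider; skip those
        if ($p.Name -like 'PS*') { continue }
        ConvertFrom-FirewallRuleString -Name $p.Name -RuleString ([string]$p.Value)
    }
}

# Constructed sample: the string from the first post, trimmed to three ports
$sample = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=1443,2443,3443|App=System|Name=@%windir%\system32\inetsrv\iisres.dll,-30502|'
ConvertFrom-FirewallRuleString -Name 'TEST_Allow_Secure_HTTPS_Ports' -RuleString $sample | Format-List

# Audit the live box: which enabled inbound allow rules exist, and what they open
Get-RegistryFirewallRule |
    Where-Object { $_.Active -and $_.Dir -eq 'In' -and $_.Action -eq 'Allow' } |
    Select-Object RuleName, Protocol, @{n='LPort'; e={ $_.LPort -join ',' }}, App
```

Protocol 6 is TCP and 17 is UDP; a rule whose App is absent or System with a wide LPort list is the kind of entry worth a second look during a review, which is the point of reading these back rather than only writing them.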

  • #9902
    Don Jones (Keymaster)

    Yeah, so, you've figured this out, but for the benefit of anyone running across this...

    The version of PowerShell you use doesn't necessarily confer specific capabilities. Capability is part of the OS version. So on Win2012/Win8, you get more commands – therefore, more capability – than you do on older versions of Windows, regardless of which PowerShell version you're using. So whether you're using PowerShell v3 or v2 doesn't matter. Neither of them comes with firewall commands. Win2012 comes with firewall commands.

    Have you considered looking at the "netsh advfirewall" command? http://technet.microsoft.com/en-us/library/cc771920(v=WS.10).aspx – intended to offer command-line management of the firewall, and completely usable from Cmd.exe or from PowerShell. I don't think it's strictly recommended that you hack the registry directly – my impression has always been that's there mainly for use by GPO-based firewall management.
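Putting the netsh advfirewall suggestion into practice, here is an added example (not code from the thread) of a small wrapper for 2008 R2 / PowerShell v2. Beyond a bare "add rule", it scopes the rule to a remote address range and a profile set, checks netsh's exit code, and reads the rule back instead of trusting the "Ok." netsh prints. The rule name, the ports and the 10.0.0.0/8 range are illustrative, and the match on "Rule Name:" assumes an English-locale netsh.

```powershell
# Added example, not code from the thread: a netsh advfirewall wrapper that scopes the
# rule (remoteip, profile), checks the exit code and re-reads the rule afterwards.
# Rule name, ports and the 10.0.0.0/8 range are illustrative.
function Test-NetshFirewallRule {
    param([Parameter(Mandatory=$true)][string]$Name)
    $out = @(netsh advfirewall firewall show rule "name=$Name" 2>&1)
    # "show rule" prints one "Rule Name:" line per match and
    # "No rules match the specified criteria." otherwise (English locale assumed).
    return (@($out | Where-Object { $_ -match '^Rule Name:' }).Count -gt 0)
}

function Add-InboundTcpRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int[]]$Port,
        [string]$RemoteIp = 'any',                 # tighten to a range or host list whenever you can
        [string]$Profiles = 'domain,private',      # add 'public' only for genuinely internet-facing hosts
        [string]$Description = 'Added by Add-InboundTcpRule'
    )
    if (Test-NetshFirewallRule -Name $Name) {
        Write-Verbose "Rule '$Name' already exists; not touching it"
        return $true
    }
    # Quote each key=value token so the commas survive PowerShell's argument splitting
    $portList = ($Port | ForEach-Object { [string]$_ }) -join ','
    $out = @(netsh advfirewall firewall add rule "name=$Name" dir=in action=allow enable=yes protocol=TCP "localport=$portList" "remoteip=$RemoteIp" "profile=$Profiles" "description=$Description" 2>&1)
    if ($LASTEXITCODE -ne 0) {
        Write-Error ("netsh could not add '{0}': {1}" -f $Name, ($out -join ' '))
        return $false
    }
    # Trust the firewall, not netsh's 'Ok.': read the rule back
    return (Test-NetshFirewallRule -Name $Name)
}

# Usage: alternate HTTPS ports, reachable only from the internal range, domain/private profiles
$ok = Add-InboundTcpRule -Name 'VCI: Allow HTTPS alt ports' -Port 1443,2443,3443 -RemoteIp '10.0.0.0/8' -Verbose
netsh advfirewall firewall show rule "name=VCI: Allow HTTPS alt ports" verbose
# Rollback: netsh advfirewall firewall delete rule "name=VCI: Allow HTTPS alt ports"
```

The existence check is by name only, so a second rule with the same name but a different scope would be missed; if that matters, compare the "show rule ... verbose" output for the ports and remote IP as well.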

  • #9903
    Richard Siddaway (Moderator)

    You can also use the HNetCfg.FwMgr COM object
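The COM route Richard points to, as an added example that is not code from the thread: it uses the HNetCfg.FwPolicy2 and HNetCfg.FWRule objects, the Windows Firewall with Advanced Security interface present from Vista/2008 on, which exposes per-rule ports, direction, profiles and remote addresses and hands back real objects rather than netsh text. The constants are the NET_FW_* enumeration values; the rule name, ports, group name and the 10.0.0.0/255.0.0.0 range are illustrative.

```powershell
# Added example, not code from the thread: an inbound TCP rule via the Windows Firewall
# with Advanced Security COM API (INetFwPolicy2 / INetFwRule). Works on 2008 R2 / PS v2.
$NET_FW_IP_PROTOCOL_TCP  = 6
$NET_FW_RULE_DIR_IN      = 1
$NET_FW_ACTION_ALLOW     = 1
$NET_FW_PROFILE2_DOMAIN  = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4

function Add-ComInboundTcpRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int[]]$Port,
        [string]$RemoteAddresses = '*',              # '*' = any; prefer '10.0.0.0/255.0.0.0' or '10.1.2.3,10.1.2.4'
        [int]$Profiles = ($NET_FW_PROFILE2_DOMAIN -bor $NET_FW_PROFILE2_PRIVATE),
        [string]$Description = 'Added by Add-ComInboundTcpRule'
    )
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    # Idempotent: Rules.Item() throws on an unknown name, so enumerate instead
    $existing = @($policy.Rules | Where-Object { $_.Name -eq $Name })
    if ($existing.Count -gt 0) {
        Write-Verbose "Rule '$Name' already exists"
        return $existing[0]
    }
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.Description     = $Description
    $rule.Protocol        = $NET_FW_IP_PROTOCOL_TCP      # must be set before LocalPorts
    $rule.LocalPorts      = ($Port | ForEach-Object { [string]$_ }) -join ','
    $rule.RemoteAddresses = $RemoteAddresses
    $rule.Direction       = $NET_FW_RULE_DIR_IN
    $rule.Action          = $NET_FW_ACTION_ALLOW
    $rule.Profiles        = $Profiles
    $rule.Enabled         = $true
    $rule.Grouping        = 'VCI custom rules'          # illustrative group name
    $policy.Rules.Add($rule)                            # takes effect immediately
    return $rule
}

# Usage
$r = Add-ComInboundTcpRule -Name 'VCI: Allow HTTPS alt ports' -Port 1443,2443,3443 -RemoteAddresses '10.0.0.0/255.0.0.0' -Verbose
$policy = New-Object -ComObject HNetCfg.FwPolicy2
$policy.Rules | Where-Object { $_.Name -like 'VCI:*' } |
    Select-Object Name, Enabled, Profiles, Protocol, LocalPorts, RemoteAddresses
# Rollback: $policy.Rules.Remove('VCI: Allow HTTPS alt ports')
```

Profiles is a bitmask, so a rule created with the default above is absent from the public profile; querying $policy.Rules also lists rules delivered by Group Policy, which netsh and the registry key above do not show in one place.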

  • #9904
    Michael Craig (Participant)

    Thanks Richard, I had tried going down that path but it seemed far more difficult than necessary.
    Thanks, Don, I went with the NetSH approach as suggested. I initially looked at this, but was hoping to find a more PowerShell-ish way of doing this.
    Just in case someone else needs an example in the future, here is what I ended up doing:


    #Set Firewall to allow secure ports 1443,2443,3443,4443
    1443, 2443, 3443 | %{
    write-verbose "Firewall: Checking if secure port is allowed: $_"
    $ruleExist=(netsh advfirewall firewall show rule name="VCI: Allow HTTPS $_")
    if ($ruleExist -cmatch "HTTPS $_"){
    write-verbose "Port $_ rule already exists"
    }else{
    write-verbose "Port $_ missing, creating firewall rule"
    netsh advfirewall firewall add rule name="VCI: Allow HTTPS $_" dir=in action=allow enable=yes Localip=Any LocalPort=$_ protocol=TCP
    }

    }
