Windows Firewall Advanced Security


This topic contains 2 replies, has 3 voices, and was last updated 1 month, 2 weeks ago.

  • #119281

    Participant
    Points: 14
    Rank: Member

    I have more than 1k servers to block RPC and SMB ports for all inbound connections but allow them for specific IP addresses. Below are my basic commands to implement 4 different rules: two to block and 2 to allow. It doesn't work. It still allows non-specified IP addresses. Any help I can get to resolve this will be highly welcome.


    New-NetFirewallRule `
    -DisplayName "BLOCK ln(RPC/SMB TCP Port 137,139,445) inbound" `
    -Name "RPC/SMB (TCP Port 137,139,445) inbound" `
    -Description 'This rule blocks all (RPC/SMB TCP port 135,137,139) from inbound access' `
    -Direction Inbound `
    -Enabled False `
    -Action Block `
    -Profile Any `
    -Protocol TCP `
    -LocalPort 137,139,445 `
    -RemotePort 137,139,445

    New-NetFirewallRule `
    -DisplayName "RPC/SMB (UDP Port 135,137,139) inbound" `
    -Name "RPC/SMB (UDP Port 135,137,139) inbound" `
    -Description 'This rule blocks all (RPC/SMB UDP port 135,137,139) from inbound access' `
    -Direction Inbound `
    -Enabled False `
    -Action Block `
    -Profile Any `
    -Protocol UDP `
    -LocalPort 135,137,139

    New-NetFirewallRule `
    -DisplayName "ALLOW (RPC/SMB TCP Port 137,139,445) inbound" `
    -Name "ALLOW (RPC/SMB TCP Port 135,139) inbound ALLOWED" `
    -Description 'This rule allow Inbound traffic to specific IP Adresses' `
    -Direction Inbound `
    -Enabled False `
    -Action Allow `
    -Profile Any `
    -Protocol TCP `
    -LocalPort 137,139,445 `
    -RemotePort 137,139,445 `
    -RemoteAddress '192.168.0.110'

    New-NetFirewallRule `
    -DisplayName ".TAP-10_ALLOW (RPC/SMB UDP Port 135,137,139) inbound" `
    -Name ".TAP-10_ALLOW (RPC/SMB UDP Port 135,137,139) inbound ALLOWED" `
    -Description 'This rule allow Inbound traffic to specific IP Adresses' `
    -Direction Inbound `
    -Enabled False `
    -Action Allow `
    -Profile Any `
    -Protocol UDP `
    -LocalPort 135,137,139 `
    -RemotePort 135,137,139 `
    -RemoteAddress '192.168.0.110'

  • #120111

    Moderator
    Points: 174
    Team Member, Helping Hand
    Rank: Participant

    Looks like you have the firewall rules set to Enable = False.
    Also, consider splatting (like below):

    $params = @{
        DisplayName = 'BLOCK ln(RPC/SMB TCP Port 137,139,445) inbound'
        Name        = 'RPC/SMB (TCP Port 137,139,445) inbound'
        Description = 'This rule blocks all (RPC/SMB TCP port 135,137,139) from inbound access'
        Direction   = 'Inbound'
        Enabled     = 'True'
        Action      = 'Block'
        Profile     = 'Any'
        Protocol    = 'TCP'
        LocalPort   = @(137,139,445)
        RemotePort  = @(137,139,445)
    }

    New-NetFirewallRule @params


    Hope this helps!

  • #120135

    Participant
    Points: 870
    Helping Hand
    Rank: Major Contributor

    @ustyne – I think you had some dilemma between Enabled and Action.

    Action – is the actual duty of the rule.
    Enabled – set to true, will make the rule live to do the specified Action.
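    A corrected version of the rule set, added here as an example; it is not code from the thread or from either answerer. Besides the Enabled/Action point the replies make, it relies on the profile default instead of a separate Block rule (in Windows Firewall an explicit Block rule takes precedence over an Allow rule for the same traffic) and drops -RemotePort, because clients connect from ephemeral source ports. The allow-list and rule names are placeholders, the session is assumed to be elevated, and the port lists are the question's own.

```powershell
# Added example, not code from the thread: allow RPC/SMB inbound only from an
# allow-list of management hosts and verify the result. Assumptions: the
# address list and rule names are placeholders; run in an elevated session
# on the target server; port lists are taken from the question as posted.
$allowedHosts = @('192.168.0.110')   # constructed allow-list, replace with your own

# 1. Rely on the profile default to drop unsolicited inbound traffic instead of a
#    separate Block rule: an explicit Block rule takes precedence over an Allow
#    rule for the same traffic, so "block all + allow some" on the same ports
#    blocks the allow-listed hosts as well.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable Block rules left over from earlier attempts that would shadow the
#    allow rules (review the matches before running this against 1k servers).
Get-NetFirewallRule -DisplayName '*RPC/SMB*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Action -eq 'Block' } |
    Disable-NetFirewallRule

# 3. Allow rules scoped by -RemoteAddress. No -RemotePort: clients connect from
#    ephemeral source ports, so an inbound rule matching remote port 445 or 139
#    would never match real SMB/RPC traffic.
$common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    Enabled       = 'True'           # 'False' creates the rule but leaves it inert
    Profile       = 'Any'
    RemoteAddress = $allowedHosts
}
New-NetFirewallRule @common -Name 'ALLOW-RPC-SMB-TCP' `
    -DisplayName 'ALLOW RPC/SMB TCP 137,139,445 inbound from allow-list' `
    -Protocol TCP -LocalPort 137,139,445
New-NetFirewallRule @common -Name 'ALLOW-RPC-SMB-UDP' `
    -DisplayName 'ALLOW RPC/SMB UDP 135,137,139 inbound from allow-list' `
    -Protocol UDP -LocalPort 135,137,139

# 4. Verify what the firewall actually holds: state, action, ports, addresses.
Get-NetFirewallRule -Name 'ALLOW-RPC-SMB-*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $_.Name
        Enabled       = $_.Enabled
        Action        = $_.Action
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

    The final table is the check worth keeping in a rollout script: a rule that shows Enabled False or an empty RemoteAddress column is the kind of silent misconfiguration the question describes.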
