Difference between revisions of "Configuring Windows XP firewall"

From WPKG | Open Source Software Deployment and Distribution
m (added 'fileandprint')
(Added information on and examples of check conditions for rules pertaining to particular ports, and adjusted a preposition)
 
[[Category: Silent Installers]]
 
 
[[Category: Changing Windows settings]]
 

Latest revision as of 23:04, 24 November 2010

Using netsh for configuring the firewall

To disable Windows XP firewall, you have to execute the following:

netsh firewall set opmode disable


To add ports to the exception list:

netsh firewall add portopening [protocol] [port number] [rule name]

[protocol] can be TCP or UDP (remove the brackets when you insert your values).


To add a program to the exception list:

netsh firewall add allowedprogram program = [path] name = [name] mode = [ENABLE|DISABLE] scope = [ALL|SUBNET|CUSTOM] addresses = [addresses] profile = [CURRENT|DOMAIN|STANDARD|ALL]

Everything besides program = [path] and name = [name] is optional. You might want to check the article in the MS Windows XP TechCenter for the default values and a detailed explanation of each parameter.

To add remote administration to the exception list:

netsh firewall set service remoteadmin enable

To allow file and printer sharing for Microsoft networks:

netsh firewall set service fileandprint enable

It is enough to execute those commands only once, as the settings will survive the reboot, so you may use execute="once". If you want to use check conditions to notice if someone has changed a rule, look in HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ for rules that involve opening particular ports.
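The following three packages are an added example of how the commands above fit into packages.xml; they are not taken from this wiki page or from the WPKG project. The package ids and names, the program path C:\Program Files\ExampleSSH\sshd.exe and the assumption that enabling file and printer sharing creates an entry named 445:TCP under the GloballyOpenPorts\List key named above are illustrative choices; read the real entries back (Registry Editor or reg query) on a test machine before copying them into a check.

```xml
<!-- Added example, not from the WPKG wiki or the WPKG project.
     Ids, names, the program path and the 445:TCP assumption are
     illustrative; verify them against a test machine first. -->

<!-- 1. A setting that survives reboots and that you do not want to
        re-check on every run: execute="once" runs the install command
        a single time and WPKG records the package as done. -->
<package
 id="fw-remoteadmin-once"
 name="Firewall: remote administration exception (run once)"
 revision="1"
 reboot="false"
 priority="2"
 execute="once">

   <install cmd='netsh firewall set service remoteadmin enable'>
     <exit code="0" />
   </install>

   <remove cmd='netsh firewall set service remoteadmin disable'>
     <exit code="0" />
   </remove>
</package>

<!-- 2. The same kind of setting, but with a registry check so WPKG
        notices when the rule has been removed again. Assumption: the
        fileandprint service writes one value per port into the
        GloballyOpenPorts\List key, including one named 445:TCP (SMB);
        condition="exists" only tests that the entry is present, not
        that it is still enabled or still limited to the subnet. -->
<package
 id="fw-fileandprint-checked"
 name="Firewall: file and printer sharing exception (checked)"
 revision="1"
 reboot="false"
 priority="2">

   <check type="registry" condition="exists"
          path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\445:TCP" />

   <install cmd='netsh firewall set service fileandprint enable'>
     <exit code="0" />
   </install>

   <remove cmd='netsh firewall set service fileandprint disable'>
     <exit code="0" />
   </remove>
</package>

<!-- 3. The program form of the exception with all parameters spelled
        out: only hosts on the local subnet may reach the listed program.
        The path is an illustrative placeholder. -->
<package
 id="fw-allow-sshd-once"
 name="Firewall: allow SSH server program on local subnet"
 revision="1"
 reboot="false"
 priority="2"
 execute="once">

   <install cmd='netsh firewall add allowedprogram program = "C:\Program Files\ExampleSSH\sshd.exe" name = "Example SSH server" mode = ENABLE scope = SUBNET profile = ALL'>
     <exit code="0" />
   </install>

   <remove cmd='netsh firewall delete allowedprogram program = "C:\Program Files\ExampleSSH\sshd.exe" profile = ALL'>
     <exit code="0" />
   </remove>
</package>
```

Because WPKG evaluates the checks before and after running the install commands, a package whose check fails again on a later run shows up as not installed in the WPKG report, which is the signal that someone changed the rule. The registry path used here is the StandardProfile one from this page; on a domain-joined machine the domain profile applies while the machine can see its domain controller and its settings live under the neighbouring DomainProfile key, so check which profile is active before choosing the path.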

Examples

To open e.g. port 22 in the Windows XP firewall, you have to execute the following:

netsh firewall add portopening TCP 22 SSH enable subnet

In packages.xml you should add a line like below:

<package
        id="open-port-22"
        name="Open port 22 on windows firewall"
        revision="1"
        reboot="false"
        notify="false"
        priority="2">      
        
        <install cmd='netsh firewall add portopening TCP 22 SSH enable subnet' />
        
</package>

This is useful if you want to run an SSH server (e.g. freeSSHd), but still want to have your firewall enabled.

To add a rule to open 143/tcp to a particular network and to notice if someone changed your settings, the following can be used:

<!-- Rule present and turned on -->
<package
 id="fw-143-example-on"
 name="Firewall: IMAP example on"
 revision="1"
 reboot="false"
 priority="0">

   <check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" />

   <install cmd='netsh firewall add portopening TCP 143 "IMAP example" ENABLE CUSTOM "192.0.2.0/255.255.255.0"'>
     <exit code="0" />
   </install>

   <remove cmd='netsh firewall remove portopening TCP 143'>
     <exit code="0" />
   </remove>
</package>

<!-- Rule present but turned off -->
<package
 id="fw-143-example-off"
 name="Firewall: IMAP example off"
 revision="1"
 reboot="false"
 priority="0">

   <check type="logical" condition="not">
    <!-- Depending on what you're trying to accomplish, you may want to check merely the existence of an entry for 143:TCP -->
    <check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" />
   </check>

   <install cmd='netsh firewall add portopening TCP 143 "IMAP example" DISABLE CUSTOM "192.0.2.0/255.255.255.0"'>
     <exit code="0" />
   </install>

   <remove cmd='netsh firewall remove portopening TCP 143'>
     <exit code="0" />
   </remove>
</package>