Difference between revisions of "Configuring Windows XP firewall"
m (added 'fileandprint') |
(Added information on and examples of check conditions for rules pertaining to particular ports, and adjusted a preposition) |
||
Line 21: | Line 21: | ||
netsh firewall set service fileandprint enable | netsh firewall set service fileandprint enable | ||
− | It is enough to execute those commands only once, as the settings will survive the reboot, so you may use ''execute="once"''. | + | It is enough to execute those commands only once, as the settings will survive the reboot, so you may use ''execute="once"''. If you want to use check conditions to notice if someone has changed a rule, look in <code>HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\</code> for rules that involve opening particular ports. |
− | == | + | ==Examples== |
To open e.g. port 22 in the Windows XP firewall, you have to execute the following: | To open e.g. port 22 in the Windows XP firewall, you have to execute the following: | ||
Line 29: | Line 29: | ||
netsh firewall add portopening TCP 22 SSH enable subnet | netsh firewall add portopening TCP 22 SSH enable subnet | ||
− | + | In packages.xml you should add a line like below: | |
<source lang="xml"> | <source lang="xml"> | ||
<package | <package | ||
Line 45: | Line 45: | ||
This is useful if you want to run a SSH server (i.e. [[freeSSHd]]), but still want to have your firewall enabled. | This is useful if you want to run a SSH server (i.e. [[freeSSHd]]), but still want to have your firewall enabled. | ||
+ | |||
+ | To add a rule to open 143/tcp to a particular network and to notice if someone changed your settings, the following can be used: | ||
+ | |||
+ | <source lang="xml"> | ||
+ | <!-- Rule present and turned on --> | ||
+ | <package | ||
+ | id="fw-143-example-on" | ||
+ | name="Firewall: IMAP example on" | ||
+ | revision="1" | ||
+ | reboot="false" | ||
+ | priority="0"> | ||
+ | |||
+ | <check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" /> | ||
+ | |||
+ | <install cmd='netsh firewall add portopening TCP 143 "IMAP example" ENABLE CUSTOM "192.0.2.0/255.255.255.0"'> | ||
+ | <exit code="0" /> | ||
+ | </install> | ||
+ | |||
+ | <remove cmd='netsh firewall remove portopening TCP 143'> | ||
+ | <exit code="0" /> | ||
+ | </remove> | ||
+ | </package> | ||
+ | |||
+ | <!-- Rule present but turned off --> | ||
+ | <package | ||
+ | id="fw-143-example-off" | ||
+ | name="Firewall: IMAP example off" | ||
+ | revision="1" | ||
+ | reboot="false" | ||
+ | priority="0"> | ||
+ | |||
+ | <check type="logical" condition="not" /> | ||
+ | <!-- Depending on what you're trying to accomplish, you may want to check merely the existence of an entry for 143:TCP --> | ||
+ | <check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" /> | ||
+ | </check> | ||
+ | |||
+ | <install cmd='netsh firewall add portopening TCP 143 "IMAP example" DISABLE CUSTOM "192.0.2.0/255.255.255.0"'> | ||
+ | <exit code="0" /> | ||
+ | </install> | ||
+ | |||
+ | <remove cmd='netsh firewall remove portopening TCP 143'> | ||
+ | <exit code="0" /> | ||
+ | </remove> | ||
+ | </package> | ||
+ | |||
+ | </source> | ||
+ | |||
[[Category: Silent Installers]] | [[Category: Silent Installers]] | ||
[[Category: Changing Windows settings]] | [[Category: Changing Windows settings]] |
Latest revision as of 23:04, 24 November 2010
Using netsh for configuring the firewall
To disable Windows XP firewall, you have to execute the following:
netsh firewall set opmode disable
To add ports to the exception list:
netsh firewall add portopening [protocol] [port number] [rule name]
[protocol] can be TCP or UDP (remove the brackets when you insert your values).
To add a program to the exception list:
add allowedprogram program = [path] name = [name] mode = [ENABLE|DISABLE] scope = [ALL|SUBNET|CUSTOM] addresses = [addresses] profile = [CURRENT|DOMAIN|STANDARD|ALL]
Everything besides [program] and [name] is optional. You might want to check the article in the MS Windows XP TechCenter for default values and a detailed explanation.
To allow remote administration to the exception list:
netsh firewall set service remoteadmin enable
To allow file and printer sharing for Microsoft networks:
netsh firewall set service fileandprint enable
It is enough to execute those commands only once, as the settings will survive the reboot, so you may use execute="once". If you want to use check conditions to notice if someone has changed a rule, look in HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\
for rules that involve opening particular ports.
Examples
To open e.g. port 22 in the Windows XP firewall, you have to execute the following:
netsh firewall add portopening TCP 22 SSH enable subnet
In packages.xml you should add a line like below:
<package
id="open-port-22"
name="Open port 22 on windows firewall"
revision="1"
reboot="false"
notify="false"
priority="2">
<install cmd='netsh firewall add portopening TCP 22 SSH enable subnet' />
</package>
This is useful if you want to run a SSH server (i.e. freeSSHd), but still want to have your firewall enabled.
To add a rule to open 143/tcp to a particular network and to notice if someone changed your settings, the following can be used:
<!-- Rule present and turned on -->
<package
id="fw-143-example-on"
name="Firewall: IMAP example on"
revision="1"
reboot="false"
priority="0">
<check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" />
<install cmd='netsh firewall add portopening TCP 143 "IMAP example" ENABLE CUSTOM "192.0.2.0/255.255.255.0"'>
<exit code="0" />
</install>
<remove cmd='netsh firewall remove portopening TCP 143'>
<exit code="0" />
</remove>
</package>
<!-- Rule present but turned off -->
<package
id="fw-143-example-off"
name="Firewall: IMAP example off"
revision="1"
reboot="false"
priority="0">
<check type="logical" condition="not" />
<!-- Depending on what you're trying to accomplish, you may want to check merely the existence of an entry for 143:TCP -->
<check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" />
</check>
<install cmd='netsh firewall add portopening TCP 143 "IMAP example" DISABLE CUSTOM "192.0.2.0/255.255.255.0"'>
<exit code="0" />
</install>
<remove cmd='netsh firewall remove portopening TCP 143'>
<exit code="0" />
</remove>
</package>