Difference between revisions of "Configuring Windows XP firewall"
From WPKG | Open Source Software Deployment and Distribution
m |
(Added information on and examples of check conditions for rules pertaining to particular ports, and adjusted a preposition) |
||
| (7 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
| + | ==Using netsh for configuring the firewall== | ||
| + | |||
To disable Windows XP firewall, you have to execute the following: | To disable Windows XP firewall, you have to execute the following: | ||
netsh firewall set opmode disable | netsh firewall set opmode disable | ||
| − | It is enough to execute | + | |
| + | To add ports to the exception list: | ||
| + | netsh firewall add portopening [protocol] [port number] [rule name] | ||
| + | [protocol] can be TCP or UDP (remove the brackets when you insert your values). | ||
| + | |||
| + | |||
| + | To add a program to the exception list: | ||
| + | add allowedprogram program = [path] name = [name] mode = [ENABLE|DISABLE] scope = [ALL|SUBNET|CUSTOM] addresses = [addresses] profile = [CURRENT|DOMAIN|STANDARD|ALL] | ||
| + | Everything besides [program] and [name] is optional. You might want to check the article in the [http://technet.microsoft.com/en-us/library/bb490617.aspx MS Windows XP TechCenter] for default values and a detailed explanation. | ||
| + | |||
| + | To allow remote administration to the exception list: | ||
| + | netsh firewall set service remoteadmin enable | ||
| + | |||
| + | To allow file and printer sharing for Microsoft networks: | ||
| + | netsh firewall set service fileandprint enable | ||
| + | |||
| + | It is enough to execute those commands only once, as the settings will survive the reboot, so you may use ''execute="once"''. If you want to use check conditions to notice if someone has changed a rule, look in <code>HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\</code> for rules that involve opening particular ports. | ||
| + | |||
| + | ==Examples== | ||
| + | |||
| + | To open e.g. port 22 in the Windows XP firewall, you have to execute the following: | ||
| + | |||
| + | netsh firewall add portopening TCP 22 SSH enable subnet | ||
| + | |||
| + | In packages.xml you should add a line like below: | ||
| + | <source lang="xml"> | ||
| + | <package | ||
| + | id="open-port-22" | ||
| + | name="Open port 22 on windows firewall" | ||
| + | revision="1" | ||
| + | reboot="false" | ||
| + | notify="false" | ||
| + | priority="2"> | ||
| + | |||
| + | <install cmd='netsh firewall add portopening TCP 22 SSH enable subnet' /> | ||
| + | |||
| + | </package> | ||
| + | </source> | ||
| + | |||
| + | This is useful if you want to run a SSH server (i.e. [[freeSSHd]]), but still want to have your firewall enabled. | ||
| + | |||
| + | To add a rule to open 143/tcp to a particular network and to notice if someone changed your settings, the following can be used: | ||
| + | |||
| + | <source lang="xml"> | ||
| + | <!-- Rule present and turned on --> | ||
| + | <package | ||
| + | id="fw-143-example-on" | ||
| + | name="Firewall: IMAP example on" | ||
| + | revision="1" | ||
| + | reboot="false" | ||
| + | priority="0"> | ||
| + | |||
| + | <check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" /> | ||
| + | |||
| + | <install cmd='netsh firewall add portopening TCP 143 "IMAP example" ENABLE CUSTOM "192.0.2.0/255.255.255.0"'> | ||
| + | <exit code="0" /> | ||
| + | </install> | ||
| + | |||
| + | <remove cmd='netsh firewall remove portopening TCP 143'> | ||
| + | <exit code="0" /> | ||
| + | </remove> | ||
| + | </package> | ||
| + | |||
| + | <!-- Rule present but turned off --> | ||
| + | <package | ||
| + | id="fw-143-example-off" | ||
| + | name="Firewall: IMAP example off" | ||
| + | revision="1" | ||
| + | reboot="false" | ||
| + | priority="0"> | ||
| + | |||
| + | <check type="logical" condition="not" /> | ||
| + | <!-- Depending on what you're trying to accomplish, you may want to check merely the existence of an entry for 143:TCP --> | ||
| + | <check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" /> | ||
| + | </check> | ||
| + | |||
| + | <install cmd='netsh firewall add portopening TCP 143 "IMAP example" DISABLE CUSTOM "192.0.2.0/255.255.255.0"'> | ||
| + | <exit code="0" /> | ||
| + | </install> | ||
| + | |||
| + | <remove cmd='netsh firewall remove portopening TCP 143'> | ||
| + | <exit code="0" /> | ||
| + | </remove> | ||
| + | </package> | ||
| + | |||
| + | </source> | ||
[[Category: Silent Installers]] | [[Category: Silent Installers]] | ||
| + | [[Category: Changing Windows settings]] | ||
Latest revision as of 23:04, 24 November 2010
Using netsh for configuring the firewall
To disable Windows XP firewall, you have to execute the following:
netsh firewall set opmode disable
To add ports to the exception list:
netsh firewall add portopening [protocol] [port number] [rule name]
[protocol] can be TCP or UDP (remove the brackets when you insert your values).
To add a program to the exception list:
add allowedprogram program = [path] name = [name] mode = [ENABLE|DISABLE] scope = [ALL|SUBNET|CUSTOM] addresses = [addresses] profile = [CURRENT|DOMAIN|STANDARD|ALL]
Everything besides [program] and [name] is optional. You might want to check the article in the MS Windows XP TechCenter for default values and a detailed explanation.
To allow remote administration to the exception list:
netsh firewall set service remoteadmin enable
To allow file and printer sharing for Microsoft networks:
netsh firewall set service fileandprint enable
It is enough to execute those commands only once, as the settings will survive the reboot, so you may use execute="once". If you want to use check conditions to notice if someone has changed a rule, look in HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ for rules that involve opening particular ports.
Examples
To open e.g. port 22 in the Windows XP firewall, you have to execute the following:
netsh firewall add portopening TCP 22 SSH enable subnet
In packages.xml you should add a line like below:
<package
id="open-port-22"
name="Open port 22 on windows firewall"
revision="1"
reboot="false"
notify="false"
priority="2">
<install cmd='netsh firewall add portopening TCP 22 SSH enable subnet' />
</package>
This is useful if you want to run a SSH server (i.e. freeSSHd), but still want to have your firewall enabled.
To add a rule to open 143/tcp to a particular network and to notice if someone changed your settings, the following can be used:
<!-- Rule present and turned on -->
<package
id="fw-143-example-on"
name="Firewall: IMAP example on"
revision="1"
reboot="false"
priority="0">
<check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" />
<install cmd='netsh firewall add portopening TCP 143 "IMAP example" ENABLE CUSTOM "192.0.2.0/255.255.255.0"'>
<exit code="0" />
</install>
<remove cmd='netsh firewall remove portopening TCP 143'>
<exit code="0" />
</remove>
</package>
<!-- Rule present but turned off -->
<package
id="fw-143-example-off"
name="Firewall: IMAP example off"
revision="1"
reboot="false"
priority="0">
<check type="logical" condition="not" />
<!-- Depending on what you're trying to accomplish, you may want to check merely the existence of an entry for 143:TCP -->
<check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" />
</check>
<install cmd='netsh firewall add portopening TCP 143 "IMAP example" DISABLE CUSTOM "192.0.2.0/255.255.255.0"'>
<exit code="0" />
</install>
<remove cmd='netsh firewall remove portopening TCP 143'>
<exit code="0" />
</remove>
</package>