Difference between revisions of "Configuring Windows XP firewall"

From WPKG | Open Source Software Deployment and Distribution
Jump to: navigation, search
m (Added optional values)
(Added information on and examples of check conditions for rules pertaining to particular ports, and adjusted a preposition)
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
==Using netsh for configuring the firewall==
 +
 
To disable Windows XP firewall, you have to execute the following:
 
To disable Windows XP firewall, you have to execute the following:
  
 
  netsh firewall set opmode disable
 
  netsh firewall set opmode disable
 
It is enough to execute it only once, as it will survive the reboot, so you may use execute="once".
 
  
  
Line 13: Line 13:
 
To add a program to the exception list:
 
To add a program to the exception list:
 
  add allowedprogram program = [path] name = [name] mode = [ENABLE|DISABLE] scope = [ALL|SUBNET|CUSTOM] addresses = [addresses] profile = [CURRENT|DOMAIN|STANDARD|ALL]
 
  add allowedprogram program = [path] name = [name] mode = [ENABLE|DISABLE] scope = [ALL|SUBNET|CUSTOM] addresses = [addresses] profile = [CURRENT|DOMAIN|STANDARD|ALL]
Everything besides 'program' and 'name' is optional. You might want to check the article in the [http://technet.microsoft.com/en-us/library/bb490617.aspx MS Windows XP TechCenter] for default values and a detailed explanation.
+
Everything besides [program] and [name] is optional. You might want to check the article in the [http://technet.microsoft.com/en-us/library/bb490617.aspx MS Windows XP TechCenter] for default values and a detailed explanation.
 +
 
 +
To allow remote administration to the exception list:
 +
netsh firewall set service remoteadmin enable
 +
 
 +
To allow file and printer sharing for Microsoft networks:
 +
netsh firewall set service fileandprint enable
 +
 
 +
It is enough to execute those commands only once, as the settings will survive the reboot, so you may use ''execute="once"''. If you want to use check conditions to notice if someone has changed a rule, look in <code>HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\</code> for rules that involve opening particular ports.
 +
 
 +
==Examples==
 +
 
 +
To open e.g. port 22 in the Windows XP firewall, you have to execute the following:
 +
 
 +
netsh firewall add portopening TCP 22 SSH enable subnet
 +
 
 +
In packages.xml you should add a line like below:
 +
<source lang="xml">
 +
<package
 +
        id="open-port-22"
 +
        name="Open port 22 on windows firewall"
 +
        revision="1"
 +
        reboot="false"
 +
        notify="false"
 +
        priority="2">     
 +
       
 +
        <install cmd='netsh firewall add portopening TCP 22 SSH enable subnet' />
 +
       
 +
</package>
 +
</source>
 +
 
 +
This is useful if you want to run a SSH server (i.e. [[freeSSHd]]), but still want to have your firewall enabled.
 +
 
 +
To add a rule to open 143/tcp to a particular network and to notice if someone changed your settings, the following can be used:
 +
 
 +
<source lang="xml">
 +
<!-- Rule present and turned on -->
 +
<package
 +
id="fw-143-example-on"
 +
name="Firewall: IMAP example on"
 +
revision="1"
 +
reboot="false"
 +
priority="0">
 +
 
 +
  <check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" />
 +
 
 +
  <install cmd='netsh firewall add portopening TCP 143 "IMAP example" ENABLE CUSTOM "192.0.2.0/255.255.255.0"'>
 +
    <exit code="0" />
 +
  </install>
 +
 
 +
  <remove cmd='netsh firewall remove portopening TCP 143'>
 +
    <exit code="0" />
 +
  </remove>
 +
</package>
 +
 
 +
<!-- Rule present but turned off -->
 +
<package
 +
id="fw-143-example-off"
 +
name="Firewall: IMAP example off"
 +
revision="1"
 +
reboot="false"
 +
priority="0">
 +
 
 +
  <check type="logical" condition="not" />
 +
    <!-- Depending on what you're trying to accomplish, you may want to check merely the existence of an entry for 143:TCP -->
 +
    <check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" />
 +
  </check>
 +
 
 +
  <install cmd='netsh firewall add portopening TCP 143 "IMAP example" DISABLE CUSTOM "192.0.2.0/255.255.255.0"'>
 +
    <exit code="0" />
 +
  </install>
 +
 
 +
  <remove cmd='netsh firewall remove portopening TCP 143'>
 +
    <exit code="0" />
 +
  </remove>
 +
</package>
 +
 
 +
</source>
  
 
[[Category: Silent Installers]]
 
[[Category: Silent Installers]]
 
[[Category: Changing Windows settings]]
 
[[Category: Changing Windows settings]]

Latest revision as of 23:04, 24 November 2010

Using netsh for configuring the firewall

To disable Windows XP firewall, you have to execute the following: 

netsh firewall set opmode disable


To add ports to the exception list: 

netsh firewall add portopening [protocol] [port number] [rule name]

[protocol] can be TCP or UDP (remove the brackets when you insert your values).


To add a program to the exception list: 

add allowedprogram program = [path] name = [name] mode = [ENABLE|DISABLE] scope = [ALL|SUBNET|CUSTOM] addresses = [addresses] profile = [CURRENT|DOMAIN|STANDARD|ALL]

Everything besides [program] and [name] is optional. You might want to check the article in the MS Windows XP TechCenter for default values and a detailed explanation.

To allow remote administration to the exception list: 

netsh firewall set service remoteadmin enable

To allow file and printer sharing for Microsoft networks: 

netsh firewall set service fileandprint enable

It is enough to execute those commands only once, as the settings will survive the reboot, so you may use execute="once". If you want to use check conditions to notice if someone has changed a rule, look in HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ for rules that involve opening particular ports.

Examples

To open e.g. port 22 in the Windows XP firewall, you have to execute the following: 

netsh firewall add portopening TCP 22 SSH enable subnet

In packages.xml you should add a line like below: 

<package
        id="open-port-22"
        name="Open port 22 on windows firewall"
        revision="1"
        reboot="false"
        notify="false"
        priority="2">      
        
        <install cmd='netsh firewall add portopening TCP 22 SSH enable subnet' />
        
</package>

This is useful if you want to run a SSH server (i.e. freeSSHd), but still want to have your firewall enabled.

To add a rule to open 143/tcp to a particular network and to notice if someone changed your settings, the following can be used: 

<!-- Rule present and turned on -->
<package
 id="fw-143-example-on"
 name="Firewall: IMAP example on"
 revision="1"
 reboot="false"
 priority="0">

   <check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" />

   <install cmd='netsh firewall add portopening TCP 143 "IMAP example" ENABLE CUSTOM "192.0.2.0/255.255.255.0"'>
     <exit code="0" />
   </install>

   <remove cmd='netsh firewall remove portopening TCP 143'>
     <exit code="0" />
   </remove>
</package>

<!-- Rule present but turned off -->
<package
 id="fw-143-example-off"
 name="Firewall: IMAP example off"
 revision="1"
 reboot="false"
 priority="0">

   <check type="logical" condition="not" />
    <!-- Depending on what you're trying to accomplish, you may want to check merely the existence of an entry for 143:TCP -->
    <check type="registry" condition="equals" path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\143:TCP" value="143:TCP:192.0.2.0/255.255.255.0:Enabled:IMAP example" />
   </check>

   <install cmd='netsh firewall add portopening TCP 143 "IMAP example" DISABLE CUSTOM "192.0.2.0/255.255.255.0"'>
     <exit code="0" />
   </install>

   <remove cmd='netsh firewall remove portopening TCP 143'>
     <exit code="0" />
   </remove>
</package>
Retrieved from "https://wpkg.org/index.php?title=Configuring_Windows_XP_firewall&oldid=8767"