Configuring Windows Firewall with Advanced Security

3,435 bytes added, 23:58, 30 November 2010
initial revision, loosely derived from the XP firewall documentation
==Using netsh for configuring the firewall==

The Windows XP <code>netsh firewall</code> command is still present on Windows 7, but it is deprecated in favor of <code>netsh advfirewall</code> and may go away in a future release. Rules written with <code>netsh firewall</code> still work with Windows 7, but old check conditions which rely on <code>HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\</code> need to be modified.

For documentation on the Vista / Server 2008 / 7 firewall, see [http://support.microsoft.com/kb/947709 KB947709] for an overview with examples (including an explanation of how to accomplish the tasks described in the [[Configuring Windows XP firewall]] article) or the Microsoft TechNet article [http://technet.microsoft.com/en-us/library/cc771920%28WS.10%29.aspx Netsh Commands for Windows Firewall with Advanced Security] for details. You can also run <code>netsh advfirewall /?</code> for help.

Note that there are differences between the Vista / 2008 firewall and the 7 / 2008R2 firewall. The above TechNet article contains details.

These settings are persistent, so it's possible to use ''execute="once"''; however, it may (depending on your purposes) be a good idea to add check conditions so that settings can be restored if someone or something changes them.

Rules can be bundled together and activated or deactivated as a group. The Windows Firewall with Advanced Security control panel is the easiest way to find out what rules and groups are pre-defined.

==Profiles==

The Windows 7 / Server 2008 R2 firewall supports domain, public and private profiles, some or all of which can be active at a time. If you want to alter a particular profile instead of altering all current profiles, it should be specified on the command line.

The following profiles can be specified when writing and modifying rules:
<ul>
<li><code>allprofiles</code> affects all profiles</li>
<li><code>currentprofile</code> affects the currently-active profile (on Vista and 2008) or all currently-active profiles (on 7 and 2008 R2)</li>
<li><code>domainprofile</code></li>
<li><code>privateprofile</code></li>
<li><code>publicprofile</code></li>
</ul>

==Unresolved issues==

The following require additional research:

<ul>
<li>How to write check conditions? Rules appear in <code>HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules</code>, but it is not clear how stable names and content are across systems. An external script might be useful, or it might be advisable to always set rules if it's desired that differences from the desired profile be detected and corrected.</li>

<li>How to select the active profile(s)?</li>
</ul>
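An external script of the kind mentioned above, as an added example that is not part of this wiki page: it parses the output of <code>netsh advfirewall firewall show rule name=all</code> (the field layout netsh prints on Windows 7) and exits 0 only when every rule of the named group that applies to the named profile is enabled, so a package could call it to detect drift instead of relying on registry contents. The embedded sample output is constructed; the default group and profile names match the Remote Desktop example.

```python
"""Added example (not the wiki's code): parse `netsh advfirewall firewall show
rule name=all` output and report whether every rule of a group is enabled for
a profile, usable as an external check script. Sample output is constructed."""
import subprocess
import sys
# Constructed sample in netsh's output format; the RemoteFX rule is disabled.
SAMPLE_OUTPUT = """
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain
Grouping:                             Remote Desktop

Rule Name:                            Remote Desktop - RemoteFX (TCP-In)
----------------------------------------------------------------------
Enabled:                              No
Profiles:                             Domain,Private
Grouping:                             Remote Desktop

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
Ok.
"""

def parse_rules(text):
    """Return one dict of field -> value per rule in the netsh output."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}          # a new rule record starts here
            rules.append(current)
        if current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return rules

def group_rules_enabled(text, group, profile):
    """True only if every rule of `group` that applies to `profile` is enabled."""
    matching = [r for r in parse_rules(text) if r.get("Grouping") == group
                and profile in r.get("Profiles", "").split(",")]
    return bool(matching) and all(r.get("Enabled") == "Yes" for r in matching)
if __name__ == "__main__":  # live check: exit 0 = compliant, 1 = drift detected
    group = sys.argv[1] if len(sys.argv) > 1 else "Remote Desktop"
    profile = sys.argv[2] if len(sys.argv) > 2 else "Domain"
    out = subprocess.run(["netsh", "advfirewall", "firewall", "show", "rule",
                          "name=all"], capture_output=True, text=True).stdout
    sys.exit(0 if group_rules_enabled(out, group, profile) else 1)
```

A rule whose <code>Profiles</code> value does not include the requested profile is ignored, and an unknown group yields a non-zero exit rather than a false pass.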

==Examples==

The following package should enable all the individual rules in the "Remote Desktop" group for the domain profile. (Due to operational constraints, it is presently untested; use at your own risk.)

<source lang="xml">
<package id="fw-rdp-domain-on"
name="Enable RDP rule group, domain profile"
revision="1"
reboot="false"
execute="once">

<install cmd='netsh advfirewall firewall set rule profile=domain group="Remote Desktop" new enable=Yes' />
<remove cmd='netsh advfirewall firewall set rule profile=domain group="Remote Desktop" new enable=No' />
</package>
</source>

[[Category: Silent Installers]]
[[Category: Changing Windows settings]]