Adding a rule to the Windows firewall


(Difference between revisions)
Current revision (07:16, 8 April 2015) (view source)
 
(6 intermediate revisions not shown.)
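--- a/Adding a rule to the Windows firewall
+++ b/Adding a rule to the Windows firewall
@@ -1 +1 @@
-If you want to add your application to the white list of the Windows firewall (Windows XP SP2, Vista, etc.), you can use the Net.exe application which is shipped with Windows:
+If you want to add your application to the white list of the Windows firewall, do the following:
-This goes all into one line in Inno Setup:
+<pre>
+// Utility functions for Inno Setup
+//  used to add/remove programs from the windows firewall rules
+// Code originally from http://news.jrsoftware.org/news/innosetup/msg43799.html
-    Filename: "{sys}\netsh.exe"; Parameters: "firewall add allowedprogram ""{app}\app.exe"" ""My App desc"" ENABLE ALL";
+const
-    StatusMsg: "My status msg..."; Flags: runhidden; MinVersion: 0,5.01.2600sp2;
+  NET_FW_SCOPE_ALL = 0;
+  NET_FW_IP_VERSION_ANY = 2;
-MinVersion will make sure that it only runs on Windows XP with SP2 or higher.
+procedure SetFirewallException(AppName,FileName:string);
+var
+  FirewallObject: Variant;
+  FirewallManager: Variant;
+  FirewallProfile: Variant;
+begin
+  try
+    FirewallObject := CreateOleObject('HNetCfg.FwAuthorizedApplication');
+    FirewallObject.ProcessImageFileName := FileName;
+    FirewallObject.Name := AppName;
+    FirewallObject.Scope := NET_FW_SCOPE_ALL;
+    FirewallObject.IpVersion := NET_FW_IP_VERSION_ANY;
+    FirewallObject.Enabled := True;
+    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
+    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
+    FirewallProfile.AuthorizedApplications.Add(FirewallObject);
+  except
+  end;
+end;
-Ideally you should let the user decide whether he/she wants to add your application to the white list of the firewall with a [Tasks} entry:
+procedure RemoveFirewallException( FileName:string );
+var
+  FirewallManager: Variant;
+  FirewallProfile: Variant;
+begin
+  try
+    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
+    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
+    FireWallProfile.AuthorizedApplications.Remove(FileName);
+  except
+  end;
+end;
-    [Tasks]
+procedure CurStepChanged(CurStep: TSetupStep);
-    ; Firewall starting from Windows XP SP2 (5.01.2600sp2)
+begin
-    Name: Firewall; Description: "Add an exception to Windows firewall"; MinVersion: 0,5.01.2600sp2;  
+  if CurStep=ssPostInstall then
-    ...
+    SetFirewallException('My Server', ExpandConstant('{app}\')+'TCPServer.exe');
-    ...
+end;
-    ...
+
-    [Run]
+
-    Filename: "{sys}\netsh.exe"; .........; Tasks: Firewall;
+
-Finally don't forget to remove your programs firewall entry when you uninstall it with something like
+procedure CurUninstallStepChanged(CurUninstallStep: TUninstallStep);
+begin
+  if CurUninstallStep=usPostUninstall then
+    RemoveFirewallException(ExpandConstant('{app}\')+'TCPServer.exe');
+end;
+</pre>
-     [UninstallRun]
+The above code adds an exception for a particular executable file, which is usually sufficient to allow access to all ports opened by that executable.  In some rare cases however you may need to open ports globally or for an unknown executable -- one common example is when using HTTP.SYS either directly or through the .NET HttpListener, where it is not your application that actually ends up listening on the port.  The code snippets below will open a port exception instead (it's not a complete example):
-     Filename: {sys}\netsh.exe; Parameters: "firewall delete allowedprogram program=""{app}\app.exe"""; Flags: runhidden;  
+
-     MinVersion: 0,5.01.2600sp2;
+<pre>
+const
+  NET_FW_PROTOCOL_TCP = 6;
+  NET_FW_PROTOCOL_UDP = 17;
+
+procedure SetFirewallPortException(AppName: string; Protocol, Port: integer);
+var
+  FirewallObject: Variant;
+  FirewallManager: Variant;
+  FirewallProfile: Variant;
+begin
+  try
+     FirewallObject := CreateOleObject('HNetCfg.FwOpenPort');
+     FirewallObject.Name := AppName;
+    FirewallObject.Scope := NET_FW_SCOPE_ALL;
+    FirewallObject.IpVersion := NET_FW_IP_VERSION_ANY;
+    FirewallObject.Protocol := Protocol;
+    FirewallObject.Port := Port;
+     FirewallObject.Enabled := True;
+    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
+    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
+    FirewallProfile.GloballyOpenPorts.Add(FirewallObject);
+  except
+  end;
+end;   
+
+procedure RemoveFirewallPortException(Protocol, Port: integer);
+var
+  FirewallManager: Variant;
+  FirewallProfile: Variant;
+begin
+  try
+    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
+    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
+    FireWallProfile.GloballyOpenPorts.Remove(Port, Protocol);
+  except
+  end;
+end;
+</pre>
+
+Another way of adding a rule to the Windows firewall is the command line utility NETSH.EXE, which comes with Windows. However, the NETSH.EXE method does not work for some Windows Editions like e.g. Vista Basic. See [http://support.microsoft.com/kb/949543 The "netsh firewall add portopening," "netsh firewall set portopening," and "netsh firewall set service" commands do not work on a computer that is running certain editions of Windows Vista] on the Microsoft support pages.
+
+== External links ==
+*[http://support.microsoft.com/kb/949543 The "netsh firewall add portopening," "netsh firewall set portopening," and "netsh firewall set service" commands do not work on a computer that is running certain editions of Windows Vista] on the Microsoft support pages.
+*[http://technet.microsoft.com/en-us/library/cc737845%28WS.10%29.aspx Firewall Tools and Settings] on Microsoft Technet.
 [[Category:Windows firewall]]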
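Review bot: All four try/except blocks on the new side (SetFirewallException, RemoveFirewallException, SetFirewallPortException, RemoveFirewallPortException) end in an empty `except end;`, so a rule that fails to be created or removed leaves no trace while Setup reports success; log the failure instead, e.g. `Log('SetFirewallException failed: ' + GetExceptionMessage);` inside each handler. CurStepChanged also registers the rule unconditionally at ssPostInstall, and with Scope set to NET_FW_SCOPE_ALL it admits inbound traffic from any remote address to `{app}\TCPServer.exe`; gating the call on an opt-in task (`if IsTaskSelected('firewall') then`) and mentioning that NET_FW_SCOPE_LOCAL_SUBNET (1) is the narrower choice for LAN-only services would be worth adding to the page text. The port variant adds to GloballyOpenPorts, which as the paragraph after the first snippet says is not tied to an executable, so a comment above SetFirewallPortException stating that any process listening on that port becomes reachable would help readers choose the right helper.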

Current revision

If you want to add your application to the white list of the Windows firewall, do the following:

// Utility functions for Inno Setup
//   used to add/remove programs from the windows firewall rules
// Code originally from http://news.jrsoftware.org/news/innosetup/msg43799.html

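const
  // NET_FW_SCOPE enumeration values used for the Scope property.
  // NET_FW_SCOPE_ALL admits any remote address; NET_FW_SCOPE_LOCAL_SUBNET
  // restricts the rule to the local subnet and is the least-privilege
  // choice for services that only need to be reachable on the LAN.
  NET_FW_SCOPE_ALL = 0;
  NET_FW_SCOPE_LOCAL_SUBNET = 1;
  // NET_FW_IP_VERSION enumeration: rule applies to both IPv4 and IPv6.
  NET_FW_IP_VERSION_ANY = 2;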

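// Adds an inbound allow rule for the executable FileName to the current
// Windows firewall profile through the legacy HNetCfg COM objects.
//   AppName  - display name of the rule as shown in the firewall UI.
//   FileName - full path of the executable the rule is bound to.
// The rule is created with Scope = NET_FW_SCOPE_ALL (any remote address)
// and IpVersion = NET_FW_IP_VERSION_ANY. Any failure is logged and
// swallowed so that Setup continues; the rule is then simply absent.
procedure SetFirewallException(AppName,FileName:string);
var
  FirewallObject: Variant;
  FirewallManager: Variant;
  FirewallProfile: Variant;
begin
  try
    FirewallObject := CreateOleObject('HNetCfg.FwAuthorizedApplication');
    FirewallObject.ProcessImageFileName := FileName;
    FirewallObject.Name := AppName;
    // Scope ALL admits every remote address; narrow it when the
    // application only needs to be reachable from the local subnet.
    FirewallObject.Scope := NET_FW_SCOPE_ALL;
    FirewallObject.IpVersion := NET_FW_IP_VERSION_ANY;
    FirewallObject.Enabled := True;
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
    // Only the profile active at install time receives the rule.
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
    FirewallProfile.AuthorizedApplications.Add(FirewallObject);
  except
    // Best-effort: do not abort Setup, but leave a trace in the setup
    // log so a missing rule can be diagnosed afterwards.
    Log('SetFirewallException failed for ' + FileName + ': ' + GetExceptionMessage);
  end;
end;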

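// Removes the firewall rule previously added for the executable FileName
// from the current firewall profile. FileName must match the path that was
// passed to SetFirewallException. Any failure is logged and swallowed so
// that the uninstaller continues.
procedure RemoveFirewallException( FileName:string );
var
  FirewallManager: Variant;
  FirewallProfile: Variant;
begin
  try
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
    FirewallProfile.AuthorizedApplications.Remove(FileName);
  except
    // Best-effort: a rule left behind is recorded rather than hidden.
    Log('RemoveFirewallException failed for ' + FileName + ': ' + GetExceptionMessage);
  end;
end;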

// Inno Setup event function, called as Setup moves between steps.
// The firewall rule for the bundled TCPServer.exe is registered once the
// ssPostInstall step is reached; every other step is ignored.
procedure CurStepChanged(CurStep: TSetupStep);
var
  ServerExe: string;
begin
  if CurStep <> ssPostInstall then
    Exit;
  // {app} is expanded at run time to the chosen installation directory.
  ServerExe := ExpandConstant('{app}\') + 'TCPServer.exe';
  SetFirewallException('My Server', ServerExe);
end;

// Inno Setup uninstall event function, called as the uninstaller moves
// between steps. After the files are gone (usPostUninstall) the firewall
// rule for TCPServer.exe is removed; every other step is ignored.
procedure CurUninstallStepChanged(CurUninstallStep: TUninstallStep);
var
  ServerExe: string;
begin
  if CurUninstallStep <> usPostUninstall then
    Exit;
  // Must expand to the same path that was registered at install time.
  ServerExe := ExpandConstant('{app}\') + 'TCPServer.exe';
  RemoveFirewallException(ServerExe);
end;

The above code adds an exception for a particular executable file, which is usually sufficient to allow access to all ports opened by that executable. In some rare cases, however, you may need to open ports globally or for an unknown executable — one common example is when using HTTP.SYS, either directly or through the .NET HttpListener, where it is not your application that actually ends up listening on the port. The code snippets below open a port exception instead (this is not a complete example):

const
  // IANA protocol numbers accepted by the Protocol property of
  // HNetCfg.FwOpenPort (written in hex: $06 = 6, $11 = 17).
  NET_FW_PROTOCOL_TCP = $06;
  NET_FW_PROTOCOL_UDP = $11;

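// Opens a port in the current Windows firewall profile, independent of
// which executable ends up listening on it (GloballyOpenPorts).
//   AppName  - display name of the rule as shown in the firewall UI.
//   Protocol - NET_FW_PROTOCOL_TCP or NET_FW_PROTOCOL_UDP.
//   Port     - port number to open.
// Because the rule is not bound to an executable, any process that later
// listens on Port becomes reachable; prefer SetFirewallException when the
// listener is your own executable. Any failure is logged and swallowed so
// that Setup continues.
procedure SetFirewallPortException(AppName: string; Protocol, Port: integer);
var
  FirewallObject: Variant;
  FirewallManager: Variant;
  FirewallProfile: Variant;
begin
  try
    FirewallObject := CreateOleObject('HNetCfg.FwOpenPort');
    FirewallObject.Name := AppName;
    // Scope ALL admits every remote address; narrow it for LAN-only services.
    FirewallObject.Scope := NET_FW_SCOPE_ALL;
    FirewallObject.IpVersion := NET_FW_IP_VERSION_ANY;
    FirewallObject.Protocol := Protocol;
    FirewallObject.Port := Port;
    FirewallObject.Enabled := True;
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
    // Only the profile active at install time receives the rule.
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
    FirewallProfile.GloballyOpenPorts.Add(FirewallObject);
  except
    // Best-effort: do not abort Setup, but record the failure in the log.
    Log('SetFirewallPortException failed for port ' + IntToStr(Port) + ': ' + GetExceptionMessage);
  end;
end;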

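// Closes a port previously opened with SetFirewallPortException in the
// current firewall profile. Protocol and Port must match the values used
// when the rule was added. Any failure is logged and swallowed so that the
// uninstaller continues.
procedure RemoveFirewallPortException(Protocol, Port: integer);
var
  FirewallManager: Variant;
  FirewallProfile: Variant;
begin
  try
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
    // Note the argument order of Remove: port first, then protocol.
    FirewallProfile.GloballyOpenPorts.Remove(Port, Protocol);
  except
    // Best-effort: a port left open is recorded rather than hidden.
    Log('RemoveFirewallPortException failed for port ' + IntToStr(Port) + ': ' + GetExceptionMessage);
  end;
end;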

Another way of adding a rule to the Windows firewall is the command-line utility NETSH.EXE, which comes with Windows. However, the NETSH.EXE method does not work for some Windows editions, such as Vista Basic. See the Microsoft support article "The "netsh firewall add portopening," "netsh firewall set portopening," and "netsh firewall set service" commands do not work on a computer that is running certain editions of Windows Vista".

External links
