Adding a rule to the Windows firewall

From ISXKB

(Difference between revisions)
Current revision (07:16, 8 April 2015) (view source)
 
(One intermediate revision not shown.)
Line 46: Line 46:
begin
begin
   if CurStep=ssPostInstall then
   if CurStep=ssPostInstall then
-
     SetFirewallException('My Server', ExpandConstant('{app}')+'\TCPServer.exe');
+
     SetFirewallException('My Server', ExpandConstant('{app}\')+'TCPServer.exe');
end;
end;
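Review bot: the edit in this hunk is cosmetic: `ExpandConstant('{app}')+'\TCPServer.exe'` and `ExpandConstant('{app}\')+'TCPServer.exe'` produce the same path, so nothing changes in behaviour. What the call site still lacks is any feedback when SetFirewallException does not succeed, because that procedure's `try ... except end;` (visible in the current revision below) swallows the COM error and the installer finishes as if the rule were in place. Suggest logging the failure in that handler (Log with GetExceptionMessage) or reading the rule back after ssPostInstall and logging a warning when it is absent.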
Line 52: Line 52:
begin
begin
   if CurUninstallStep=usPostUninstall then
   if CurUninstallStep=usPostUninstall then
-
     RemoveFirewallException(ExpandConstant('{app}')+'\TCPServer.exe');
+
     RemoveFirewallException(ExpandConstant('{app}\')+'TCPServer.exe');
end;
end;
</pre>
</pre>
 +
The above code adds an exception for a particular executable file, which is usually sufficient to allow access to all ports opened by that executable.  In some rare cases however you may need to open ports globally or for an unknown executable -- one common example is when using HTTP.SYS either directly or through the .NET HttpListener, where it is not your application that actually ends up listening on the port.  The code snippets below will open a port exception instead (it's not a complete example):
-
Another way of adding a rule to the Windows firewall is the command line utility NET.EXE, which comes with Windows. However, the NET.EXE method does not work for some Windows Editions like e.g. Vista Basic. See [[http://support.microsoft.com/kb/949543 The "netsh firewall add portopening," "netsh firewall set portopening," and "netsh firewall set service" commands do not work on a computer that is running certain editions of Windows Vista]] on the Microsoft support page.
+
<pre>
 +
const
 +
  NET_FW_PROTOCOL_TCP = 6;
 +
  NET_FW_PROTOCOL_UDP = 17;
 +
 
 +
procedure SetFirewallPortException(AppName: string; Protocol, Port: integer);
 +
var
 +
  FirewallObject: Variant;
 +
  FirewallManager: Variant;
 +
  FirewallProfile: Variant;
 +
begin
 +
  try
 +
    FirewallObject := CreateOleObject('HNetCfg.FwOpenPort');
 +
    FirewallObject.Name := AppName;
 +
    FirewallObject.Scope := NET_FW_SCOPE_ALL;
 +
    FirewallObject.IpVersion := NET_FW_IP_VERSION_ANY;
 +
    FirewallObject.Protocol := Protocol;
 +
    FirewallObject.Port := Port;
 +
    FirewallObject.Enabled := True;
 +
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
 +
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
 +
    FirewallProfile.GloballyOpenPorts.Add(FirewallObject);
 +
  except
 +
  end;
 +
end;   
 +
 
 +
procedure RemoveFirewallPortException(Protocol, Port: integer);
 +
var
 +
  FirewallManager: Variant;
 +
  FirewallProfile: Variant;
 +
begin
 +
  try
 +
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
 +
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
 +
    FireWallProfile.GloballyOpenPorts.Remove(Port, Protocol);
 +
  except
 +
  end;
 +
end;
 +
</pre>
 +
 
 +
Another way of adding a rule to the Windows firewall is the command line utility NETSH.EXE, which comes with Windows. However, the NETSH.EXE method does not work for some Windows Editions like e.g. Vista Basic. See [http://support.microsoft.com/kb/949543 The "netsh firewall add portopening," "netsh firewall set portopening," and "netsh firewall set service" commands do not work on a computer that is running certain editions of Windows Vista] on the Microsoft support pages.
 +
 
 +
== External links ==
 +
*[http://support.microsoft.com/kb/949543 The "netsh firewall add portopening," "netsh firewall set portopening," and "netsh firewall set service" commands do not work on a computer that is running certain editions of Windows Vista] on the Microsoft support pages.
 +
*[http://technet.microsoft.com/en-us/library/cc737845%28WS.10%29.aspx Firewall Tools and Settings] on Microsoft Technet.
[[Category:Windows firewall]]
[[Category:Windows firewall]]
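Review bot: the added SetFirewallPortException block uses NET_FW_SCOPE_ALL and NET_FW_IP_VERSION_ANY but its own `const` section declares only NET_FW_PROTOCOL_TCP and NET_FW_PROTOCOL_UDP, so it compiles only when pasted into the same script as the first block; the lead-in paragraph says "not a complete example", but stating that dependency explicitly (or repeating the two constants) would save readers a compile error. Also, `GloballyOpenPorts.Add` opens the port for every process on the host, which is a much wider hole than an application exception, and the hunk adds no uninstall hook for it: suggest a sentence recommending the application exception whenever the listening process is known, and a CurUninstallStepChanged call to RemoveFirewallPortException so the port rule does not outlive the product. The NET.EXE to NETSH.EXE correction and the `[[...]]` to `[...]` link fix look right.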

Current revision

If you want to add your application to the white list of the Windows firewall, do the following:

<pre>
// Utility functions for Inno Setup
//   used to add/remove programs from the windows firewall rules
// Code originally from http://news.jrsoftware.org/news/innosetup/msg43799.html

const
  NET_FW_SCOPE_ALL = 0;        // exception applies to all remote addresses
  NET_FW_IP_VERSION_ANY = 2;   // IPv4 and IPv6

// Adds FileName to the current firewall profile's authorized applications.
// Failures are deliberately swallowed so that a missing or disabled
// Windows Firewall service does not abort the installation; nothing is
// logged, so the caller has no way to tell whether the rule was created.
procedure SetFirewallException(AppName, FileName: string);
var
  FirewallObject: Variant;
  FirewallManager: Variant;
  FirewallProfile: Variant;
begin
  try
    FirewallObject := CreateOleObject('HNetCfg.FwAuthorizedApplication');
    FirewallObject.ProcessImageFileName := FileName;
    FirewallObject.Name := AppName;
    FirewallObject.Scope := NET_FW_SCOPE_ALL;
    FirewallObject.IpVersion := NET_FW_IP_VERSION_ANY;
    FirewallObject.Enabled := True;
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
    FirewallProfile.AuthorizedApplications.Add(FirewallObject);
  except
  end;
end;

// Removes the authorized-application entry keyed by the executable path.
procedure RemoveFirewallException(FileName: string);
var
  FirewallManager: Variant;
  FirewallProfile: Variant;
begin
  try
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
    FirewallProfile.AuthorizedApplications.Remove(FileName);
  except
  end;
end;

// Add the rule once the files are on disk, remove it after uninstall.
procedure CurStepChanged(CurStep: TSetupStep);
begin
  if CurStep = ssPostInstall then
    SetFirewallException('My Server', ExpandConstant('{app}\') + 'TCPServer.exe');
end;

procedure CurUninstallStepChanged(CurUninstallStep: TUninstallStep);
begin
  if CurUninstallStep = usPostUninstall then
    RemoveFirewallException(ExpandConstant('{app}\') + 'TCPServer.exe');
end;
</pre>
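
A variant of the application-exception code above, added here as an example and not part of the original wiki page or the jrsoftware newsgroup post it cites: the caller picks the rule's scope (NET_FW_SCOPE_LOCAL_SUBNET, value 1 in the same firewall API, limits the exception to the local subnet instead of every remote address), and the rule is read back after install so a silently failed COM call shows up in the setup log. It assumes Inno Setup's built-in Log and GetExceptionMessage functions and reuses the page's sample file name TCPServer.exe.

```pascal
const
  NET_FW_SCOPE_LOCAL_SUBNET = 1;  // INetFwAuthorizedApplication.Scope: LAN only
  NET_FW_IP_VERSION_ANY = 2;

// True when an enabled exception for FileName exists; Item raises when absent.
function FirewallExceptionExists(FileName: string): Boolean;
var
  FirewallManager, FirewallProfile, FirewallObject: Variant;
begin
  Result := False;
  try
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
    FirewallObject := FirewallProfile.AuthorizedApplications.Item(FileName);
    Result := FirewallObject.Enabled;
  except
    Result := False;  // Item raised: no such entry in this profile
  end;
end;

// Like SetFirewallException above, but Scope is caller-chosen and failures are logged.
procedure SetScopedFirewallException(AppName, FileName: string; Scope: Integer);
var
  FirewallObject, FirewallManager, FirewallProfile: Variant;
begin
  try
    FirewallObject := CreateOleObject('HNetCfg.FwAuthorizedApplication');
    FirewallObject.ProcessImageFileName := FileName;
    FirewallObject.Name := AppName;
    FirewallObject.Scope := Scope;
    FirewallObject.IpVersion := NET_FW_IP_VERSION_ANY;
    FirewallObject.Enabled := True;
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
    FirewallProfile.AuthorizedApplications.Add(FirewallObject);
  except
    Log('Firewall exception for ' + FileName + ' failed: ' + GetExceptionMessage);
  end;
end;

procedure CurStepChanged(CurStep: TSetupStep);
var
  Exe: string;
begin
  if CurStep <> ssPostInstall then Exit;
  Exe := ExpandConstant('{app}\') + 'TCPServer.exe';   // same sample name as the page
  SetScopedFirewallException('My Server', Exe, NET_FW_SCOPE_LOCAL_SUBNET);
  if FirewallExceptionExists(Exe) then
    Log('Firewall exception verified for ' + Exe)
  else
    Log('WARNING: no enabled firewall exception for ' + Exe);
end;
```

The warning line ends up in the file written by Setup's /LOG switch, which is where a deployment pipeline can grep for it.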

The above code adds an exception for a particular executable file, which is usually sufficient to allow access to all ports opened by that executable. In some rare cases however you may need to open ports globally or for an unknown executable -- one common example is when using HTTP.SYS either directly or through the .NET HttpListener, where it is not your application that actually ends up listening on the port. The code snippets below will open a port exception instead (it's not a complete example):

<pre>
// NET_FW_SCOPE_ALL and NET_FW_IP_VERSION_ANY are declared in the block above;
// this snippet only compiles when it lives in the same script.
const
  NET_FW_PROTOCOL_TCP = 6;    // IP protocol numbers, as used by INetFwOpenPort
  NET_FW_PROTOCOL_UDP = 17;

// Opens Port/Protocol for every process on the host (not tied to one executable).
procedure SetFirewallPortException(AppName: string; Protocol, Port: integer);
var
  FirewallObject: Variant;
  FirewallManager: Variant;
  FirewallProfile: Variant;
begin
  try
    FirewallObject := CreateOleObject('HNetCfg.FwOpenPort');
    FirewallObject.Name := AppName;
    FirewallObject.Scope := NET_FW_SCOPE_ALL;
    FirewallObject.IpVersion := NET_FW_IP_VERSION_ANY;
    FirewallObject.Protocol := Protocol;
    FirewallObject.Port := Port;
    FirewallObject.Enabled := True;
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
    FirewallProfile.GloballyOpenPorts.Add(FirewallObject);
  except
  end;
end;

// Closes the port again; call this from CurUninstallStepChanged.
procedure RemoveFirewallPortException(Protocol, Port: integer);
var
  FirewallManager: Variant;
  FirewallProfile: Variant;
begin
  try
    FirewallManager := CreateOleObject('HNetCfg.FwMgr');
    FirewallProfile := FirewallManager.LocalPolicy.CurrentProfile;
    FirewallProfile.GloballyOpenPorts.Remove(Port, Protocol);
  except
  end;
end;
</pre>

Another way of adding a rule to the Windows firewall is the command line utility NETSH.EXE, which comes with Windows. However, the NETSH.EXE method does not work on some Windows editions, e.g. Vista Basic. See "The 'netsh firewall add portopening', 'netsh firewall set portopening', and 'netsh firewall set service' commands do not work on a computer that is running certain editions of Windows Vista" (http://support.microsoft.com/kb/949543) on the Microsoft support pages.

External links

* The "netsh firewall add portopening," "netsh firewall set portopening," and "netsh firewall set service" commands do not work on a computer that is running certain editions of Windows Vista (http://support.microsoft.com/kb/949543) on the Microsoft support pages.
* Firewall Tools and Settings (http://technet.microsoft.com/en-us/library/cc737845%28WS.10%29.aspx) on Microsoft TechNet.
