Home / server / Questions / 325544
Accepted
frogstarr78
Asked: 2011-10-28 16:27:27 +0800 CST

How to create a Windows 2008 Advanced Firewall rules group definition through the command prompt

  • 772

Is there a way to create a group, or add to an existing group, to a rule in Windows Advanced Firewall (preferable through a command prompt or WSH script).

Edit:

enter image description here

windows firewall scripting command-line-interface

4 Answers

  1. Rules in the Windows Firewall can be bundle together and activated or deactivated as a group.

    With netsh advfirewall command you can add rules to the Firewall. Use the switch group= for manage the AdvFirewall groups.

    Use something like this:

    netsh advfirewall firewall set rule profile=domain group="Remote Desktop" new enable=Yes
    • 6

  2. While you specifically mention

    ... through the command prompt

    I'm gonna assume you mean using a script. With 2008, you can use powershell. Its pretty straightforward:

    function Add-FirewallRule {
   param( 
      $name,
      $tcpPorts,
      $appName = $null,
      $serviceName = $null
   )
    $fw = New-Object -ComObject hnetcfg.fwpolicy2 
    $rule = New-Object -ComObject HNetCfg.FWRule

    $rule.Name = $name
    if ($appName -ne $null) { $rule.ApplicationName = $appName }
    if ($serviceName -ne $null) { $rule.serviceName = $serviceName }
    $rule.Protocol = 6 #NET_FW_IP_PROTOCOL_TCP
    $rule.LocalPorts = $tcpPorts
    $rule.Enabled = $true
    $rule.Grouping = "@firewallapi.dll,-23255"
    $rule.Profiles = 7 # all
    $rule.Action = 1 # NET_FW_ACTION_ALLOW
    $rule.EdgeTraversal = $false

    $fw.Rules.Add($rule)
}

# Sample Usage
Add-FirewallRule "Test port 1234" "1234" $null $null
Add-FirewallRule "Test port 5555-6666" "5555-6666" $null $null
Add-FirewallRule "Test port 2222 Calc" 2222 "c:\windows\system32\calc.exe" $null
Add-FirewallRule "Test port 3333 W3SVC" 3333 $null "W3SVC"

    See this article for more detail...

    • 5
  3. Best Answer

    Found a solution for this old question that has also been bugging me for a long time!

    The New-NetFirewallRule TechNet article states this about the -Group parameter of the New-NetFirewallRule commandlet:

    [...] This parameter specifies the source string for the DisplayGroup parameter. [...] Rule groups can be used to organize rules by influence and allows batch rule modifications. Using the Set-NetFirewallRule cmdlets, if the group name is specified for a set of rules or sets, then all of the rules or sets in that group receive the same set of modifications. It is a good practice to specify this parameter value with a universal and world-ready indirect @FirewallAPI name.

    Note: The DisplayGroup parameter cannot be specified upon object creation using the New-NetFirewallRule cmdlet, but can be modified using dot-notation and the Set-NetFirewallRule cmdlet.

    That sounds like there's a chance, right? While trying to find out how to do this myself, I ran the following: 

    Get-NetFirewallRule -DisplayName "Core Networking - IPv6 (IPv6-In)" | Get-Member

    ...and noted that the DisplayGroup property only has a Get method, but the Group property (with its RuleGroup alias) has both a Get and a Set method.

    The PowerShell solution is as-follows:

    Thanks to @maoizm, this solution now works when 1 or more rules with the same DisplayName exist:

    $RuleName = "NameOfYourFirewallRuleGoesHere"
$RuleGroup = "YourGroupNameGoesHere"
Get-NetFirewallRule -DisplayName $RuleName | ForEach { $_.Group = '$RuleGroup'; Set-NetFirewallRule -InputObject $_ }

    And this will actually create a new group name that is assigned to your rule.

    Note: The netsh command does not have an add group command. See the syntax for Netsh AdvFirewall Firewall Commands here.

    • 4

  4. The netsh command line does not have a flag for this.

    As an alternative to the PowerShell solutions above, the group name is part of the registry hive.

    In fact, the .wfw Firewall export is actually a raw regf registry hive. If you import this into the registry editor, you can see that it's a list of REG_SZ pipe-delimited values.

    Custom values are located at 

    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

    Here's a snapshot of a Google Chrome firewall entry (newlines added for readability)

    {7E29D2BA-3EBF-4AFD-BF6E-BA6486C74660}

v2.10|
Action=Allow|
Active=TRUE|
Dir=In|
Protocol=17|
LPort=5353|
App=C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe|
Name=Google Chrome (mDNS-In)|
Desc=Inbound rule for Google Chrome to allow mDNS traffic.|
EmbedCtxt=Google Chrome|

    The "Group" is stored under EmbedCtxt and its value is Google Chrome.

    ... so one could assume that you can manipulate the registry value using the same technique...

    1. Find the registry entry

      reg query HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules /f "Google Chrome"
    2. Overwrite the registry entry with a new/different value ...|EmbedCtx=My Custom Group|

      Note #1: Code intentionally omitted since appending to an existing registry value using command prompt is very tricky.

      Note #2: Without the trailing |, the value will be ignored.

    enter image description here

    • 1