Windows 2008 R2 Firewall - Add remote IP to Scope of an Inbound Rule

  • Question

  • I am attempting to add an IP to the scope of a Firewall Incoming rule (Remote IP). This is a predefined rule for DNS. I will have to add it to both the TCP and UDP Incoming rules.

    I have done some searching and found a class that should work but when I use it the IP is not added. 

    I should also add this is a class within an ASP.Net web application.

    Any help is appreciated!

    Imports Microsoft.VisualBasic
    Imports NetFwTypeLib
    Imports System.Collections.Generic
    Imports System.Net
    Imports System.Net.Sockets
    Imports System.Runtime.InteropServices
    
    Public Class Firewall
        Implements IDisposable
        Private _policy As INetFwPolicy2 = Nothing
    
        Private ReadOnly Property Policy As INetFwPolicy2
            Get
                If _policy Is Nothing Then
                    ' Creating the policy object and changing rules needs administrative rights;
                    ' under ASP.NET the worker process or the impersonated user must have them.
                    _policy = DirectCast(Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FwPolicy2")), INetFwPolicy2)
                End If
                Return _policy
            End Get
        End Property
    
        ' The firewall reports a single IPv4 host as "a.b.c.d/255.255.255.255".
        Private Shared Function HostEntry(ipAddress As IPAddress) As String
            If ipAddress.AddressFamily <> AddressFamily.InterNetwork Then
                Throw New ArgumentException("IPv4 address expected", "ipAddress")
            End If
            Return ipAddress.ToString() & "/255.255.255.255"
        End Function
    
        ' Rules.Item(name) returns only the first rule with that name; collecting every
        ' inbound match makes sure a second rule of the same name is not silently skipped.
        Private Function RulesNamed(ruleName As String) As List(Of INetFwRule)
            Dim matches As New List(Of INetFwRule)
            For Each rule As INetFwRule In Policy.Rules
                If rule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN AndAlso
                   String.Equals(rule.Name, ruleName, StringComparison.OrdinalIgnoreCase) Then
                    matches.Add(rule)
                End If
            Next
            Return matches
        End Function
    
        ' The scope is a comma-separated list; splitting it allows whole-entry comparison
        ' instead of a substring Contains, which would match "10.0.0.1" inside "110.0.0.1".
        Private Shared Function SplitScope(scope As String) As List(Of String)
            Dim entries As New List(Of String)
            For Each entry As String In If(scope, "").Split(","c)
                If entry.Trim().Length > 0 Then entries.Add(entry.Trim())
            Next
            Return entries
        End Function
    
        Public Sub Add(ipAddress As IPAddress, ruleName As String)
            Dim newAddress As String = HostEntry(ipAddress)
            For Each firewallRule As INetFwRule In RulesNamed(ruleName)
                Dim entries As List(Of String) = SplitScope(firewallRule.RemoteAddresses)
                ' "*" (Any) cannot be combined with explicit addresses, so "*,a.b.c.d/..." is
                ' not a valid scope; dropping it turns the rule into a whitelist.
                entries.Remove("*")
                If Not entries.Contains(newAddress) Then entries.Add(newAddress)
                firewallRule.RemoteAddresses = String.Join(",", entries)
            Next
        End Sub
    
        Public Sub Remove(ipAddress As IPAddress, ruleName As String)
            Dim oldAddress As String = HostEntry(ipAddress)
            For Each firewallRule As INetFwRule In RulesNamed(ruleName)
                Dim entries As List(Of String) = SplitScope(firewallRule.RemoteAddresses)
                If entries.Remove(oldAddress) Then
                    ' Rebuilding the list avoids the ",," and trailing-comma leftovers of Replace.
                    ' An empty scope is not valid; set "*" explicitly if the rule should reopen.
                    If entries.Count = 0 Then
                        Throw New InvalidOperationException("Removing the last address would leave the rule with an empty scope.")
                    End If
                    firewallRule.RemoteAddresses = String.Join(",", entries)
                End If
            Next
        End Sub
    
        Public Function Exists(ipAddress As IPAddress, ruleName As String) As Boolean
            Dim address As String = HostEntry(ipAddress)
            For Each firewallRule As INetFwRule In RulesNamed(ruleName)
                If SplitScope(firewallRule.RemoteAddresses).Contains(address) Then Return True
            Next
            Return False
        End Function
    
        Private disposedValue As Boolean
    
        Protected Overridable Sub Dispose(disposing As Boolean)
            If Not Me.disposedValue Then
                If disposing AndAlso _policy IsNot Nothing Then
                    ' Release the COM reference rather than only dropping the wrapper.
                    Marshal.ReleaseComObject(_policy)
                    _policy = Nothing
                End If
                Me.disposedValue = True
            End If
        End Sub
    
        Public Sub Dispose() Implements IDisposable.Dispose
            Dispose(True)
            GC.SuppressFinalize(Me)
        End Sub
    
    End Class




    • Edited by mkiessli Thursday, April 10, 2014 2:56 PM
    Thursday, April 10, 2014 3:29 AM

Answers

  • Hi,

    Maybe you can add a firewall rule to allow this ip address.

    Please try to check the following about how to programmatically adding firewall rules in C#:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using NetFwTypeLib;
     
    namespace gatekeeper
    {
        public partial class key : System.Web.UI.Page
        {
            protected void Page_Load(object sender, EventArgs e)
            {
     
            }
     
            protected void Button1_Click(object sender, EventArgs e)
            {
                // Placeholder check; replace "YourPassword" with real authentication before deploying.
                if (TextBox1.Text == "YourPassword")
                {
                    // Client address as seen by IIS (a reverse proxy in front of IIS would mask it).
                    string ip = Request.ServerVariables["remote_addr"].ToString();
                    string ruleName = "Released by GateKeeper : " + ip;
                    INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
     
                    // Rules.Add accepts duplicate names, so check before adding a second rule for the same client.
                    bool alreadyReleased = false;
                    foreach (INetFwRule existing in firewallPolicy.Rules)
                    {
                        if (existing.Name == ruleName) { alreadyReleased = true; break; }
                    }
                    if (!alreadyReleased)
                    {
                        INetFwRule firewallRule = (INetFwRule)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FWRule"));
                        firewallRule.Action = NET_FW_ACTION_.NET_FW_ACTION_ALLOW;
                        firewallRule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN;
                        firewallRule.RemoteAddresses = ip;          // scope: only this client
                        firewallRule.Protocol = 6;                  // TCP
                        firewallRule.LocalPorts = "1433,1000,3389,21,8050,8051,8052,8053";
                        firewallRule.Enabled = true;
                        firewallRule.InterfaceTypes = "All";
                        firewallRule.Name = ruleName;
                        firewallPolicy.Rules.Add(firewallRule);
                    }
                    Response.Write("Authenticated");
                    Response.End();
                }
            }
        }
    }

    asp.net code:

    <body>
        <form id="form1" runat="server">
        <table style="width: 100%">
            <tr>
                <td style="width: 73px">Password:</td>
                <td>
                    <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
                </td>
            </tr>
        </table>
        <div>
         
            <br />
            <asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="Enter" />
         
        </div>
        </form>
    </body>

    One very important thing: Impersonation is required on the Web Root application (IIS -> Sites -> Authentication icon).
    And another important thing: NetFwTypeLib is required on the server. Check your Windows Server version and language and, if necessary, download and install this lib.

    Best Regards,
    Amy Peng




    Friday, April 11, 2014 2:45 AM
    Moderator

All replies

  • Hello Amy! 

    Thank you for your suggestion.  I have converted it to VB, see code below.

    Also I see that I may just be able to add a raw rule for an IP without having to add it to a predefined rule. Would this cause a problem, per se, if I added a custom IP to block port 80? Would I have to whitelist the predefined rule, or would it still allow all to see a webpage but the new rule would block the IP specified on port 80? In other words, which rule would be effective? Would the default port 80 rule override the custom one?

    Also is the syntax for removing the rule just as easy?

    Imports System.Collections.Generic
    Imports System.Linq
    Imports System.Web
    Imports System.Web.UI
    Imports System.Web.UI.WebControls
    Imports NetFwTypeLib
    
    Namespace gatekeeper
    	Public Partial Class key
    		Inherits System.Web.UI.Page
    		Protected Sub Page_Load(sender As Object, e As EventArgs)
    
    		End Sub
    
    		Protected Sub Button1_Click(sender As Object, e As EventArgs)
    			If TextBox1.Text = "YourPassword" Then
    				Dim ip As String = Request.ServerVariables("remote_addr").ToString()
    				Dim firewallRule As INetFwRule = DirectCast(Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FWRule")), INetFwRule)
    				firewallRule.Action = NET_FW_ACTION_.NET_FW_ACTION_ALLOW
    				firewallRule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN
    				firewallRule.RemoteAddresses = ip
    				firewallRule.Protocol = 6
    				firewallRule.LocalPorts = "1433,1000,3389,21,8050,8051,8052,8053"
    				firewallRule.Enabled = True
    				firewallRule.InterfaceTypes = "All"
    				firewallRule.Name = "Released by GateKeeper : " & ip
    				Dim firewallPolicy As INetFwPolicy2 = DirectCast(Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FwPolicy2")), INetFwPolicy2)
    				firewallPolicy.Rules.Add(firewallRule)
    				Response.Write("Authenticated")
    				Response.[End]()
    			End If
    		End Sub
    	End Class
    End Namespace

    Also should I add a global Disallow rule to prevent all others from accessing that port?

    If in fact I have none blocked by this system, logic suggests that all users will be able to use the port, as the code does not append IPs to the one rule, rather it creates a unique rule for each IP added.

    Thank you again I will report back if this works to mark as an Answered question.

    ------- UPDATE ---------------------------------------------------------------------------

    I now have it adding and removing rules, see code below.

    It does seem inefficient, but when I try to combine the add TCP/UDP I get a catastrophic error.

    Imports System.Net
    Imports NetFwTypeLib
    
    Partial Class _Default
        Inherits System.Web.UI.Page
    
        Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
            Label1.Text = Request.UserHostAddress
        End Sub
    
        Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
            AddruleTCP(Add.Text, "EP>TCP DNS Opened by GateKeeper : ")
            AddruleUDP(Add.Text, "EP>UDP DNS Opened by GateKeeper : ")
        End Sub
    
        Protected Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click
            RemoveruleTCP(remove.Text, "EP>TCP DNS Opened by GateKeeper : ")
            RemoveruleUDP(remove.Text, "EP>UDP DNS Opened by GateKeeper : ")   ' was RemoveruleTCP
        End Sub
    
        Private Shared Function GetPolicy() As INetFwPolicy2
            Return DirectCast(Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FwPolicy2")), INetFwPolicy2)
        End Function
    
        ' Rules.Add accepts duplicate names, so adding the same IP twice would create two rules.
        Private Shared Function RuleExists(policy As INetFwPolicy2, name As String) As Boolean
            For Each rule As INetFwRule In policy.Rules
                If rule.Name = name Then Return True
            Next
            Return False
        End Function
    
        Public Sub AddruleTCP(ipAddress As String, ruleName As String)
            'TCP RULE
            Dim firewallPolicy As INetFwPolicy2 = GetPolicy()
            If RuleExists(firewallPolicy, ruleName & ipAddress) Then Exit Sub
            ' A fresh HNetCfg.FWRule object is needed for every rule added.
            Dim firewallRule As INetFwRule = DirectCast(Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FWRule")), INetFwRule)
            firewallRule.Action = NET_FW_ACTION_.NET_FW_ACTION_ALLOW
            firewallRule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN
            ' IPAddress.Parse rejects anything from the text box that is not an IP address.
            firewallRule.RemoteAddresses = IPAddress.Parse(ipAddress).ToString()
            firewallRule.Protocol = 6    ' TCP
            firewallRule.LocalPorts = "53"
            firewallRule.Enabled = True
            firewallRule.InterfaceTypes = "All"
            firewallRule.Name = ruleName & ipAddress
            firewallPolicy.Rules.Add(firewallRule)
            Response.Write("Authenticated TCP")
        End Sub
    
        Public Sub AddruleUDP(ipAddress As String, ruleName As String)
            'UDP RULE
            Dim firewallPolicy As INetFwPolicy2 = GetPolicy()
            If RuleExists(firewallPolicy, ruleName & ipAddress) Then Exit Sub
            Dim firewallRule As INetFwRule = DirectCast(Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FWRule")), INetFwRule)
            firewallRule.Action = NET_FW_ACTION_.NET_FW_ACTION_ALLOW
            firewallRule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN
            firewallRule.RemoteAddresses = IPAddress.Parse(ipAddress).ToString()
            firewallRule.Protocol = 17   ' UDP
            firewallRule.LocalPorts = "53"
            firewallRule.Enabled = True
            firewallRule.InterfaceTypes = "All"
            firewallRule.Name = ruleName & ipAddress
            firewallPolicy.Rules.Add(firewallRule)
            Response.Write("Authenticated UDP")
        End Sub
    
        ' Removing only needs the rule name; building a rule object first is unnecessary.
        ' Rules.Remove deletes the first rule with that name.
        Public Sub RemoveruleTCP(ipAddress As String, ruleName As String)
            'TCP RULE
            GetPolicy().Rules.Remove(ruleName & ipAddress)
            Response.Write("Removed TCP")
        End Sub
    
        Public Sub RemoveruleUDP(ipAddress As String, ruleName As String)
            'UDP RULE
            GetPolicy().Rules.Remove(ruleName & ipAddress)
            Response.Write("Removed UDP")
        End Sub
    End Class

    Hopefully someone can suggest a more streamlined approach.

    Also the thought remains, if I have inbound IP based rule for my specific port, how do I stop all others from using it?

    Thanks again!


    • Edited by mkiessli Friday, April 11, 2014 4:28 AM
    Friday, April 11, 2014 3:28 AM
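The question of keeping everyone else off the port once per-client allow rules exist comes down to rule precedence: Windows Firewall evaluates block rules before allow rules, so a block rule for one client wins over an allow rule for the same port, while an enabled inbound allow rule still scoped to Any (such as an untouched predefined DNS rule) keeps the port open to every host no matter how many per-IP rules sit beside it; narrowing that rule's scope, as the original question set out to do, or disabling it is what actually limits access. The audit below is an added example, not code from this thread: it walks the policy through the same HNetCfg COM interfaces used above and returns the names of enabled inbound allow rules for a given port and protocol that are still open to Any.

```csharp
using System;
using System.Collections.Generic;
using NetFwTypeLib;

// Added example, not code from the thread. Needs a reference to the NetFwTypeLib COM type
// library and administrative rights (under ASP.NET: an impersonated administrator).
public static class FirewallAudit
{
    // Protocol numbers as stored in INetFwRule.Protocol; 256 means "any protocol".
    public const int Tcp = 6, Udp = 17, AnyProtocol = 256;

    // True when a LocalPorts string ("53", "1433,3389", "8050-8053" or "*") covers the port.
    // Keyword entries such as "RPC" are not numeric and are treated as not matching.
    public static bool CoversPort(string localPorts, int port)
    {
        foreach (string part in (localPorts ?? "").Split(','))
        {
            string p = part.Trim();
            if (p == "*") return true;
            string[] range = p.Split('-');
            int lo, hi;
            if (range.Length == 2 && int.TryParse(range[0], out lo) && int.TryParse(range[1], out hi))
            {
                if (lo <= port && port <= hi) return true;
            }
            else if (int.TryParse(p, out lo) && lo == port) return true;
        }
        return false;
    }

    // Block rules are evaluated before allow rules, and an enabled inbound allow rule whose
    // remote scope is still "*" (Any) opens the port to every host regardless of the per-client
    // allow rules beside it. Returns the names of such rules (profile membership not checked).
    public static List<string> RulesOpenToAny(int port, int protocol)
    {
        var policy = (INetFwPolicy2)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
        var open = new List<string>();
        foreach (INetFwRule rule in policy.Rules)
        {
            if (!rule.Enabled || rule.Direction != NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN) continue;
            if (rule.Action != NET_FW_ACTION_.NET_FW_ACTION_ALLOW) continue;
            if ((rule.RemoteAddresses ?? "").Trim() != "*") continue;
            bool anyProto = rule.Protocol == AnyProtocol;   // no port filter applies to such rules
            if (anyProto || (rule.Protocol == protocol && CoversPort(rule.LocalPorts, port)))
                open.Add(rule.Name);
        }
        return open;
    }
}
// Usage: FirewallAudit.RulesOpenToAny(53, FirewallAudit.Udp) lists inbound DNS/UDP allow rules open to Any.
```

Any name it returns is a rule that should have its scope narrowed (the approach in the original question) or be disabled before the per-client rules have any restricting effect.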