Modifying Firewall Rules On a Unbooted System

If my subject wasn't clear, here is what I'm asking.
I want to know how I can "clear out", meaning restore to factory defaults, the firewall settings on an OS X Server installation. But not on the boot drive. My server has two drives. And as a last resort, I'd like to know how I can, while booted off it's backup drive, access the main boot drive and revert the firewall rules. That way I can boot off the main drive again, and have full access to the machine, where I can then go in and set it up again.
So I guess I need to know where on the filesystem these rules are stored. And if there is anything I have to do to flush old rules out. Again let me reiterate, I'm not talking about on a running OS X System, I'm talking about doing this to a secondary drive that isn't the boot drive.
Hopefully I won't need this information but just in case, best to have it on hand.
Thanks

If I understand you correctly...
On Leopard, it seems the firewall is started based on the presence of this file:
/etc/ipfilter/ipfwstate-on
If you remove it, the firewall should not be enabled allowing you to login and change the settings.

Similar Messages

How to setup user's rights to modify Windows Firewall Rules?

I would like to have an account in my system that doesn't have any other administrative privileges besides rights to modify the Windows Firewall rules by means of Firewall API. How to setup a minimal set of rights for this account to do the task?
Right now what I see is that if I try to call INetFwRule::put_RemoteAddresses from an account without administrative privileges, the call fails with access denied. There is no means to find out access to what is needed. The call fails even if the process
is run under high integrity level.
I tried to setup global security audit, but there were no relevant events logged.
I tried to monitor the process with procmon, there were no any access denied events logged.
I tried to give the full access for this account to the correspondent registry keys. It didn't help.
I stepped firewallapi.dll in a debugger and found out that what fails is an RPC call to some COM interface proxy. I assumed that probably it is a remote call to some HNetCfg.FwRule method. I tried to add the user account to the HNetCfg.FwRule launch and
access permission ACLs in the DCOM configuration utility. It didn't help either.
Dear Microsoft, why did you do such a simple thing as settings user rights so difficult? Can you reveal the secret what rights and privileges I have to set?
Thanks in advance.
Dei nostra Matrix est.

Here is what I found so far.
The firewall service calls RpcServerRegisterAuthInfo to setup RPC security from FwRpcAPIsRegisterAuthInfo. It happens during registration of RPC interfaces in FwRpcAPIsInterfaceCreate. FwRpcAPIsInterfaceCreate is called from FwRpcAPIsInitialize. And FwRpcAPIsInitialize
is used from FwServiceAsyncStartupRoutine.
After calling FwRpcAPIsRegisterAuthInfo function FwRpcAPIsInterfaceCreate calls ConvertStringSecurityDescriptorToSecurityDescriptor, which converts a textual description of a security descriptor to some binary form.
So my guess is that access rights are hard coded inside mpssvc.dll and what I have to do is just to find the textual representation of the correspondent descriptor.
I found 8 descriptors inside mpssvc.dll:
O:SYG:SYD:(A;;RCWD;;;BA)(A;;RCWD;;;NO)
O:SYG:SYD:(A;;RCWD;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;;RCWD;;;S-1-5-80-3526382388-830156861-4107432654-3665941875-1028450966)
O:SYG:SYD:(A;;RCWD;;;S-1-5-80-62724632-2456781206-3863850748-1496050881-1042387526)
O:SYG:SYD:(A;;RCWD;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)
O:SYG:SYD:(A;;RC;;;BA)(A;;RC;;;NO)(A;;RCWD;;;CY)
O:SYG:SYD:(A;;RCWD;;;BA)(A;;RCWD;;;NO)(A;;RC;;;CY)
O:SYG:SYD:(A;;RCWD;;;BA)(A;;RCWD;;;NO)(A;;RC;;;AU)
O:SYG:SYD:(A;;RC;;;AU)
I don't know yet which one corresponds to changing a firewall rule.
Dei nostra Matrix est.

0x8007000e (E_OUTOFMEMORY) while adding a firewall rule using the windows firewall COM API

Hello,
Configuration: Windows Embedded 8 64-bit.
I'm using the Windows Firewall with Advanced Security COM API. The program uses the INetFwRules interface. Basically, I'm using the following code (Form the code sample available here : http://msdn.microsoft.com/en-us/library/windows/desktop/dd339604%28v=vs.85%29.aspx.)
I get the error when performing "hr = pFwRules->Add(pFwRule);".
We can also encounter the problem when removing a rule (using pFwRules->Remove(ruleName);)
HRESULT hrComInit = S_OK;
HRESULT hr = S_OK;
INetFwPolicy2 *pNetFwPolicy2 = NULL;
INetFwRules *pFwRules = NULL;
INetFwRule *pFwRule = NULL;
long CurrentProfilesBitMask = 0;
BSTR bstrRuleName = SysAllocString(L"SERVICE_RULE");
BSTR bstrRuleDescription = SysAllocString(L"Allow incoming network traffic to myservice");
BSTR bstrRuleGroup = SysAllocString(L"Sample Rule Group");
BSTR bstrRuleApplication = SysAllocString(L"%systemroot%\\system32\\myservice.exe");
BSTR bstrRuleService = SysAllocString(L"myservicename");
BSTR bstrRuleLPorts = SysAllocString(L"135");
// Initialize COM.
hrComInit = CoInitializeEx(
0,
COINIT_APARTMENTTHREADED
// Ignore RPC_E_CHANGED_MODE; this just means that COM has already been
// initialized with a different mode. Since we don't care what the mode is,
// we'll just use the existing mode.
if (hrComInit != RPC_E_CHANGED_MODE)
if (FAILED(hrComInit))
printf("CoInitializeEx failed: 0x%08lx\n", hrComInit);
goto Cleanup;
// Retrieve INetFwPolicy2
hr = WFCOMInitialize(&pNetFwPolicy2);
if (FAILED(hr))
goto Cleanup;
// Retrieve INetFwRules
hr = pNetFwPolicy2->get_Rules(&pFwRules);
if (FAILED(hr))
printf("get_Rules failed: 0x%08lx\n", hr);
goto Cleanup;
// Create a new Firewall Rule object.
hr = CoCreateInstance(
__uuidof(NetFwRule),
NULL,
CLSCTX_INPROC_SERVER,
__uuidof(INetFwRule),
(void**)&pFwRule);
if (FAILED(hr))
printf("CoCreateInstance for Firewall Rule failed: 0x%08lx\n", hr);
goto Cleanup;
// Populate the Firewall Rule object
pFwRule->put_Name(bstrRuleName);
pFwRule->put_Description(bstrRuleDescription);
pFwRule->put_ApplicationName(bstrRuleApplication);
pFwRule->put_ServiceName(bstrRuleService);
pFwRule->put_Protocol(NET_FW_IP_PROTOCOL_TCP);
pFwRule->put_LocalPorts(bstrRuleLPorts);
pFwRule->put_Grouping(bstrRuleGroup);
pFwRule->put_Profiles(CurrentProfilesBitMask);
pFwRule->put_Action(NET_FW_ACTION_ALLOW);
pFwRule->put_Enabled(VARIANT_TRUE);
// Add the Firewall Rule
hr = pFwRules->Add(pFwRule);
if (FAILED(hr))
printf("Firewall Rule Add failed: 0x%08lx\n", hr);
goto Cleanup;
This works pretty well but, sometimes, at system startup, adding a rule ends up with the error 0x8007000e (E_OUTOFMEMORY) ! At startup, the system is always loaded cause several applications starts at the same time. But nothing abnormal. This is quite a random
issue.
According MSDN documentation, this error indicates that the system "failed to allocate the necessary memory".
I'm not convinced that we ran out of memory.
Has someone experienced such an issue? How to avoid this?
Thank you in advance.
Regards, -Ruben-

Does Windows 8 desktop have the same issue? Are you building a custom WE8S image, or are you using a full WE8S image? The reason I ask is to make sure you have the modules in the image to support the operation.
Is Windows Embedded 8.1 industry an option?
www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

Can't add a new Firewall Rule

I have a very curious issue: I cannot add any new firewall rules at all! Clicking on the New Button does nothing and on the console I get
System Preferences[487] * -[NSCFString objectForKey:]: selector not recognized [self = 0x3f11b0]
I have flushed the firewall with ipfw, deleted the plist file, repaired permissions but the problem ist still there. Any suggestions? (apart from reinstallation)
Adding Firewall Rules through ipfw works...

Whenever I use ipfw I lose the ability to use System Preferences. At first I thought that it compared kernel memory with the plist file and if it found a difference, assumed another firewall was running and disabled itself. But I also deleted the plist file (assuming it would build one from kmem) but that didn't work. Right now I assume there's another file somewhere. It wouldn't make any sense to keep another table in kmem. The weird part is that rules can be the same, but different sequence numbers will cause this problem. There weren't sequence numbers in the plist file, so there's probably another file somewhere.
I think your error is from the missing plist file. A reboot should clear it up.

Appending Firewall Rules to vShield Edge with PowerCLI Script

Hi,
I have a script which enables us to upload 4k worth of firewall rules, but every time it executes, all existing rules are over written.
Is this something to do with the API or just a scripting issue - if so, can anyone suggest how to append on to the existing set?
Update:
So obviously the following line seems to create a new instance of the firewall:
$fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
Because the next 3 lines after are setting the main firewall parameters again - something you wouldn't need to do if we were just adding new rules to the existing firewall.
$fwService.DefaultAction = "drop"
$fwService.LogDefaultAction = $false
$fwService.IsEnabled = $true
Is there a way to use a PowerShell command such as add-member rather than new-object?
param (
[parameter(Mandatory = $true, HelpMessage="vCD Server")][alias("-server","s")][ValidateNotNullOrEmpty()][string[]]$CIServer,
[parameter(Mandatory = $true, HelpMessage="Org")][alias("-vOrg","o")][ValidateNotNullOrEmpty()][string[]]$orgName,
[parameter(Mandatory = $true, HelpMessage="OrgNet")][alias("-orgNet","n")][ValidateNotNullOrEmpty()][string[]]$orgNet,
[parameter(Mandatory = $true, HelpMessage="CSV Path")][alias("-file","f")][ValidateNotNullOrEmpty()][string[]]$csvFile
# Add in the VI Toolkit
if ( (Get-PSSnapin -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue) -eq $null ) {
Add-PSsnapin VMware.VimAutomation.Core
if ( (Get-PSSnapin -Name VMware.VimAutomation.Cloud -ErrorAction SilentlyContinue) -eq $null ) {
Add-PSsnapin VMware.VimAutomation.Cloud
try {
Connect-CIServer -Server $CIServer 2>&1 | out-null
} catch {
Exit
#Search EdgeGW
try {
$myOrgNet = Get-Org -Name $orgName | Get-OrgNetwork -Name $orgNet
$edgeHREF = $myOrgNet.ExtensionData.EdgeGateway.Href
$edgeView = Search-Cloud -QueryType EdgeGateway -ErrorAction Stop | Get-CIView | where {$_.href -eq $edgeHREF}
} catch {
[System.Windows.Forms.MessageBox]::Show("Exception: " + $_.Exception.Message + " - Failed item:" + $_.Exception.ItemName ,"Error.",0,[System.Windows.Forms.MessageBoxIcon]::Exclamation)
Exit
#Item to Configure Services
$edgeView.Configuration.EdgeGatewayServiceConfiguration
$fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
$fwService.DefaultAction = "drop"
$fwService.LogDefaultAction = $false
$fwService.IsEnabled = $true
$fwService.FirewallRule = @()
Ipcsv -path $csvFile |
foreach-object
$fwService.FirewallRule += New-Object vmware.vimautomation.cloud.views.firewallrule
$rowNum = $_.Num -as [int]
$fwService.FirewallRule[$rowNum].description = $_.Descr
$fwService.FirewallRule[$rowNum].protocols = New-Object vmware.vimautomation.cloud.views.firewallRuleTypeProtocols
switch ($_.Proto)
"tcp" { $fwService.FirewallRule[$rowNum].protocols.tcp = $true }
"udp" { $fwService.FirewallRule[$rowNum].protocols.udp = $true }
"any" { $fwService.FirewallRule[$rowNum].protocols.any = $true }
default { $fwService.FirewallRule[$rowNum].protocols.any = $true }
$fwService.FirewallRule[$rowNum].sourceip = $_.SrcIP
if ($_.SrcPort -eq "any" ) { $srcPort = "-1" } else { $srcPort = $_.SrcPort }
$fwService.FirewallRule[$rowNum].sourceport = $srcPort
$fwService.FirewallRule[$rowNum].destinationip = $_.DstIP
$fwService.FirewallRule[$rowNum].destinationportrange = $_.DstPortRange
$fwService.FirewallRule[$rowNum].policy = $_.Policy
#$fwService.FirewallRule[$rowNum].direction = $_.Direction
#$fwService.FirewallRule[$rowNum].MatchOnTranslate = [System.Convert]::ToBoolean($_.MatchOnTranslate)
$fwService.FirewallRule[$rowNum].isenabled = [System.Convert]::ToBoolean($_.isEnabled)
$fwService.FirewallRule[$rowNum].enablelogging = [System.Convert]::ToBoolean($_.EnableLogging)
#configure Edge
$edgeView.ConfigureServices($fwService)
Thanks,
Scott.

Hi,
Agree with Ed, you can publish CAS array VIP to internet, and use it to configure Federated Delegation.
Thanks.
Niko Cheng
TechNet Community Support

Is it possible to copy the SoD rules in the same system to diff. Rule SetId

Hi all,
We have created SoD rules as per our business requirement in RAR 5.3 Component connecting to the QA system. We want to copy the same rules into another different RULE SET for the same QA system. Is this possible?
Ex: ABRULE SET - Tailored as per Business Requirement and generated rules linking to QA system [Manually configured the SoD rules].We will use this Rule set for our Production System as it was frozen as per the Business Requirement (This we will do by establishing another JCO to production system)
We wanted to copy the entire SoD rules of ABRULESET to another rule set say YZRULESET. This YZRULESET we will use for making any configuration changes in future before making changes to ABRULESET which will be connected to Production System.
Is it possible to copy the SoD RULES from one Rule Set ID to another Rule Set ID within the same system? If yes, please provide us the procedure on how to copy the rules of one Rule set Id to another Rule set ID.
We explored the options of Export & Import Rules but no where it asked for new Rule Set ID for copying.
Thanks and Best Regards,
Srihari.K

Here is a method I've seen a few customers use, which seems like a good idea:
- load the standard rule set
- create a new empty rule set
- create your risks in the new rule set ( initially this could be a re-import of the risks, risk_desc and risk_ruleset files with a few changes done in excel to change the IDs)
This means you have an exact copy of the SAP standard risks in your own rule set, using the SAP functions.
Even if you have to define your own risks, there's an enormous value in the functions. The identification of TCodes and objects that do similar business transactions is probably the most difficult thing to reproduce on your own.
Now, whenever you have to change a risk (risk level, description, owner) you do that in your own name space
If you have to change a function (modify objects, add custom TCodes), you COPY the function to your own name space and change the risk in your name space to use the changed function.
If you want to be smart, you do all your own stuff in copies of the text files that come with the support packs (i.e. not in rule architect). That may not be an option if your compliance requirements want you to use the change history or automatic workflows that RAR provides, but if you don't need that, here's the advantage of this:
When a new set of rules arrives every few months, you delete your rules with a deletion script you can get from SAP support, upload the standard rule text files, upload your own text files, and you're set with your own rule set that makes use of SAP's latest updated functions.
This is (currently) basically the only way to automatically apply SAP changes without doing it manually, thus leveraging changes to functions by SAP.
All your changes will be in your own text files, which you can document and version control according to your requirements.
Not exactly the way according to the manual, but an interesting concept worth considering.

Winfows Firewall rule

Hi all
i need a script for enable firewall rules with inbound and outbound rules
please help me

PowerShell 3.0 does not include the NetSecurity module or its cmdlets. To use those cmdlets, you will need PowerShell 4.0 on Windows 8.1 or Server 2012 R2.
In order to modify the Windows Firewall in earlier versions of Windows you will need to use netsh. This windows programs can be used in the PowerShell console and used inside PowerShell scripts. Please keep in mind that netsh is different between different
versions of Windows. The netsh commands you use in XP are different than in Windows Vista and Windows 7. This was due to the introduction of the Windows Firewall with Advanced Security in Windows Vista vs Windows Firewall introduced in XP SP2.
I am not aware of a way to modify WF with WMI.
This URL has some examples of using netsh firewall and netsh advfirewall.
http://support.microsoft.com/kb/947709/en-us
Edit: Added URL

Security Firewall Rules

I've created an HTML DB, Public, Internet application. Now the System Administrator is creating rules in the Firewall to tighten up security.
Specifically, he wants to limit internet users so the can only access the application and certain pages:
/<servername>:8080/pls/htmldb/f?p=###:#
Everything is working a-ok, untill we discovered that the date picker item and the help message popup submits urls that do not appear standard f?p=. These popup windows require separate firewall rules to allow the word FLOW etc.
We have the rules worked out for this application. However, I need to know all possible html urls that HTML DB might submit so I can be better prepared to secure HTML DB pages.
Does this question make sense? In other words, when running an HTML DB application, I can see the f?p=# in the Browser's Address bar. I cannot, however, see the url submitted when a date_picker field is selected.
What are the possible URLs that HTML DB might submit. I don't need every possible URL because wild cards are used in the firewall rules.
Thanks in Advance

TR - I'd start with this list:
F
P
Z
HTMLDB
HTMLDB_ADMIN
HTMLDB_LOGIN
WWV_FLOW
WWV_FLOW_ITEM_HELP
WWV_FLOW_FILE_MGR
HTMLDB_UTIL
WWV_FLOW_UTILITIES
HTMLDB_CUSTOM_AUTH
WWV_FLOW_CUSTOM_AUTH_STD
WWV_SPELING
Scott

What Specific Firewall Rules are Needed for the DPM Server?

Hello,
We want to confirm which firewall ports need to be opened on the DPM server (not protected servers) for all DPM processes, so that we can set these rules in group policy. Below are what we
think are the needed rules. Note that we have rules for both new DPM 2012 installs and upgrades from DPM 2010 to 2012, since these use different program paths.
Rule Name
Program Path
Protocol
Local Port
DPM 2012 DCOM Port
Any
TCP
135
DPM 2012 AM Port
Any
TCP
6075
DPM 2012 RTM Agent Coordinator
C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.0.1908.0\dpmac.exe
Any
Any
DPM 2012 SP1 Agent Coordinator
C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.1.3313.0\dpmac.exe
Any
Any
DPM 2012 R2 Agent Coordinator
C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.2.1205.0\dpmac.exe
Any
Any
DPM 2012 AM Service Host (New Install
%ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\AMSvcHost.exe
Any
Any
DPM 2012 AM Service Host (Upgrade Install)
%ProgramFiles%\Microsoft DPM\DPM\bin\AMSvcHost.exe
Any
Any
DPM 2012 DPM AM Service (New Install)
%ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMAMService.exe
Any
Any
DPM 2012 DPM AM Service (Upgrade Install)
%ProgramFiles%\Microsoft DPM\DPM\bin\DPMAMService.exe
Any
Any
DPM 2012 MSDPM (New Install)
%ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\msdpm.exe
Any
Any
DPM 2012 MSDPM (Upgrade Install)
%ProgramFiles%\Microsoft DPM\DPM\bin\msdpm.exe
Any
Any
DPM 2012 DPMRA (New Install)
%ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMRA.exe
Any
Any
DPM 2012 DPMRA (Upgrade Install)
%ProgramFiles%\Microsoft DPM\DPM\bin\DPMRA.exe
Any
Any
Questions:
Are any of these rules not needed?
We know the Agent Coordinator rules are needed on protected servers. Are they also needed on the DPM server (including if we use secondary DPM servers)?
The DPM Configuring Firewalls TechNet page says DCOM uses TCP 135 and the RPC Dynamic ports. Does that mean we also need a rule that opens all TCP RPC Dynamic ports for
any program? Or is this not necessary since we have rules for msdpm.exe and dpmra.exe? Reference:
http://technet.microsoft.com/en-us/library/hh757794
What other rules may be missing, if any?
Note that we do not include rules for ports 53 (DNS), 88 (Kerberos), 389 (LDAP), 137-139 & 445 (NetBIOS) because we already open these ports in other group policy objects.
Also, the below forums post says two exceptions for SQL Server are needed on the DPM server to allow the Remote Administrator console to work. Is there any documentation in the DPM TechNet site on these rules?
http://social.technet.microsoft.com/Forums/en-US/aa88fd00-6836-46d3-8a93-edb487109118/dpm-2012-remote-administration?forum=dataprotectionmanager
Thanks,
-Taylorbox

Does anyone have any comments on this post? We would especially appreciate some input from Microsoft reps to help us ensure we're setting up the correct firewall rules.
Thanks,
-Taylorbox

Editing firewall rules: adding ip addresses into firewall rule

I foud a out to use "netsh advfirewall firewall set rule name = "name" new remoteip=1.1.1.1" for setting an ip address into a rule.
But how can I add an ip to the rule? In this case I would replace the IP adresses and not add one.
Background is that I have a firewall rule on my FTP Server to block several ip ranges due normal brute force attacks. This works but I plan to write a program for this to do this automaticly. So I need to append the list.
Any hints?

Thank you for the reply.
Meanwhile I found a way which is ok for me.
Background:
I have a public FTP which I want to limit the access to my country only because this would be enough. The advantage of doeing this is that I can avoid bruteforce attacks from other countries (mostly from Asia).
I wrote a text file with the information which is needed for the netsh. Here I can modify the text.
In this script I looked for the provider addresses from ripe.net.
pushd advfirewall
set store gpo=<policy>
popd
pushd advfirewall firewall
set rule name="FTP (eingehend)" new remoteip=194.25.0.0/16,193.158.0.0/16,193.159.0.0/16,195.145.0.0/16,62.156.0.0/16,195.243.0.0/16,62.157.0.0/16,212.184.0.0/16,212.185.0.0/16,62.158.0.0/16,62.159.0.0/16,62.155.0.0/16,62.154.0.0/16,62.153.0.0/16,62.224.0.0/16,62.225.0.0/16,62.226.0.0/15,217.0.0.0/13,217.80.0.0/12,217.224.0.0/11,80.128.0.0/11,81.28.64.0/20,84.128.0.0/10,87.128.0.0/11,87.160.0.0/11,91.0.0.0/10,79.192.0.0/10,93.192.0.0/10,160.44.0.0/16,164.16.0.0/12,164.32.0.0/15,164.34.0.0/16,195.50.128.0/19,195.50.160.0/19,212.144.0.0/16,145.253.0.0/16,145.254.0.0/16,213.23.0.0/17,213.23.128.0/17,82.82.0.0/15,84.56.0.0/13,88.64.0.0/12,92.72.0.0/13,94.216.0.0/13,188.96.0.0/12,212.59.32.0/19,81.14.128.0/17,89.182.0.0/15,89.182.0.0/15,89.14.0.0/15,77.176.0.0/12,93.128.0.0/13,95.112.0.0/12,151.189.128.0/17,151.189.64.0/18,151.189.0.0/18,80.226.0.0/16,90.186.0.0/15,77.24.0.0/15,193.254.128.0/19,193.254.160.0/20,80.187.0.0/16,88.128.0.0/16,212.23.96.0/19,92.116.0.0/15,188.46.0.0/16,193.100.0.0/15,193.96.0.0/14,193.102.0.0/16,193.103.0.0/16,194.115.0.0/16,194.139.0.0/16,194.172.0.0-194.175.255.255,193.155.0.0/16,195.124.0.0-195.127.255.255,213.68.0.0/16,213.69.0.0/16,213.70.0.0/15,195.90.0.0/19,195.158.160.0/19,212.202.0.0/16,213.160.0.0/19,213.148.128.0/19,217.146.0.0/16,212.60.192.0/18,83.236.0.0/16,84.245.128.0/18,87.193.0.0/16,87.234.0.0/16,92.192.0.0/11,83.169.128.0/18,88.134.0.0/16,91.64.0.0/14,77.20.0.0/14,95.88.0.0/14,188.192.0.0/14,195.80.192.0/19,195.32.128.0/17,212.63.32.0/19,212.5.0.0/19,212.4.160.0/19,212.84.192.0/18,212.110.192.0/19,212.105.192.0/19,194.140.96.0/19,62.145.0.0/19,212.99.128.0/18,212.99.192.0/19,62.206.0.0/16,62.8.128.0/17,217.78.160.0/20,213.217.64.0/18,82.113.96.0/19,89.204.128.0/19,194.97.0.0/16,62.104.0.0/16,195.20.224.0/19,212.227.0.0/16,213.165.64.0/19,217.72.192.0/20,217.160.0.0/16,2.165.0.0/16,87.106.0.0/16,93.122.0.0/17,193.254.128.0/19,193.254.160.0/20,80.187.0.0/16,88.128.0.0/16,172.16.0.0/16

Add firewall rule with custom environment variable in program path

Hi,
We want to create a firewall rule for a program which is placed in folder which changes sometimes. I know you can add a firewall with the ProgramFiles environment variable like this:
netsh advfirewall firewall add rule name="Test Firewall rule" dir=in program="%%ProgramFiles%%\Test\Test.exe" action=allow security=notrequired
The environment variable ProgramFiles isn't expanded and if the Program Files folder is different on a system the rule still works.
We try to use this with a custom environment variable which we set a system environment variable with this command:
SETX SomeFolder "D:\Some Folder\Apr 2015" /M
If we use the command below to add the firewall rule in a batch file the environment variable SomeFolder is expanded correctly and the program path is added as a static path.
netsh advfirewall firewall add rule name="Some Firewall Rule" dir=in program="%SomeFolder%\AFile.exe" action=allow security=notrequired
Because the folder changes sometimes we want to change the environment variable SomeFolder and not remove the old firewall rule and create a new one. We want to add the environment variable SomeFolder to the program path as a (dynamic) environment variable
and not as the expanded path at the moment when the rule is added. If we use this command:
netsh advfirewall firewall add rule name="Some Firewall Rule" dir=in program="%%SomeFolder%%\AFile.exe" action=allow security=notrequired
We get the error:
          Windows Firewall with Advanced Security
          An error occurred while adding the rule.
          Error: The parameter is incorrect
          Status: The application name could not be resolved
          OK
Why can't we use %%SOMEFOLDER%% like we can use %%PROGRAMFILES%%? The same error is shown when we try to add the firewall rule through the management console 'Windows Firewall with Advanced Security'
W. Spu

Hi,
Based on my plenty of test with this problem, it seems like there is no better method to achieve your requirement. To add new policy to firewall, it would be better using general cmdlet. The path parameter like %%SomeFolder%% do have problem in add firewall
policy cmdlet.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Ensure that the firewall rules are activated every time you restart

I'm trying to set up a server and the Getting Started guide recommends doing this but it doesn't have Arch-specific instructions. How do I go about doing this?
The Debian/Ubuntu way which seems simple to me is :
sudo nano /etc/network/if-pre-up.d/firewall
and then copy this into the file :
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
And then making it executable for the current user/group.
Will this work on Arch? I'm just trying to be cautious.
What's the Arch way for re-instating rules upon a complete reboot of the system?

Well, there's iptables-save and there's
$ cat /usr/lib/systemd/system/iptables.service [~]
[Unit]
Description=Packet Filtering Framework
[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Last edited by lucke (2015-01-20 21:42:59)

How to reload firewall rules from command line on firewall ?

Hi all,
I am trying to create script that controls firewall on server. OS version is OS X Server 10.5.6.
Part of firewall rules is created using firewall admin tools, part of Server Admin Tools. My first question is where are those rules stored permanently ? As far as I understood it should be set of ipfw rules but they are not stored in /etc/ipfilter/ipfw.conf.
Idea of script is this:
I have set of rules that should be controlled by Server Admin Tools.
Also, I have some dynamic rules.
Whenever some change occurs, I created script that does following:
/sbin/ipfw -f flush - to flush all existing rules
/sbin/serveradmin stop ipfilter - to stop existing firewall
/sbin/serveradmin start ipfilter - to restart firewall and reload permanent rules
Add my set of rules...
After flushing all rules and issuing stop and start ipfilter none of rules set through Server Admin Tools are not reloaded. So how should I reload them ? How to save them permanently in the first place ?
Please note that I do not have access to server (for security reasons). I am developing script on my Mac, sending to client and he tests it. So I cannot do a lot of testing.
Thank you in advance.
Best regards,
Dusan

Unix and Terminal queries are best posted to the Unix forum under OS X Technologies where those mavens frolic.

HT1507 I do not see a firewall tab when going to System Preferences Sharing?

I do not see a firewall tab when going to System Preferences>Sharing.
I am unable to make or receive iChat video calls.
Trying to figure out what is going on with my router.

Hi,
For others.
The Firewall is in System Preferences > Security > Firewall
There are then slight variances in Leopard and Snow Leopard/Lion about when you turn it ON and when you can access the Advanced Button
If it is set to ON then you need to go to the Advanced Button and Enable Allow Signed software
You may also need to add iChat (Or message beta) to the List.
NOTE
Enabling Stealth will stop iChat/Messages from working.
8:28 PM Wednesday; March 28, 2012
Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
 iMac 2.5Ghz 5i 2011 (Lion 10.7.3)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.6.8),
"Limit the Logs to the Bits above Binary Images."  No, Seriously

SA 540 INBOUND FIREWALL RULES NOT WORKING

Hi all,
I am having trouble configuring the firewall for the SA 540.
client 1 (160.222.46.154) ----- switch ------ sa 540 ------ cisco 887 W ------ client 2 (50.0.0.10).
client 1 can ping client 2, however client 2 cannot ping client 1. The default outbound policy (allow all) is set on the sa 540, and I have tried configuring a blanket ipv4 rule on the sa 540 to allow 'all' to 'any' (for all services) related to traffic from the WAN to LAN, and visa versa. The output from the logs are as follows:
Fri Jan 7 13:43:04 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
Component: KERNEL
Fri Jan 7 13:43:09 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
Component: KERNEL
Fri Jan 7 13:43:14 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=UDP SPT=60737 DPT=53
Component: KERNEL
Basically any connection identified as coming in from the WAN (i.e. IN=WAN) is dropped. I set up a new vlan on the cisco 887 W, in the 160.222.46.x address space, and connected a spare port directly to the sa 540 and had no problem testing connectivity to any device via ping. Obviously the zone communication is LAN to LAN and firewall treats the traffice differently.
I assumed that creating an all encompassing rule to allow all trafiic, for all services, between the LAN and WAN (in both directions) would be equivalent to placing the appliance in PASS THROUGH mode? There is no securtiy set on the 887 W or the switch.
Also is anybody could explain what 'SELF' means in the conttext IN=SELF or OUT=SELF it would be much appreciated. Firmware is latest.
Thank you.
Regards
Marc

On closer analysis and with some help from Experts Exchange it did seem non sensical to have both the IN and OUT as the WAN interface, but I had literally exhausted every avenue possible bar 1- changing the routing mode to CLASSIC and configuring a static route (which was at a higher administrative level than my RIP advertised routes) and took preferece when forwarding the packets.
Now the SA540 firewall rules work as I would expect and I can route between all zones. To summise it appears as if the Double NAT from the router (887W) and then the SA540 was the issue, and the innability to configure any workaround in the interface of the SA54O firewall rules.
It really makes you appreciate the power of the command line and the full scope of CIsco's command line options. Does anybody know if (and how) it would be possible to configure Double NAT on the SA540?
Regards
Marc

Modifying Firewall Rules On a Unbooted System

Similar Messages

Maybe you are looking for