Question:
We define a new Windows firewall rule for some program to accept inbound TCP connections on some port. This can be done using either the netsh.exe utility or the PowerShell New-NetFirewallRule cmdlet. For example, here’s a sample command to allow notepad.exe to accept TCP connections on port 5001 (I know, notepad can’t do that):
```powershell
New-NetFirewallRule -program "C:\windows\System32\notepad.exe" -direction Inbound -Action Allow -Protocol tcp -LocalPort 5001 -Name "Testing Notepad on port 5001" -DisplayName "Testing Notepad on port 5001"
```
To retrieve/view this rule, one can again use netsh.exe or the Get-NetFirewallRule cmdlet.
Ideally we’d like to use PowerShell Get-NetFirewallRule, but we are not able to view the actual program path that was used when the rule was created.
Here’s the output of netsh.exe:
```
netsh advfirewall firewall show rule name="Testing Notepad on port 5001" verbose

Rule Name:                            Testing Notepad on port 5001
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            5001
RemotePort:                           Any
Edge traversal:                       No
Program:                              C:\windows\System32\notepad.exe
InterfaceTypes:                       Any
Security:                             NotRequired
Rule source:                          Local Setting
Action:                               Allow
Ok.
```
Here’s the output of the Get-NetFirewallRule cmdlet:
```
Get-NetFirewallRule -Name "Testing Notepad on port 5001" | Format-list *

Name                    : Testing Notepad on port 5001
ID                      : Testing Notepad on port 5001
Group                   :
Platform                : {}
LSM                     : False
DisplayName             : Testing Notepad on port 5001
Enabled                 : True
Profile                 : Any
Direction               : Inbound
Action                  : Allow
EdgeTraversalPolicy     : Block
PrimaryStatus           : OK
Status                  : The rule was parsed successfully from the store. (65536)
EnforcementStatus       : NotApplicable
PolicyStoreSourceType   : Local
Caption                 :
Description             :
ElementName             : Testing Notepad on port 5001
InstanceID              : Testing Notepad on port 5001
CommonName              :
PolicyKeywords          :
PolicyDecisionStrategy  : 2
PolicyRoles             :
ConditionListType       : 3
CreationClassName       : MSFT|FW|FirewallRule|Testing Notepad on port 5001
ExecutionStrategy       : 2
Mandatory               :
PolicyRuleName          :
Priority                :
RuleUsage               :
SequencedActions        : 3
SystemCreationClassName :
SystemName              :
DisplayGroup            :
LocalOnlyMapping        : False
LooseSourceMapping      : False
Owner                   :
Platforms               : {}
PolicyStoreSource       : PersistentStore
Profiles                : 0
RuleGroup               :
StatusCode              : 65536
PSComputerName          :
CimClass                : root/standardcimv2:MSFT_NetFirewallRule
CimInstanceProperties   : {Caption, Description, ElementName, InstanceID...}
CimSystemProperties     : Microsoft.Management.Infrastructure.CimSystemProperties
```
Any suggestions or ideas on retrieving the program path, port, protocol, etc., using a PowerShell cmdlet?
Answer:
You should use the Get-NetFirewall*Filter cmdlets for this.
```
PS> Get-Command Get-NetFirewall*Filter

CommandType     Name                                    Version    Source
-----------     ----                                    -------    ------
Function        Get-NetFirewallAddressFilter            2.0.0.0    NetSecurity
Function        Get-NetFirewallApplicationFilter        2.0.0.0    NetSecurity
Function        Get-NetFirewallInterfaceFilter          2.0.0.0    NetSecurity
Function        Get-NetFirewallInterfaceTypeFilter      2.0.0.0    NetSecurity
Function        Get-NetFirewallPortFilter               2.0.0.0    NetSecurity
Function        Get-NetFirewallSecurityFilter           2.0.0.0    NetSecurity
Function        Get-NetFirewallServiceFilter            2.0.0.0    NetSecurity
```
All of these cmdlets have an -AssociatedNetFirewallRule parameter, which accepts pipeline input.
In your case, you can use the following command:
```powershell
Get-NetFirewallRule -Name "Testing Notepad on port 5001" | Get-NetFirewallApplicationFilter
```
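To get the program path, port, protocol and remote address of a rule in one object, the application, port, address and service filters can be joined per rule. The following is an added example (not part of the answer above); it assumes the NetSecurity module on Windows 8 / Server 2012 or later, the rule name from the question, and a hypothetical helper named Get-FirewallRuleDetail.

```powershell
# Added example: join a rule with its filter objects into one audit-friendly view.
# Assumes the NetSecurity module; Get-FirewallRuleDetail is a hypothetical helper.
function Get-FirewallRuleDetail {
    [CmdletBinding()]
    param(
        # Rule objects from Get-NetFirewallRule, accepted from the pipeline
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.Management.Infrastructure.CimInstance[]]$Rule
    )
    process {
        foreach ($r in $Rule) {
            # Each filter cmdlet binds the rule to -AssociatedNetFirewallRule via the pipeline
            $app  = $r | Get-NetFirewallApplicationFilter
            $port = $r | Get-NetFirewallPortFilter
            $addr = $r | Get-NetFirewallAddressFilter
            $svc  = $r | Get-NetFirewallServiceFilter

            [pscustomobject]@{
                Name          = $r.Name
                DisplayName   = $r.DisplayName
                Enabled       = $r.Enabled
                Direction     = $r.Direction
                Action        = $r.Action
                Profile       = $r.Profile
                Program       = $app.Program            # "Any" when no program is set
                Service       = $svc.Service
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemotePort    = ($port.RemotePort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
    }
}

# The rule from the question: Program, Protocol and LocalPort now appear together
Get-NetFirewallRule -Name "Testing Notepad on port 5001" | Get-FirewallRuleDetail

# Review view: enabled inbound Allow rules bound to a program outside the Windows
# directory and reachable from any remote address, which are the ones worth a second look
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Get-FirewallRuleDetail |
    Where-Object {
        $_.Program -ne 'Any' -and
        $_.Program -notlike "$env:SystemRoot\*" -and
        $_.RemoteAddress -eq 'Any'
    } |
    Format-Table Name, Program, Protocol, LocalPort, RemoteAddress -AutoSize
```

The cmdlets read the persistent store by default; add -PolicyStore to Get-NetFirewallRule to inspect a GPO-delivered rule set instead.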