Email Password Remember me?  Lost your password?

Introduction

During the installation of my application, I needed to add it to the Windows firewall as an allowed application and open two ports for another application. This code will function as a custom action during the install to open the firewall on install and close it on uninstall. In trying to keep things as simple as possible, the following C# class library will be called from the setup - openFirewall() and closeFirewall().

First, I generated the FWSetupAction project as a C# class library. After that, I use the properties page to switch the output type to a console application to step through it with the debugger. When it's operational, switch back to the class library for integration with the MSI setup logic and incorporate it as a custom action.

After the initial project creation, rename Class1.cs to Firewall.cs in the Solution Navigator. If you're writing code anew, add the NetFwTypeLib reference first to allow intellisense to help you recognize the terms you'll be coding. This reference will be required for correct compilation, so whether you put it in before coding or after doesn't matter, but it will be needed. To add the reference, right click on References and select Browse. Browse to %windir%\system32\hnetcfg.dll and select it - the NetFwTypeLib will be created.

Edit the Firewall.cs class to have the following code:

using System;
using System.Collections.Generic;
using System.Text;
using System.Reflection;
using NetFwTypeLib;
using Microsoft.Win32;
namespace FWSetupAction
{
public class Firewall
{
    protected int[] discoPorts = { 0xD100, 0xD101 };
    protected INetFwProfile fwProfile;

    public void openFirewall()
    {
        ///////////// Firewall Authorize Application ////////////
        String imageFilename = getImageFilename();
        setProfile();
        NetFwAuthorizedApplications apps = fwProfile.AuthorizedApplications;
        INetFwAuthorizedApplication app = 
          ( INetFwAuthorizedApplication ) getInstance( "INetAuthApp" );
        app.Name = "Application Name";
        app.ProcessImageFileName = imageFilename;
        apps.Add( app );
        apps = null;

        //////////////// Open Needed Ports /////////////////
        INetFwOpenPorts openports = fwProfile.GloballyOpenPorts;
        foreach( int port in discoPorts )
        {
            INetFwOpenPort openport = 
              ( INetFwOpenPort ) getInstance( "INetOpenPort" );
            openport.Port = port;
            openport.Protocol = NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_UDP;
            openport.Name = "New Open Port";
            openports.Add( openport );
        }
        openports = null;
    } // openFirewall

    public void closeFirewall()
    {
        String imageFilename = getImageFilename();
        setProfile();
        INetFwAuthorizedApplications apps = fwProfile.AuthorizedApplications;
        apps.Remove( imageFilename );
        apps = null;
        INetFwOpenPorts ports = fwProfile.GloballyOpenPorts;
        ports.Remove( discoPorts[ 0 ], NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_UDP );
        ports.Remove( discoPorts[ 1 ], NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_UDP );
        ports = null;
    }

    protected string getImageFilename()
    {
        // Get install directory from the registry
        RegistryKey pRegKey = Registry.LocalMachine;
        pRegKey = pRegKey.OpenSubKey( "SOFTWARE\\Company Directory\\AppDir" );
        Object insDir = pRegKey.GetValue( "InstallDir" );
        return insDir + "RVP.exe";
    }

    protected void setProfile()
    {
        // Access INetFwMgr
        INetFwMgr fwMgr = ( INetFwMgr ) getInstance( "INetFwMgr" );
        INetFwPolicy fwPolicy = fwMgr.LocalPolicy;
        fwProfile = fwPolicy.CurrentProfile;
        fwMgr = null;
        fwPolicy = null;
    }

    protected Object getInstance( String typeName )
    {
        if( typeName == "INetFwMgr" )
        {
            Type type = Type.GetTypeFromCLSID(
            new Guid( "{304CE942-6E39-40D8-943A-B913C40C9CD4}" ) );
            return Activator.CreateInstance( type );
        }
        else if( typeName == "INetAuthApp" )
        {
            Type type = Type.GetTypeFromCLSID(
            new Guid( "{EC9846B3-2762-4A6B-A214-6ACB603462D2}" ) );
            return Activator.CreateInstance( type );
        }
        else if( typeName == "INetOpenPort" )
        {
            Type type = Type.GetTypeFromCLSID(
            new Guid( "{0CA545C6-37AD-4A6C-BF92-9F7610067EF5}" ) );
            return Activator.CreateInstance( type );
        }
        else return null;
    }

    static void Main( string[] args )
    {
        Firewall fw = new Firewall();
        fw.openFirewall();
        fw.closeFirewall();
    }
}
}

Once compiled, you're ready to test. Set a breakpoint on each of the firewall entry methods - openFirewall() and closeFirewall(), and step through the program. Use a DOS box to verify the operations. The netsh firewall command will verify the operation of the code:

• netsh fire show allowed - shows the programs that are allowed
• netsh fire show port - shows the ports that are open

Acknowledgements

• Thanks to Moah, a Windows XP SP2 Firewall Controller, http://www.codeproject.com/w2k/WinXPSP2Firewall.asp
• Thanks too to Dan Agonistes, Windows XP Service Pack 2 and the Windows Firewall, http://danagonistes.blogspot.com/2004/06/windows-xp-service-pack-2-and-windows.html.

You must Sign In to use this message board.

Per page 102550

FirstPrevNext

NetFwAuthorizedApplications type triplebit 7:10 25 Sep '09   Sorry but the following line will not compile since NetFwAuthorizedApplications is an uknown type. Am I doing somthing wrong? Regards David Sign In·View Thread·PermaLink Re: NetFwAuthorizedApplications type Donsw 11:36 27 Oct '09   He had a typo it should be INetFwAuthorizedApplications cheers, Donsw My Recent Article : CDC - Change Data Capture Sign In·View Thread·PermaLink good for xp Donsw 8:00 18 Sep '09   This is good for xp, but the file is different for vista and xp so the same code will not work on both. You might want to update your article. cheers, Donsw My Recent Article : CDC - Change Data Capture Sign In·View Thread·PermaLink Does it work on vista? David Engler 11:10 29 May '08   I tried this code on vista, and it didnt seem to be working Sign In·View Thread·PermaLink 2.00/5 Re: Does it work on vista? Jmgxu 4:57 21 Dec '08   Add reference to system32/FirewallAPI.dll on vista Sign In·View Thread·PermaLink Help anybody - very peculiar bug Dave Midgley 9:13 28 Nov '07   Don or anybody I implemented your code in a very simple test program with an Add button that adds the application to the firewall list, and a Remove button that removes it. This works absolutely fine. Then I called the same code from an Installer class as part of the install custom action, so that when I install the program it adds itself to the firewall list. In this case the call to INetFwAuthorizedApplications.Add(INetFwAuthorizedApplication) throws a System.InvalidCastException. I am completely mystified as to why this should happen. If anyone else has experienced this problem I would be delighted to hear from them - if they've solved it that would be even better! Dave Sign In·View Thread·PermaLink Re: Help anybody - very peculiar bug [modified] Don Hamson 0:31 29 Nov '07   Issues with an "Installer class" vs. a normal application introduces many considerations that are very different from the core code in the example. When your Installer class executes, it's within the context of Microsoft's installer - msiexec which is a database and functionality combined to perform MS sanctified installations. They consider the authority to perform these operations, the ability to rollback operations; acceptability based on the concept of advertised functionality, etc. To be honest, I did get the example to work as an installer class when I first developed it using msiexec installing for Administrators as an Administrator; however for needing to install my application for unpriviledged users there were many msiexec context issues that I didn't have time to work through and ended up not using msiexec. For downloading some Google software, I noticed that they used the NSIS installer http://nsis.sourceforge.net/Main_Page. It's Windows specific, easy to learn and use, allows rebranding, looks very professional; and your executables behave like normal applications; ie you probably won't get the class cast exception running under NSIS. It could be too that Microsoft views this functionality as a security hole as mentioned in a previous thread and so the cast exception is intentional; or the underlying functionality may have changed and the example now has a bug. For me, I wasn't interested in becoming an install expert and soon reached diminishing returns with msiexec issues. I just needed my app installed as a priviledged app with those needed ports open. -- modified at 5:36 Thursday 29th November, 2007 Don Sign In·View Thread·PermaLink Setting things back to null Dave Midgley 8:16 28 Nov '07   I notice that you explicitly set a lot of the COM objects to null after they have been used. I would have thought this would be handled by the garbage collector, or is this an aspect of calling COM from managed code that I don't know about? Dave Sign In·View Thread·PermaLink Re: Setting things back to null Don Hamson 23:33 28 Nov '07   The tought behind that is that managed code will garbage collect when client references are null. And it is true that interface references are relinquished when the code runs out-of-scope; but lighter is better and I've had to debug memory loss issues in C++ code for forgetting to be explicit about it. Old habits I guess. Don Sign In·View Thread·PermaLink Error checking Dave Midgley 6:40 26 Nov '07   This is really useful and just what I need, many thanks. I do have one question - I am not very experienced in using COM from C#. I see from the MSDN pages that, for example, a call such as INetFwPolicy fwPolicy = fwMgr.LocalPolicy; is actually a call to get_LocalPolicy(INetFwPolicy** localPolicy) which returns an HRESULT (http://msdn2.microsoft.com/en-us/library/aa365291.aspx[^]), and can potentially fail. I wondered if you knew how to detect an error (presumably null is returned) and how to acquire the HRESULT error code. With a Platform Invoke call it is just a matter of calling GetLastWin32Error(). Is it the same with COM? Dave Sign In·View Thread·PermaLink Re: Error checking Don Hamson 17:51 26 Nov '07   Hi Dave, Your welcome, glad this example helped out. HRESULTs, if included in the method signature of a COM interface, must be returned. Returning null when the return type is an HRESULT violates the COM contract and just isn't cool. HRESULTS have high order bits that tell whether the returned HRESULT is an error or not and the subsystem for which the code applies. Please check the appropriate include file for the details on the bit designations and error code values. In practice, I recall using "if( hr != S_OK )" or some derivitive of it to detect errors and maintain memory and interface pointer integrity (C++). You might also look at COM smart pointers that can help in handling errors and protecting integrity. I don't recall the convention for C#; but guessing from the first signature you listed, you're probably right that fwPolicy would receive a null if fwMgr.LocalPolicy had a problem returning the INetFwPolicy interface. Hope this helps, Don Don Sign In·View Thread·PermaLink Re: Error checking Dave Midgley 8:14 28 Nov '07   Having done some testing, it turns out that the calls do not return null if a COM error occurs (many of the calls don't have a return value anyway, so that wouldn't work). In fact they they throw an exception. Dave Sign In·View Thread·PermaLink Re: Error checking Don Hamson 23:19 28 Nov '07   Hi Dave, Not surprising, exceptions are a preferred mechanism to return error conditions because they can't be ignored by client code. Don Don Sign In·View Thread·PermaLink necessary privs AleRanza 6:11 25 May '07   Hi to all, someone know which specific privs a user must have to open a firewall port? thanks Sign In·View Thread·PermaLink Re: necessary privs Don Hamson 14:48 25 May '07   Hi AleRanza, When I coded/tested this originally, I used the admin user. Our needs were that the admin user would install our application and a limited user would just use it. Someone more familiar with the details of specific privileges will have to address your question; I've tried, but just don't know the intracacies of the XP security system. Don Sign In·View Thread·PermaLink A different way of doing things Yiogi 6:04 11 Jan '07   I have converted your code to a class, so that someone can actually use it in an application from any point in the code the programmer considers suitable. I have separated the open and close ports and made the class take as parameters the application location to open as well as what ports need to be opened. As I believe some users might find it useful, I'm posting the code below. Great article by the way. using System; using System.Collections.Generic; using System.Text; using System.Reflection; using NetFwTypeLib; using Microsoft.Win32; namespace FWSetupAction { public class Firewall { protected INetFwProfile fwProfile; #region openFirewall /// /// Opens the given ports on windows firewall. Also opens entirely the given application on the firewall. /// Please remember that you need administrative rights to use this function. /// /// The path of the application. Please include the ending \ /// The name of the executable to open /// The ports that you wish to open individually public void openFirewall(string filePath, string applicationName, int[] portsToOpen) { ///////////// Firewall Authorize Application //////////// String imageFilename = filePath + applicationName; setProfile(); INetFwAuthorizedApplications apps = fwProfile.AuthorizedApplications; INetFwAuthorizedApplication app = (INetFwAuthorizedApplication)getInstance("INetAuthApp"); app.Name = applicationName; app.ProcessImageFileName = imageFilename; apps.Add(app); apps = null; //////////////// Open Needed Ports ///////////////// INetFwOpenPorts openports = fwProfile.GloballyOpenPorts; foreach (int port in portsToOpen) { INetFwOpenPort openport = (INetFwOpenPort)getInstance("INetOpenPort"); openport.Port = port; openport.Protocol = NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_TCP; openport.Name = applicationName + " Operation Port (" + port.ToString() + ")"; openports.Add(openport); } openports = null; } #endregion // openFirewall #region closeFirewall /// /// Deletes the firewall ports specified from the windows firewall exclusions list. Also deletes /// the given application from the excluded apps. /// /// The path of the application. Please include the ending \ /// The name of the executable to close /// The ports that you wish to close individually public void closeFirewall(string filePath, string applicationName, int[] portsToClose) { String imageFilename = filePath + applicationName; setProfile(); INetFwAuthorizedApplications apps = fwProfile.AuthorizedApplications; apps.Remove(imageFilename); apps = null; INetFwOpenPorts ports = fwProfile.GloballyOpenPorts; foreach (int port in portsToClose) { ports.Remove(port, NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_TCP); } ports = null; } #endregion #region setProfile protected void setProfile() { // Access INetFwMgr INetFwMgr fwMgr = (INetFwMgr)getInstance("INetFwMgr"); INetFwPolicy fwPolicy = fwMgr.LocalPolicy; fwProfile = fwPolicy.CurrentProfile; fwMgr = null; fwPolicy = null; } #endregion #region getInstance protected Object getInstance(String typeName) { if (typeName == "INetFwMgr") { Type type = Type.GetTypeFromCLSID( new Guid("{304CE942-6E39-40D8-943A-B913C40C9CD4}")); return Activator.CreateInstance(type); } else if (typeName == "INetAuthApp") { Type type = Type.GetTypeFromCLSID( new Guid("{EC9846B3-2762-4A6B-A214-6ACB603462D2}")); return Activator.CreateInstance(type); } else if (typeName == "INetOpenPort") { Type type = Type.GetTypeFromCLSID( new Guid("{0CA545C6-37AD-4A6C-BF92-9F7610067EF5}")); return Activator.CreateInstance(type); } else return null; } #endregion #region OpenFirewallPorts /// /// Opens the given ports on windows firewall. Also opens entirely the given application on the firewall. /// Please remember that you need administrative rights to use this function. /// /// The path of the application. Please include the ending \ /// The name of the executable to open /// The ports that you wish to open individually public static void OpenFirewallPorts(string executableFilePath, string applicationName, int[] portsToOpen) { Firewall fw = new Firewall(); fw.openFirewall(executableFilePath, applicationName, portsToOpen); } #endregion #region CloseFirewallPorts /// /// Deletes the firewall ports specified from the windows firewall exclusions list. Also deletes /// the given application from the excluded apps. /// /// The path of the application. Please include the ending \ /// The name of the executable to close /// The ports that you wish to close individually public static void CloseFirewallPorts(string executableFilePath, string applicationName, int[] portsToClose) { Firewall fw = new Firewall(); fw.closeFirewall(executableFilePath, applicationName, portsToClose); } #endregion } } Sign In·View Thread·PermaLink Re: A different way of doing things shysan 3:29 24 Apr '07   Well, there could be situation where application is added to FW exception list but user switches to different network. This network profile will not have the app entry in FW exception list associated with this profile. To take care of this, you could make entry of the application in both Domain and Standard profile instead of Current. e.g. fwPolicy->GetProfileByType(NET_FW_PROFILE_DOMAIN,&m_pNetFWProfileDomain); fwPolicy->GetProfileByType(NET_FW_PROFILE_STANDARD,&m_pNetFWProfileStandard); http://technet2.microsoft.com/windowsserver/en/library/3ccb6af5-d960-4a8d-b12b-70692dc47bf41033.mspx?mfr=true[FYI : How Windows Firewall Works] Sign In·View Thread·PermaLink security caveat kckn4fun 3:03 26 Jul '06   One thing I didn't see in your article (which I just assume) is that you need to be logged in as an Administrator to do this... which makes the previous poster's comments moot. Otherwise, a very good article! Sign In·View Thread·PermaLink Re: security caveat Don Hamson 9:34 26 Jul '06   Good point, I'd forgotten about that aspect of it. Absolutely true -in order to install apps, write to the registry, change the firewall; you need to have Administrator privs. Thanks very much, Don Don Sign In·View Thread·PermaLink Re: security caveat tverweij 22:17 26 Jul '06   But on the Home editions (that almost everyone outside the IT business uses because it is cheaper) everyone is an administrator. So, I am still convinced this is an security hole. All security changes should at least be validated by a human to prevent "terror" apps from misusing it. Sign In·View Thread·PermaLink 1.00/5 Re: security caveat [modified] Don Hamson 4:36 27 Jul '06   As said in the previous topic, Microsoft provides the INetFwMgr api which is available to any installation software that uses it. If you view it as a security leak, you'll have to discuss it with Microsoft. To your point about validating security changes; anytime you install an application, essentially you are endorsing all the changes that that install will make to your machine. -- modified at 9:36 Thursday 27th July, 2006 Sign In·View Thread·PermaLink 5.00/5 Re: security caveat Jason Barry 14:20 26 Jun '08   If you install AOL Instant Messenger or iTunes, they automatically add themselves. The API is provided so that people can make use of them. Sign In·View Thread·PermaLink This is not a feature, but a security leak [modified] tverweij 8:04 25 Jul '06   An application that add's itself to the windows firewall? Nice for spyware and virusses. Please report this code to microsoft, so they can plug this hole ..... Sign In·View Thread·PermaLink 1.00/5 Re: This is not a feature, but a security leak Don Hamson 2:36 26 Jul '06   This code uses the Microsoft's firewall api so it's functionality they provide, not a hole in their security. It's true that you need to know the authenticity of the apps that you install; but not all apps are spyware and your machine would be pretty boring if your firewall prevented all network communications. By the way, if you run an app that needs to open and listen on a socket; Microsoft's firewall will prompt to see if you want to allow the application. It's interesting too that allowed applications are actually more secure than opening ports. Open ports remain open whether the app that needs them is running or not. For allowed applications, the ports they listen on are open only when they execute; otherwise those ports are closed. Not all applications are spyware and legitimate applications do this routinely - file and print sharing, iTunes, games, instant messangers, etc. Don Sign In·View Thread·PermaLink 5.00/5 Re: This is not a feature, but a security leak tverweij 22:20 26 Jul '06   I concur that network connections are needed, and that the most programs available are thrust worthy. But, spyware firms are very good in misleading humans, so these apps will be installed. One of the pro's of XP is the Firewall, protecting these users. But, by providing such api's, the normal users (with xp-home) lose their protection. Sign In·View Thread·PermaLink 1.00/5

Last Visit: 16:08 23 Nov '09     Last Update: 16:08 23 Nov '09 12 Next »