Batch Files - Windows Firewall

Written: 09/15/12

Last Updated: 06/15/13

This article will focus on how to create rules for Windows Firewall, through the use of batch files. Specifically, the topics shown here will discuss how to create a whitelist/blacklist for a desired application. A whitelist is a list of IP addresses that are considered to be trusted; any IP address on that list will be given access. A blacklist is the exact opposite, it is a list of all of the IP addresses that you do not trust, and any IP address on that list will be denied access. In Windows Firewall, the default for the incoming connections is to deny all connections not explicitly given access. The default for the outgoing connections is to allow all connections not explicitly denied. For more information on Windows Firewall read Microsoft’s FAQ, located here. Note – This article assumes that you know what an IP address is. If you do not, you can read the Wikipedia article on it here.

Since the article is specifically focused on using batch files to configure Windows Firewall, I will not cover how to create a rule through the GUI. That being said, you can see an example that I have here.

To interface with Windows Firewall through a batch file we will be using the command “netsh advfirewall firewall”. More info on what this command is and other options can be found on Microsoft’s TechNet article here. The specific commands under this command that we will be using are “add rule” and “set rule”. The “add rule” command does exactly what it states, it allows you to add a new rule. The “set rule” command allows you to update an existing rule.

Description of Parameters

There are a number of parameters that this command accepts; however, the defaults for most of them will be fine for this example. The parameters that we will be using are as follows: name, dir, action, program, and remoteip.

The “name” parameter is the name that you wish to give the rule. This name can contain spaces; however, those need to be included in double quotes.

The “dir” parameter is used to specify whether this rule should apply to incoming or outgoing connections. In this example, we will set rules for both incoming and outgoing connections. Whether the rule is considered to be incoming or outgoing is based on which side starts the handshake for the specified protocol (i.e. TCP, UDP, etc…). For example, when you go to a website, the web server will see the connection as incoming, because your system was the one that initiated the handshake. Depending on the application, some connections that you would expect to be an outgoing connection could in fact be an incoming connection and vice-versa. It is best to set rules for both incoming and outgoing connections, such that you know exactly who is connecting to your system and vice-versa.

The “action” parameter is used to specify how the traffic should be filtered. For this example, we will use both the “allow” and “block” properties. The “program” parameter is used to specify the full path to the executable that you wish to create a rule for. Once again, if your path has spaces in it you will need to place double quotes around the value for this parameter.

The “remoteip” parameter is used to determine which IP addresses this rule should apply to. These can be specified as ranges or as individual IP addresses. You can also have a list of addresses and ranges by comma delimiting them. For ranges, a single hyphen should be placed between the range like this: 127.0.0.1-127.0.0.5.

Example

For this example, we will assume that you have a program called “Test.exe” and that it is located at the directory “C:\This is a test\Test.exe”. I will also assume that you only wish to allow access to the following IP addresses: 127.0.0.1-127.0.0.5, 61.0.0.4, 72.87.0.5. (Note that these IP addresses are nothing in particular and are purely used as an example) In this example only the IP addresses stated above will be able to access the program “Test.exe”, all others will be completely blocked out.

To create the rules, copy and paste the below code into a batch file and run it. Assuming everything went well, the script will say it worked, obviously, for a real scenario you will want to change my assumptions to suit your needs.

@echo off
:: This command demonstrates the use of a whitelist.
:: All of the IP addresses we want to grant access to are explicitly listed.
netsh advfirewall firewall add rule name="TEST - allow incoming" dir=in action=allow program="C:\This is a test\Test.exe" remoteip=61.0.0.4,72.87.0.5,127.0.0.1-127.0.0.5
:: This command demonstrates the use of a blacklist.
:: All of the IP addresses we want to grant access to are explicitly not listed.
netsh advfirewall firewall add rule name="TEST - block outgoing" dir=out action=block program="C:\This is a test\Test.exe" remoteip=0.0.0.0-61.0.0.3,61.0.0.5-72.87.0.4,72.87.0.6-127.0.0.0,127.0.0.6-255.255.255.255

Let’s say that the individual at 127.0.0.3 has made you angry and you no longer want to give him access. Instead of deleting the rule and recreating it, we will instead update it to the new IP addresses by using the “set rule” command. This command has a slightly different syntax than the “add rule” command, and requires that you first provide enough information to find the rule that you want to change, and then provide the parameters that you wish to change it to.

To update the new rule and to remove access to 127.0.0.3 copy and paste the below code into a batch file and run it.

@echo off
:: This command demonstrates the use of a whitelist.
:: All of the IP addresses we want to grant access to are explicitly listed.
netsh advfirewall firewall set rule name="TEST - allow incoming" dir=in new name="TEST - allow incoming" dir=in action=allow program="C:\This is a test\Test.exe" remoteip=61.0.0.4,72.87.0.5,127.0.0.1-127.0.0.2,127.0.0.4-127.0.0.5
:: This command demonstrates the use of a blacklist.
:: All of the IP addresses we want to grant access to are explicitly not listed.
netsh advfirewall firewall set rule name="TEST - block outgoing" dir=out new name="TEST - block outgoing" dir=out action=block program="C:\This is a test\Test.exe" remoteip=0.0.0.0-61.0.0.3,61.0.0.5-72.87.0.4,72.87.0.6-127.0.0.0,127.0.0.3,127.0.0.6-255.255.255.255

Discussion (2)

There are 2 responses to “Batch Files – Windows Firewall”.

  1. Bill responded:

    · Reply

    If I wanted to set this rule for all applications and not just test.exe, can I omit the Program= clause or how would I do this?

    • Yes. If you do not include the program option then the rule will apply to all programs.

Leave a Reply