Description

Some of my scripts, namely Get-CsConnections.ps1, require specific firewall rules be created in order to operate correctly. So I set out to automate as much as possible the creation of these rules. A function was born.

This little function can do pretty much everything the Windows Firewall wizard can do. You can specify local and remote ports, local and remote IP addresses, programs, services, direction Inbound or Outbound), TCP/UDP or Any, and more. I borrowed some of the info from the Windows Firewall chm file for the comment-based help file in the function. Just run

Get-Help New-FirewallRule

for detailed help.

I tried to think of (and test) common requirements for firewall rules, but if I’ve left something out, or something isn’t working as expected, feel free to leave a comment below.

Syntax

New-FirewallRule [[-name] ] [[-localPorts] ] [[-remotePorts] ] [[-localAddresses] ]
 [[-remoteAddresses] ] [[-program] ] [[-serviceName] ] [[-description] ] [-outbound] 
[-udp] [-block] [-readonly] [-any] [-domain] [-public] [-private] [-WhatIf] [-Confirm] []

Name This is the name of the firewall rule. As a best practice, give the firewall rule a unique name. If two rules have the same name, then you cannot easily manage them by using the netsh or PowerShell commands. Do not use the name “all” for a firewall rule because that is the name of a netsh command-line tool keyword.

LocalPorts If you are using the TCP or UDP protocol type, you can specify the local port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The local port is the port on the computer on which the firewall profile is applied.

RemotePorts If you are using the TCP or UDP protocol type, you can specify the local port and remote port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied.

LocalAddresses The local IP address is used by the local computer to determine if the rule applies. The rule applies only to network traffic that goes through a network adapter that is configured to use one of the specified local IP addresses.

RemoteAddresses Specify the remote IP addresses to which the rule applies. Network traffic matches the rule if the destination IP address is one of the addresses in the list.

Program Use this option to match network packets going to or from a specified program. If the program is not running, then no packets match the rule. Type the complete path to the program. You can include environment variables, where appropriate. When you add a program to the rule, Windows Firewall with Advanced Security dynamically opens (unblocks) and closes (blocks) the ports required by the program. When the program is running and listening for incoming traffic, Windows Firewall with Advanced Security opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall with Advanced Security closes the ports. Because of this dynamic behavior, adding programs to a rule is the recommended method for allowing unsolicited incoming traffic through Windows Firewall.

ServiceName Use this option to apply the rule only to services, not to other processes. Specify the short name of the service to which you want the rule to be applied.

Description This is a description of the rule. Use this to provide information about the rule, such as the rule owner, the rule requester, the purpose of the rule, a version number, or the date of creation.

Outbound Configures the rule as outbound. If not specified, the rule is created as inbound.

UDP Use this option to specify that the rule should filter UDP traffic. If not specified, and -Any is also not specified, the rule will filter TCP traffic. Cannot be used with -ANY.

Block Use this option to explicitly block any network packet that matches the firewall rule criteria. The block action takes precedence over the allow action, unless the Override block rules option is selected when the firewall rule is created.

ReadOnly If used, the rule will be created and attributes such as Program, Protocols, and Ports cannot be edited after creation. To change these settings, delete the rule and recreate it.

Any Use the option to filter traffic from any protocol. Cannot be used with -UDP.

Domain Applies when a computer is connected to a network that contains an Active Directory domain controller in which the computer’s domain account resides.

Private Applies when a computer is connected to a network in which the computer’s domain account does not reside, such as a home network. The private profile settings should be more restrictive than the domain profile settings. A network is assigned the private type by a local administrator.

Public Applies when a computer is connected to a domain through a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment. By default, newly discovered networks are assigned the public type.

Examples

There is a vast number of combinations that can be used to create rules. I’ve tested a bunch, but cannot possibly test every conceivable combination. Here are a couple of examples:

New-FirewallRule -Name "Test Rule" -Description "My cool Lync rule" -Domain -Public -Private -Any -Program "C:\Program Files\Microsoft Lync Server 2010\File Transfer Agent\FileTransferAgent.exe" -ReadOnly

New-FirewallRule -name "World Wide Web Services" -description "An inbound rule to allow HTTPS traffic for Internet Information Services (IIS) [TCP 443]" -domain -private -public -localports "443" -Program "System"

Installation

No installation needed. But the function does need to run in an elevated session.

Donations

I’ve never been one to really solicit donations for my work. My offerings are created because *I* need to solve a problem, and once I do, it makes sense to offer the results of my work to the public. I mean, let’s face it: I can’t be the only one with that particular issue, right? Quite often, to my surprise, I’m asked why I don’t have a “donate” button so people can donate a few bucks. I’ve never really put much thought into it. But those inquiries are coming more often now, so I’m yielding to them. If you’d like to donate, you can send a few bucks via PayPal at https://www.paypal.me/PatRichard. Money collected from that will go to the costs of my website (hosting and domain names), as well as to my home lab.

Download

v1.0 (09-14-2012) New-FirewallRule.v1.0.zip

Changelog

See the changelog for information on features and bugs fixed in various versions.