Hand-Crafted Firewall Rules with PowerShell

Hand-Crafted Firewall Rules with PowerShell

It’s a lot like IPSec… but easier

In recent articles—"Controlling Windows Firewall with PowerShell" and "Controlling Windows Firewall with PowerShell, Part 2"—I’ve shown you how to configure Windows’ software firewall with PowerShell by discovering its many built-in firewall rules (get-netfirewallrule) and how to enable or disable them (enable-netfirewallrule and disable-netfirewallrule). In reality, though, built-in software firewalls are most useful when you can super-fine-tune them. So, the real power of the Windows Firewall that we’ve had since Windows Server 2008 lies in creating those fine-tuned rules. In fact, I’ve found Windows Firewall rules to be essentially “IPSec made easy.” You won't be surprised, then, to learn that PowerShell’s got a nifty tool to do that: New-NetFirewallRule. This month, you’ll start creating rules (and you'll see how not to disable your computer in the process).

Basics of Creating Firewall Rules

Essentially, every Windows Firewall rule has a name and three big parts: direction, criterion, and action. For example, suppose you have a firewall rule named Pass HTTP: If Windows Firewall recognizes an incoming [direction] packet destined for port 80 [criterion], it should allow it to pass [action]. The criterion in combination with the packet direction (port 80, inbound) tells Windows Firewall whether to employ the rule’s action (pass).

Leaving the criterion aside for a moment, New-NetFirewallRule lets you give your new rule a name with the -DisplayName parameter, a direction with the -Direction parameter (which takes either inbound or outbound, with a default value of inbound if you don’t specify the parameter), and the action with an -Action parameter (which takes either Allow or Block, with a default of Allow if you don’t specify the parameter). For example, let’s build a firewall rule that keeps your workstation from connecting to Remote Desktop on any system in the world. (It’s a good example because you can easily verify that it works and, more important, works great on your client Windows 8.1 PC, so you won’t need to build a server to test it. And by the way, let me suggest that you either print this article or save it to your computer’s local storage before trying some of the following examples, as some will have the effect of disconnecting you from the Internet, and I want you to have the “undo” commands close to hand.)

A First Rule

The most basic New-NetFirewallRule command is something like

new-netfirewallrule -displayname Mtest

A name is all it needs, as the defaults for action, direction, and criterion are Allow, Inbound, and Everything, as in “allow all incoming packets.”  New-NetFirewallRule also immediately enables the new rule, so as soon as you pressed Enter there, the rule took effect. You could have avoided that by adding the parameter –Enabled False, as in

new-netfirewallrule –displayname Mtest –Enabled False

And no, that’s not a typo: -Enabled really does take the string False rather than PowerShell’s built-in $false variable.  (Apparently the cmdlet’s author never figured out “switch variables.”)

As you’ve probably guessed by now, you can see attributes of the firewall rule with

get-netfirewallrule -displayname Mtest

If you do, you’ll notice that firewall rules not only have the human-friendly DisplayName but a GUID-like Name parameter that looks like "{b7072342-7f9a-493c-abf6-43dcde98a41e}." You’ll see that the NetFirewallRule cmdlets will accept the displayname with the -DisplayName parameter but will also accept the Name attribute passed with no parameter, as in

get-netfirewallrule "{b7072342-7f9a-493c-abf6-43dcde98a41e}"

If you look in the list of firewall rules in Control Panel, you’ll see that you now have a rule Mtest, further verifying that you got something done.

To delete and, in passing, remove a firewall rule, use remove-netfirewallrule, as in

remove-netfirewallrule -displayname mtest

That rule really didn’t have any dramatic effects, so let’s try another one and employ -Action and -Direction parameters, blocking all outgoing network traffic.  This cmdlet accomplishes that:

new-netfirewallrule -displayname Mtest -direction outbound -action block

Try pinging anything, and it’ll offer General Failure. (Remember: remove-netfirewallrule -displayname mtest will undo this.)

Adding Criteria: Blocking One Port

The remaining firewall rule component is by far the largest, so I can’t cover it in just one article. There’s just enough room, though, for one quick example. You’ll take your “block all outgoing” rule and tweak it to make it a “block all outgoing TCP port 3389 traffic” rule. To block a particular TCP port, add two parameters:  -Protocol TCP and -RemotePort. The new rule looks like this:

new-netfirewallrule -displayname Mtest -direction outbound -action block -protocol tcp -RemotePort 3389

Test this by pointing it to any computer that you know has Remote Desktop enabled, and use Test-NetConnection (as I do in this example with machine S1.bigfirm.com):

test-netconnection s1.bigfirm.com -Port 3389

Now you’ve got the basic build-a-rule tools. Next month, tons more fine-tuning!

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish