Advanced Firewall. Multiple entries for remoteip cannot be defined in "netsh advfirewall firewall set rule" command
-
Sunday, January 23, 2011 4:43 PM
The online "netsh advfirewall firewall" manual reads as follows: “Multiple entries can be specified for remoteip by separating them with a comma.”
In both Windows 7 Professional Version 6.1 (Build 7600) and Windows Server 2008R2 Enterprise Version 6.1 (Build 7600) the following command executes correctly:
netsh advfirewall firewall set rule name = "RuleName " new remoteip = IPAddress1
But the following command
netsh advfirewall firewall set rule name = "RuleName " new remoteip = IPAddress1, IPAddress2
Gives the following error: “A specified value is not valid.”
In the usage information of "netsh advfirewall firewall set rule" I find the following:
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
How can a list of IP addresses be submitted to the command?
All Replies
-
Monday, January 24, 2011 9:47 AM (Moderator)
Hi,
Thanks for posting here.
I think it should be no problem to insert multiple addresses as a parameter when performing the netsh advfirewall firewall command line.
Could you post the full command that you attempted to perform and encountered the “A specified value is not valid.” error with here for further investigation?
Meanwhile, please refer to the KB article below:
How to use the "netsh advfirewall firewall" context instead of the "netsh firewall" context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista
http://support.microsoft.com/kb/947709
Thanks
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
- Marked As Answer by Tiger Li (Moderator) Tuesday, February 01, 2011 8:49 AM
-
Saturday, January 29, 2011 10:42 AM
Hi,
I am enclosing two commands as you requested. You can see that the one-IP command works but the two-IP command fails.
Pedro
********************************************************************************
PS C:\> netsh advfirewall firewall set rule name ="SSH" new remoteip = 139.100.100.1
Updated 1 rule(s).
Ok.
PS C:\> netsh advfirewall firewall set rule name ="SSH" new remoteip = 139.100.100.1, 139.100.100.2
A specified value is not valid.
Usage: set rule
group=<string> | name=<string>
[dir=in|out]
[profile=public|private|domain|any[,...]]
[program=<program path>]
[service=service short name|any]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any]
[remoteport=0-65535|<port range>[,...]|any]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
new
[name=<string>]
[dir=in|out]
[program=<program path>
[service=<service short name>|any]
[action=allow|block|bypass]
[description=<string>]
[enable=yes|no]
[profile=public|private|domain|any[,...]]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|RPC|RPC-EPMap|any[,...]]
[remoteport=0-65535|any[,...]]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=<SDDL string>]
[rmtusrgrp=<SDDL string>]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|notrequired]
Remarks:
- Sets a new parameter value on an identified rule. The command fails
if the rule does not exist. To create a rule, use the add command.
- Values after the new keyword are updated in the rule. If there are
no values, or keyword new is missing, no changes are made.
- A group of rules can only be enabled or disabled.
- If multiple rules match the criteria, all matching rules will
be updated.
- Rule name should be unique and cannot be "all".
- If a remote computer or user group is specified, security must be
authenticate, authenc or authdynenc.
- Setting security to authdynenc allows systems to dynamically
negotiate the use of encryption for traffic that matches
a given Windows Firewall rule. Encryption is negotiated based on
existing connection security rule properties. This option
enables the ability of a machine to accept the first TCP
or UDP packet of an inbound IPsec connection as long as
it is secured, but not encrypted, using IPsec.
Once the first packet is processed, the server will
re-negotiate the connection and upgrade it so that
all subsequent communications are fully encrypted.
- Authdynenc is valid only when dir=in.
- If action=bypass, the remote computer group must be specified when dir=in.
- If service=any, the rule applies only to services.
- ICMP type or code can be "any".
- Edge can only be specified for inbound rules.
Examples:
Change the remote IP address on a rule called "allow80":
netsh advfirewall firewall set rule name="allow80" new
remoteip=192.168.0.2
Enable a group with grouping string "Remote Desktop":
netsh advfirewall firewall set rule group="remote desktop" new
enable=yes
Change the localports on the rule "Allow port range" for udp-
Set rule name="Allow port range" dir=out protocol=udp localport=5000-5020 action=allow
PS C:\>
**********************************************************************
-
Sunday, January 30, 2011 2:14 PM
Try removing the spaces:
netsh advfirewall firewall set rule name="SSH" new remoteip=139.100.100.1,139.100.100.2
Or you may have to use the "add" verb in the command:
netsh advfirewall firewall add rule name="SSH" new remoteip=139.100.100.1,139.100.100.2
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
- Proposed As Answer by Tiger Li (Moderator) Tuesday, February 01, 2011 5:08 AM
- Marked As Answer by Tiger Li (Moderator) Tuesday, February 01, 2011 8:49 AM
-
Friday, April 01, 2011 8:31 AM
Hi
Trying to figure out how to add a remote IP in a script. This obviously won't work:
netsh advfirewall firewall add rule name=firewallrule dir=in localport=1401 protocol=tcp remoteip=2.148.0.0/255.252.0.0 profile=domain action=allow
netsh advfirewall firewall set rule name=firewallrule add remoteip=31.24.128.0/255.255.248.0
This command, which works, will replace the already given remote IP:
netsh advfirewall firewall set rule name=firewallrule new remoteip=31.24.128.0/255.255.248.0
I have almost 700 IP addresses that I want to add to the firewall using a script. There are too many IP addresses for this to work in a single command line in both DOS and PowerShell.
Any suggestions would be appreciated!
Regards
Oystein Sund
- Proposed As Answer by Mick Bobin Sunday, May 22, 2011 3:23 AM
-
Sunday, May 22, 2011 3:25 AM
Have a look at this script, you should be able to customise it for what you want. Note that although the script currently works fine for Win7 firewall it seems to fail with an error under Server 2008.
Cheers
Mick Bobin
-
Thursday, December 15, 2011 5:14 PM
Try this, it worked for me. Remember that 'set' will remove what is existing in the IP address list. I have written these to a file in order to persist them.
Once you have called this command, refresh your firewall rule list UI or the display will not update to show you what has been completed.
using System;
using System.Diagnostics;
using System.IO;

class KnownHackIpUpdater
{
    // The poster's WriteFile/ReadFile helpers were not shown; the bodies below are assumed:
    // one address per line in a text file, read back as a comma-separated list with no
    // spaces, which is the form netsh accepts for remoteip.
    const string IpListPath = "knownhackip.txt";   // assumed file name

    static void WriteFile(string ip)
    {
        File.AppendAllText(IpListPath, ip + Environment.NewLine);
    }

    static string ReadFile()
    {
        return string.Join(",", File.ReadAllLines(IpListPath));
    }

    static void Main()
    {
        WriteFile("192.168.0.9");
        WriteFile("192.167.0.1");
        WriteFile("192.169.0.2");
        WriteFile("192.170.0.2");
        WriteFile("192.170.1.2");

        string currentIPs = ReadFile();
        // 'set rule ... new remoteip=' replaces the whole list, so the complete list is passed every time.
        string cmd = @"netsh advfirewall firewall set rule name=KnownHackIP new remoteip=" + currentIPs;

        // Lines from the poster's own UI state (undefined here, not needed for the netsh call):
        // nvc_droplist.Add(val, "True");
        // WriteFile(val);
        // skipVal = val;

        ProcessStartInfo procStartInfo = new ProcessStartInfo("cmd", "/c " + cmd);
        // Redirect standard output so it can be read through Process.StandardOutput.
        procStartInfo.RedirectStandardOutput = true;
        procStartInfo.UseShellExecute = false;
        // Do not create the black console window.
        procStartInfo.CreateNoWindow = true;

        // Create the process, assign its ProcessStartInfo and start it.
        Process proc = new Process();
        proc.StartInfo = procStartInfo;
        proc.Start();

        // Read the command output into a string and display it.
        string result = proc.StandardOutput.ReadToEnd();
        proc.WaitForExit();
        Console.WriteLine(result);
    }
}
-
Friday, February 03, 2012 1:22 PM
Wonderful tip... thanks very much..
However, I was wondering whether there is a way to load the list of the IP addresses from a txt file instead of having to type all these ip addresses at the end of the netsh command?
Is something like that possible?
Thank you in advance.......
-
Thursday, May 03, 2012 2:46 AM
There is an omission in the netsh documentation section for remoteip (and it may affect other variables that can accept a list of values):
"You can specify multiple entries for remoteip by separating them with a comma. Do not include any spaces."
As Pedro and others have found, if you try to add multiple subnets for remote IP with this command:
netsh advfirewall firewall set rule name="Windows Backup (RPC)" dir=in new remoteip=10.1.0.0/16,192.168.1.0/24
You will receive the error
A specified value is not valid.
If you put quote marks around the list items, it will work:
PS C:\Users\Administrator> netsh advfirewall firewall set rule name="Windows Backup (RPC)" dir=in new remoteip="10.1.0.0/16,192.168.1.0/24"
Updated 1 rule(s).
Ok.
PS C:\Users\Administrator>
- Proposed As Answer by ridicully Thursday, May 03, 2012 2:46 AM
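Two things in this thread combine into one scripting task: Oystein's need to push several hundred addresses into a rule from a file rather than a single typed command, and ridicully's finding that the list must be passed as one quoted, space-free comma-separated value (from a PowerShell prompt an unquoted comma is parsed by PowerShell itself as an argument separator, so netsh never sees the whole list). The script below is an added example written for this page, not code from any poster. It reads the list from a text file, rejects anything that is not an IPv4 address, CIDR prefix or address/mask subnet, splits long lists across numbered sibling rules because `set rule ... new remoteip=` replaces the existing list rather than appending to it, and hands netsh `remoteip=...` as a single argument. The rule name, file path, chunk size and the dir/action used when an extra sibling rule has to be created are placeholders and assumptions.

```powershell
# Added example, not code from the thread. Rebuild a Windows Firewall rule's remote
# address list from a text file (one IPv4 address, a.b.c.d/nn prefix or a.b.c.d/m.m.m.m
# subnet per line), splitting long lists across sibling rules.
param(
    [string]$RuleName   = 'KnownHackIP',          # placeholder: rule that already exists
    [string]$ListPath   = 'C:\fw\remoteip.txt',   # placeholder: input list, one entry per line
    [int]   $MaxPerRule = 200,                    # assumed chunk size; keeps each command line short
    [string]$Dir        = 'in',                   # assumption: sibling rules created as inbound ...
    [string]$Action     = 'block',                # ... block rules (matches the base rule's intent)
    [switch]$DryRun                               # print the netsh commands instead of running them
)

# Strict IPv4 syntax check so a stray hostname or typo never reaches netsh.
$octet = '(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)'
$ipv4  = "$octet(\.$octet){3}"
$valid = "^$ipv4(/(3[0-2]|[12]?\d)|/$ipv4)?$"

function Get-RemoteIpEntries {
    param([string]$Path)
    $lines = @(Get-Content -LiteralPath $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |   # skip blanks and comments
        Select-Object -Unique)
    $bad = @($lines | Where-Object { $_ -notmatch $valid })
    if ($bad.Count -gt 0) {
        throw "Rejected $($bad.Count) entries (not IPv4 address/prefix/subnet): $($bad -join ', ')"
    }
    return $lines
}

function Split-Chunks {
    param([string[]]$Items, [int]$Size)
    for ($i = 0; $i -lt $Items.Count; $i += $Size) {
        $end = [Math]::Min($i + $Size, $Items.Count) - 1
        ,($Items[$i..$end])   # unary comma emits each chunk as one array element
    }
}

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    if ($DryRun) {
        Write-Host "netsh $($NetshArgs -join ' ')"
        return
    }
    $out  = & netsh.exe @NetshArgs 2>&1
    $text = ($out -join ' ')
    # netsh prints "Ok." on success (see the transcripts in this thread); treat anything else as failure.
    if ($LASTEXITCODE -ne 0 -or $text -notmatch 'Ok\.') { throw "netsh failed: $text" }
    Write-Host $text
}

$entries = @(Get-RemoteIpEntries -Path $ListPath)
$chunks  = @(Split-Chunks -Items $entries -Size $MaxPerRule)

for ($k = 0; $k -lt $chunks.Count; $k += 1) {
    # Join with bare commas and pass "remoteip=<list>" as ONE PowerShell string argument:
    # netsh rejects a list containing spaces, and an unquoted comma would be split by PowerShell.
    $list = ($chunks[$k] -join ',')
    $name = if ($k -eq 0) { $RuleName } else { "$RuleName-$($k + 1)" }

    # 'set ... new remoteip=' replaces the rule's whole list, so the full chunk is supplied each run.
    # 'set' fails if the rule does not exist (netsh help: use 'add' to create a rule), so sibling
    # rules fall back to 'add' with the assumed dir/action; the base rule is never silently created.
    $setArgs = @('advfirewall', 'firewall', 'set', 'rule', "name=$name", 'new', "remoteip=$list")
    try {
        Invoke-Netsh -NetshArgs $setArgs
    } catch {
        if ($k -eq 0) { throw }
        $addArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$name",
                     "dir=$Dir", "action=$Action", "remoteip=$list")
        Invoke-Netsh -NetshArgs $addArgs
    }
}
```

Run it once with `-DryRun` to see the exact `netsh` command lines before anything is changed; because `set` overwrites, the text file is the source of truth and every run rebuilds the rule(s) from it, which is also why the sibling rules are numbered deterministically rather than appended.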