Advanced Firewall. Multiple entries for remoteip cannot be defined in "netsh advfirewall firewall set rule" command

    Question

  • The online "netsh advfirewall firewall" manual reads as follows: “Multiple entries can be specified for remoteip by separating them with a comma.”

    In both Windows 7 Professional Version 6.1 (Build 7600) and Windows Server 2008 R2 Enterprise Version 6.1 (Build 7600) the following command executes correctly:

    netsh advfirewall firewall set rule name =  "RuleName " new remoteip = IPAddress1

    But the following command

    netsh advfirewall firewall set rule name =  "RuleName " new remoteip = IPAddress1, IPAddress2

    gives the following error: “A specified value is not valid.”

    In the usage information of "netsh advfirewall firewall set rule" I find the following:

    [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|

       <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]

    How can a list of IP addresses be submitted to the command?

    Sunday, January 23, 2011 4:43 PM

Answers

  • Try removing the spaces:

    netsh advfirewall firewall set rule name="SSH" new remoteip=139.100.100.1,139.100.100.2

    Or you may have to use the "add" verb in the command:

    netsh advfirewall firewall add rule name="SSH" new remoteip=139.100.100.1,139.100.100.2

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Tiger Li Tuesday, February 01, 2011 5:08 AM
    • Marked as answer by Tiger Li Tuesday, February 01, 2011 8:49 AM
    Sunday, January 30, 2011 2:14 PM
  • Hi,

    Thanks for posting here.

    I think there should be no problem inserting multiple addresses as a parameter when running a netsh advfirewall firewall command.

    Could you post the full command that you attempted to run and that produced the “A specified value is not valid.” error, for further investigation?

    Meanwhile, please refer to the KB article below:

    How to use the "netsh advfirewall firewall" context instead of the "netsh firewall" context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista

    http://support.microsoft.com/kb/947709

    Thanks

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Tiger Li Tuesday, February 01, 2011 8:49 AM
    Monday, January 24, 2011 9:47 AM

All replies

  • Hi,

    I am enclosing the two commands as you requested. You can see that the one-IP command works but the two-IP command fails.

    Pedro

    ********************************************************************************

    PS C:\> netsh advfirewall firewall set rule name ="SSH" new remoteip = 139.100.100.1

    Updated 1 rule(s).
    Ok.

    PS C:\> netsh advfirewall firewall set rule name ="SSH" new remoteip = 139.100.100.1, 139.100.100.2

    A specified value is not valid.

    Usage: set rule
          group=<string> | name=<string>
          [dir=in|out]
          [profile=public|private|domain|any[,...]]
          [program=<program path>]
          [service=service short name|any]
          [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
          [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
             <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
          [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any]
          [remoteport=0-65535|<port range>[,...]|any]
          [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
             tcp|udp|any]
          new
          [name=<string>]
          [dir=in|out]
          [program=<program path>
          [service=<service short name>|any]
          [action=allow|block|bypass]
          [description=<string>]
          [enable=yes|no]
          [profile=public|private|domain|any[,...]]
          [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
          [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
             <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
          [localport=0-65535|RPC|RPC-EPMap|any[,...]]
          [remoteport=0-65535|any[,...]]
          [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
             tcp|udp|any]
          [interfacetype=wireless|lan|ras|any]
          [rmtcomputergrp=<SDDL string>]
          [rmtusrgrp=<SDDL string>]
          [edge=yes|deferapp|deferuser|no (default=no)]
          [security=authenticate|authenc|authdynenc|notrequired]

    Remarks:

          - Sets a new parameter value on an identified rule. The command fails
            if the rule does not exist. To create a rule, use the add command.
          - Values after the new keyword are updated in the rule.  If there are
            no values, or keyword new is missing, no changes are made.
          - A group of rules can only be enabled or disabled.
          - If multiple rules match the criteria, all matching rules will
            be updated.
          - Rule name should be unique and cannot be "all".
          - If a remote computer or user group is specified, security must be
            authenticate, authenc or authdynenc.
          - Setting security to authdynenc allows systems to dynamically
            negotiate the use of encryption for traffic that matches
            a given Windows Firewall rule. Encryption is negotiated based on
            existing connection security rule properties. This option
            enables the ability of a machine to accept the first TCP
            or UDP packet of an inbound IPsec connection as long as
            it is secured, but not encrypted, using IPsec.
            Once the first packet is processed, the server will
            re-negotiate the connection and upgrade it so that
            all subsequent communications are fully encrypted.
          - Authdynenc is valid only when dir=in.
          - If action=bypass, the remote computer group must be specified when dir=in.
          - If service=any, the rule applies only to services.
          - ICMP type or code can be "any".
          - Edge can only be specified for inbound rules.

    Examples:

          Change the remote IP address on a rule called "allow80":
          netsh advfirewall firewall set rule name="allow80" new
          remoteip=192.168.0.2

          Enable a group with grouping string "Remote Desktop":
          netsh advfirewall firewall set rule group="remote desktop" new
          enable=yes

          Change the localports on the rule "Allow port range" for udp-
          Set rule name="Allow port range" dir=out protocol=udp localport=5000-5020 action=allow
    PS C:\>

    **********************************************************************

    Saturday, January 29, 2011 10:42 AM
  • Hi

    Trying to figure out how to add a remote IP in a script. This obviously won't work:

    netsh advfirewall firewall add rule name=firewallrule dir=in localport=1401 protocol=tcp remoteip=2.148.0.0/255.252.0.0 profile=domain action=allow

    netsh advfirewall firewall set rule name=firewallrule add remoteip=31.24.128.0/255.255.248.0

    This command, which works, will replace the already given remote IP:
    netsh advfirewall firewall set rule name=firewallrule new remoteip=31.24.128.0/255.255.248.0
    I have almost 700 IP addresses that I want to add to the firewall using a script. There are too many IP addresses for this to work in a single command line in both DOS and PowerShell.
    Any suggestions would be appreciated!
    Regards
    Oystein Sund

    • Proposed as answer by Mick Bobin Sunday, May 22, 2011 3:23 AM
    Friday, April 01, 2011 8:31 AM
  • Have a look at this script, you should be able to customise it for what you want. Note that although the script currently works fine for the Win7 firewall it seems to fail with an error under Server 2008.

    http://blog.whitesites.com/Bulk-import-IPs-into-your-Windows-Server-2008-R2-Firewall__634324176371718750_blog.htm

    Cheers

    Mick Bobin

    Sunday, May 22, 2011 3:25 AM
  • Try this, it worked for me. Remember that the 'set' will remove what is existing in the IP address list. I have written these to a file in order to persist them.

    Once you have called this command, refresh your firewall list rule UI or the display will not update to show you what has been completed. 

    // WriteFile, ReadFile, nvc_droplist, val and skipVal belong to the poster's
    // surrounding program and are not shown here. ReadFile() returns the
    // persisted addresses as one comma-separated string (no spaces).
    WriteFile("192.168.0.9");
    WriteFile("192.167.0.1");
    WriteFile("192.169.0.2");
    WriteFile("192.170.0.2");
    WriteFile("192.170.1.2");

    string currentIPs = ReadFile();
    // 'set rule ... new remoteip=' replaces the whole list, so the full list is passed every time.
    cmd = @"netsh advfirewall firewall set rule name=KnownHackIP new remoteip=" + currentIPs;

    nvc_droplist.Add(val, "True");
    WriteFile(val);
    skipVal = val;

    // Process proc = new Process();
    System.Diagnostics.ProcessStartInfo procStartInfo =
        new System.Diagnostics.ProcessStartInfo("cmd", "/c " + cmd);

    // The following settings are needed to redirect the standard output.
    // This means that it will be redirected to the Process.StandardOutput StreamReader.
    procStartInfo.RedirectStandardOutput = true;
    procStartInfo.UseShellExecute = false;

    // Do not create the black window.
    procStartInfo.CreateNoWindow = true;

    // Now we create a process, assign its ProcessStartInfo and start it.
    System.Diagnostics.Process proc = new System.Diagnostics.Process();
    proc.StartInfo = procStartInfo;
    proc.Start();

    // Get the output into a string, then wait for netsh to finish so the
    // exit code is valid.
    string result = proc.StandardOutput.ReadToEnd();
    proc.WaitForExit();

    // Display the command output.
    Console.WriteLine(result);
    }

    Thursday, December 15, 2011 5:14 PM
  • Wonderful tip... thanks very much..

    However, I was wondering whether there is a way to load the list of the IP addresses from a txt file instead of having to type all these ip addresses at the end of the netsh command?

    Is something like that possible?

    Thank you in advance.......

    Friday, February 03, 2012 1:22 PM
  • There is an omission in the netsh documentation section for remoteip (and it may affect other variables that can accept a list of values)

    "You can specify multiple entries for remoteip by separating them with a comma. Do not include any spaces."

    As Pedro and others have found, if you try to add multiple subnets for remote IP with this command:
    netsh advfirewall firewall set rule name="Windows Backup (RPC)" dir=in new remoteip=10.1.0.0/16,192.168.1.0/24

    You will receive the error

    A specified value is not valid.

    If you put quote marks around the list items, it will work:

    PS C:\Users\Administrator> netsh advfirewall firewall set rule name="Windows Backup (RPC)" dir=in new remoteip="10.1.0.0/16,192.168.1.0/24"
    Updated 1 rule(s).
    Ok.
    PS C:\Users\Administrator>
    • Proposed as answer by ridicully Thursday, May 03, 2012 2:46 AM
    Thursday, May 03, 2012 2:46 AM
  • I enclosed my subnets in quotes,

    netsh advfirewall firewall set rule name="Windows Internet Naming Service (WINS) (NB-Name-UDP-In)" remoteip="10.100.0.0/16,10.101.0.0/16,10.102.0.0/16"

    and still I got the Usage message and no updates to my rule. When I reviewed the syntax, I noticed the first line of the error message:

    "For 'set' commands, the 'new' keyword must be present and must not be the last argument provided."

    And later in the Usage text:

    - Values after the new keyword are updated in the rule.  If there are
      no values, or keyword new is missing, no changes are made.

    I added the "new" keyword:

    netsh advfirewall firewall set rule name="Windows Internet Naming Service (WINS) (NB-Name-UDP-In)" new remoteip="10.100.0.0/16,10.101.0.0/16,10.102.0.0/16"

    and that was all I needed.


    --Geoff

    Monday, April 14, 2014 7:18 PM
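  • Editor's note. The thread above settles on three rules for "netsh advfirewall firewall": the remoteip list is comma-separated with no spaces and, from PowerShell, quoted (an unquoted a,b,c in PowerShell is an array and reaches netsh as several arguments, which is the "A specified value is not valid." failure; in cmd.exe only the spaces matter); 'set rule' needs the 'new' keyword, and not as the last argument; and 'set rule ... new remoteip=' replaces the whole list, so there is no append. The PowerShell below is an added example written for this page, not code posted in the thread or shipped by Microsoft. It goes a little beyond the posts: it appends to an existing rule by read-merge-write, and it loads a text file of addresses into several rules so that long lists (Oystein's 700 entries) never exceed a single command line. The rule-name prefix, the chunk size, the file path and the English netsh output labels ("Rule Name:", "RemoteIP:") are assumptions; run it from an elevated PowerShell.

```powershell
# Added example, not code from this thread. Helpers around "netsh advfirewall
# firewall" that apply the fixes found in the thread:
#   - the remoteip list is built with commas and no spaces and handed to netsh
#     as ONE argument (an unquoted a,b,c in PowerShell is an array and reaches
#     netsh as several arguments: "A specified value is not valid.")
#   - 'set rule' always carries 'new', never as the last argument
#   - 'set rule ... new remoteip=' replaces the list, so appending is read-merge-write
#   - long lists are split across several rules so no command line gets too long
# Assumptions: English netsh output labels ("Rule Name:", "RemoteIP:"), the
# rule-name prefix and the chunk size; run from an elevated PowerShell.

$script:Ipv4Entry = '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2}|/\d{1,3}(\.\d{1,3}){3}|-\d{1,3}(\.\d{1,3}){3})?$'

function Test-RemoteIpEntry {
    # IPv4 host, host/prefix, host/mask or first-last range, or a netsh keyword
    param([string]$Entry)
    return ($Entry -match $script:Ipv4Entry) -or
           ($Entry -match '^(any|localsubnet|dns|dhcp|wins|defaultgateway)$')
}

function Invoke-Netsh {
    # Runs netsh and turns a non-zero exit code into an exception carrying its output
    param([string[]]$Arguments)
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed: $(($out | Out-String).Trim())"
    }
    return $out
}

function Get-NetshRemoteIp {
    # Current remoteip list of a rule as an array; empty array when it is 'Any'
    param([string]$RuleName)
    $out  = Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', "name=$RuleName")
    $line = $out | Where-Object { $_ -match '^RemoteIP:' } | Select-Object -First 1
    if (-not $line) { throw "Rule '$RuleName' has no RemoteIP line in netsh output" }
    $value = ($line -replace '^RemoteIP:\s*', '').Trim()
    if ($value -ieq 'Any') { return @() }
    return @($value -split ',' | ForEach-Object { $_.Trim() })
}

function Add-NetshRemoteIp {
    # Append entries to a rule's remoteip list (netsh itself has no append verb)
    param([string]$RuleName, [string[]]$Entries)
    $bad = @($Entries | Where-Object { -not (Test-RemoteIpEntry $_) })
    if ($bad.Count) { throw "Malformed entries: $($bad -join ', ')" }
    $merged = @(@(Get-NetshRemoteIp $RuleName) + $Entries | Sort-Object -Unique)
    $list = $merged -join ','   # comma-separated, no spaces, one argument
    Invoke-Netsh @('advfirewall', 'firewall', 'set', 'rule', "name=$RuleName",
                   'new', "remoteip=$list") | Out-Null
    return $merged
}

function Import-NetshRemoteIpList {
    # Create inbound block rules "<Prefix> (1)", "<Prefix> (2)", ... from a text
    # file with one host/subnet/range per line; lines starting with '#' are comments
    param(
        [string]$Path,
        [string]$RulePrefix = 'Blocklist',   # assumed prefix
        [int]$ChunkSize = 100                 # assumed; keeps each command line short
    )
    $entries = @(Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Sort-Object -Unique)
    $bad = @($entries | Where-Object { -not (Test-RemoteIpEntry $_) })
    if ($bad.Count) { throw "Malformed entries in ${Path}: $($bad -join ', ')" }

    # Drop rules from an earlier import so a shrinking list leaves no stale chunk
    $stale = Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', 'name=all') |
        ForEach-Object { if ($_ -match '^Rule Name:\s+(.+?)\s*$') { $Matches[1] } } |
        Where-Object { $_ -like "$RulePrefix (*)" }
    foreach ($name in $stale) {
        Invoke-Netsh @('advfirewall', 'firewall', 'delete', 'rule', "name=$name") | Out-Null
    }

    $created = @()
    for ($i = 0; $i -lt $entries.Count; $i += $ChunkSize) {
        $last = [Math]::Min($i + $ChunkSize, $entries.Count) - 1
        $name = '{0} ({1})' -f $RulePrefix, ([int]($i / $ChunkSize) + 1)
        $list = $entries[$i..$last] -join ','
        Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$name",
                       'dir=in', 'action=block', "remoteip=$list") | Out-Null
        $created += $name
    }
    return $created
}

# Usage (elevated; paths and names are assumptions):
#   Import-NetshRemoteIpList -Path 'C:\fw\blocklist.txt' -RulePrefix 'Blocklist'
#   Add-NetshRemoteIp -RuleName 'Windows Backup (RPC)' -Entries '10.1.0.0/16','192.168.1.0/24'
```

    Each netsh argument is passed as a separate array element, so a rule name with spaces arrives as one argument and the comma list is never split by PowerShell. Validation rejects anything that is not an IPv4 host, subnet, range or netsh keyword before it reaches the firewall, so a stray line in the file fails the import instead of silently producing a wrong rule; the chunking means the Windows Firewall console shows several "Blocklist (n)" rules rather than one.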