TCP/IP filtering via script or batch file

Leonid

Does anybody have experience with how to open/close TCP/IP ports on an XPe box
using batch or script files?

Thanks
Leonid
 
Sean Gahan

Leonid,
If you included ICF in your build, then you may use the icfutil tool
developed by MS. You can find out about it in the NG:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&q=icfutil&btnG=Search or
on the icfutil website:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnxpesp1/html/icf_enable.asp
or, if you want to script it:

OPTION EXPLICIT

DIM ICSSC_DEFAULT, CONNECTION_PUBLIC, CONNECTION_PRIVATE, CONNECTION_ALL
DIM NetSharingManager
DIM PublicConnection, PrivateConnection
DIM EveryConnectionCollection

DIM objArgs
DIM con

ICSSC_DEFAULT = 0
CONNECTION_PUBLIC = 0
CONNECTION_PRIVATE = 1
CONNECTION_ALL = 2

Main( )

sub Main( )
    Set objArgs = WScript.Arguments
    ' Name of the connection to put ICF on. Set it here, or uncomment the
    ' argument handling below to take it from the command line instead.
    con = "NAME_OF_WAN_CONNECTION"
    ' if objArgs.Count = 1 then
    '     con = objArgs(0)

    ' WScript.Echo con

    if Initialize() = TRUE then
        GetConnectionObjects()
        FirewallTestByName(con)
    end if
    ' else
    '     DIM szMsg
    '     szMsg = "Invalid usage! Please provide the name of the connection as the argument." & chr(13) & chr(13) & _
    '         "Usage:" & chr(13) & _
    '         "    " + WScript.scriptname + " " + chr(34) + "Connection Name" + chr(34)
    '     WScript.Echo( szMsg )
    ' end if

end sub


sub FirewallTestByName(conName)
    on error resume next
    DIM Item
    DIM EveryConnection
    DIM objNCProps
    DIM szMsg
    DIM bFound

    ' Walk every connection, match on name (case-insensitive) and enable ICF on it
    bFound = false
    for each Item in EveryConnectionCollection
        set EveryConnection = NetSharingManager.INetSharingConfigurationForINetConnection(Item)
        set objNCProps = NetSharingManager.NetConnectionProps(Item)
        if (ucase(conName) = ucase(objNCProps.Name)) then
            szMsg = "Enabling Firewall on connection:" & chr(13) & _
                "Name: " & objNCProps.Name & chr(13) & _
                "Guid: " & objNCProps.Guid & chr(13) & _
                "DeviceName: " & objNCProps.DeviceName & chr(13) & _
                "Status: " & objNCProps.Status & chr(13) & _
                "MediaType: " & objNCProps.MediaType

            ' WScript.Echo(szMsg)
            bFound = true
            EveryConnection.EnableInternetFirewall
            exit for
        end if
    next

    if( bFound = false ) then
        ' WScript.Echo( "Connection " & chr(34) & conName & chr(34) & " was not found" )
    end if

end sub

function Initialize()
    DIM bReturn
    bReturn = FALSE

    ' HNetCfg.HNetShare is the Home Networking (ICS/ICF) configuration COM object
    set NetSharingManager = Wscript.CreateObject("HNetCfg.HNetShare.1")
    if (IsObject(NetSharingManager)) = FALSE then
        ' Wscript.Echo("Unable to get the HNetCfg.HnetShare.1 object")
    else
        if (IsNull(NetSharingManager.SharingInstalled) = TRUE) then
            ' Wscript.Echo("Sharing isn't available on this platform.")
        else
            bReturn = TRUE
        end if
    end if
    Initialize = bReturn
end function

function GetConnectionObjects()
    DIM bReturn
    DIM Item

    bReturn = TRUE

    if GetConnection(CONNECTION_PUBLIC) = FALSE then
        bReturn = FALSE
    end if

    if GetConnection(CONNECTION_PRIVATE) = FALSE then
        bReturn = FALSE
    end if

    if GetConnection(CONNECTION_ALL) = FALSE then
        bReturn = FALSE
    end if

    GetConnectionObjects = bReturn

end function


function GetConnection(CONNECTION_TYPE)
    DIM bReturn
    DIM Connection
    DIM Item
    bReturn = TRUE

    ' Public and private connections must be unique; "all" may return several
    if (CONNECTION_PUBLIC = CONNECTION_TYPE) then
        set Connection = NetSharingManager.EnumPublicConnections(ICSSC_DEFAULT)
        if (Connection.Count > 0) and (Connection.Count < 2) then
            for each Item in Connection
                set PublicConnection = NetSharingManager.INetSharingConfigurationForINetConnection(Item)
            next
        else
            bReturn = FALSE
        end if
    elseif (CONNECTION_PRIVATE = CONNECTION_TYPE) then
        set Connection = NetSharingManager.EnumPrivateConnections(ICSSC_DEFAULT)
        if (Connection.Count > 0) and (Connection.Count < 2) then
            for each Item in Connection
                set PrivateConnection = NetSharingManager.INetSharingConfigurationForINetConnection(Item)
            next
        else
            bReturn = FALSE
        end if
    elseif (CONNECTION_ALL = CONNECTION_TYPE) then
        set Connection = NetSharingManager.EnumEveryConnection
        if (Connection.Count > 0) then
            set EveryConnectionCollection = Connection
        else
            bReturn = FALSE
        end if
    else
        bReturn = FALSE
    end if

    if (TRUE = bReturn) then

        if (Connection.Count = 0) then
            ' Wscript.Echo("No " + CStr(ConvertConnectionTypeToString(CONNECTION_TYPE)) + " connections exist (Connection.Count gave us 0)")
            bReturn = FALSE
        ' valid to have more than 1 connection returned from EnumEveryConnection
        elseif (Connection.Count > 1) and (CONNECTION_ALL <> CONNECTION_TYPE) then
            ' Wscript.Echo("ERROR: There was more than one " + ConvertConnectionTypeToString(CONNECTION_TYPE) + " connection (" + CStr(Connection.Count) + ")")
            bReturn = FALSE
        end if
    end if
    ' Wscript.Echo(CStr(Connection.Count) + " objects for connection type " + ConvertConnectionTypeToString(CONNECTION_TYPE))

    GetConnection = bReturn
end function

function ConvertConnectionTypeToString(ConnectionID)
    DIM ConnectionString

    if (ConnectionID = CONNECTION_PUBLIC) then
        ConnectionString = "public"
    elseif (ConnectionID = CONNECTION_PRIVATE) then
        ConnectionString = "private"
    elseif (ConnectionID = CONNECTION_ALL) then
        ConnectionString = "all"
    else
        ConnectionString = "Unknown: " + CStr(ConnectionID)
    end if

    ConvertConnectionTypeToString = ConnectionString
end function


Regards,

Sean Gahan
 
Leonid

Thanks Sean
1. Hopefully I included the ICF tool in my image. So I'll learn the topics you
sent.
2. Also, thanks for the script. One more question: Is driving the firewall
settings the same thing as TCP/IP filtering (advanced options for the network
card)?
Regards
Leonid
 
Doug Hoeffel

Leonid:

I've set up TCP/IP port filtering via WMI. I'm out of the office this week,
so if I can get access to my source code I'll post the code.

HTH
.... Doug
 
Sean Gahan

Leonid,
1. If you are not familiar with icfutil, then most likely it is not in
your image.
2. You are welcome for the script. I would assume that if you set up an IP
filter, this would act as a firewall, but I have not worked with the filters
on a Windows box and so I cannot say with certainty.

BTW: I am very interested in seeing what Doug posts.

Regards,

Sean Gahan
 
Doug Hoeffel

This works for me. You will need to modify the reg strings for your network
driver:

================================================
Set WMIInterface = CreateObject("WbemScripting.SWbemLocator")
Set WMIServiceInterface = WMIInterface.ConnectServer(".", "Root\cimv2", "", "")


' Turn TCP/IP filtering on, then set the permit lists on one adapter.
' tcpPortString / udpPortString / protocolString are space-separated lists of
' the inbound TCP ports, UDP ports and IP protocol numbers that stay open.
Function SetFilterPorts(adapterIndex, tcpPortString, udpPortString, protocolString)
    queryString = "select * from Win32_NetworkAdapterConfiguration where Index = " & adapterIndex

    Dim retStatus
    retStatus = -1
    Set oNetAdapterCfg = WMIServiceInterface.Get("Win32_NetworkAdapterConfiguration")

    ' EnableIPFilterSec is a static (class-level) method, hence ExecMethod_ on the class object
    Set oMethodEnableFilterSec = oNetAdapterCfg.Methods_.Item("EnableIPFilterSec")
    Set oInParam = oMethodEnableFilterSec.InParameters.SpawnInstance_()

    oInParam.IPFilterSecurityEnabled = TRUE

    Set oOutParam = oNetAdapterCfg.ExecMethod_(oMethodEnableFilterSec.Name, oInParam)
    ' 0 = success, 1 = success but a reboot is required
    If oOutParam.ReturnValue = 0 or oOutParam.ReturnValue = 1 Then
        Set cards = WMIServiceInterface.ExecQuery(queryString)
        ' Trim first so a trailing space does not become an empty port entry
        tcpPortArray = Split(Trim(tcpPortString))
        udpPortArray = Split(Trim(udpPortString))
        protocolArray = Split(Trim(protocolString))

        For Each objCard In cards
            retStatus = objCard.EnableIPSec(tcpPortArray, udpPortArray, protocolArray)
        Next
    End If
    SetFilterPorts = retStatus
End Function


' Find the WMI adapter index for this NIC via the driver's registry entries.
' E100E is the service name of the network driver; use your own driver's name.
Set WshShell = CreateObject("WScript.Shell")
vendor = WshShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\E100E\Enum\0")
driverID = WshShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Enum\" & vendor & "\Driver")
' Driver value looks like "{class-GUID}\0001"; the number after the backslash is the index
myArray = Split(driverID, "\")
netIndex = CLng(myArray(1))

' set the TCP, UDP, and IP port filtering
rc = SetFilterPorts(netIndex, "20 21 23 104 139 700 5631 10113 10114 10115", "137 138 5632", "6 17")
===========================================

HTH... Doug
 
Sean Gahan

Doug,

1. Thank you for the script, it rocks!
2. Do you use this as a firewall?
Regards,

Sean Gahan
 
Doug Hoeffel

Sean:

Basically yes I use this as a firewall. The image that I deployed last year
did not have ICF. This kind of port filtering has protected me from most
but not all viruses.

HTH... Doug
 
Leonid

Thank you guys for your reply.
One more question:
What will happen if I have several (for example 2 LAN cards: wired and
wireless)?

Leonid
 
Doug Hoeffel

Leonid:

I think you will need to add port filtering on all interfaces separately.

HTH
.... Doug
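Editor's added example (not code from Doug or anyone else in the thread): the script below extends Doug's WMI approach to the multi-interface case Leonid asks about. Instead of deriving one adapter index from the driver's registry keys, it queries every IP-enabled Win32_NetworkAdapterConfiguration instance, calls EnableIPFilterSec once (that switch is system-wide), then calls EnableIPSec on each adapter (the permit lists are per adapter) and reads the resulting IPFilterSecurityEnabled and IPSecPermit* properties back so the result can be checked. The port and protocol lists are constructed sample values, not a recommendation. Two things worth knowing before using it: TCP/IP filtering acts on inbound traffic only and keeps no connection state, so it is not a substitute for a stateful firewall; and permitting only IP protocols 6 and 17 (as in Doug's call) also drops ICMP, which is why the sample list adds protocol 1. If you run this over a remote session, keep the port you are connected on in the TCP list or you will cut yourself off.

```vbscript
' Added example: apply Windows TCP/IP filtering to every IP-enabled adapter
' via WMI and read the settings back. Run with cscript on the XP/XPe box as
' an administrator. The permit lists below are constructed sample values.
Option Explicit

' Space-separated permit lists for inbound traffic. Per the
' Win32_NetworkAdapterConfiguration documentation, a list containing only
' "0" means "permit all ports" for that protocol.
Const PERMIT_TCP = "21 23 139 3389"
Const PERMIT_UDP = "137 138"
Const PERMIT_IP  = "1 6 17"          ' ICMP, TCP, UDP

Dim objWMI, objClass, colCfgs, objCfg, rc, rebootNeeded

Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' 1. The on/off switch is a static (class-level) method and applies to all
'    adapters. Return codes: 0 = OK, 1 = OK but reboot required, else failure.
Set objClass = objWMI.Get("Win32_NetworkAdapterConfiguration")
rc = objClass.EnableIPFilterSec(True)
If rc <> 0 And rc <> 1 Then
    WScript.Echo "EnableIPFilterSec failed with return code " & rc
    WScript.Quit 1
End If
rebootNeeded = (rc = 1)

' 2. The permit lists are per adapter, so every IP-enabled interface
'    (wired, wireless, ...) gets the same lists applied in turn.
Set colCfgs = objWMI.ExecQuery( _
    "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE")
For Each objCfg In colCfgs
    rc = objCfg.EnableIPSec(Split(PERMIT_TCP), Split(PERMIT_UDP), Split(PERMIT_IP))
    WScript.Echo "Index " & objCfg.Index & " (" & objCfg.Description & _
                 "): EnableIPSec returned " & rc
    If rc = 1 Then rebootNeeded = True
Next

' 3. Read the configuration back so the result can be verified and logged.
Set colCfgs = objWMI.ExecQuery( _
    "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE")
For Each objCfg In colCfgs
    WScript.Echo "Index " & objCfg.Index & ": IPFilterSecurityEnabled=" & _
                 objCfg.IPFilterSecurityEnabled
    WScript.Echo "  TCP ports:    " & ListOrNone(objCfg.IPSecPermitTCPPorts)
    WScript.Echo "  UDP ports:    " & ListOrNone(objCfg.IPSecPermitUDPPorts)
    WScript.Echo "  IP protocols: " & ListOrNone(objCfg.IPSecPermitIPProtocols)
Next

If rebootNeeded Then WScript.Echo "A reboot is required before the filter takes effect."

' Render an array-valued WMI property for display; it is Null when unset.
Function ListOrNone(arr)
    If IsNull(arr) Then
        ListOrNone = "(none)"
    ElseIf UBound(arr) < 0 Then
        ListOrNone = "(empty)"
    Else
        ListOrNone = Join(arr, " ")
    End If
End Function
```

After a reboot, confirm the lists under Network Connections > adapter > Properties > TCP/IP > Advanced > Options > TCP/IP filtering match what the script echoed, and test name resolution and any service you rely on from another host, since UDP replies arriving on ports that are not in the permit list are dropped just like unsolicited traffic.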
 
