netsh advfirewall add- how to prevent multiple entries by command line

[SAIT]

Hi
I´m using a little script to enter "add rule" to the firewall in Win 7

f.e.

netsh advfirewall firewall add rule name="Firefox Updater" dir=out program="%ProgramFiles% (x86)\Mozilla Firefox\updater.exe" enable=yes profile=any action=allow

This works fine so far.
But if i start the script again, it will create the same rule AGAIN (with the same name and everything).

Can I prevent this? Maybe I need some unique identifier that prevents double entries?
Or should I better check - using some if/else commands - if a rule exists and if not add it (but how do i do THAT?).

I don´t want to create a lot of single script files, i just want to use one which i might extend with new entries if a new tool is coming along. I know this might not be the nicest solution for a security matter, but it´s fine for me

Aside from that, if someone is doing the same thing or something similar, are you still using the batch cmd or are you on Power Shell?


Thanks a lot!

 

[SAIT]

Anyone?
Maybe the idea isn´t very interesting?

 

[Jacee]

This shows how to set rules in Win 7 firewall How to Set Windows 7 Firewall Rules

 

[SAIT]

Thank you Jacee, but I already know how to set rules.
The command syntax from my previous post itself is right. My problem is that if I start it (f.e.) accidentally twice, i get 2 rules with the same name.

The solution I´m looking for is something like a unique identifier that prevents that from happening and return a "hey, you already got a out rule by that name, you can´t put another one in".

 

[bpetya]

Batch script to create/delete port rule in Win7 firewall

(...) My problem is that if I start it (f.e.) accidentally twice, i get 2 rules with the same name.

The solution I´m looking for is something like a unique identifier that prevents that from happening and return a "hey, you already got a out rule by that name, you can´t put another one in".

Hi,
I prefer batch cmd scripts for my tasks. The next script is an extensible solution to do the job for you, with your return message . I hope it's good for you.

The basic idea is: if you use the same name for the created rule all the times, first you must check if it exist or not. If exist: jump over; if not: create the rule.
I use command line parameters for job specification, and call a small subroutine for it.

On deleting, all the rules with the specified name are deleted!
Good luck!
P

[FONT=Courier New]@echo off[/FONT]
[FONT=Courier New]:: [/FONT]
[FONT=Courier New]:: Batch script to create and delete port rules in Win7 firewall[/FONT]
[FONT=Courier New]:: Created by Péter Barabás ([/FONT][FONT=Courier New]barabas_p(at)yahoo...[/FONT][FONT=Courier New])[/FONT]
[FONT=Courier New]::[/FONT]
[FONT=Courier New]setlocal[/FONT]
 
[FONT=Courier New]:: In the next two line, you can set the parameters for script:[/FONT]
[FONT=Courier New]set PORTNUMBER=4567[/FONT]
[FONT=Courier New]set RULENAME="Open MyPort %PORTNUMBER%"[/FONT]
 
[FONT=Courier New]:: Using command line parameter for selecting process:[/FONT]
[FONT=Courier New]if "%1"=="/o" call :_OpeningPort[/FONT]
[FONT=Courier New]if "%1"=="/d" call :_DelRules[/FONT]
[FONT=Courier New]if "%1"=="" echo No parameter. Exiting.[/FONT]
[FONT=Courier New]goto :EOF[/FONT]
 
[FONT=Courier New]:_OpeningPort[/FONT]
[FONT=Courier New]:: Opening Port on firewall:[/FONT]
[FONT=Courier New]netsh advfirewall firewall show rule name=%RULENAME% >nul[/FONT]
[FONT=Courier New]if not ERRORLEVEL 1 ([/FONT]
[FONT=Courier New]rem Rule %RULENAME% already exist.[/FONT]
[FONT=Courier New]echo Hey, you already got a out rule by that name, you can´t put another one in![/FONT]
[FONT=Courier New]) else ([/FONT]
[FONT=Courier New]echo Rule %RULENAME% not exist. Creating...[/FONT]
[FONT=Courier New]netsh advfirewall firewall add rule name=%RULENAME% dir=in action=allow protocol=TCP localport=%PORTNUMBER% remoteip=LocalSubnet profile=private interfacetype=lan[/FONT]
[FONT=Courier New])[/FONT]
[FONT=Courier New]goto :EOF[/FONT]
 
[FONT=Courier New]:_DelRules[/FONT]
[FONT=Courier New]:: Deleting enabled port:[/FONT]
[FONT=Courier New]netsh advfirewall firewall show rule name=%RULENAME% >nul[/FONT]
[FONT=Courier New]if not ERRORLEVEL 1 ([/FONT]
[FONT=Courier New]echo Rule %RULENAME% exist. Deleting...[/FONT]
[FONT=Courier New]netsh advfirewall firewall delete rule name=%RULENAME% protocol=tcp localport=%PORTNUMBER%[/FONT]
[FONT=Courier New]) else ([/FONT]
[FONT=Courier New]echo Rule %RULENAME% does not exist. [/FONT]
[FONT=Courier New])[/FONT]
[FONT=Courier New]goto :EOF[/FONT]

 

[SAIT]

Thank you Peter.
You´re solution has been very helpful and is already more advanced than what i intented to do. I just needed the check sequence.

So what this is how i proceed now when I want to add a new rule:
1. I copy an existing older block and paste it at the end of my file
2. I chance the Rulename and ProgPath variables to the new program i want to add
( i keep the rules very simple, nothing with ports etc...)
3. I run the script. The script checks the existence and reacts according to Peter´s code, then it goes on to the next rule block.

At the end i see the result in the CMD Box like this

Hey, you already got a out rule by that name, you cannot put another one in!
Hey, you already got a out rule by that name, you cannot put another one in!
Hey, you already got a out rule by that name, you cannot put another one in!
Rule "test" not exist. Creating...
OK.


It´s not the most elegant solution, someone might want to do this with a loop sequence, but I don´t know how and it works fine for me this way.

I don´t get any doublettes in my rule set this way PLUS
i can use the same script on a similar machine without changing the code. Before that I had to put a REM in front of each rule after i added it, which of course needed to be removed on new installations.

@echo off

:: -----------------------------------------------
Rem Rule - added on xxx.xxx.2011
set RULENAME="Firefox"
Set ProgPath="%ProgramFiles% (x86)\Mozilla Firefox\firefox.exe"

netsh advfirewall firewall show rule name=%RULENAME% >nul
if not ERRORLEVEL 1 (
rem Rule %RULENAME% already exist.
echo Hey, you already got a out rule by that name, you cannot put another one in!

) else (
echo Rule %RULENAME% not exist. Creating...
netsh advfirewall firewall add rule name=%RULENAME% dir=out program=%ProgPath% enable=yes profile=any action=allow description=%RULENAME% 
)
:: -----------------------------------------------


Rem Rule - added on xxx.xxx.2011
set RULENAME="Firefox Updater"
Set ProgPath="%ProgramFiles% (x86)\Mozilla Firefox\updater.exe"


netsh advfirewall firewall show rule name=%RULENAME% >nul
if not ERRORLEVEL 1 (
rem Rule %RULENAME% already exist.
echo Hey, you already got a out rule by that name, you cannot put another one in!

) else (
echo Rule %RULENAME% not exist. Creating...
netsh advfirewall firewall add rule name=%RULENAME% dir=out program=%ProgPath% enable=yes profile=any action=allow description=%RULENAME% 
)
:: -----------------------------------------------

If someone want to play along with this, please go ahead.
Thanks again for the help

 

[glenh]

Just delete the rule first. If it doesn't exist then no harm done