/****************************************************************** AddPortException ********************************************************************/ static HRESULT AddPortException( __in LPCWSTR wzName, __in int iProfile, __in_opt LPCWSTR wzRemoteAddresses, __in BOOL fIgnoreFailures, __in LPCWSTR wzPort, __in int iProtocol, __in LPCWSTR wzDescription ) { HRESULT hr = S_OK; BSTR bstrName = NULL; INetFwRules* pNetFwRules = NULL; INetFwRule* pNetFwRule = NULL; // convert to BSTRs to make COM happy bstrName = ::SysAllocString(wzName); ExitOnNull(bstrName, hr, E_OUTOFMEMORY, "failed SysAllocString for name"); // get the collection of firewall rules hr = GetFirewallRules(fIgnoreFailures, &pNetFwRules); ExitOnFailure(hr, "failed to get firewall rules object"); if (S_FALSE == hr) // user or package author chose to ignore missing firewall { ExitFunction(); } // try to find it (i.e., support reinstall) hr = pNetFwRules->Item(bstrName, &pNetFwRule); if (HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND) == hr) { hr = CreateFwRuleObject(bstrName, iProfile, wzRemoteAddresses, wzPort, iProtocol, wzDescription, &pNetFwRule); ExitOnFailure(hr, "failed to create FwRule object"); // enable it hr = pNetFwRule->put_Enabled(VARIANT_TRUE); ExitOnFailure(hr, "failed to to enable port exception"); // add it to the list of authorized ports hr = pNetFwRules->Add(pNetFwRule); ExitOnFailure(hr, "failed to add app to the authorized ports list"); } else { // we found an existing port exception (if we succeeded, that is) ExitOnFailure(hr, "failed trying to find existing port rule"); // enable it (just in case it was disabled) pNetFwRule->put_Enabled(VARIANT_TRUE); } LExit: ReleaseBSTR(bstrName); ReleaseObject(pNetFwRules); ReleaseObject(pNetFwRule); return fIgnoreFailures ? S_OK : hr; }
int __cdecl main() { HRESULT hrComInit = S_OK; HRESULT hr = S_OK; INetFwPolicy2 *pNetFwPolicy2 = NULL; INetFwRules *pFwRules = NULL; INetFwRule *pFwRule = NULL; long CurrentProfilesBitMask = 0; // The rule name, description, and group are provided as indirect strings for // localization purposes. These resource strings can be found in the rc file BSTR bstrRuleName = SysAllocString(L"@Add_GRE_Rule.exe,-128"); BSTR bstrRuleDescription = SysAllocString(L"@Add_GRE_Rule.exe,-129"); BSTR bstrRuleGroup = SysAllocString(L"@Add_GRE_Rule.exe,-127"); // Error checking for BSTR allocations if (NULL == bstrRuleName) { printf("Failed to allocate bstrRuleName\n"); goto Cleanup; } if (NULL == bstrRuleDescription) { printf("Failed to allocate bstrRuleDescription\n"); goto Cleanup; } if (NULL == bstrRuleGroup) { printf("Failed to allocate bstrRuleGroup\n"); goto Cleanup; } // Initialize COM. hrComInit = CoInitializeEx( 0, COINIT_APARTMENTTHREADED ); // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been // initialized with a different mode. Since we don't care what the mode is, // we'll just use the existing mode. if (hrComInit != RPC_E_CHANGED_MODE) { if (FAILED(hrComInit)) { printf("CoInitializeEx failed: 0x%08lx\n", hrComInit); goto Cleanup; } } // Retrieve INetFwPolicy2 hr = WFCOMInitialize(&pNetFwPolicy2); if (FAILED(hr)) { goto Cleanup; } // Retrieve INetFwRules hr = pNetFwPolicy2->get_Rules(&pFwRules); if (FAILED(hr)) { printf("get_Rules failed: 0x%08lx\n", hr); goto Cleanup; } // Retrieve Current Profiles bitmask hr = pNetFwPolicy2->get_CurrentProfileTypes(&CurrentProfilesBitMask); if (FAILED(hr)) { printf("get_CurrentProfileTypes failed: 0x%08lx\n", hr); goto Cleanup; } // When possible we avoid adding firewall rules to the Public profile. // If Public is currently active and it is not the only active profile, we remove it from the bitmask if ((CurrentProfilesBitMask & NET_FW_PROFILE2_PUBLIC) && (CurrentProfilesBitMask != NET_FW_PROFILE2_PUBLIC)) { CurrentProfilesBitMask ^= NET_FW_PROFILE2_PUBLIC; } // Create a new Firewall Rule object. hr = CoCreateInstance( __uuidof(NetFwRule), NULL, CLSCTX_INPROC_SERVER, __uuidof(INetFwRule), (void**)&pFwRule); if (FAILED(hr)) { printf("CoCreateInstance for Firewall Rule failed: 0x%08lx\n", hr); goto Cleanup; } // Populate the Firewall Rule Name hr = pFwRule->put_Name(bstrRuleName); if (FAILED(hr)) { printf("put_Name failed: 0x%08lx\n", hr); goto Cleanup; } // Populate the Firewall Rule Description hr = pFwRule->put_Description(bstrRuleDescription); if (FAILED(hr)) { printf("put_Description failed: 0x%08lx\n", hr); goto Cleanup; } // Populate the Firewall Rule Protocol hr = pFwRule->put_Protocol(47); if (FAILED(hr)) { printf("put_Protocol failed: 0x%08lx\n", hr); goto Cleanup; } // Populate the Firewall Rule Group hr = pFwRule->put_Grouping(bstrRuleGroup); if (FAILED(hr)) { printf("put_Grouping failed: 0x%08lx\n", hr); goto Cleanup; } // Populate the Firewall Rule Profiles hr = pFwRule->put_Profiles(CurrentProfilesBitMask); if (FAILED(hr)) { printf("put_Profiles failed: 0x%08lx\n", hr); goto Cleanup; } // Populate the Firewall Rule Action hr = pFwRule->put_Action(NET_FW_ACTION_ALLOW); if (FAILED(hr)) { printf("put_Action failed: 0x%08lx\n", hr); goto Cleanup; } // Populate the Firewall Rule Enabled hr = pFwRule->put_Enabled(VARIANT_TRUE); if (FAILED(hr)) { printf("put_Enabled failed: 0x%08lx\n", hr); goto Cleanup; } // Add the Firewall Rule hr = pFwRules->Add(pFwRule); if (FAILED(hr)) { printf("Firewall Rule Add failed: 0x%08lx\n", hr); goto Cleanup; } Cleanup: // Free BSTR's SysFreeString(bstrRuleName); SysFreeString(bstrRuleDescription); SysFreeString(bstrRuleGroup); // Release the INetFwRule object if (pFwRule != NULL) { pFwRule->Release(); } // Release the INetFwRules object if (pFwRules != NULL) { pFwRules->Release(); } // Release the INetFwPolicy2 object if (pNetFwPolicy2 != NULL) { pNetFwPolicy2->Release(); } // Uninitialize COM. if (SUCCEEDED(hrComInit)) { CoUninitialize(); } return 0; }
/****************************************************************** RemoveException - Removes the exception rule with the given name. ********************************************************************/ static HRESULT RemoveException( __in LPCWSTR wzName, __in BOOL fIgnoreFailures ) { HRESULT hr = S_OK;; INetFwRules* pNetFwRules = NULL; // convert to BSTRs to make COM happy BSTR bstrName = ::SysAllocString(wzName); ExitOnNull(bstrName, hr, E_OUTOFMEMORY, "failed SysAllocString for path"); // get the collection of firewall rules hr = GetFirewallRules(fIgnoreFailures, &pNetFwRules); ExitOnFailure(hr, "failed to get firewall rules object"); if (S_FALSE == hr) // user or package author chose to ignore missing firewall { ExitFunction(); } hr = pNetFwRules->Remove(bstrName); ExitOnFailure(hr, "failed to remove authorized app"); LExit: ReleaseBSTR(bstrName); ReleaseObject(pNetFwRules); return fIgnoreFailures ? S_OK : hr; }
ErrorCode FirewallSecurityProvider::RemoveFirewallRule( wstring const & policyName) { #if defined(PLATFORM_UNIX) return CleanupRulesForAllProfiles(policyName, 0); #else if (this->State.Value != FabricComponentState::Opened) { WriteInfo( TraceFirewallSecurityProvider, Root.TraceId, "FirewallSecurityProvider cannot remove rule '{0}' since provider is not open", policyName); return ErrorCode(ErrorCodeValue::OperationFailed); } HRESULT hr = S_OK; hr = CoInitializeEx( 0, COINIT_MULTITHREADED ); if (FAILED(hr)) { ErrorCode error = ErrorCode::FromHResult(hr); WriteError(TraceFirewallSecurityProvider, Root.TraceId, "Failed to create CoInitialize {0}", error); return error; } INetFwPolicy2* fwPolicy; hr = CoCreateInstance( __uuidof(NetFwPolicy2), NULL, CLSCTX_INPROC_SERVER, __uuidof(INetFwPolicy2), (void**)&fwPolicy); if (FAILED(hr)) { ErrorCode error = ErrorCode::FromHResult(hr); WriteError(TraceFirewallSecurityProvider, Root.TraceId, "Failed to create INetFwPolicy2 {0}", error); return error; } INetFwRules *pFwRules = NULL; // Retrieve INetFwRules hr = fwPolicy->get_Rules(&pFwRules); if (FAILED(hr)) { WriteWarning( TraceFirewallSecurityProvider, Root.TraceId, "Failed to get firewall rules, hresult {0}", hr); return ErrorCode::FromHResult(hr); } else { auto error = CleanupRulesForAllProfiles(policyName, pFwRules); WriteTrace( error.ToLogLevel(), TraceFirewallSecurityProvider, Root.TraceId, "Removing firewall rules for policy {0} returned error {1}", policyName, error); // Release the INetFwRules object if (pFwRules != NULL) { pFwRules->Release(); } if (fwPolicy != NULL) { fwPolicy->Release(); } return error; } #endif }
ErrorCode FirewallSecurityProvider::ConfigurePortFirewallPolicy( wstring const & policyName, vector<LONG> ports) { if (this->State.Value != FabricComponentState::Opened) { WriteInfo( TraceFirewallSecurityProvider, Root.TraceId, "FirewallSecurityProvider cannot open ports for policy '{0}' since provider is not open", policyName); return ErrorCode(ErrorCodeValue::OperationFailed); } HRESULT hr = S_OK; #if defined(PLATFORM_UNIX) auto err = CleanupRulesForAllProfiles(policyName, 0); if (!err.IsSuccess()) { WriteInfo( TraceFirewallSecurityProvider, Root.TraceId, "Failed to remove firewall rule, error {0}, rulename", err, policyName); } wstring ruleDescription = wformatString("Rule for WindowsFabric service package {0}", policyName); for (auto it = profilesEnabled_.begin(); it != profilesEnabled_.end() && SUCCEEDED(hr); ++it) { for (auto iter = ports.begin(); iter != ports.end(); ++iter) { for (auto it1 = allprotocols_.begin(); it1 != allprotocols_.end(); it1++) { hr = this->AddRule(0, FirewallSecurityProvider::GetFirewallRuleName(policyName, false, *it, *it1), ruleDescription, *it, *it1, *iter, false); if (SUCCEEDED(hr)) { hr = this->AddRule(0, FirewallSecurityProvider::GetFirewallRuleName(policyName, true, *it, *it1), ruleDescription, *it, *it1, *iter, true); } if (FAILED(hr)) { break; } } } } return ErrorCode::FromHResult(hr); #else hr = CoInitializeEx( 0, COINIT_MULTITHREADED ); if (FAILED(hr)) { ErrorCode error = ErrorCode::FromHResult(hr); WriteError(TraceFirewallSecurityProvider, Root.TraceId, "Failed to create CoInitialize {0}", error); return error; } INetFwPolicy2* fwPolicy; hr = CoCreateInstance( __uuidof(NetFwPolicy2), NULL, CLSCTX_INPROC_SERVER, __uuidof(INetFwPolicy2), (void**)&fwPolicy); if (FAILED(hr)) { ErrorCode error = ErrorCode::FromHResult(hr); WriteError(TraceFirewallSecurityProvider, Root.TraceId, "Failed to create INetFwPolicy2 {0}", error); return error; } INetFwRules *pFwRules = NULL; LONG currentProfilesBitMask = 0; // Retrieve INetFwRules hr = fwPolicy->get_Rules(&pFwRules); if (FAILED(hr)) { WriteWarning( TraceFirewallSecurityProvider, Root.TraceId, "Failed to get firewall rules, hresult {0}", hr); } else { auto err = CleanupRulesForAllProfiles(policyName, pFwRules); if (!err.IsSuccess()) { WriteInfo( TraceFirewallSecurityProvider, Root.TraceId, "Failed to remove firewall rule, error {0}, rulename", err, policyName); } // Retrieve Current Profiles bitmask hr = fwPolicy->get_CurrentProfileTypes(¤tProfilesBitMask); if (SUCCEEDED(hr)) { wstring ruleDescription = wformatString("Rule for WindowsFabric service package {0}", policyName); bool currentUserProfileEnabled = false; for (auto it = profilesEnabled_.begin(); it != profilesEnabled_.end() && SUCCEEDED(hr); ++it) { for (auto iter = ports.begin(); iter != ports.end(); ++iter) { for (auto it1 = allprotocols_.begin(); it1 != allprotocols_.end(); it1++) { hr = this->AddRule( pFwRules, FirewallSecurityProvider::GetFirewallRuleName(policyName, false, *it, *it1), ruleDescription, *it, *it1, *iter, false); if (SUCCEEDED(hr)) { hr = this->AddRule( pFwRules, FirewallSecurityProvider::GetFirewallRuleName(policyName, true, *it, *it1), ruleDescription, *it, *it1, *iter, true); } if (FAILED(hr)) { break; } } } if (*it & currentProfilesBitMask) { currentUserProfileEnabled = true; } } if (!currentUserProfileEnabled) { WriteWarning( TraceFirewallSecurityProvider, Root.TraceId, "Did not enable firewallpolicy for current profile {0}", currentProfilesBitMask); } } else { WriteWarning( TraceFirewallSecurityProvider, Root.TraceId, "Failed to get current profile types, hresult {0}", hr); } // Release the INetFwRules object if (pFwRules != NULL) { pFwRules->Release(); } if (fwPolicy != NULL) { fwPolicy->Release(); } } return ErrorCode::FromHResult(hr); #endif }
int __cdecl main() { HRESULT hrComInit = S_OK; HRESULT hr = S_OK; ULONG cFetched = 0; CComVariant var; IUnknown *pEnumerator; IEnumVARIANT* pVariant = NULL; INetFwPolicy2 *pNetFwPolicy2 = NULL; INetFwRules *pFwRules = NULL; INetFwRule *pFwRule = NULL; long fwRuleCount; // Initialize COM. hrComInit = CoInitializeEx( 0, COINIT_APARTMENTTHREADED ); // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been // initialized with a different mode. Since we don't care what the mode is, // we'll just use the existing mode. if (hrComInit != RPC_E_CHANGED_MODE) { if (FAILED(hrComInit)) { wprintf(L"CoInitializeEx failed: 0x%08lx\n", hrComInit); goto Cleanup; } } // Retrieve INetFwPolicy2 hr = WFCOMInitialize(&pNetFwPolicy2); if (FAILED(hr)) { goto Cleanup; } // Retrieve INetFwRules hr = pNetFwPolicy2->get_Rules(&pFwRules); if (FAILED(hr)) { wprintf(L"get_Rules failed: 0x%08lx\n", hr); goto Cleanup; } // Obtain the number of Firewall rules hr = pFwRules->get_Count(&fwRuleCount); if (FAILED(hr)) { wprintf(L"get_Count failed: 0x%08lx\n", hr); goto Cleanup; } wprintf(L"The number of rules in the Windows Firewall are %d\n", fwRuleCount); // Iterate through all of the rules in pFwRules pFwRules->get__NewEnum(&pEnumerator); if(pEnumerator) { hr = pEnumerator->QueryInterface(__uuidof(IEnumVARIANT), (void **) &pVariant); } while(SUCCEEDED(hr) && hr != S_FALSE) { var.Clear(); hr = pVariant->Next(1, &var, &cFetched); if (S_FALSE != hr) { if (SUCCEEDED(hr)) { hr = var.ChangeType(VT_DISPATCH); } if (SUCCEEDED(hr)) { hr = (V_DISPATCH(&var))->QueryInterface(__uuidof(INetFwRule), reinterpret_cast<void**>(&pFwRule)); } if (SUCCEEDED(hr)) { // Output the properties of this rule DumpFWRulesInCollection(pFwRule); } } } Cleanup: // Release pFwRule if (pFwRule != NULL) { pFwRule->Release(); } // Release INetFwPolicy2 if (pNetFwPolicy2 != NULL) { pNetFwPolicy2->Release(); } // Uninitialize COM. if (SUCCEEDED(hrComInit)) { CoUninitialize(); } return 0; }