4.2 Adding a Firewall Rule
Once the client has a handle to an open policy store, the client can perform operations on the policy store. The protocol sequence that adds a firewall rule to the policy store is as follows.
Figure 3: Adding a firewall rule
To add a firewall rule, the client application first fills an FW_RULE structure. The following examples fill this structure to represent a rule to allow inbound traffic to port 80 for the "c:\servers\MyWebServer.exe" application, which is also a service with the WebServerSVC name. The example also places this rule in the "HTTPWebServer" rule group.
-
FW_PORT_RANGE Port = {80,80}; FW_RULE HTTPRule = { struct _tag_FW_RULE *pNext = NULL; WORD wSchemaVersion = 0x0200; WCHAR* wszRuleId = L"{d439709f-d8ec-4d2e-b615-4cfcd9bacc05}"; WCHAR* wszName = L"Web server requests"; WCHAR* wszDescription = L"This rule allows incoming HTTP server requests"; DWORD dwProfiles = FW_PROFILE_TYPE_ALL; FW_DIRECTION Direction = FW_DIR_IN; WORD wIpProtocol = 0x0006; FW_PORTS LocalPorts = {0x0000, {1, &Port}}; FW_PORTS RemotePorts = {0}; FW_ADDRESSES LocalAddresses = {0}; FW_ADDRESSES RemoteAddresses = {0}; FW_INTERFACE_LUIDS LocalInterfaceIds = {0}; DWORD dwLocalInterfaceTypes = 0; WCHAR* wszLocalApplication = L"c:\servers\MyWebServer.exe"; WCHAR* wszLocalService = L"WebServerSVC"; FW_RULE_ACTION Action = FW_RULE_ACTION_ALLOW; WORD wFlags = FW_RULE_FLAGS_ACTIVE; WCHAR* wszRemoteMachineAuthorizationList = NULL; WCHAR* wszRemoteUserAuthorizationList = NULL; WCHAR* wszEmbeddedContext = L"HTTP WebServer"; FW_OS_PLATFORM_LIST PlatformValidityList = {0}; FW_RULE_STATUS Status = FW_RULE_STATUS_OK; FW_RULE_ORIGIN_TYPE Origin = 0; WCHAR* wszGPOName =NULL; DWORD Reserved = 0; PFW_OBJECT_METADATA pMetaData = NULL; };
Once the FW_RULE structure is filled out, the client can simply invoke the RPC RRPC_FWAddFirewallRule method, passing the required parameters as follows.
-
DWORD RRPC_FWAddFirewallRule( [in] FW_CONN_HANDLE rpcConnHandle = rpcBinding, [in] FW_POLICY_STORE_HANDLE hPolicyStore = hStore, [in] PFW_RULE pRule = &HTTPRule );
If the return code is FW_ERROR_ALREADY_EXISTS, the rule exists in the store. The client can try using a different Rule ID or bubble up the error.