4.2 Adding a Firewall Rule

  • Article

Once the client has a handle to an open policy store, the client can perform operations on the policy store. The protocol sequence that adds a firewall rule to the policy store is as follows.

Adding a firewall rule

Figure 3: Adding a firewall rule

To add a firewall rule, the client application first fills an FW_RULE structure. The following examples fill this structure to represent a rule to allow inbound traffic to port 80 for the "c:\servers\MyWebServer.exe" application, which is also a service with the WebServerSVC name. The example also places this rule in the "HTTPWebServer" rule group.

 FW_PORT_RANGE Port = {80,80};
 FW_RULE  HTTPRule = 
 {
     struct _tag_FW_RULE *pNext = NULL;                
     WORD            wSchemaVersion = 0x0200;
     WCHAR*          wszRuleId = L"{d439709f-d8ec-4d2e-b615-4cfcd9bacc05}";
     WCHAR*          wszName = L"Web server requests";
     WCHAR*          wszDescription = L"This rule allows incoming HTTP server requests";
     DWORD           dwProfiles = FW_PROFILE_TYPE_ALL;
     FW_DIRECTION    Direction = FW_DIR_IN;
     WORD            wIpProtocol = 0x0006;
     FW_PORTS               LocalPorts = {0x0000, {1, &Port}};
     FW_PORTS               RemotePorts = {0};
  
     FW_ADDRESSES        LocalAddresses = {0};
     FW_ADDRESSES        RemoteAddresses = {0};
     FW_INTERFACE_LUIDS  LocalInterfaceIds = {0};
     DWORD               dwLocalInterfaceTypes = 0;
     WCHAR*              wszLocalApplication = L"c:\servers\MyWebServer.exe";
     WCHAR*              wszLocalService = L"WebServerSVC";
     FW_RULE_ACTION      Action = FW_RULE_ACTION_ALLOW;
     WORD                wFlags = FW_RULE_FLAGS_ACTIVE; 
  
     WCHAR*              wszRemoteMachineAuthorizationList = NULL;
     WCHAR*              wszRemoteUserAuthorizationList = NULL;
     WCHAR*              wszEmbeddedContext = L"HTTP WebServer";
     FW_OS_PLATFORM_LIST PlatformValidityList = {0};
     
     FW_RULE_STATUS      Status = FW_RULE_STATUS_OK;     
     FW_RULE_ORIGIN_TYPE Origin = 0;
     WCHAR*              wszGPOName =NULL;
     DWORD               Reserved = 0;
     PFW_OBJECT_METADATA    pMetaData = NULL;
 };
 

Once the FW_RULE structure is filled out, the client can simply invoke the RPC RRPC_FWAddFirewallRule method, passing the required parameters as follows.

    DWORD
    RRPC_FWAddFirewallRule(
         [in] FW_CONN_HANDLE          rpcConnHandle = rpcBinding,
         [in] FW_POLICY_STORE_HANDLE  hPolicyStore = hStore,
         [in] PFW_RULE           pRule = &HTTPRule
         );
 

If the return code is FW_ERROR_ALREADY_EXISTS, the rule exists in the store. The client can try using a different Rule ID or bubble up the error.