Firewall parameters and their values are not displayed the same way in the firewall GUI, the registry, and PowerShell cmdlets.
This document explains what is what by mapping PowerShell parameters to their GUI and registry equivalents.
In this document registry values are enclosed in parentheses.
In addition, it explains other parameters which are not self-explanatory or well documented and usually require searching to find out what they do.
Firewall Parameters
- Port(s) can be specified only for TCP/UDP
- The docs say ICMP Type/Code can be specified with the port parameter, but this doesn't work.
NOTE: According to the docs, IPHTTPS(Out\In) ports are only supported on Windows Server
| PowerShell | GUI |
|---|---|
| Any | All Ports |
| RPCEPMap | RPC Endpoint Mapper (RPC-EPMap) |
| RPC | RPC Dynamic Ports (RPC) |
| IPHTTPSIn | IPHTTPS (IPTLSIn, IPHTTPSIn) |
| PlayToDiscovery | PlayTo Discovery (sets LocalOnlyMapping to Ply2Disc) |
| Teredo | Edge Traversal (Teredo) |
| IPHTTPSOut | IPHTTPS (IPTLSOut, IPHTTPSOut) |
- Keywords can be restricted to IPv4 or IPv6 by appending a 4 or 6
- Appending 4 or 6 to the "Any" address is not valid
| PowerShell | GUI |
|---|---|
| Any | Any IP Address (BLANK field) |
| LocalSubnet | Local Subnet (LocalSubnet) |
| Internet | Internet (IntErnet) |
| Intranet | Intranet (IntrAnet) |
| DefaultGateway | Default Gateway (DefaultGateway) |
| DNS | DNS Servers (DNS) |
| WINS | WINS Servers (WINS) |
| DHCP | DHCP Servers (DHCP) |
| IntranetRemoteAccess | Remote Corp Network (RmtIntrAnet) |
| PlayToDevice | PlayTo Renderers (Ply2Renders) |
| <unknown> | Captive Portal Addresses |
Address sections below were tested with:
- Private IP client TCP: `psping64 -4 192.168.8.104:555`
- Server TCP: `psping64 -4 -s 192.168.8.104:555`
- Directed broadcast, client ICMP: `psping64 -4 192.168.8.255`
- Private IP address within subnet mask - YES
- Private IP address on different subnet (segment) - YES
- Directed broadcast address within subnet mask - YES
- Directed broadcast address on different subnet (segment) - ? (send yes)
- Limited broadcast address - Unknown
- Multicast address space - ?
- Private IP address within subnet mask - NO
- Private IP address on different subnet (segment) - YES
- Directed broadcast address within subnet mask - YES
- Directed broadcast address on different subnet (segment) - ? (send yes)
- Limited broadcast address - Unknown
- Multicast address space - ?
- Gateway address specified during static IP assignment - YES
- For dynamic assignment the default gateway address obtained from DHCP is used ?
- If disconnected from network - ?
- The addresses specified in DNS entries for configured adapter - YES
- For dynamic assignment the default gateway address is used - ?
- If disconnected from network - ?
- The addresses specified in WINS entries for configured adapter - YES
- If the WINS entry is empty - ?
From the addresses below, only the IPv4 loopback range is valid for a Windows firewall rule.
| | IPv4 | IPv6 |
|---|---|---|
| Loopback Address | 127.0.0.0/8 | ::1/128 |
| Unspecified Address | 0.0.0.0/0 | ::/0 |
| PowerShell | GUI |
|---|---|
| Any | All interface types (BLANK field) |
| Wired | Wired (Lan) - Network adapters which use wired network physical layers |
| Wireless | Wireless (Wireless) - Network adapters which use the wireless 802 network physical layer |
| RemoteAccess | Remote access (RemoteAccess) - Network adapters which use VPN connections |
NOTE: Not fully compatible with InterfaceType, because the InterfaceType parameter takes precedence
over InterfaceAlias; mixing InterfaceType with InterfaceAlias doesn't make sense unless InterfaceType
is Any, so use just one of these two parameters.
- [WildCardPattern] ([string])
- [WildCardPattern] ([string], [System.Management.Automation.WildCardOptions])
| PowerShell | GUI |
|---|---|
| LocalUser | Authorized local Principals |
| <unknown> | Excepted local Principals |
| Owner | Local User Owner |
| RemoteUser | Authorized Users |
| PowerShell | GUI |
|---|---|
| Block | Allow edge traversal (BLANK field) |
| Allow | Block edge traversal (TRUE) |
| DeferToUser | Defer to user / Defer allow to user (Defer = User) |
| DeferToApp | Defer to application / Defer allow to application (TRUE, Defer = App) |
Persistent store:
Is what you see in Windows Firewall with Advanced Security, accessed through Control Panel or System settings. Rules created in this store are attached to the ActiveStore and activated on the computer immediately.
Example:
-PolicyStore PersistentStore
GPO store:
Is specified as the computer name, and it is what you see in Local Group Policy, accessed through secpol.msc or gpedit.msc
Example:
-PolicyStore ([System.Environment]::MachineName)
RSOP store:
Stands for "resultant set of policy" and is the collection of all GPO stores that apply to the local computer.
This applies to domain computers; on a home computer RSOP consists of a single local GPO (group policy object)
Example:
-PolicyStore RSOP
Active store:
Active store is the sum of the Persistent store and all GPO stores (RSOP) that apply to the local computer. In other words, it's the master store.
Example:
-PolicyStore ActiveStore
SystemDefaults:
Read-only store that contains the default state of firewall rules that ship with Windows Server 2012. In other words, all predefined firewall rules are here.
Example:
Get-NetFirewallRule -PolicyStore SystemDefaults
StaticServiceStore:
Read-only store that contains all the service restrictions that ship with Windows Server 2012. Rules that cover optional and product-dependent features can be used to harden the firewall.
Example:
Get-NetFirewallRule -PolicyStore StaticServiceStore
ConfigurableServiceStore:
This read-write store contains all the service restrictions that are added for third-party services. In addition, network isolation rules that are created for Windows Store application containers will appear in this policy store. Network isolation rules that are created for Windows Store application containers are stored in the registry (and aren't accessible with Get-NetFirewallRule) under:
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules
Example:
Get-NetFirewallRule -PolicyStore ConfigurableServiceStore
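The relationship between the stores above can be seen by counting rules per store and by creating a rule in PersistentStore and reading it back from ActiveStore. The following is an added example, not code from the original document or project; the rule name and display name are constructed for the demo, and it assumes an elevated PowerShell session on a machine where the NetSecurity module is available.

```powershell
# Added example (not part of the original document): count rules per policy store,
# then show that a rule created in PersistentStore is immediately visible in
# ActiveStore together with the store it came from. Run elevated.

function Get-FirewallStoreSummary {
    # The local GPO store is addressed by computer name, as described above
    param(
        [string[]] $Store = @(
            'PersistentStore', 'ActiveStore', 'RSOP', 'SystemDefaults',
            'StaticServiceStore', 'ConfigurableServiceStore', [System.Environment]::MachineName
        )
    )
    foreach ($name in $Store) {
        # A store may be empty or unavailable (e.g. no local GPO rules); count that as 0
        $rules = @(Get-NetFirewallRule -PolicyStore $name -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Store   = $name
            Rules   = $rules.Count
            Enabled = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        }
    }
}

Get-FirewallStoreSummary | Format-Table -AutoSize

# Create a harmless outbound block rule in the persistent store (constructed demo name) ...
$demo = New-NetFirewallRule -Name 'StoreDemo-RemoveMe' -DisplayName 'Store demo (remove me)' `
    -Direction Outbound -Action Block -Program 'C:\Windows\System32\notepad.exe' `
    -PolicyStore PersistentStore

# ... and read it back from ActiveStore: PolicyStoreSource and PolicyStoreSourceType
# record which underlying store a rule in the "master" store originates from
Get-NetFirewallRule -Name $demo.Name -PolicyStore ActiveStore |
    Select-Object Name, Enabled, PolicyStoreSource, PolicyStoreSourceType

# Clean up the demo rule
Remove-NetFirewallRule -Name $demo.Name -PolicyStore PersistentStore
```

On a domain-joined machine the ActiveStore count will be larger than the PersistentStore count by the rules contributed through RSOP, which is what "master store" means in practice.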
For more information see New-NetFirewallRule
The meaning of this parameter value depends on which parameter it is used with:
| Value | Meaning |
|---|---|
| "*" | Applies to: services only OR application packages only (?) |
| Any | Applies to: all programs AND (services OR application packages) (BLANK field) |
Both of which are applied only if a packet meets the specified rule conditions
The option "Allow unicast response to multicast or broadcast traffic"
prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages.
If you set this setting to Yes (default), and this computer sends a multicast or broadcast message
to other computers, Windows Defender Firewall waits as long as three seconds for unicast responses
from the other computers and then blocks all later responses.
Otherwise, if you set the option to No, Windows Defender Firewall blocks the unicast responses
sent by those other computers.
Not configured is equivalent to Yes (default) as long as the control panel firewall does not
override this option.
NOTE: This setting has no effect if the unicast message is a response to a DHCP broadcast message sent by this computer. Windows Defender Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.
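Because "Not configured" falls back to Yes unless a GPO or the control panel overrides it, the locally configured value and the value actually in force can differ. The following added example (not part of the original document) reads the option from PersistentStore and ActiveStore per profile, then sets it explicitly; it assumes an elevated session and that the profile objects expose the AllowUnicastResponseToMulticast property.

```powershell
# Added example (not part of the original document): compare the locally configured value
# of "Allow unicast response to multicast or broadcast traffic" with the effective value
# (ActiveStore, which includes Group Policy), for every profile.

function Get-UnicastResponseSetting {
    $local  = Get-NetFirewallProfile -PolicyStore PersistentStore
    $active = Get-NetFirewallProfile -PolicyStore ActiveStore
    foreach ($fwProfile in $active) {
        $localProfile = $local | Where-Object { $_.Name -eq $fwProfile.Name }
        [pscustomobject]@{
            Profile          = $fwProfile.Name
            LocalValue       = $localProfile.AllowUnicastResponseToMulticast
            EffectiveValue   = $fwProfile.AllowUnicastResponseToMulticast
            # Only an explicit False blocks the responses; NotConfigured behaves as Yes (True)
            ResponsesBlocked = ($fwProfile.AllowUnicastResponseToMulticast -eq 'False')
        }
    }
}

Get-UnicastResponseSetting | Format-Table -AutoSize

# Set the option explicitly on all profiles. True is "Yes" in the GUI (the default),
# False is "No" (the restrictive choice), NotConfigured defers to Group Policy / Control Panel.
Set-NetFirewallProfile -Profile Domain, Private, Public -AllowUnicastResponseToMulticast False
```

The ResponsesBlocked column is the quick check: if it is True on a profile, hosts answering this computer's broadcasts (other than the DHCP responses mentioned in the note above) will be dropped.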
This is how parameters are used on the command line; most of them need to be enclosed in quotes if assigned to a variable first.
Name = "NotePadFirewallRule"
DisplayName = "Firewall Rule for program.exe"
Group = "Program Firewall Rule Group"
Ensure = "Present"
Enabled = True
Profile = "Domain, Private"
Direction = Outbound
RemotePort = 8080, 8081
LocalPort = 9080, 9081
Protocol = TCP
Description = "Firewall Rule for program.exe"
Program = "c:\windows\system32\program.exe"
Service = WinRM
Authentication = "Required"
Encryption = "Required"
InterfaceAlias = "Ethernet"
InterfaceType = Wired
LocalAddress = 192.168.2.0-192.168.2.128, 192.168.1.0/255.255.255.0, 10.0.0.0/8
LocalUser = "O:LSD:(D;;CC;;;S-1-15-3-4)(A;;CC;;;S-1-5-21-3337988176-3917481366-464002247-1001)"
Package = "S-1-15-2-3676279713-3632409675-756843784-3388909659-2454753834-4233625902-1413163418"
Platform = "6.1"
RemoteAddress = 192.168.2.0-192.168.2.128, 192.168.1.0/255.255.255.0, 10.0.0.0/8
RemoteMachine = "O:LSD:(D;;CC;;;S-1-5-21-1915925333-479612515-2636650677-1621)(A;;CC;;;S-1-5-21-1915925333-479612515-2636650677-1620)"
RemoteUser = "O:LSD:(D;;CC;;;S-1-15-3-4)(A;;CC;;;S-1-5-21-3337988176-3917481366-464002247-1001)"
DynamicTransport = ProximitySharing
EdgeTraversalPolicy = Block
IcmpType = 51, 52
IcmpType = 34:4
LocalOnlyMapping = $true
LooseSourceMapping = $true
OverrideBlockRules = $true
Owner = "S-1-5-21-3337988176-3917481366-464002247-500"
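The same parameters can be collected in a hashtable and splatted into New-NetFirewallRule, which also shows how PowerShell displays keyword values such as LocalSubnet4, RPCEPMap and Wired when read back through the filter cmdlets. This is an added example, not code from the original document or project; the rule name, display name and the chosen keywords are constructed for the demo, and it assumes an elevated session.

```powershell
# Added example (not part of the original document): build the parameters as a hashtable
# (string values quoted, multi-valued parameters as arrays), splat them into
# New-NetFirewallRule, then read the rule's filters back to see the PowerShell
# representation of keyword values. Run elevated.

$Params = @{
    Name          = 'KeywordDemo-RemoveMe'             # constructed demo name
    DisplayName   = 'Keyword demo (remove me)'
    Direction     = 'Inbound'
    Action        = 'Block'                            # a block rule, so nothing is opened
    Protocol      = 'TCP'
    LocalPort     = 'RPCEPMap'                         # port keyword (GUI: RPC Endpoint Mapper)
    RemoteAddress = 'LocalSubnet4', 'DefaultGateway'   # address keywords, IPv4-restricted form
    InterfaceType = 'Wired'                            # interface type keyword (GUI: Wired)
    Profile       = 'Private'
    PolicyStore   = 'PersistentStore'
}

$rule = New-NetFirewallRule @Params

# Each aspect of a rule lives in its own filter object; the keywords come back as
# PowerShell spells them, not as the GUI or registry spells them
$rule | Get-NetFirewallPortFilter          | Select-Object Protocol, LocalPort, RemotePort
$rule | Get-NetFirewallAddressFilter       | Select-Object LocalAddress, RemoteAddress
$rule | Get-NetFirewallInterfaceTypeFilter | Select-Object InterfaceType

# Clean up the demo rule
Remove-NetFirewallRule -Name $Params.Name -PolicyStore PersistentStore
```

Splatting sidesteps most of the quoting trouble mentioned above: every value is an ordinary PowerShell literal inside the hashtable, so a value with spaces or commas (for example a display name or an SDDL string) never has to be escaped on the command line.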
Their meaning, in the order in which they appear in the firewall log file:
#Version:
- Displays which version of the Windows Firewall security log is installed
#Software:
- Displays the name of the software creating the log
#Time:
- Indicates that all of the timestamps in the log are in local time
#Fields:
- Displays a static list of fields that are available for security log entries, as follows:
date
- Displays the year, month, and day that the recorded transaction occurred
time
- Displays the hour, minute, and seconds at which the recorded transaction occurred
action
- Displays which operation was observed by Windows Firewall
- The options available are OPEN, OPEN-INBOUND, CLOSE, DROP, and INFO-EVENTS-LOST
protocol
- Displays the protocol that was used for the communication
- The options available are TCP, UDP, ICMP, and a protocol number for packets
src-ip
- Displays the source IP address (the IP address of the computer attempting to establish communication)
dst-ip
- Displays the destination IP address of a communication attempt
src-port
- Displays the source port number of the sending computer
- Only TCP and UDP display a valid src-port entry
- All other protocols display a src-port entry of `-`
dst-port
- Displays the port number of the destination computer
- Only TCP and UDP display a valid dst-port entry
- All other protocols display a dst-port entry of `-`
size
- Displays the packet size, in bytes.
tcpflags
- Displays the TCP control flags found in the TCP header of an IP packet:
| Flag | Meaning |
|---|---|
| Ack | Acknowledgment field significant |
| Fin | No more data from sender |
| Psh | Push function |
| Rst | Reset the connection |
| Syn | Synchronize sequence numbers |
| Urg | Urgent Pointer field significant |
tcpsyn
- Displays the TCP sequence number in the packet
tcpack
- Displays the TCP acknowledgement number in the packet
tcpwin
- Displays the TCP window size, in bytes, in the packet
icmptype
- Displays a number that represents the Type field of the ICMP message
icmpcode
- Displays a number that represents the Code field of the ICMP message
info
- Displays an entry that depends on the type of action that occurred
- For example, an INFO-EVENTS-LOST action will result in an entry of the number of events that occurred but were not recorded in the log from the time of the last occurrence of this event type.
path
- Displays the direction of the communication
- The options available are SEND, RECEIVE, FORWARD, and UNKNOWN
For more information see Interpreting the Windows Firewall Log
The following are mappings between the log file, the firewall UI and PowerShell parameters.
The true meaning of source/destination is not straightforward; an explanation is given in the section above, and here is how to convert this information to other firewall/traffic contexts.
For traffic this computer sends (path SEND):
| Log | GUI | PowerShell |
|---|---|---|
| src-ip | Local Address | LocalAddress |
| dst-ip | Remote Address | RemoteAddress |
| src-port | Local Port | LocalPort |
| dst-port | Remote Port | RemotePort |
For traffic this computer receives (path RECEIVE):
| Log | GUI | PowerShell |
|---|---|---|
| src-ip | Remote Address | RemoteAddress |
| dst-ip | Local Address | LocalAddress |
| src-port | Remote Port | RemotePort |
| dst-port | Local Port | LocalPort |
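The field list above and the src/dst to Local/Remote mapping can be put to work in a small parser. The following is an added example, not code from the original document or project: it reads the "#Fields:" header to name the columns (so it follows whatever field order a given log version uses), turns `-` into an empty value, and derives Local/Remote addresses and ports from the path field exactly as the two tables above do. The log lines are constructed sample data, not a real capture; the default log path at the end is an assumption about the standard Windows location.

```powershell
# Added example (not part of the original document): parse Windows Firewall log entries
# into objects and map src/dst to the firewall's Local/Remote view using "path".

# Constructed sample log (not a real capture); the header lines mirror the format above
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:21:03 DROP TCP 192.168.8.50 192.168.8.104 50212 445 52 S 1234567 0 64240 - - - RECEIVE
2024-01-15 10:21:05 OPEN UDP 192.168.8.104 192.168.8.1 61234 53 71 - - - - - - - SEND
2024-01-15 10:21:06 DROP ICMP 192.168.8.77 192.168.8.104 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:21:09 INFO-EVENTS-LOST - - - - - - - - - - - - 3 -
'@

function ConvertFrom-FirewallLog {
    param([Parameter(Mandatory)][string[]] $Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names come from the log itself, so a different field order still parses
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'No #Fields header found before the first log entry' }

        $values = $line -split '\s+'
        $entry  = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $value = if ($i -lt $values.Count) { $values[$i] } else { '-' }
            # "-" means the field does not apply (e.g. src-port for ICMP)
            $entry[$fields[$i]] = if ($value -eq '-') { $null } else { $value }
        }

        # Translate src/dst into Local/Remote, which is how rules and the GUI name them
        switch ($entry['path']) {
            'SEND' {
                $entry['LocalAddress'] = $entry['src-ip'];   $entry['RemoteAddress'] = $entry['dst-ip']
                $entry['LocalPort']    = $entry['src-port']; $entry['RemotePort']    = $entry['dst-port']
            }
            'RECEIVE' {
                $entry['LocalAddress'] = $entry['dst-ip'];   $entry['RemoteAddress'] = $entry['src-ip']
                $entry['LocalPort']    = $entry['dst-port']; $entry['RemotePort']    = $entry['src-port']
            }
        }
        [pscustomobject]$entry
    }
}

$entries = ConvertFrom-FirewallLog -Lines ($SampleLog -split "`r?`n")

# Inbound drops grouped by the local port that was targeted and the remote peer
$entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object LocalPort, RemoteAddress | Sort-Object Count -Descending |
    Select-Object Count, Name

# Lost events are worth surfacing separately: "info" carries the count of unrecorded events
$entries | Where-Object { $_.action -eq 'INFO-EVENTS-LOST' } | Select-Object date, time, info

# For a live system (assumed default log location):
# $entries = ConvertFrom-FirewallLog -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Grouping by LocalPort rather than dst-port matters once outbound entries are mixed in: for a SEND line the local port is src-port, so reporting on the raw column would silently merge two different things.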
Hidden parameters
The following hidden parameters are part of the CIM class and are not visible in the firewall UI
The detailed status of the rule, as a numeric error code.
A value of 65536 means STATUS_SUCCESS or NO_ERROR, meaning there is no problem with this rule.
This field is ignored
This field is ignored
This field is ignored.
This field is ignored.
Which profiles this rule is active on
The meaning of a value is as follows:
NOTE: Combinations sum up, e.g. a value of 5 means "Public" and "Domain"
Any = 0
Public = 4
Private = 2
Domain = 1
If this object is retrieved from the ActiveStore, describes the current enforcement status of the rule.
0 = Invalid
1 = Full
2 = FirewallOffInProfile
3 = CategoryOff
4 = DisabledObject
5 = InactiveProfile
6 = LocalAddressResolutionEmpty
7 = RemoteAddressResolutionEmpty
8 = LocalPortResolutionEmpty
9 = RemotePortResolutionEmpty
10 = InterfaceResolutionEmpty
11 = ApplicationResolutionEmpty
12 = RemoteMachineEmpty
13 = RemoteUserEmpty
14 = LocalGlobalOpenPortsDisallowed
15 = LocalAuthorizedApplicationsDisallowed
16 = LocalFirewallRulesDisallowed
17 = LocalConsecRulesDisallowed
18 = NotTargetPlatform
19 = OptimizedOut
20 = LocalUserEmpty
21 = TransportMachinesEmpty
22 = TunnelMachinesEmpty
23 = TupleResolutionEmpty
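The raw numeric values of these hidden properties are reachable through the CIM instance behind each rule object, which is useful when the friendly view hides why a rule is not being enforced. The following is an added example, not code from the original document or project: it decodes the Profiles bit mask and the EnforcementStatus codes listed above. It assumes that Profiles is exposed as an integer mask and EnforcementStatus as one or more integers in the instance's CimInstanceProperties, and that rules are read from ActiveStore so that EnforcementStatus is populated.

```powershell
# Added example (not part of the original document): read the raw CIM values of the
# hidden Profiles and EnforcementStatus properties and decode them with the tables above.

$ProfileBits = [ordered]@{ Domain = 1; Private = 2; Public = 4 }

# Index = numeric EnforcementStatus value, as listed above
$EnforcementNames = @(
    'Invalid', 'Full', 'FirewallOffInProfile', 'CategoryOff', 'DisabledObject', 'InactiveProfile',
    'LocalAddressResolutionEmpty', 'RemoteAddressResolutionEmpty', 'LocalPortResolutionEmpty',
    'RemotePortResolutionEmpty', 'InterfaceResolutionEmpty', 'ApplicationResolutionEmpty',
    'RemoteMachineEmpty', 'RemoteUserEmpty', 'LocalGlobalOpenPortsDisallowed',
    'LocalAuthorizedApplicationsDisallowed', 'LocalFirewallRulesDisallowed',
    'LocalConsecRulesDisallowed', 'NotTargetPlatform', 'OptimizedOut', 'LocalUserEmpty',
    'TransportMachinesEmpty', 'TunnelMachinesEmpty', 'TupleResolutionEmpty'
)

function ConvertFrom-ProfileMask {
    # 0 = Any; otherwise the set bits name the profiles (5 = Domain + Public)
    param([int] $Mask)
    if ($Mask -eq 0) { return 'Any' }
    ($ProfileBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object Key) -join ', '
}

function ConvertFrom-EnforcementStatus {
    param($Status)
    $names = foreach ($code in @($Status)) {
        if ($null -eq $code) { continue }
        $index = [int]$code
        if ($index -ge 0 -and $index -lt $EnforcementNames.Count) { $EnforcementNames[$index] }
        else { "Unknown($index)" }
    }
    $names -join ', '
}

function Get-FirewallRuleRawStatus {
    # EnforcementStatus is only meaningful for objects retrieved from the ActiveStore
    param([string] $DisplayName = '*')
    Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $DisplayName | ForEach-Object {
        $props = $_.CimInstanceProperties
        [pscustomobject]@{
            Name        = $_.Name
            ProfilesRaw = $props['Profiles'].Value
            Profiles    = ConvertFrom-ProfileMask -Mask $props['Profiles'].Value
            Enforcement = ConvertFrom-EnforcementStatus -Status $props['EnforcementStatus'].Value
        }
    }
}

# Rules that exist but are not actually enforced, and why
Get-FirewallRuleRawStatus | Where-Object { $_.Enforcement -ne 'Full' } | Format-Table -AutoSize
```

Filtering on anything other than Full is the practical use: a rule that reads as enabled in the GUI may still report InactiveProfile, NotTargetPlatform or an *Empty resolution status, which explains traffic that is unexpectedly allowed or blocked.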
One might think this has something to do with "Local Session Manager", but it's shorthand for
"Loose Source Mapping"; the meaning is the same as the LooseSourceMapping property.
Specifies which platforms the rule is applicable on.
If null, the rule applies to all platforms (the default).
Each entry takes the form Major.Minor+
If + is specified, then it means that the rule applies to that version or greater.
+ may only be attached to the final item in the list.
For more information see MSFT_NetFirewallRule class or Second link
Applies only to UDP.
UDP traffic is inferred by checking the following fields:
- local address
- remote address
- protocol
- local port
- remote port
TODO: Rules which do not specify some of these fields, how does the above apply then?
e.g. only to new connections or existing connections? (stateful/stateless filtering)
Whether to group UDP packets into conversations based only upon the local address and port.
If this parameter is set to True, then the remote address and port will be ignored when inferring
remote sessions.
Sessions will be grouped based on local address, protocol, and local port.
Whether to group UDP packets into conversations based upon the local address, local port and remote port.
If set, the rule accepts packets incoming from a host other than the one the packets were sent to.
TODO: Explain why this parameter can't be specified for inbound rule
For more information see New-NetFirewallRule