Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Programmatically add an application to Windows Firewall

I have an application that is installed and updated via ClickOnce. The application downloads files via FTP, and therefore needs to be added as an exception to the windows firewall. Because of the way that ClickOnce works, the path to the EXE changes with every update, so the exception needs to change also. What would be the best way to have the changes made to the firewall so that it's invisible to the end user?

(The application is written in C#)

like image 539
RichieACC Avatar asked Sep 22 '08 08:09

RichieACC


People also ask

How do I add a program to Windows Firewall?

Select the Start menu, type Allow an app through Windows Firewall, and select it from the list of results. Select Change settings. You might be asked for an administrator password or to confirm your choice. To add an app, select the check box next to the app, or select Allow another app and enter the path for the app.

How do I add an app to my firewall exceptions list Windows 10?

Click Start and select Control Panel. Click Windows Firewall. Click the Exceptions tab. Click Add Program.

How do I add apps to my firewall whitelist?

Whitelisting with the Windows Firewall To manage the whitelist in the Windows Firewall, click Start, type firewall and click Windows Defender Firewall. Click Allow a program or feature through Windows Firewall (or, if you're using Windows 10, click Allow an app or feature through Windows Firewall).


7 Answers

Not sure if this is the best way, but running netsh should work:

netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE

I think this requires Administrator Permissions though,for obvious reasons :)

Edit: I just don't know enough about ClickOnce to know whether or not you can run external programs through it.

like image 196
Michael Stum Avatar answered Oct 05 '22 20:10

Michael Stum


I found this article, which has a complete wrapper class included for manipulating the windows firewall. Adding an Application to the Exception list on the Windows Firewall

/// 

/// Allows basic access to the windows firewall API.
/// This can be used to add an exception to the windows firewall
/// exceptions list, so that our programs can continue to run merrily
/// even when nasty windows firewall is running.
///
/// Please note: It is not enforced here, but it might be a good idea
/// to actually prompt the user before messing with their firewall settings,
/// just as a matter of politeness.
/// 

/// 
/// To allow the installers to authorize idiom products to work through
/// the Windows Firewall.
/// 
public class FirewallHelper
{
    #region Variables
    /// 

    /// Hooray! Singleton access.
    /// 

    private static FirewallHelper instance = null;

    /// 

    /// Interface to the firewall manager COM object
    /// 

    private INetFwMgr fwMgr = null;
    #endregion
    #region Properties
    /// 

    /// Singleton access to the firewallhelper object.
    /// Threadsafe.
    /// 

    public static FirewallHelper Instance
    {
        get
        {
            lock (typeof(FirewallHelper))
            {
                if (instance == null)
                    instance = new FirewallHelper();
                return instance;
            }
        }
    }
    #endregion
    #region Constructivat0r
    /// 

    /// Private Constructor.  If this fails, HasFirewall will return
    /// false;
    /// 

    private FirewallHelper()
    {
        // Get the type of HNetCfg.FwMgr, or null if an error occurred
        Type fwMgrType = Type.GetTypeFromProgID("HNetCfg.FwMgr", false);

        // Assume failed.
        fwMgr = null;

        if (fwMgrType != null)
        {
            try
            {
                fwMgr = (INetFwMgr)Activator.CreateInstance(fwMgrType);
            }
            // In all other circumnstances, fwMgr is null.
            catch (ArgumentException) { }
            catch (NotSupportedException) { }
            catch (System.Reflection.TargetInvocationException) { }
            catch (MissingMethodException) { }
            catch (MethodAccessException) { }
            catch (MemberAccessException) { }
            catch (InvalidComObjectException) { }
            catch (COMException) { }
            catch (TypeLoadException) { }
        }
    }
    #endregion
    #region Helper Methods
    /// 

    /// Gets whether or not the firewall is installed on this computer.
    /// 

    /// 
    public bool IsFirewallInstalled
    {
        get
        {
            if (fwMgr != null &&
                  fwMgr.LocalPolicy != null &&
                  fwMgr.LocalPolicy.CurrentProfile != null)
                return true;
            else
                return false;
        }
    }

    /// 

    /// Returns whether or not the firewall is enabled.
    /// If the firewall is not installed, this returns false.
    /// 

    public bool IsFirewallEnabled
    {
        get
        {
            if (IsFirewallInstalled && fwMgr.LocalPolicy.CurrentProfile.FirewallEnabled)
                return true;
            else
                return false;
        }
    }

    /// 

    /// Returns whether or not the firewall allows Application "Exceptions".
    /// If the firewall is not installed, this returns false.
    /// 

    /// 
    /// Added to allow access to this metho
    /// 
    public bool AppAuthorizationsAllowed
    {
        get
        {
            if (IsFirewallInstalled && !fwMgr.LocalPolicy.CurrentProfile.ExceptionsNotAllowed)
                return true;
            else
                return false;
        }
    }

    /// 

    /// Adds an application to the list of authorized applications.
    /// If the application is already authorized, does nothing.
    /// 

    /// 
    ///         The full path to the application executable.  This cannot
    ///         be blank, and cannot be a relative path.
    /// 
    /// 
    ///         This is the name of the application, purely for display
    ///         puposes in the Microsoft Security Center.
    /// 
    /// 
    ///         When applicationFullPath is null OR
    ///         When appName is null.
    /// 
    /// 
    ///         When applicationFullPath is blank OR
    ///         When appName is blank OR
    ///         applicationFullPath contains invalid path characters OR
    ///         applicationFullPath is not an absolute path
    /// 
    /// 
    ///         If the firewall is not installed OR
    ///         If the firewall does not allow specific application 'exceptions' OR
    ///         Due to an exception in COM this method could not create the
    ///         necessary COM types
    /// 
    /// 
    ///         If no file exists at the given applicationFullPath
    /// 
    public void GrantAuthorization(string applicationFullPath, string appName)
    {
        #region  Parameter checking
        if (applicationFullPath == null)
            throw new ArgumentNullException("applicationFullPath");
        if (appName == null)
            throw new ArgumentNullException("appName");
        if (applicationFullPath.Trim().Length == 0)
            throw new ArgumentException("applicationFullPath must not be blank");
        if (applicationFullPath.Trim().Length == 0)
            throw new ArgumentException("appName must not be blank");
        if (applicationFullPath.IndexOfAny(Path.InvalidPathChars) >= 0)
            throw new ArgumentException("applicationFullPath must not contain invalid path characters");
        if (!Path.IsPathRooted(applicationFullPath))
            throw new ArgumentException("applicationFullPath is not an absolute path");
        if (!File.Exists(applicationFullPath))
            throw new FileNotFoundException("File does not exist", applicationFullPath);
        // State checking
        if (!IsFirewallInstalled)
            throw new FirewallHelperException("Cannot grant authorization: Firewall is not installed.");
        if (!AppAuthorizationsAllowed)
            throw new FirewallHelperException("Application exemptions are not allowed.");
        #endregion

        if (!HasAuthorization(applicationFullPath))
        {
            // Get the type of HNetCfg.FwMgr, or null if an error occurred
            Type authAppType = Type.GetTypeFromProgID("HNetCfg.FwAuthorizedApplication", false);

            // Assume failed.
            INetFwAuthorizedApplication appInfo = null;

            if (authAppType != null)
            {
                try
                {
                    appInfo = (INetFwAuthorizedApplication)Activator.CreateInstance(authAppType);
                }
                // In all other circumnstances, appInfo is null.
                catch (ArgumentException) { }
                catch (NotSupportedException) { }
                catch (System.Reflection.TargetInvocationException) { }
                catch (MissingMethodException) { }
                catch (MethodAccessException) { }
                catch (MemberAccessException) { }
                catch (InvalidComObjectException) { }
                catch (COMException) { }
                catch (TypeLoadException) { }
            }

            if (appInfo == null)
                throw new FirewallHelperException("Could not grant authorization: can't create INetFwAuthorizedApplication instance.");

            appInfo.Name = appName;
            appInfo.ProcessImageFileName = applicationFullPath;
            // ...
            // Use defaults for other properties of the AuthorizedApplication COM object

            // Authorize this application
            fwMgr.LocalPolicy.CurrentProfile.AuthorizedApplications.Add(appInfo);
        }
        // otherwise it already has authorization so do nothing
    }
    /// 

    /// Removes an application to the list of authorized applications.
    /// Note that the specified application must exist or a FileNotFound
    /// exception will be thrown.
    /// If the specified application exists but does not current have
    /// authorization, this method will do nothing.
    /// 

    /// 
    ///         The full path to the application executable.  This cannot
    ///         be blank, and cannot be a relative path.
    /// 
    /// 
    ///         When applicationFullPath is null
    /// 
    /// 
    ///         When applicationFullPath is blank OR
    ///         applicationFullPath contains invalid path characters OR
    ///         applicationFullPath is not an absolute path
    /// 
    /// 
    ///         If the firewall is not installed.
    /// 
    /// 
    ///         If the specified application does not exist.
    /// 
    public void RemoveAuthorization(string applicationFullPath)
    {

        #region  Parameter checking
        if (applicationFullPath == null)
            throw new ArgumentNullException("applicationFullPath");
        if (applicationFullPath.Trim().Length == 0)
            throw new ArgumentException("applicationFullPath must not be blank");
        if (applicationFullPath.IndexOfAny(Path.InvalidPathChars) >= 0)
            throw new ArgumentException("applicationFullPath must not contain invalid path characters");
        if (!Path.IsPathRooted(applicationFullPath))
            throw new ArgumentException("applicationFullPath is not an absolute path");
        if (!File.Exists(applicationFullPath))
            throw new FileNotFoundException("File does not exist", applicationFullPath);
        // State checking
        if (!IsFirewallInstalled)
            throw new FirewallHelperException("Cannot remove authorization: Firewall is not installed.");
        #endregion

        if (HasAuthorization(applicationFullPath))
        {
            // Remove Authorization for this application
            fwMgr.LocalPolicy.CurrentProfile.AuthorizedApplications.Remove(applicationFullPath);
        }
        // otherwise it does not have authorization so do nothing
    }
    /// 

    /// Returns whether an application is in the list of authorized applications.
    /// Note if the file does not exist, this throws a FileNotFound exception.
    /// 

    /// 
    ///         The full path to the application executable.  This cannot
    ///         be blank, and cannot be a relative path.
    /// 
    /// 
    ///         The full path to the application executable.  This cannot
    ///         be blank, and cannot be a relative path.
    /// 
    /// 
    ///         When applicationFullPath is null
    /// 
    /// 
    ///         When applicationFullPath is blank OR
    ///         applicationFullPath contains invalid path characters OR
    ///         applicationFullPath is not an absolute path
    /// 
    /// 
    ///         If the firewall is not installed.
    /// 
    /// 
    ///         If the specified application does not exist.
    /// 
    public bool HasAuthorization(string applicationFullPath)
    {
        #region  Parameter checking
        if (applicationFullPath == null)
            throw new ArgumentNullException("applicationFullPath");
        if (applicationFullPath.Trim().Length == 0)
            throw new ArgumentException("applicationFullPath must not be blank");
        if (applicationFullPath.IndexOfAny(Path.InvalidPathChars) >= 0)
            throw new ArgumentException("applicationFullPath must not contain invalid path characters");
        if (!Path.IsPathRooted(applicationFullPath))
            throw new ArgumentException("applicationFullPath is not an absolute path");
        if (!File.Exists(applicationFullPath))
            throw new FileNotFoundException("File does not exist.", applicationFullPath);
        // State checking
        if (!IsFirewallInstalled)
            throw new FirewallHelperException("Cannot remove authorization: Firewall is not installed.");

        #endregion

        // Locate Authorization for this application
        foreach (string appName in GetAuthorizedAppPaths())
        {
            // Paths on windows file systems are not case sensitive.
            if (appName.ToLower() == applicationFullPath.ToLower())
                return true;
        }

        // Failed to locate the given app.
        return false;

    }

    /// 

    /// Retrieves a collection of paths to applications that are authorized.
    /// 

    /// 
    /// 
    ///         If the Firewall is not installed.
    ///   
    public ICollection GetAuthorizedAppPaths()
    {
        // State checking
        if (!IsFirewallInstalled)
            throw new FirewallHelperException("Cannot remove authorization: Firewall is not installed.");

        ArrayList list = new ArrayList();
        //  Collect the paths of all authorized applications
        foreach (INetFwAuthorizedApplication app in fwMgr.LocalPolicy.CurrentProfile.AuthorizedApplications)
            list.Add(app.ProcessImageFileName);

        return list;
    }
    #endregion
}

/// 

/// Describes a FirewallHelperException.
/// 

/// 
///
/// 
public class FirewallHelperException : System.Exception
{
    /// 

    /// Construct a new FirewallHelperException
    /// 

    /// 
    public FirewallHelperException(string message)
      : base(message)
    { }
}

The ClickOnce sandbox did not present any problems.

like image 25
RichieACC Avatar answered Oct 05 '22 22:10

RichieACC


It's possible to access the data from the firewall, look at the following articles.

  • Windows XP SP2 Firewall Controller
  • Controlling Windows Firewall using C# via COM Interop

The real question is does the ClickOnce sandbox allows this kind of access? My guess would be that it doesn't. Maybe you could use a webservice? (For more information about the data access methods in ClickOnce see Accessing Local and Remote Data in ClickOnce Applications)

like image 42
Davy Landman Avatar answered Oct 05 '22 22:10

Davy Landman


Assuming we're using a Visual Studio Installer->Setup Project - You need an installer class like this inside an assembly that's being installed, and then make sure you add a custom action for the "Primary output" in the install phase.

using System.Collections;
using System.ComponentModel;
using System.Configuration.Install;
using System.IO;
using System.Diagnostics;

namespace YourNamespace
{
    [RunInstaller(true)]
    public class AddFirewallExceptionInstaller : Installer
    {
        protected override void OnAfterInstall(IDictionary savedState)
        {
            base.OnAfterInstall(savedState);

            var path = Path.GetDirectoryName(Context.Parameters["assemblypath"]);
            OpenFirewallForProgram(Path.Combine(path, "YourExe.exe"),
                                   "Your program name for display");
        }

        private static void OpenFirewallForProgram(string exeFileName, string displayName)
        {
            var proc = Process.Start(
                new ProcessStartInfo
                    {
                        FileName = "netsh",
                        Arguments =
                            string.Format(
                                "firewall add allowedprogram program=\"{0}\" name=\"{1}\" profile=\"ALL\"",
                                exeFileName, displayName),
                        WindowStyle = ProcessWindowStyle.Hidden
                    });
            proc.WaitForExit();
        }
    }
}
like image 41
Chamath Viduranga Avatar answered Oct 05 '22 21:10

Chamath Viduranga


The easiest way I know would be to use netsh, you can simply delete the rule and re-create it, or set up a port rule, if yours is fixed.
Here is a page describing the options for its firewall context.

like image 27
Hasturkun Avatar answered Oct 05 '22 22:10

Hasturkun


The dead link to "Adding an Application to the Exception list on the Windows Firewall" can be found on The Wayback Machine:

http://web.archive.org/web/20070707110141/http://www.dot.net.nz/Default.aspx?tabid=42&mid=404&ctl=Details&ItemID=8

like image 39
Rick Avatar answered Oct 05 '22 21:10

Rick


This answer might be to late. This is what I ended up using:

https://support.microsoft.com/en-gb/help/947709/how-to-use-the-netsh-advfirewall-firewall-context-instead-of-the-netsh

like image 25
Tono Nam Avatar answered Oct 05 '22 22:10

Tono Nam