kuay23
asked on
Using netsh in batch file to turn on firewall with exceptions
I need urgent help on this. I need to turn on the Windows firewall on about 100 users' XP machines. I am doing this through a .bat file. This batch file is used for mapping network drives.
I tested using these commands added into the batch file:
netsh firewall set opmode mode=ENABLE
netsh firewall add portopening TCP 137 NetBios137
netsh firewall add portopening TCP 138 NetBios138
netsh firewall add portopening TCP 8193 Sophos8193
netsh firewall add portopening TCP 8194 Sophos8194
netsh firewall set service type=FILEANDPRINT mode=ENABLE
It works fine for the first login, but on the second login my network drives fail to reconnect. After some tests I found out that if the firewall and exceptions are already in, the netsh commands in the .bat file will somehow fail.
My question is: how can I add conditions to the netsh code to check if the settings are already there? Maybe some if/else statements, I guess.
Thanks!
When running things in a batch file that you only want to run once you need to include some kind of test to keep them from running again.
For example, if you copy a file into the %systemroot% directory called fwpatch1.dat while starting the firewall, then when the batch runs it can look for the existence of that file and pass an error level back, keeping the remaining portion of the file from executing.
example:
IF EXIST %2 GOTO END
alandc is correct, a simple file is all you need to create and check for:
@echo off
if exist %systemroot%\Firewall_set.txt goto exit
:set_fw
netsh firewall set opmode mode=ENABLE
netsh firewall add portopening TCP 137 NetBios137
netsh firewall add portopening TCP 138 NetBios138
netsh firewall add portopening TCP 8193 Sophos8193
netsh firewall add portopening TCP 8194 Sophos8194
netsh firewall set service type=FILEANDPRINT mode=ENABLE
REM This will create the Firewall_set.txt file in the %systemroot% folder
echo "Firewall Settings are set" > %systemroot%\Firewall_set.txt
:exit
Or you can check the firewall itself...
From the cmd prompt... test the tokens/delimiters this way
for /f "tokens=1 delims= " %i IN ('"netsh firewall show config" ^| findstr /i 8194') Do echo %i
In a batch file use this: (you actually don't need the else goto but it's easier to read for some folks)
@echo off
for /f "tokens=1 delims= " %%i IN ('"netsh firewall show config" ^| findstr /i 8194')do if %%i==8194 goto end else goto fw-settings
:fw-settings
netsh firewall set opmode mode=ENABLE
netsh firewall add portopening TCP 137 NetBios137
netsh firewall add portopening TCP 138 NetBios138
netsh firewall add portopening TCP 8193 Sophos8193
netsh firewall add portopening TCP 8194 Sophos8194
netsh firewall set service type=FILEANDPRINT mode=ENABLE
:end
http://www.xinn.org/logonscripting101.html http://xinn.org/logonscripting102.html Examples in text files are on those pages.
-rich
Oh yes, and using AD will make it much easier, no need to check or use a batch file a group policy will do the trick nicely.
(one more note, notice the difference in the variables %i and %%i, the double % sign is for batch files, and single is for cmd windows or interactive use)
-rich
ASKER
Hi richrumble, thanks. Is there a way to check if the OS is Windows XP? I need a condition to check if the machine is XP and then run the code, because the batch file is used by Win2k/98/95 machines too. I'm afraid there will be complications.
ASKER CERTIFIED SOLUTION
The "Ver" script was at the bottom of this page: http://xinn.org/misc-scripts/examples102.txt
These scripts can be useful also http://www.xinn.org/wmic.html
http://xinn.org/misc-scripts/wmic.txt
http://xinn.org/misc-scripts/wmi-inventory.txt (output from this script: http://xinn.org/misc-scripts/inventory-out.txt)
-rich
ASKER
Hi Richrumble,
This condition is just checking against one condition, right? It's just checking to see if port 8194 is opened, right? Can we try with 2 conditions?
for /f "tokens=1 delims= " %%i IN ('"netsh firewall show config" ^| findstr /i 8194')do if %%i==8194 goto end else goto fw-settings
Sure:
Rem figure out if the pc is win2k or xp
FOR /F "tokens=3 delims= " %%h IN ('ver') DO if %%h==XP goto :xp_fw_en
:skip_fw
goto win2k
Rem Check to see if Firewall is enabled
:xp_fw_en
for /f "tokens=4 delims= " %%g IN ('"netsh firewall show state" ^| findstr /i Operational')do if %%g NEQ Enable goto fw-settings
for /f "tokens=1 delims= " %%i IN ('"netsh firewall show config" ^| findstr /i 8194')do if %%i==8194 goto end else goto fw-settings
:fw-settings
netsh firewall set opmode mode=ENABLE
netsh firewall add portopening TCP 137 NetBios137
netsh firewall add portopening TCP 138 NetBios138
netsh firewall add portopening TCP 8193 Sophos8193
netsh firewall add portopening TCP 8194 Sophos8194
netsh firewall set service type=FILEANDPRINT mode=ENABLE
:win2k
:end
That should do it...
-rich
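As an added example (not code from the thread or from richrumble), the script below combines the OS check and the firewall-state check above and then tests each of the four port openings individually, so a logon script that runs every day only adds what is actually missing. It assumes the XP SP2 "netsh firewall" output format relied on in the thread, where the port number is the first token of each port-opening line.

```batch
@echo off
REM Added example, not code from the thread: combines the OS and firewall-state
REM checks, then tests each port opening individually so the logon script only
REM adds what is missing. Assumes the XP SP2 "netsh firewall" output format
REM used in the thread (the port number is the first token of each line).
setlocal enabledelayedexpansion

REM Only XP has this firewall: "ver" prints "Microsoft Windows XP [Version ...]"
for /f "tokens=3" %%h in ('ver') do if /i not "%%h"=="XP" goto :end

REM Enable the firewall only if "Operational mode" is not already Enable
for /f "tokens=4" %%g in ('netsh firewall show state ^| findstr /i Operational') do (
    if /i not "%%g"=="Enable" netsh firewall set opmode mode=ENABLE
)

REM Port:name pairs taken from the thread; each is added only if its port is
REM not already listed by "netsh firewall show config"
for %%p in (137:NetBios137 138:NetBios138 8193:Sophos8193 8194:Sophos8194) do (
    for /f "tokens=1,2 delims=:" %%a in ("%%p") do (
        set found=0
        for /f "tokens=1" %%i in ('netsh firewall show config ^| findstr /b "%%a"') do (
            if "%%i"=="%%a" set found=1
        )
        if "!found!"=="0" netsh firewall add portopening TCP %%a %%b
    )
)
netsh firewall set service type=FILEANDPRINT mode=ENABLE

:end
endlocal
```

Checking the live configuration instead of a marker file means an exception removed later (by a user or another script) is restored at the next logon, and nothing beyond the four listed ports is ever opened.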
ASKER
How do i hide the MS-DOS Prompt?
I tried SETCONSOLE ("Hide"); it says invalid command.
I believe all you can do is minimize the window; I've never hidden them... If at the very top of your script you use the
@echo off
All commands will be hidden, unless there is a REM statement or an Echo, or @echo
REM This is a comment line
echo This is an echo'd line
@echo This is an echo'd line
@echo off
start /min
Rem figure out if the pc is win2k or xp
FOR /F "tokens=3 delims= " %%h IN ('ver') DO if %%h==XP goto :xp_fw_en
:skip_fw
goto win2k
Rem Check to see if Firewall is enabled
:xp_fw_en
for /f "tokens=4 delims= " %%g IN ('"netsh firewall show state" ^| findstr /i Operational')do if %%g NEQ Enable goto fw-settings
for /f "tokens=1 delims= " %%i IN ('"netsh firewall show config" ^| findstr /i 8194')do if %%i==8194 goto end else goto fw-settings
:fw-settings
netsh firewall set opmode mode=ENABLE
netsh firewall add portopening TCP 137 NetBios137
netsh firewall add portopening TCP 138 NetBios138
netsh firewall add portopening TCP 8193 Sophos8193
netsh firewall add portopening TCP 8194 Sophos8194
netsh firewall set service type=FILEANDPRINT mode=ENABLE
:win2k
:end
-rich
ASKER
Thanks rich. I think I am beginning to ask too many questions... because I have just been asked to test if we can copy a shortcut file from the batch file to all users' desktops.
Sure you can... but if you've got an AD environment, it sure is easier to administer the XP firewall via Group Policies. A GP will also know to look at XP/2003 machines only, as Win2k and prior don't have the firewall.
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2wgp.mspx
If not using AD and you're still using NT-style domains, try these: (in addition to or in place of netsh)
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2ngp.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2apc.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2ape.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2apf.mspx
http://www.google.com/search?hl=en&q=site%3Amicrosoft.com+group+policy+xp+firewall&btnG=Google+Search
-rich
http://download.microsoft.com/download/6/8/a/68a81446-cd73-4a61-8665-8a67781ac4e8/wf_xpsp2.doc#_Toc85246672