kuay23 asked:

Using netsh in batch file to turn on firewall with exceptions

I need urgent help on this: I need to turn on the Windows firewall on about 100 users' XP machines. I am doing this through a .bat file. This batch file is used for mapping network drives.

I tested by adding these commands to the batch file:

netsh firewall set opmode mode=ENABLE
netsh firewall add portopening TCP 137 NetBios137
netsh firewall add portopening TCP 138 NetBios138
netsh firewall add portopening TCP 8193 Sophos8193
netsh firewall add portopening TCP 8194 Sophos8194
netsh firewall set service type=FILEANDPRINT mode=ENABLE

It works fine for the first login, but on the second login my network drives fail to reconnect. After some tests I found out that if the firewall and exceptions are already in place, the netsh commands in the .bat file will somehow fail.

My question is: how can I add conditions to the netsh code to check if the settings are already there? Maybe some if/else statements, I guess.

Thanks!
CoccoBill:

If you're in an AD environment, I strongly suggest using group policy to deploy firewall settings. For information about this (and other methods to deploy XP firewall settings), see the following document:
http://download.microsoft.com/download/6/8/a/68a81446-cd73-4a61-8665-8a67781ac4e8/wf_xpsp2.doc#_Toc85246672
Aland Coons:
When running things in a batch file that you only want to run once, you need to include some kind of test to keep them from running again.

For example, if you copy a file called fwpatch1.dat into the %systemroot% directory while starting the firewall, then when the batch runs it can look for the existence of that file and pass an error level back, keeping the remaining portion of the file from executing.

example:
IF EXIST %2 GOTO END
alandc is correct, a simple file is all you need to create and check for:

@echo off
if exist %systemroot%\Firewall_set.txt goto exit
:set_fw
netsh firewall set opmode mode=ENABLE
netsh firewall add portopening TCP 137 NetBios137
netsh firewall add portopening TCP 138 NetBios138
netsh firewall add portopening TCP 8193 Sophos8193
netsh firewall add portopening TCP 8194 Sophos8194
netsh firewall set service type=FILEANDPRINT mode=ENABLE
REM This will create the Firewall_set.txt file in the %systemroot% folder
echo "Firewall Settings are set" > %systemroot%\Firewall_set.txt
:exit

Or you can check the firewall itself...

From the cmd prompt... test the tokens/delimiters this way
for /f "tokens=1 delims= " %i IN ('"netsh firewall show config" ^| findstr /i 8194') Do echo %i

In a batch file use this: (you actually don't need the else goto but it's easier to read for some folks)

@echo off
for /f "tokens=1 delims= " %%i IN ('"netsh firewall show config" ^| findstr /i 8194') do if %%i==8194 (goto end) else (goto fw-settings)
:fw-settings
netsh firewall set opmode mode=ENABLE
netsh firewall add portopening TCP 137 NetBios137
netsh firewall add portopening TCP 138 NetBios138
netsh firewall add portopening TCP 8193 Sophos8193
netsh firewall add portopening TCP 8194 Sophos8194
netsh firewall set service type=FILEANDPRINT mode=ENABLE
:end


Examples of text files are in these pages: http://www.xinn.org/logonscripting101.html http://xinn.org/logonscripting102.html
-rich


Oh yes, and using AD will make it much easier: no need to check or use a batch file, a group policy will do the trick nicely.
(One more note: notice the difference between the variables %i and %%i; the double % sign is for batch files, and the single one is for cmd windows or interactive use.)
-rich
kuay23 (asker):

Hi richrumble, thanks. Is there a way to check if the OS is Windows XP? I need a condition to check if the machine is an XP and then run the code, because the batch file is used by Win2k/98/95 machines too. I'm afraid there will be complications.
ASKER CERTIFIED SOLUTION (Rich Rumble):

kuay23 (asker):

Hi Richrumble,

This is just checking against one condition, right? It's just checking to see if port 8194 is opened, right? Can we try with 2 conditions?

for /f "tokens=1 delims= " %%i IN ('"netsh firewall show config" ^| findstr /i 8194') do if %%i==8194 (goto end) else (goto fw-settings)
Sure:

Rem figure out if the pc is win2k or xp
FOR /F "tokens=3 delims= " %%h IN ('ver') DO if %%h==XP goto :xp_fw_en
:skip_fw
goto win2k

Rem Check to see if Firewall is enabled
:xp_fw_en
for /f "tokens=4 delims= " %%g IN ('"netsh firewall show state" ^| findstr /i Operational')do if %%g NEQ Enable goto fw-settings
for /f "tokens=1 delims= " %%i IN ('"netsh firewall show config" ^| findstr /i 8194') do if %%i==8194 (goto end) else (goto fw-settings)
:fw-settings
netsh firewall set opmode mode=ENABLE
netsh firewall add portopening TCP 137 NetBios137
netsh firewall add portopening TCP 138 NetBios138
netsh firewall add portopening TCP 8193 Sophos8193
netsh firewall add portopening TCP 8194 Sophos8194
netsh firewall set service type=FILEANDPRINT mode=ENABLE
:win2k
:end

That should do it...
-rich
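As an added example (not code from rich's posts or the thread), here is the same check-before-apply idea used in the two scripts above, taken one step further: it tests the firewall state and each required port separately and adds only what is missing, so the script can safely run on every login. It assumes cmd.exe (2000/XP), English-language netsh output, and a made-up log file name fw_login.log.

```batch
@echo off
setlocal
REM Added example, not code from the thread. Same check-before-apply idea as
REM the scripts above, but each port is tested individually so only the
REM missing exceptions are added. Assumes cmd.exe (2000/XP), English netsh
REM output, and a made-up log file name.
set "LOG=%systemroot%\fw_login.log"

REM Only XP has the "netsh firewall" context; do nothing on other versions.
ver | find "Windows XP" >nul
if errorlevel 1 goto end

REM Turn the firewall on only when "Operational mode" is not already Enable.
netsh firewall show state | findstr /i /c:"Operational mode" | findstr /i "Enable" >nul
if errorlevel 1 netsh firewall set opmode mode=ENABLE >>"%LOG%" 2>&1

REM One call per required port: add the exception only if it is missing.
call :ensure_port 137 NetBios137
call :ensure_port 138 NetBios138
call :ensure_port 8193 Sophos8193
call :ensure_port 8194 Sophos8194

REM File and Printer Sharing: same pattern, skip if a profile already shows Enable.
netsh firewall show service | findstr /i /c:"File and Printer" | findstr /i "Enable" >nul
if errorlevel 1 netsh firewall set service type=FILEANDPRINT mode=ENABLE >>"%LOG%" 2>&1
goto end

:ensure_port
REM %1 = port number, %2 = exception name.
REM "show portopening" prints one line per exception: "<port>   TCP   Enable   <name>".
REM Anchor the regex at line start and require TCP after the spaces, so 137
REM does not match 1370 or a UDP rule for the same port.
netsh firewall show portopening | findstr /r /c:"^%1  *TCP" >nul
if errorlevel 1 (
    echo %date% %time% adding %2 on TCP %1 >>"%LOG%"
    netsh firewall add portopening TCP %1 %2 >>"%LOG%" 2>&1
)
goto :eof

:end
endlocal
```

Like the for /f scripts in the thread, this relies on cmd.exe: command.com on 95/98 does not understand call :label or setlocal, so those machines fall through without changes only because the ver check is the first thing that runs.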
kuay23 (asker):

How do I hide the MS-DOS Prompt?

I tried SETCONSOLE ("Hide"); it says invalid command.
I believe all you can do is minimize the window; I've never hidden them... If at the very top of your script you use
@echo off
all commands will be hidden, unless there is a REM statement, an echo, or @echo:
REM This is a comment line
echo This is an echo'd line
@echo This is an echo'd line


@echo off
start /min

Rem figure out if the pc is win2k or xp
FOR /F "tokens=3 delims= " %%h IN ('ver') DO if %%h==XP goto :xp_fw_en
:skip_fw
goto win2k

Rem Check to see if Firewall is enabled
:xp_fw_en
for /f "tokens=4 delims= " %%g IN ('"netsh firewall show state" ^| findstr /i Operational')do if %%g NEQ Enable goto fw-settings
for /f "tokens=1 delims= " %%i IN ('"netsh firewall show config" ^| findstr /i 8194') do if %%i==8194 (goto end) else (goto fw-settings)
:fw-settings
netsh firewall set opmode mode=ENABLE
netsh firewall add portopening TCP 137 NetBios137
netsh firewall add portopening TCP 138 NetBios138
netsh firewall add portopening TCP 8193 Sophos8193
netsh firewall add portopening TCP 8194 Sophos8194
netsh firewall set service type=FILEANDPRINT mode=ENABLE
:win2k
:end
-rich
kuay23 (asker):

Thanks rich. I think I am beginning to ask too many questions... because I have just been asked to test if we can copy a shortcut file from the batch file to all users' desktops.