These are a set of useful Delphi snippets to handle the Windows Firewall using the Advanced Security scripting.
Note : Some of the below samples requires elevation.
- Adding a LAN Rule
- Adding a Per Interface Rule
- Adding a Protocol Rule
- Adding a Rule with Edge Traversal
- Adding a Service Rule
- Adding an ICMP Rule
- Adding an Application Rule
- Adding an Outbound Rule
- Checking if a Rule is Enabled
- Disabling the Firewall per Interface
- Enabling Rule Groups
- Enumerating Firewall Rules
- Enumerating Firewall Rules with a Matching Group String
- Restricting Service
- Retrieving Firewall Settings
- Turning the Firewall Off
Adding a LAN Rule
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code adds a LAN rule using the Microsoft Windows Firewall APIs.
Procedure AddLANRule;
Const
NET_FW_IP_PROTOCOL_TCP = 6;
NET_FW_ACTION_ALLOW = 1;
var
CurrentProfiles : OleVariant;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
NewRule : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
//Create a Rule Object.
NewRule := CreateOleObject('HNetCfg.FWRule');
NewRule.Name := 'Per_InterfaceType_Rule';
NewRule.Description := 'Allow incoming network traffic over port 2400 coming from LAN interface type';
NewRule.Protocol := NET_FW_IP_PROTOCOL_TCP;
NewRule.LocalPorts := 2300;
NewRule.Interfacetypes := 'LAN';
NewRule.Enabled := True;
NewRule.Grouping := 'My Group';
NewRule.Profiles := CurrentProfiles;
NewRule.Action := NET_FW_ACTION_ALLOW;
//Add a new rule
RulesObject.Add(NewRule);
end;
begin
try
CoInitialize(nil);
try
AddLANRule;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Adding a Per Interface Rule
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
Variants,
ComObj;
//This code that adds a per interface rule using the Microsoft Windows Firewall APIs.
Procedure AddPerInterfaceRule;
Const
NET_FW_IP_PROTOCOL_TCP = 6;
NET_FW_IP_PROTOCOL_UDP = 17;
NET_FW_ACTION_ALLOW = 1;
var
CurrentProfiles : OleVariant;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
NewRule : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
//Create a Rule Object.
NewRule := CreateOleObject('HNetCfg.FWRule');
NewRule.Name := 'Per_Interface_Rule';
NewRule.Description := 'Add a Per Interface Rule';
NewRule.Protocol := NET_FW_IP_PROTOCOL_TCP;
NewRule.LocalPorts := 2300;
NewRule.Interfacetypes := 'LAN';
NewRule.Enabled := True;
NewRule.Grouping := 'My Group';
NewRule.Profiles := CurrentProfiles;
NewRule.Interfaces := VarArrayOf(['Local Area Connection']);
NewRule.Action := NET_FW_ACTION_ALLOW;
//Add a new rule
RulesObject.Add(NewRule);
end;
begin
try
CoInitialize(nil);
try
AddPerInterfaceRule;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Adding a Protocol Rule
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code adds a Generic Routing Encapsulation (GRE) protocol rule
//using the Microsoft Windows Firewall APIs.
Procedure AddProtocolRule;
Const
NET_FW_ACTION_ALLOW = 1;
var
CurrentProfiles : OleVariant;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
NewRule : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
//Create a Rule Object.
NewRule := CreateOleObject('HNetCfg.FWRule');
NewRule.Name := 'GRE_RULE';
NewRule.Description := 'Allow GRE Traffic';
NewRule.Protocol := 47;
NewRule.Enabled := True;
NewRule.Profiles := CurrentProfiles;
NewRule.Action := NET_FW_ACTION_ALLOW;
//Add a new rule
RulesObject.Add(NewRule);
end;
begin
try
CoInitialize(nil);
try
AddProtocolRule;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Adding a Rule with Edge Traversal
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code adds an application rule with Edge Traversal using the Microsoft Windows Firewall APIs.
Procedure AddRuleEdgeTraversal;
Const
NET_FW_ACTION_ALLOW = 1;
NET_FW_IP_PROTOCOL_TCP = 6;
var
CurrentProfiles : OleVariant;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
NewRule : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
//Create a Rule Object.
NewRule := CreateOleObject('HNetCfg.FWRule');
NewRule.Name := 'My Application Name with Edge Traversal';
NewRule.Description := 'Allow GRE TrafficAllow my application network traffic with Edge Traversal';
NewRule.Applicationname := 'MyApplication.exe';
NewRule.Protocol := NET_FW_IP_PROTOCOL_TCP;
NewRule.LocalPorts := 5000;
NewRule.Enabled := True;
NewRule.Grouping := 'My Group';
NewRule.Profiles := CurrentProfiles;
NewRule.Action := NET_FW_ACTION_ALLOW;
NewRule.EdgeTraversal := True;
//Add a new rule
RulesObject.Add(NewRule);
end;
begin
try
CoInitialize(nil);
try
AddRuleEdgeTraversal;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Adding a Service Rule
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code adds a service rule in the local public store using the Microsoft Windows Firewall APIs.
Procedure AddServiceRule;
Const
NET_FW_ACTION_ALLOW = 1;
NET_FW_IP_PROTOCOL_TCP = 6;
var
CurrentProfiles : OleVariant;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
NewRule : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
//Create a Rule Object.
NewRule := CreateOleObject('HNetCfg.FWRule');
NewRule.Name := 'Service_Rule';
NewRule.Description := 'Allow incoming network traffic to myservice';
NewRule.Applicationname := 'MyService.exe';
NewRule.ServiceName := 'myservicename';
NewRule.Protocol := NET_FW_IP_PROTOCOL_TCP;
NewRule.LocalPorts := 135;
NewRule.Enabled := True;
NewRule.Grouping := 'My Group';
NewRule.Profiles := CurrentProfiles;
NewRule.Action := NET_FW_ACTION_ALLOW;
//Add a new rule
RulesObject.Add(NewRule);
end;
begin
try
CoInitialize(nil);
try
AddServiceRule;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Adding an ICMP Rule
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code adds an ICMP rule using the Microsoft Windows Firewall APIs.
Procedure AddICMPRule;
Const
NET_FW_ACTION_ALLOW = 1;
NET_FW_IP_PROTOCOL_ICMPv4 = 1;
NET_FW_IP_PROTOCOL_ICMPv6 = 58;
var
CurrentProfiles : OleVariant;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
NewRule : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
//Create a Rule Object.
NewRule := CreateOleObject('HNetCfg.FWRule');
NewRule.Name := 'ICMP_Rule';
NewRule.Description := 'Allow ICMP network traffic';
NewRule.Protocol := NET_FW_IP_PROTOCOL_ICMPv4;
NewRule.IcmpTypesAndCodes := '1:1';
NewRule.Enabled := True;
NewRule.Grouping := 'My Group';
NewRule.Profiles := CurrentProfiles;
NewRule.Action := NET_FW_ACTION_ALLOW;
//Add a new rule
RulesObject.Add(NewRule);
end;
begin
try
CoInitialize(nil);
try
AddICMPRule;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Adding an Application Rule
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
// This code adds an application rule using the Microsoft Windows Firewall APIs.
Procedure AddApplicationRule;
Const
NET_FW_ACTION_ALLOW = 1;
NET_FW_IP_PROTOCOL_TCP = 6;
var
CurrentProfiles : OleVariant;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
NewRule : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
//Create a Rule Object.
NewRule := CreateOleObject('HNetCfg.FWRule');
NewRule.Name := 'My Application Name';
NewRule.Description := 'Allow my application network traffic';
NewRule.Applicationname := 'C:\Foo\MyApplication.exe';
NewRule.Protocol := NET_FW_IP_PROTOCOL_TCP;
NewRule.LocalPorts := 4000;
NewRule.Enabled := True;
NewRule.Grouping := 'My Group';
NewRule.Profiles := CurrentProfiles;
NewRule.Action := NET_FW_ACTION_ALLOW;
//Add a new rule
RulesObject.Add(NewRule);
end;
begin
try
CoInitialize(nil);
try
AddApplicationRule;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Adding an Outbound Rule
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code adds an outbound rule using the Microsoft Windows Firewall APIs.
Procedure AddOutboundRule;
Const
NET_FW_ACTION_ALLOW = 1;
NET_FW_IP_PROTOCOL_TCP = 6;
NET_FW_RULE_DIR_OUT = 2;
var
CurrentProfiles : OleVariant;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
NewRule : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
//Create a Rule Object.
NewRule := CreateOleObject('HNetCfg.FWRule');
NewRule.Name := 'Outbound_Rule';
NewRule.Description := 'Allow outbound network traffic from my Application over TCP port 4000';
NewRule.Applicationname := 'C:\Foo\MyApplication.exe';
NewRule.Protocol := NET_FW_IP_PROTOCOL_TCP;
NewRule.LocalPorts := 4000;
NewRule.Direction := NET_FW_RULE_DIR_OUT;
NewRule.Enabled := True;
NewRule.Grouping := 'My Group';
NewRule.Profiles := CurrentProfiles;
NewRule.Action := NET_FW_ACTION_ALLOW;
//Add a new rule
RulesObject.Add(NewRule);
end;
begin
try
CoInitialize(nil);
try
AddOutboundRule;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Checking if a Rule is Enabled
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code checks if the rule group is enabled in the current profile using the Microsoft Windows Firewall APIs.
Procedure CheckingRuleEnabled;
Const
NET_FW_MODIFY_STATE_OK = 0;
NET_FW_MODIFY_STATE_GP_OVERRIDE = 1;
NET_FW_MODIFY_STATE_INBOUND_BLOCKED = 2;
var
fwPolicy2 : OleVariant;
PolicyModifyState : Integer;
bIsEnabled : Boolean;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
bIsEnabled := fwPolicy2.IsRuleGroupCurrentlyEnabled('File and Printer Sharing');
if bIsEnabled then
Writeln('File and Printer Sharing is currently enabled on at least one of the current profiles')
else
Writeln('File and Printer Sharing is currently not enabled on any of the current profiles');
PolicyModifyState := fwPolicy2.LocalPolicyModifyState;
case PolicyModifyState of
NET_FW_MODIFY_STATE_OK : Writeln('Changing or adding a firewall rule (or group) will take effect on at least one of the current profiles.');
NET_FW_MODIFY_STATE_GP_OVERRIDE : Writeln('Changing or adding a firewall rule (or group) to the current profiles will not take effect because group policy overrides it on at least one of the current profiles.');
NET_FW_MODIFY_STATE_INBOUND_BLOCKED: Writeln('Changing or adding an inbound firewall rule (or group) to the current profiles will not take effect because inbound rules are not allowed on at least one of the current profiles.')
else Writeln('Invalid Modify State returned by LocalPolicyModifyState.');
End;
end;
begin
try
CoInitialize(nil);
try
CheckingRuleEnabled;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Disabling the Firewall per Interface
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
Variants,
ComObj;
//This code disables the firewall on a per interface basis using the Microsoft Windows Firewall APIs.
Procedure DisableFirewallPerInterface;
Const
NET_FW_PROFILE2_DOMAIN = 1;
NET_FW_PROFILE2_PRIVATE = 2;
NET_FW_PROFILE2_PUBLIC = 4;
var
CurrentProfiles : Integer;
fwPolicy2 : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
//Disable Firewall on interface in the Domain profile
if (CurrentProfiles and NET_FW_PROFILE2_DOMAIN)<>0 then
begin
if not fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_DOMAIN] then
fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_DOMAIN]:= True;
fwPolicy2.ExcludedInterfaces(NET_FW_PROFILE2_DOMAIN, VarArrayOf(['Local Area Connection']));
end;
//Disable Firewall on interface in the Private profile
if (CurrentProfiles and NET_FW_PROFILE2_PRIVATE)<>0 then
begin
if not fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_PRIVATE] then
fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_PRIVATE]:= True;
fwPolicy2.ExcludedInterfaces(NET_FW_PROFILE2_PRIVATE, VarArrayOf(['Local Area Connection']));
end;
//Disable Firewall on interface in the Public profile
if (CurrentProfiles and NET_FW_PROFILE2_PUBLIC)<>0 then
begin
if not fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_PUBLIC] then
fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_PUBLIC]:= True;
fwPolicy2.ExcludedInterfaces(NET_FW_PROFILE2_PUBLIC, VarArrayOf(['Local Area Connection']));
end;
end;
begin
try
CoInitialize(nil);
try
DisableFirewallPerInterface;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Enabling Rule Groups
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code enables the Windows Firewall rule groups using the Microsoft Windows Firewall APIs.
Procedure EnableRuleGroups;
var
CurrentProfiles : Integer;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
fwPolicy2.EnableRuleGroup(CurrentProfiles, 'File and Printer Sharing', True);
end;
begin
try
CoInitialize(nil);
try
EnableRuleGroups;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Enumerating Firewall Rules
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
Variants,
ComObj;
//This code enumerates Windows Firewall rules using the Microsoft Windows Firewall APIs.
Procedure EnumerateFirewallRules;
Const
NET_FW_PROFILE2_DOMAIN = 1;
NET_FW_PROFILE2_PRIVATE = 2;
NET_FW_PROFILE2_PUBLIC = 4;
NET_FW_IP_PROTOCOL_TCP = 6;
NET_FW_IP_PROTOCOL_UDP = 17;
NET_FW_IP_PROTOCOL_ICMPv4 = 1;
NET_FW_IP_PROTOCOL_ICMPv6 = 58;
NET_FW_RULE_DIR_IN = 1;
NET_FW_RULE_DIR_OUT = 2;
NET_FW_ACTION_BLOCK = 0;
NET_FW_ACTION_ALLOW = 1;
var
CurrentProfiles : Integer;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
rule : OleVariant;
oEnum : IEnumvariant;
iValue : LongWord;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
if (CurrentProfiles AND NET_FW_PROFILE2_DOMAIN)<>0 then
Writeln('Domain Firewall Profile is active');
if ( CurrentProfiles AND NET_FW_PROFILE2_PRIVATE )<>0 then
Writeln('Private Firewall Profile is active');
if ( CurrentProfiles AND NET_FW_PROFILE2_PUBLIC )<>0 then
Writeln('Public Firewall Profile is active');
Writeln('Rules:');
oEnum := IUnknown(Rulesobject._NewEnum) as IEnumVariant;
while oEnum.Next(1, rule, iValue) = 0 do
begin
if (rule.Profiles And CurrentProfiles)<>0 then
begin
Writeln(' Rule Name: ' + rule.Name);
Writeln(' ----------------------------------------------');
Writeln(' Description: ' + rule.Description);
Writeln(' Application Name: ' + rule.ApplicationName);
Writeln(' Service Name: ' + rule.ServiceName);
Case rule.Protocol of
NET_FW_IP_PROTOCOL_TCP : Writeln(' IP Protocol: TCP.');
NET_FW_IP_PROTOCOL_UDP : Writeln(' IP Protocol: UDP.');
NET_FW_IP_PROTOCOL_ICMPv4 : Writeln(' IP Protocol: UDP.');
NET_FW_IP_PROTOCOL_ICMPv6 : Writeln(' IP Protocol: UDP.');
Else Writeln(' IP Protocol: ' + VarToStr(rule.Protocol));
End;
if (rule.Protocol = NET_FW_IP_PROTOCOL_TCP) or (rule.Protocol = NET_FW_IP_PROTOCOL_UDP) then
begin
Writeln(' Local Ports: ' + rule.LocalPorts);
Writeln(' Remote Ports: ' + rule.RemotePorts);
Writeln(' LocalAddresses: ' + rule.LocalAddresses);
Writeln(' RemoteAddresses: ' + rule.RemoteAddresses);
end;
if (rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv4) or (rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv6) then
Writeln(' ICMP Type and Code: ' + rule.IcmpTypesAndCodes);
Case rule.Direction of
NET_FW_RULE_DIR_IN : Writeln(' Direction: In');
NET_FW_RULE_DIR_OUT: Writeln(' Direction: Out');
End;
Writeln(' Enabled: ' + VarToStr(rule.Enabled));
Writeln(' Edge: ' + VarToStr(rule.EdgeTraversal));
Case rule.Action of
NET_FW_ACTION_ALLOW : Writeln(' Action: Allow');
NET_FW_ACTION_BLOCk : Writeln(' Action: Block');
End;
Writeln(' Grouping: ' + rule.Grouping);
Writeln(' Edge: ' + VarToStr(rule.EdgeTraversal));
Writeln(' Interface Types: ' + rule.InterfaceTypes);
Writeln;
end;
rule:=Unassigned;
end;
end;
begin
try
CoInitialize(nil);
try
EnumerateFirewallRules;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Enumerating Firewall Rules with a Matching Group String
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
Variants,
ComObj;
//This code enumerates Windows Firewall rules with a matching grouping string
Procedure EnumerateFirewallRules;
Const
NET_FW_PROFILE2_DOMAIN = 1;
NET_FW_PROFILE2_PRIVATE = 2;
NET_FW_PROFILE2_PUBLIC = 4;
NET_FW_IP_PROTOCOL_TCP = 6;
NET_FW_IP_PROTOCOL_UDP = 17;
NET_FW_IP_PROTOCOL_ICMPv4 = 1;
NET_FW_IP_PROTOCOL_ICMPv6 = 58;
NET_FW_RULE_DIR_IN = 1;
NET_FW_RULE_DIR_OUT = 2;
NET_FW_ACTION_BLOCK = 0;
NET_FW_ACTION_ALLOW = 1;
var
CurrentProfiles : Integer;
fwPolicy2 : OleVariant;
RulesObject : OleVariant;
rule : OleVariant;
oEnum : IEnumvariant;
iValue : LongWord;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
if (CurrentProfiles AND NET_FW_PROFILE2_DOMAIN)<>0 then
Writeln('Domain Firewall Profile is active');
if ( CurrentProfiles AND NET_FW_PROFILE2_PRIVATE )<>0 then
Writeln('Private Firewall Profile is active');
if ( CurrentProfiles AND NET_FW_PROFILE2_PUBLIC )<>0 then
Writeln('Public Firewall Profile is active');
Writeln('Rules:');
oEnum := IUnknown(Rulesobject._NewEnum) as IEnumVariant;
while oEnum.Next(1, rule, iValue) = 0 do
begin
if (rule.Grouping = 'My Group') then
begin
Writeln(' Rule Name: ' + rule.Name);
Writeln(' ----------------------------------------------');
Writeln(' Description: ' + rule.Description);
Writeln(' Application Name: ' + rule.ApplicationName);
Writeln(' Service Name: ' + rule.ServiceName);
Case rule.Protocol of
NET_FW_IP_PROTOCOL_TCP : Writeln(' IP Protocol: TCP.');
NET_FW_IP_PROTOCOL_UDP : Writeln(' IP Protocol: UDP.');
NET_FW_IP_PROTOCOL_ICMPv4 : Writeln(' IP Protocol: UDP.');
NET_FW_IP_PROTOCOL_ICMPv6 : Writeln(' IP Protocol: UDP.');
Else Writeln(' IP Protocol: ' + VarToStr(rule.Protocol));
End;
if (rule.Protocol = NET_FW_IP_PROTOCOL_TCP) or (rule.Protocol = NET_FW_IP_PROTOCOL_UDP) then
begin
Writeln(' Local Ports: ' + rule.LocalPorts);
Writeln(' Remote Ports: ' + rule.RemotePorts);
Writeln(' LocalAddresses: ' + rule.LocalAddresses);
Writeln(' RemoteAddresses: ' + rule.RemoteAddresses);
end;
if (rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv4) or (rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv6) then
Writeln(' ICMP Type and Code: ' + rule.IcmpTypesAndCodes);
Case rule.Direction of
NET_FW_RULE_DIR_IN : Writeln(' Direction: In');
NET_FW_RULE_DIR_OUT: Writeln(' Direction: Out');
End;
Writeln(' Enabled: ' + VarToStr(rule.Enabled));
Writeln(' Edge: ' + VarToStr(rule.EdgeTraversal));
Case rule.Action of
NET_FW_ACTION_ALLOW : Writeln(' Action: Allow');
NET_FW_ACTION_BLOCk : Writeln(' Action: Block');
End;
Writeln(' Grouping: ' + rule.Grouping);
Writeln(' Edge: ' + VarToStr(rule.EdgeTraversal));
Writeln(' Interface Types: ' + rule.InterfaceTypes);
Writeln;
end;
rule:=Unassigned;
end;
end;
begin
try
CoInitialize(nil);
try
EnumerateFirewallRules;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Restricting Service
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code restricts a service using the Microsoft Windows Firewall APIs.
Procedure RestrictService;
Const
NET_FW_PROFILE2_DOMAIN = 1;
NET_FW_PROFILE2_PRIVATE = 2;
NET_FW_PROFILE2_PUBLIC = 4;
NET_FW_IP_PROTOCOL_TCP = 6;
NET_FW_RULE_DIR_IN = 1;
NET_FW_RULE_DIR_OUT = 2;
NET_FW_ACTION_BLOCK = 0;
NET_FW_ACTION_ALLOW = 1;
var
fwPolicy2 : OleVariant;
RulesObject, wshRules : OleVariant;
ServiceRestriction, NewInboundRule, NewOutboundRule : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
RulesObject := fwPolicy2.Rules;
// Get the Service Restriction object for the local firewall policy.
ServiceRestriction := fwPolicy2.ServiceRestriction;
// Put in block-all inbound and block-all outbound Windows Service Hardening (WSH) networking rules for the service
ServiceRestriction.RestrictService('TermService', '%systemDrive%\WINDOWS\system32\svchost.exe', True, False);
//If the service requires sending/receiving certain type of traffic, then add "allow" WSH rules as follows
//Get the collection of Windows Service Hardening networking rules
wshRules := ServiceRestriction.Rules;
//Add inbound WSH allow rules
NewInboundRule := CreateOleObject('HNetCfg.FWRule');
NewInboundRule.Name := 'Allow only TCP 3389 inbound to service';
NewInboundRule.ApplicationName := '%systemDrive%\WINDOWS\system32\svchost.exe';
NewInboundRule.ServiceName := 'TermService';
NewInboundRule.Protocol := NET_FW_IP_PROTOCOL_TCP;
NewInboundRule.LocalPorts := 3389;
NewInboundRule.Action := NET_FW_ACTION_ALLOW;
NewInboundRule.Direction := NET_FW_RULE_DIR_IN;
NewInboundRule.Enabled := True;
wshRules.Add(NewInboundRule);
//Add outbound WSH allow rules
NewOutboundRule := CreateOleObject('HNetCfg.FWRule');
NewOutboundRule.Name := 'Allow outbound traffic from service only from TCP 3389';
NewOutboundRule.ApplicationName := '%systemDrive%\WINDOWS\system32\svchost.exe';
NewOutboundRule.ServiceName := 'TermService';
NewOutboundRule.Protocol := NET_FW_IP_PROTOCOL_TCP;
NewOutboundRule.LocalPorts := 3389;
NewOutboundRule.Action := NET_FW_ACTION_ALLOW;
NewOutboundRule.Direction := NET_FW_RULE_DIR_OUT;
NewOutboundRule.Enabled := True;
wshRules.Add(NewOutboundRule);
end;
begin
try
CoInitialize(nil);
try
RestrictService;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Retrieving Firewall Settings
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code reads the Windows Firewall settings per profile using the Microsoft Windows Firewall APIs.
Procedure GetFirewallSettings;
Const
NET_FW_PROFILE2_DOMAIN = 1;
NET_FW_PROFILE2_PRIVATE = 2;
NET_FW_PROFILE2_PUBLIC = 4;
var
CurrentProfiles : Integer;
fwPolicy2 : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
CurrentProfiles := fwPolicy2.CurrentProfileTypes;
if (CurrentProfiles AND NET_FW_PROFILE2_DOMAIN)<>0 then
if fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_DOMAIN] then
Writeln('Firewall is ON on domain profile.')
else
Writeln('Firewall is OFF on domain profile.');
if (CurrentProfiles AND NET_FW_PROFILE2_PRIVATE)<>0 then
if fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_PRIVATE] then
Writeln('Firewall is ON on private profile.')
else
Writeln('Firewall is OFF on private profile.');
if (CurrentProfiles AND NET_FW_PROFILE2_PUBLIC)<>0 then
if fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_PUBLIC] then
Writeln('Firewall is ON on public profile.')
else
Writeln('Firewall is OFF on public profile.');
end;
begin
try
CoInitialize(nil);
try
GetFirewallSettings;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
Turning the Firewall Off
{$APPTYPE CONSOLE}
uses
SysUtils,
ActiveX,
ComObj;
//This code that disables the firewall using the Microsoft Windows Firewall APIs.
Procedure SetFirewallOff;
Const
NET_FW_PROFILE2_DOMAIN = 1;
NET_FW_PROFILE2_PRIVATE = 2;
NET_FW_PROFILE2_PUBLIC = 4;
var
fwPolicy2 : OleVariant;
begin
// Create the FwPolicy2 object.
fwPolicy2 := CreateOleObject('HNetCfg.FwPolicy2');
fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_DOMAIN]:= False;
fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_PRIVATE]:= False;
fwPolicy2.FirewallEnabled[NET_FW_PROFILE2_PUBLIC]:= False;
end;
begin
try
CoInitialize(nil);
try
SetFirewallOff;
finally
CoUninitialize;
end;
except
on E:EOleException do
Writeln(Format('EOleException %s %x', [E.Message,E.ErrorCode]));
on E:Exception do
Writeln(E.Classname, ':', E.Message);
end;
Writeln('Press Enter to exit');
Readln;
end.
This post is based in the MSDN entry Using Windows Firewall with Advanced Security
The Road to Delphi 
November 21, 2013 at 10:01 pm
Really interesting post Rodrigo – thanks for sharing this.
Rob
November 21, 2013 at 11:06 pm
You are welcome.
November 22, 2013 at 1:05 pm
This is very interesting post. It compiles with Delphi5 also ! I think you can make it into a EXE. Will it be like a mini version of Zonealaram ?
November 22, 2013 at 1:55 pm
Thanks. ZoneAlaram is a full security solution (antivirus+firewall) and this code is only to interact with the Windows Firewall.
November 22, 2013 at 8:58 pm
Ok I got it
August 29, 2014 at 4:21 am
This is really interresting but how can we “remove” any of these rules ?
September 11, 2014 at 8:29 pm
You must use the INetFwRules::Remove method.