Automating addition of firewall rule

HCHTech

I've been playing around with scripting firewall rules in my RMM. In today's exercise, I'm trying to add a rule to allow traffic from a different subnet (for example, when the wifi is on a different subnet than the LAN, the Windows firewall will block traffic between the two subnets by default). The following will create a rule to allow traffic (and back up the settings both before and after):

Code:
netsh advfirewall export "c:\temp\beforenewrule.wfw"
netsh advfirewall firewall add rule name="TestScopeRule" dir=in action=allow profile=private localip=192.168.0.0/24
netsh advfirewall export "c:\temp\afternewrule.wfw"

Since this would allow all traffic, I'm wondering if I'm being too flexible here and should be limiting my rule to ports 139 & 445, for example. OTOH, we always create a guest wifi network that is separated from the "private" wifi, so maybe I need to be less concerned. This would obviously be in a non-server environment, where a GPO would be a more efficient solution.

What do you think?
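As an added example (not the poster's script or anything from the thread), here is the same exercise written in PowerShell rather than netsh, with the tighter scoping the post asks about: the rule only allows TCP 139 and 445, only from the remote wifi subnet, and only on the Private profile. The subnet values, the rule name and the backup paths are assumptions; the post itself only mentions 192.168.0.0/24. The script also checks which profile the active connections are on, since a rule bound to Private does nothing if the NIC has dropped back to Public.

```powershell
# Added example, not from the original post. Run elevated.
# Assumed values: adjust to the site's actual addressing.
$RuleName    = "Allow SMB from Wifi subnet"          # assumed rule name
$WifiSubnet  = "192.168.100.0/24"                   # assumed remote (wifi) subnet
$BackupDir   = "C:\temp"                            # assumed backup location
$Stamp       = Get-Date -Format "yyyyMMdd-HHmmss"

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Back up the current policy before touching anything (same as the netsh export in the post).
netsh advfirewall export "$BackupDir\before-$Stamp.wfw" | Out-Null

# 2. Make the script idempotent: don't stack duplicate rules on every RMM run.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Rule '$RuleName' already exists; leaving it alone."
} else {
    # 3. Scoped rule: inbound, Private profile only, TCP 139/445, and only from the wifi subnet.
    #    This is narrower than an allow-all rule keyed on localip: the remote side is what is being
    #    admitted, so RemoteAddress is the parameter that actually does the work here.
    New-NetFirewallRule -DisplayName $RuleName `
        -Description "File/print sharing from the private wifi subnet (scripted via RMM)" `
        -Direction Inbound -Action Allow -Enabled True `
        -Profile Private `
        -Protocol TCP -LocalPort 139,445 `
        -RemoteAddress $WifiSubnet | Out-Null
    Write-Output "Created rule '$RuleName'."
}

# 4. Back up again after the change so the two exports can be diffed.
netsh advfirewall export "$BackupDir\after-$Stamp.wfw" | Out-Null

# 5. Verify what actually landed: scope, ports and profile.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
Get-NetFirewallRule -DisplayName $RuleName | Select-Object DisplayName, Profile, Enabled, Action

# 6. Sanity check: a Private-profile rule is useless on an adapter that Windows has
#    classified as Public (e.g. after a switch swap made it look like a new network).
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory
```

If the last query shows the wired or wifi adapter as Public, the rule is in place but not in effect; either reclassify the connection (`Set-NetConnectionProfile -InterfaceAlias "<alias>" -NetworkCategory Private`) or accept that the rule needs `-Profile Private, Public`, which widens exposure and is not what the post is after.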
 
I think I'm following what you're asking. What's the network look like? Is there a hardware firewall appliance in play that allows bridging/routing between the subnets or any VLANing? I'm not a huge fan of the Windows firewall since it can be affected by silly things like when the network switch gets replaced and all of a sudden every Windows endpoint decides it's a new network and reverts to the Public profile.

So if you had a scenario like:
Wired LAN: 192.168.0.0/24
Wifi LAN: 192.168.100.0/24
Guest Wifi: 10.0.0.0/24

At your firewall, guest wifi is obviously only routed out to the internet. Wifi LAN and wired LAN are bridged or routed. So on the Windows software firewall, it's configured on a private network, but is unable to communicate between 192.168.0.0 and 192.168.100.0, and that's what you're wanting to reconfigure?
 
Yep that's it. Even with a hardware firewall in place, this needs to be done with the Windows firewall (or, it needs to be disabled) to allow the traffic.
 