XP SP2 default firewall change

Status
Not open for further replies.

Mich

IS-IT--Management
Dec 26, 2000
452
US
I'm attempting to change the ports opened/closed in XP SP2. Right now I'm trying to get it to work post install, but will push for pre-install later.

Here's what I've done,

1) Edited netfw.inf to add reg keys allowing certain ports to be open (SMS, VNC, etc.). The syntax appears correct. Saved the file.

2) From command prompt - 'netsh firewall reset'. One document suggested I do this. Will revisit this in a second.

After those steps I checked the firewall config GUI and the ports added to the inf are not listed. I read another document that said 'netsh firewall reset' would restore default config, so I rebooted the machine, but the ports are still not listed in the GUI.

What am I doing wrong?

Thanks in advance.

-If it ain't broke, break it and make it better.
 
I do not think you get a port-only enumeration under the GUI for the firewall. You would have to make both the port entry as well as the program/service entry changes to the .inf in order to "see" the change in the GUI.
 
OK, but I don't see the ports open under netsh either and I can't VNC. If I go into the GUI and add the port I can view it in netsh and I have the ability to VNC.

It's not just VNC, but I use that as an example.

I have to be doing something wrong. Do the steps look correct?

-If it ain't broke, break it and make it better.
 
Here I will open TCP 5901 for VNC:

[version]
Signature = "$Windows NT$"
DriverVer =07/01/2001,5.1.2600.2132

[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile

[ICF.AddReg.DomainProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List","5901:TCP",0x00000000,"5901:TCP:*:enabled:VNC (TCP 5901)"

[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5901:TCP",0x00000000,"5901:TCP:*:enabled:VNC (TCP 5901)"
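
Added example, not part of the thread and not Microsoft tooling: a small Python lint for netfw.inf AddReg lines that checks the exception-list value format used in the INF above and flags lines that were wrapped or truncated when pasted. The sample lines, the C:\Tools\vnc.exe path and the rule that the value name must match the start of the data are assumptions made for illustration.

```python
import csv
import re

# Exception-list keys written by the INF on this page (profile, list kind).
KEY = re.compile(r"\\FirewallPolicy\\(DomainProfile|StandardProfile)"
                 r"\\(GloballyOpenPorts|AuthorizedApplications)\\List$", re.I)

def audit_inf(text):
    """Lint firewall AddReg lines; return (entries, problems)."""
    entries, problems = [], []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.upper().startswith("HKLM,"):
            continue                       # section headers, blanks, fragments
        fields = next(csv.reader([line]))  # root, subkey, value name, flags, data
        if len(fields) != 5:
            problems.append((num, "AddReg line is wrapped or truncated"))
            continue
        key = KEY.search(fields[1])
        if key is None:
            continue                       # some other registry value
        name, data = fields[2], fields[4]
        ports = key.group(2).lower() == "globallyopenports"
        # port:protocol:scope:mode:name  or  path:scope:mode:name (path may hold ':')
        parts = data.split(":", 4) if ports else data.rsplit(":", 3)
        if len(parts) != (5 if ports else 4):
            problems.append((num, "wrong number of ':' fields in data"))
            continue
        scope, mode = parts[-3], parts[-2].lower()
        target = ":".join(parts[:2]) if ports else parts[0]
        errs = []
        if ports and not (re.fullmatch(r"[0-9]{1,5}", parts[0])
                          and 0 < int(parts[0]) < 65536
                          and parts[1].upper() in ("TCP", "UDP")):
            errs.append(f"bad port/protocol {target!r}")
        if mode not in ("enabled", "disabled"):
            errs.append(f"bad mode {mode!r}")
        if name.lower() != target.lower():
            errs.append(f"value name {name!r} does not match data")
        if errs:
            problems += [(num, e) for e in errs]
        else:
            entries.append((key.group(1), key.group(2), target, scope, mode))
    return entries, problems

# Constructed sample: one good line, a name/data mismatch, a wrapped line, a bad mode.
SAMPLE = r'''HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5901:TCP",0x00000000,"5901:TCP:*:enabled:VNC (TCP 5901)"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5900:TCP",0x00000000,"5901:TCP:LocalSubNet:enabled:VNC"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPol
icy\StandardProfile\GloballyOpenPorts\List","2701:TCP",0x00000000,"2701:TCP:*:enabled:SMS"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","C:\Tools\vnc.exe",0x00000000,"C:\Tools\vnc.exe:LocalSubNet:on:VNC server"'''
```

The scope column in each returned entry is worth reviewing before the INF is deployed: `*` accepts connections from any source address, while `LocalSubNet` limits the exception to the local subnet.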
 
Hi.

There is an API (typelib) for setting which ports and applications one might want to add. However, I cannot see that the API provides any enumeration of the entries in the firewall, only a count.
This forum mentions using the registry which is actually what I've done until now.
So my question is to whoever might read this: Do you know if it's nicer to use the API that M$ provides rather than the registry? I haven't found anything on MSDN that mentions the use of the registry in the new firewall (except for certain DCOM settings). It could be that it's okay to use the registry and the API just gives a quicker way to manipulate certain entries.
P.S. I was very hesitant to install SP2 at home as I've used the beta from M$ in my work. Yesterday I installed it without too much trouble (= failing apps).

- K9 €9
 