
How do I test for firewall exceptions in a KACE script?

I'm trying to create a script that enables ICMP echo (ping). I've found a command line that works:
netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow
And if I create a script and put that in:
On Success

  1. Launch "$(KACE_SYS_DIR)\netsh.exe" with params "advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow"
And that works. But I want to put in some verification before and after, and the trouble is I don't know where to look given the limitations of kace script options. I guess a "verify a Registry value is..." would do it, but I don't know where to look in the registry for firewall changes. I found something close:

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\CoreNet-ICMP4-DUFRAG-In

But the entries for that key on the machine where I ran the netsh command versus one I didn't are the same! There's some other keys for ICMP6 (IPv6 I guess) I couldn't find anything else labeled ICMP.

I guess I don't know how netsh and the registry interact well enough to know what to look for.

Maybe I'm barking up the wrong tree? Is there another way to test if this firewall setting has been made already or not?




Answers (1)

Posted by: cblake 9 years ago
Red Belt
0
I'm not overly familiar with netsh either. I had ran across a Port Query tool from Microsoft a few years back. The following may be useful (not positive):
Knock Knock Is That Port Open?
By Mark Morowczynski [MSFT] 18 Apr 2011 3:22 PM
Quick tutorial about PortQry GUI version.
http://blogs.technet.com/b/markmoro/archive/2011/04/18/knock-knock-is-that-port-open.aspx
PortQryUI - User Interface for the PortQry Command Line Port Scanner (GUI version)
http://www.microsoft.com/download/en/details.aspx?id=24009
Download details: PortQry Command Line Port Scanner Version 2.0   
http://www.microsoft.com/downloads/en/details.aspx?familyid=89811747-c74b-4638-a2d5-ac828bdc6983&displaylang=en
How to use Portqry to troubleshoot Active Directory connectivity issues
http://support.microsoft.com/kb/816103
Understanding portqry and the command's output: New features and functionality in PortQry version 2.0 
http://support.microsoft.com/kb/832919
Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099

I might attempt to execute port query in a verify, dump its output to a text file, and then examine the text? I'm sure there are multiple methods that would also work, but that's what came to mind for me. Another (similar) option might be using netstat to see what's open. For Example- 

See all open (listening):

 netstat -a | find "LISTENING"

Determine if a port is connected:

netstat -np TCP | find "80"



Comments:
  • Not being a network engineer, I decided to google what port ICMP uses. Turns out it doesn't, since it's a network layer protocol, just like IPv4, IPv6, etc., hence no TCP/UDP port number. So I don't think netstat will help there. Not that I know much about netstat either. :) - jtremblay 9 years ago
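As an added example (not code from the thread or from KACE/Quest): a PowerShell check for the "All ICMP V4" rule from the question, usable as a before/after verify step because it signals presence through its exit code. It assumes the rule name from the question, an elevated context, and that rules created with netsh are stored as GUID-named values under the FirewallRules key whose data contains "|Name=<rule name>|" (which is why inspecting the fixed CoreNet-ICMP4-DUFRAG-In value showed no difference between the two machines).

```powershell
# Added example: verify whether a named Windows Firewall rule exists.
# Assumptions: rule name "All ICMP V4" (from the question); run elevated;
# netsh-created rules live as GUID-named values under the FirewallRules key.
param(
    [string]$RuleName = "All ICMP V4"
)

function Test-FirewallRuleViaNetsh {
    param([string]$Name)
    # "show rule" prints a block starting with "Rule Name:" when the rule exists,
    # and "No rules match the specified criteria." when it does not.
    $out = & netsh advfirewall firewall show rule name="$Name" 2>&1
    return [bool]($out -match "^Rule Name:")
}

function Test-FirewallRuleViaRegistry {
    param([string]$Name)
    # Each rule is one REG_SZ value; netsh-created ones are named by GUID, so
    # search the pipe-delimited data for the Name= field instead of the value name.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return $false }
    $pattern = "\|Name=" + [regex]::Escape($Name) + "\|"
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match $pattern) {
            return $true
        }
    }
    return $false
}

# Either source is enough to prove the rule is present; exit 0 = present, 1 = missing,
# so a KACE "Launch a program" verify step can branch on the result.
$present = (Test-FirewallRuleViaNetsh -Name $RuleName) -or (Test-FirewallRuleViaRegistry -Name $RuleName)
if ($present) { Write-Output "Rule '$RuleName' is present"; exit 0 }
else          { Write-Output "Rule '$RuleName' is missing";  exit 1 }
```

Run it once before the netsh step (expect exit 1 on an untouched machine) and once after (expect exit 0); if both checks disagree on a machine, the registry value data is the place to look for a rule created with a slightly different name.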
 