Adding many IP addresses to Windows Firewall using CLI fails partially


As an alternative method of doing (Since already in PowerShell):

This will give you more information per IP: This is not tested, but should give you better output / formatting and at worst a good head start and theoretically work.

$IPs = @("123.123.123.111", "123.123.123.112", "123.123.123.113")
$IPs | ForEach-Object {
    netsh advfirewall firewall set rule name="*" new remoteip="$_"
    # $? is $true when the preceding native command exited with code 0
    Write-Host "$_ Added $?"
}

If it works as expected, it will loop through the initial array of $IPs and attempt the netsh command. $? is the status of the last command run, so on a successful netsh command it should print to the PowerShell window something like `123.123.123.111 Added True` or `123.123.123.111 Added False`.
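The loop above and the question it answers share one underlying detail: `netsh advfirewall firewall set rule ... new remoteip=` replaces a rule's whole address list rather than appending to it, and with `name="*"` it does so for every rule. The script below is an added example, not code from the original answer or the question: it reads the current RemoteIP list of one named rule, merges the new addresses into it, applies the merged set in a single netsh call, then re-reads the rule and lists any requested address that did not land, which is the check needed to spot silently dropped entries. The rule name `test`, the sample address list and the function names are assumptions; it also assumes English netsh output (the `RemoteIP:` label is localized on non-English Windows) and IPv4 host addresses only.

```powershell
# Added example (not code from the original question or answer).
# Assumptions: an existing rule named "test", English netsh output, IPv4 hosts.
# Run from an elevated PowerShell prompt.
$RuleName = "test"
# Constructed sample input; in practice this would be the 700+ address list.
$NewIPs = @("123.123.123.111", "123.123.123.112", "123.123.123.113", "999.1.1.1")

function Get-RuleRemoteIPs {
    param([string]$Name)
    # "show rule" prints one "RemoteIP:" line per rule; single hosts appear as
    # x.x.x.x/32 and an unrestricted rule appears as "Any".
    foreach ($line in (netsh advfirewall firewall show rule name="$Name")) {
        if ($line -match '^\s*RemoteIP:\s*(.+)$') {
            $value = $Matches[1].Trim()
            if ($value -eq 'Any') { return @() }
            return @($value.Split(',') | ForEach-Object { $_.Trim() -replace '/32$', '' })
        }
    }
    return @()   # rule not found: netsh prints "No rules match the specified criteria."
}

function Test-IPv4Host {
    param([string]$Ip)
    # Strict check: four dotted octets, each 0-255. IPAddress::TryParse alone is too
    # lenient (it accepts "1" as 0.0.0.1), so a regex does the structural check.
    if ($Ip -match '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') {
        foreach ($i in 1..4) { if ([int]$Matches[$i] -gt 255) { return $false } }
        return $true
    }
    return $false
}

# 1. Separate usable addresses from malformed ones; a single bad token would
#    otherwise make netsh reject the entire list.
$valid   = @($NewIPs | Where-Object { Test-IPv4Host $_ })
$invalid = @($NewIPs | Where-Object { -not (Test-IPv4Host $_) })
$invalid | ForEach-Object { Write-Warning "Skipping malformed address: $_" }

# 2. "set rule ... new remoteip=" REPLACES the rule's address list, so read the
#    current list and pass the whole merged set in one call. Targeting the rule by
#    name (never name="*") leaves every other rule untouched.
$existing = Get-RuleRemoteIPs -Name $RuleName
$merged   = @(@($existing) + @($valid) | Sort-Object -Unique)
if ($merged.Count -eq 0) { throw "Nothing to apply to rule '$RuleName'" }
netsh advfirewall firewall set rule name="$RuleName" new remoteip="$($merged -join ',')"
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# 3. Verify: re-read the rule and report every requested address that is absent.
$after   = Get-RuleRemoteIPs -Name $RuleName
$missing = @($merged | Where-Object { $after -notcontains $_ })
"Requested: $($merged.Count)  Present: $($after.Count)  Missing: $($missing.Count)"
$missing | ForEach-Object { "MISSING: $_" }
```

Because the existing list is merged before the call, running the script twice is harmless, and the final comparison is the same check the question's own debug script performs: the requested set against what `show rule` actually reports.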


Author: Thomas

Updated on September 18, 2022

Comments

  • Thomas
    Thomas over 1 year

    I have a PowerShell script which adds IP addresses to Windows Firewall using the "netsh advfirewall" command. (As described in this question: How to append netsh firewall rules, not just replace).

    The problem is that when adding a lot of IP addresses (currently over 700) the string of IP addresses seems to be 'cut off' at some point. Only X of the total number of IP addresses are actually added to the firewall; the rest are not.

    The script is very simple, and looks something like this:

    $ip = "123.123.123.123,124.124.124.124,125.125.125.125 and so on"
    
    netsh advfirewall firewall set rule name="*" new remoteip="$ip"
    

    I tried to echo the string to see if it's cut off:

    echo $ip
    

    But the complete string is correctly echoed.

    Is there some kind of string length limit for the netsh command? Or anything else that could be causing this issue?


    Edit

    I've done some more research and it appears that the string is not 'cut off'. I've rearranged the IP string in ascending order, and the last IP address of the string was added to the firewall. So I suppose I can conclude that there is not some kind of string limit.

    However, random IPs are being omitted. I've written several 'debug' scripts to figure out what is going on; one of those scripts generates a list of IP addresses that are in the IP string (and thus supposed to be in the firewall), but are not present in the firewall. It turns out that it's simply omitting random IP addresses... and I have no clue why...

    The IP addresses that are being omitted are perfectly fine IP addresses though (not ranges or anything, just plain normal IP addresses).

    Any ideas?

  • Thomas
    Thomas over 10 years
    Sorry for my late response. I executed your script with all IP addresses, and they were all added correctly. Although they replaced each other in the firewall rule (as expected). So it seems the IP addresses are not the problem. There must be some kind of limit somewhere, I just can't figure it out. Perhaps I should ask this on the Microsoft forums instead as this issue is probably too rare.
  • Austin T French
    Austin T French over 10 years
    Replaced each other? As in .111 replaced .112? Actually, I may see the problem: change name="*" to name="$_" in the script.
  • Thomas
    Thomas over 10 years
    Yes, unfortunately the CLI of Windows Firewall does not allow you to add IP addresses, but rather to replace the IP addresses in an entire rule. So when you execute the 'netsh ...' command, they are not added to the rule, but replaced. Odd, I know. I have no idea why they decided to do this, adding a feature to add IP addresses instead of replacing them probably isn't too hard... but yeah... Microsoft.
  • Austin T French
    Austin T French over 10 years
    @Did you see my edit of the last comment? I may have found the problem...
  • Thomas
    Thomas over 10 years
    Hmm, okay, I will try it now. I'll post the result in a few minutes.
  • Thomas
    Thomas over 10 years
    A question though, if I change the rule name to $_, how will it know what rule to add the IP addresses to?
  • Austin T French
    Austin T French over 10 years
    $_ is the current value of the index of the array we are looping over. $_ is the current pipeline object, and since we are looping over the array it would be much like using MyArrayOfIps[i] in a C-like syntax language.
  • Thomas
    Thomas over 10 years
    I think there's a bit of a misunderstanding. The rule I'm trying to add the IP addresses to is currently called "test". So rule name would have to be test (rule name="test"). Otherwise the firewall would have no idea where to add the IP addresses, correct?
  • Austin T French
    Austin T French over 10 years
    That's fine, use rule name="Test $_". PowerShell should auto-expand the variable in quotes and change the rule name to Test 123.123.123.111, for example.
  • Thomas
    Thomas over 10 years
    I think I found where the misunderstanding is coming from. What I actually meant with 'the IP addresses are being replaced' is not that the rule itself is overwritten, but that the IP addresses within the rule are overwritten every time a new IP address is added. This is by design. See my other question, here, for more details about this. ;-)
  • Austin T French
    Austin T French over 10 years
    I see, you wanted the array of IPs added to one rule as your other question eventually described at superuser.com/questions/457324/…
  • Thomas
    Thomas over 10 years
    Correct. However, this is not a duplicate of that particular question. My problem is that when I'm adding more than 500 IP addresses, random IP addresses are simply being omitted; they are just not added to the firewall for no apparent reason, while those IP addresses are perfectly fine IPs. That's why I'm starting to think that there is some kind of limit somewhere. It does allow me to add additional IP addresses via the GUI, so it seems there's no limit on how many IP addresses can be in one rule, but there must be some limit elsewhere, I suppose.
  • Seth
    Seth over 7 years
    Sorry but if you're adding more than 700 IP addresses there probably is something strange going on. This does look like a good opportunity to use subnet notation. In addition there is a limit of 1000 IPs according to this other question.