Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Windows Firewall Rules

Created: 06 Oct 2012 • Updated: 31 Dec 2012 | 5 comments
This issue has been solved. See solution.

Is it possible to virtualize Windows Firewall rules or do they have to be netsh'ed to the base?

Windows 7
SWV 6.1 SP 6

Comments 5 CommentsJump to latest comment

EdT's picture

Do you want these rules to apply to the base as well as other layers, or just to the layer where the rules are defined?

If your issue has been solved, please use the "Mark as Solution" link on the most relevant thread.

Cavaldi's picture

Though I need to do this for two applications, they have no relation to each other and reside in their own layers. The rules would be specific to each, and unblock its incoming and outgoing traffic.

EdT's picture

Not something I have tried, but from memory, the firewall settings are basically registry keys, so you could try setting the keys in your base, first of all, to see if this works, then remove them from the base and put them in your layer, and retest.

My suspicion, however, is that since the Firewall is running in the base, it may not be able to "see" the changes in the layer, especially if the settings are cached and not checked after the machine has booted.

If your issue has been solved, please use the "Mark as Solution" link on the most relevant thread.

Cavaldi's picture

Thank you for puzzling along. Capturing or otherwise spiriting the rules into the layers would have been nice, but even a global capture of nothing but Windows Firewall doesn't leave a trace either in registry or files.

Doing a little research, it seems that HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules is the location of the rules.

Suspecting that the cryptic mess may be the tip of of an iceberg, the easiest option seems to be adding several netsh lines to a GPO startup script, as the rules are intended for a steady-state environment in which all changes to the system drive are discarded upon shutdown.

SOLUTION
EdT's picture

Depending on what tool you are using for the capture process, you may find that some areas of the registry are excluded from being captured. The hardware and services areas are typical excludes, which is why the SWV capture process may not be picking things up.  A full capture engine such as provided by Wise Package Studio or the Installshield equivalent, allows you to edit the exclusion list so that all areas get captured.

However, that's for a future requirement - for the moment your solution appears to be both workable and simple to implement, so a good choice in my opinion.

If your issue has been solved, please use the "Mark as Solution" link on the most relevant thread.