Skip to content

Create Firewall Rules from netstat

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
<#
    Create FW rules for TCP and UDP Listening Ports
    netstat -an -p tcp | Select-String "Listening"
    netstat -an -p udp | Select-String "Listening"
    for each entry in netstat create firewall rule
    name = -p tcp|udp port port #
    description = automatic allow rule generated by powershell on get-date
    Perhaps as part of this also create a dsc configuration document
#>

$netstat = NETSTAT.EXE -a -n -o -p TCP
$netstat += NETSTAT.EXE -a -n -o -p UDP
[regex]$regexTCP = '(?<Protocol>\S+)\s+((?<LAddress>(2[0-4]\d|25[0-5]|[01]?\d\d?)\.(2[0-4]\d|25[0-5]|[01]?\d\d?)\.(2[0-4]\d|25[0-5]|[01]?\d\d?)\.(2[0-4]\d|25[0-5]|[01]?\d\d?))|(?<LAddress>\[?[0-9a-fA-f]{0,4}(\:([0-9a-fA-f]{0,4})){1,7}\%?\d?\]))\:(?<Lport>\d+)\s+((?<Raddress>(2[0-4]\d|25[0-5]|[01]?\d\d?)\.(2[0-4]\d|25[0-5]|[01]?\d\d?)\.(2[0-4]\d|25[0-5]|[01]?\d\d?)\.(2[0-4]\d|25[0-5]|[01]?\d\d?))|(?<RAddress>\[?[0-9a-fA-f]{0,4}(\:([0-9a-fA-f]{0,4})){1,7}\%?\d?\]))\:(?<RPort>\d+)\s+(?<State>\w+)\s+(?<PID>\d+$)'
[regex]$regexUDP = '(?<Protocol>\S+)\s+((?<LAddress>(2[0-4]\d|25[0-5]|[01]?\d\d?)\.(2[0-4]\d|25[0-5]|[01]?\d\d?)\.(2[0-4]\d|25[0-5]|[01]?\d\d?)\.(2[0-4]\d|25[0-5]|[01]?\d\d?))|(?<LAddress>\[?[0-9a-fA-f]{0,4}(\:([0-9a-fA-f]{0,4})){1,7}\%?\d?\]))\:(?<Lport>\d+)\s+(?<RAddress>\*)\:(?<RPort>\*)\s+(?<PID>\d+)'
$Listening = @()
foreach ($Line in $netstat)
{
  switch -regex ($Line.Trim())
  {
    $regexTCP
    {
      $MyProtocol = $Matches.Protocol
      $MyLocalAddress = $Matches.LAddress
      $MyLocalPort = $Matches.LPort
      $MyRemoteAddress = $Matches.Raddress
      $MyRemotePort = $Matches.RPort
      $MyState = $Matches.State
      $MyPID = $Matches.PID
      $MyProcessName = (Get-Process -Id $Matches.PID -ErrorAction SilentlyContinue).ProcessName
      $MyProcessPath = (Get-Process -Id $Matches.PID -ErrorAction SilentlyContinue).Path
      $MyUser = (Get-WmiObject -Class Win32_Process -Filter ('ProcessId = '+$Matches.PID)).GetOwner().User
    }
    $regexUDP
    {
      $MyProtocol = $Matches.Protocol
      $MyLocalAddress = $Matches.LAddress
      $MyLocalPort = $Matches.LPort
      $MyRemoteAddress = $Matches.Raddress
      $MyRemotePort = $Matches.RPort
      $MyState = $Matches.State
      $MyPID = $Matches.PID
      $MyProcessName = (Get-Process -Id $Matches.PID -ErrorAction SilentlyContinue).ProcessName
      $MyProcessPath = (Get-Process -Id $Matches.PID -ErrorAction SilentlyContinue).Path
      $MyUser = (Get-WmiObject -Class Win32_Process -Filter ('ProcessId = '+$Matches.PID)).GetOwner().User
    }
  }
  $LineItem = New-Object -TypeName PSobject -Property @{
    Protocol      = $MyProtocol
    LocalAddress  = $MyLocalAddress
    LocalPort     = $MyLocalPort
    RemoteAddress = $MyRemoteAddress
    RemotePort    = $MyRemotePort
    State         = $MyState
    PID           = $MyPID
    ProcessName   = $MyProcessName
    ProcessPath   = $MyProcessPath
    User          = $MyUser
  }
  if ($LineItem.LocalAddress = '0.0.0.0')
  {
    if (($LineItem.State) -and ($LineItem.State.ToUpper() -eq 'LISTENING'))
    {
      if ($LineItem.User)
      {
        $User = $LineItem.User.ToLower()
      }
      else
      {
        $User = 'system'
      }
      if (($User -ne 'system') -and ($User -ne 'updatususer') -and ($User -notlike 'network*') -and ($User -notlike 'local s*'))
      {
        if ($LineItem.ProcessName.ToLower() -ne 'system')
        {
          $Listening += $LineItem
        }
      }
    }
  }
}
#
# $Listening contains a list of services/applications listening on a given port + protocol
#
foreach ($Listener in $Listening)
{
  $Protocol = $Listener.Protocol.ToUpper()
  $Port = $Listener.LocalPort
  New-NetFirewallRule `
  -DisplayName "Allow $($Protocol) traffic over port $($Port)" `
  -Name "AUTOGEN_$($Protocol)_$($Port)" `
  -Action Allow `
  -Description $Listener `
  -Direction Inbound `
  -Enabled True `
  -LocalPort $Listener.LocalPort `
  -Protocol $Listener.Protocol
}