firewall scripting

yoda291 (Diamond Member, joined Aug 11, 2001; 5,079 posts)
I posted earlier asking if anyone knew of a good windows based firewall that ran from the command line, but can't seem to find it. Having looked for close to a month, still no dice, so like a true nutcase, I decided to code my own...

I was wondering if anyone in here has any pointers or warnings to give me before I start this...even suggestions. I kind of want to do the whole thing in vbscript or, if even possible, a batch file. I have activeperl installed, but I'd like something that has a fair chance of working on other systems that don't happen to have perl installed. If push comes to shove, I suppose I could just whip out my c compiler tho.

Also, I am wondering if this is even possible under windows. On my unix systems, I can control my access levels from shell scripts easily. On windows....I haven't really the foggiest notion of where to start, but I suspect I'll have to browse microsoft's site an awful lot ... ugh.

Just to refresh tho, I basically want to do the following from the command line

myscript /stop 111.111.111.111
//this blocks access to/from 111.111.111.111 for the system

myscript /go 111.111.111.111
//this re-enables access to/from 111.111.111.111 for the system

I'm tired of going through windows and menus just to get something this simple done. and yes, I alter my firewall rules many times a day as part of my job.

PS - If you can think of a command line based firewall or a better way of doing this for windows, I'm still interested.

PPS - Windows is a requirement. Unix is not an option in this case.

Thanks in advance
 

n0cmonkey (Elite Member, joined Jun 10, 2001; 42,936 posts)
Scripting languages will probably be too slow. Use C. Port PF or IPF to Windows. It would be incredibly hard, and maybe not worth the effort, but you could possibly do it.

Making a firewall is not an easy task, just knowing the ins and outs of tcp (let alone udp, icmp, etc!) is pretty rough.

*Windows zealots and others that do not like to hear criticism of Windows ignore the following*
Requiring Windows is a joke in my opinion (which is very anti-windows on critical machines). It does not have the facilities to really handle this type of work easily.

Because of the problems you will be occurring on this, I would *REALLY* consider changing your requirements for this project. Linux can handle this easily, as could OpenBSD.
 

yoda291 (Diamond Member, joined Aug 11, 2001; 5,079 posts)
Originally posted by: n0cmonkey
Scripting languages will probably be too slow. Use C. Port PF or IPF to Windows. It would be incredibly hard, and maybe not worth the effort, but you could possibly do it.

Making a firewall is not an easy task, just knowing the ins and outs of tcp (let alone udp, icmp, etc!) is pretty rough.

*Windows zealots and others that do not like to hear criticism of Windows ignore the following*
Requiring Windows is a joke in my opinion (which is very anti-windows on critical machines). It does not have the facilities to really handle this type of work easily.

Because of the problems you will be occurring on this, I would *REALLY* consider changing your requirements for this project. Linux can handle this easily, as could OpenBSD.

As I stated earlier, Windows is a requirement. This isn't negotiable at all. The reason I need this kind of functionality is because I am testing windows software under different sets of filtering rules. It is not for my personal use or any project of my own. If it were up to me, I'd just ssh into my gateway, alter my iptables, and be done in under 30 seconds. The problem is, the software being developed is windows only and part of the testing regimen includes different filtering scenarios. As far as being anti-windows... my opinion is that it is a better OS for workstations than a unix environment. As near as I can tell, there really isn't an industry-redefining killer app for any of the *nixes that would be sufficient to convert people away from it while you have million-dollar investments by most corporations into workstation-level apps for windows. I suppose that's why all my servers run freebsd or linux, but all my workstations have always been windows.

I'll look into CHX alrox. Thanks.
 

n0cmonkey (Elite Member, joined Jun 10, 2001; 42,936 posts)
Originally posted by: yoda291
Originally posted by: n0cmonkey
Scripting languages will probably be too slow. Use C. Port PF or IPF to Windows. It would be incredibly hard, and maybe not worth the effort, but you could possibly do it.

Making a firewall is not an easy task, just knowing the ins and outs of tcp (let alone udp, icmp, etc!) is pretty rough.

*Windows zealots and others that do not like to hear criticism of Windows ignore the following*
Requiring Windows is a joke in my opinion (which is very anti-windows on critical machines). It does not have the facilities to really handle this type of work easily.

Because of the problems you will be occurring on this, I would *REALLY* consider changing your requirements for this project. Linux can handle this easily, as could OpenBSD.

As I stated earlier, Windows is a requirement. This isn't negotiable at all. The reason I need this kind of functionality is because I am testing windows software under different sets of filtering rules. It is not for my personal use or any project of my own. If it were up to me, I'd just ssh into my gateway, alter my iptables, and be done in under 30 seconds. The problem is, the software being developed is windows only and part of the testing regimen includes different filtering scenarios. As far as being anti-windows... my opinion is that it is a better OS for workstations than a unix environment. As near as I can tell, there really isn't an industry-redefining killer app for any of the *nixes that would be sufficient to convert people away from it while you have million-dollar investments by most corporations into workstation-level apps for windows. I suppose that's why all my servers run freebsd or linux, but all my workstations have always been windows.

I'll look into CHX alrox. Thanks.

I said ignore it if you cannot handle criticism of Windows' long list of shortcomings. Hope CHX works for you.
 

yoda291 (Diamond Member, joined Aug 11, 2001; 5,079 posts)
I actually agree with you n0c in that windows is lacking in many areas and I wholly believe MS should stay the hell away from server-side solutions. (You'll note my servers and gateway run bsd/linux), but MS, in my opinion, has a better workstation implementation and environment than unix, barring some specialized system like a SPICE system.

Update: CHX seems to work, I'm going to fill out the purchase proposal tomorrow. Thx guys.
 

n0cmonkey (Elite Member, joined Jun 10, 2001; 42,936 posts)
Originally posted by: yoda291
I actually agree with you n0c in that windows is lacking in many areas and I wholly believe MS should stay the hell away from server-side solutions. (You'll note my servers and gateway run bsd/linux), but MS, in my opinion, has a better workstation implementation and environment than unix, barring some specialized system like a SPICE system.

Windows takes too long to get it to a usable point for me.


(Glad the problem is solved, so I can continue to post offtopic posts in your thread :p)
 

mobly99 (Senior member, joined Apr 27, 2001; 260 posts)
Yoda,

You could use the native IPSec policies on 2k or XP to do packet filtering.

On 2K there is a command line utility, IPSECPOL.exe, in the 2K resource kit.
On XP the command line utility ipseccmd.exe is included on the CD in the support tools.

-Dave
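As an added example (not code from anyone in this thread), here is the wrapper in the shape yoda291's first post asks for, `myscript /stop IP` and `myscript /go IP`, driving the IPSec policy tool mobly99 names. It assumes ipseccmd.exe (XP) or ipsecpol.exe (2K) is on the PATH and that the tool accepts the `-w REG -p <policy> -r <rule> -f <filter> -n BLOCK -x` / `-p <policy> -o` switches and the `0+IP` mirrored-filter form; that syntax is written from memory of the Resource Kit documentation and should be checked against `ipseccmd /?` on the target before use. The part worth copying regardless of tool is the input check: the address goes onto a command line, so only a well-formed IPv4 literal is accepted and the tool is invoked with an argv list rather than through a shell.

```python
"""myscript: block / unblock a single host via Windows IPSec policies.

Added example for the thread above; not the thread's own code. The
ipseccmd/ipsecpol switch syntax is an ASSUMPTION from the Resource Kit
docs and must be verified with `ipseccmd /?` on the target machine.
"""
import ipaddress
import subprocess
import sys

# Assumption: XP support tool. Use "ipsecpol.exe" on Windows 2000.
TOOL = "ipseccmd.exe"


def policy_name(ip: str) -> str:
    """Deterministic policy name so /go can find what /stop created."""
    return f"myscript block {ip}"


def validate_ip(text: str) -> str:
    """Accept only a plain IPv4 literal.

    The address is passed to an external tool, so anything with spaces,
    quotes or extra switches glued on is rejected here rather than being
    handed to the tool as additional arguments.
    """
    try:
        return str(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not an IPv4 address: {text!r}") from exc


def build_command(action: str, ip: str) -> list:
    """Return the argv list for /stop or /go.

    /stop creates and assigns (-x) a mirrored BLOCK policy between this
    host ('0' in the filter syntax) and ip, any port, any protocol.
    /go deletes (-o) that policy again. Filter form '0+IP' is assumed.
    """
    ip = validate_ip(ip)
    name = policy_name(ip)
    if action == "/stop":
        return [TOOL, "-w", "REG", "-p", name, "-r", f"rule {ip}",
                "-f", f"0+{ip}", "-n", "BLOCK", "-x"]
    if action == "/go":
        return [TOOL, "-w", "REG", "-p", name, "-o"]
    raise ValueError(f"unknown action {action!r}; use /stop or /go")


def run(argv: list, dry_run: bool = False) -> int:
    """Run the tool without a shell so argv is never re-parsed."""
    if dry_run:
        print("would run:", " ".join(argv))
        return 0
    return subprocess.call(argv)


def main(args: list, dry_run: bool = False) -> int:
    """Entry point: returns the exit status (0 ok, 2 usage error)."""
    if len(args) != 2:
        print("usage: myscript /stop IP | myscript /go IP", file=sys.stderr)
        return 2
    try:
        argv = build_command(args[0], args[1])
    except ValueError as exc:
        print("error:", exc, file=sys.stderr)
        return 2
    return run(argv, dry_run=dry_run)


if __name__ == "__main__":
    # Only actually invoke the tool on Windows; elsewhere just show the command.
    sys.exit(main(sys.argv[1:], dry_run=not sys.platform.startswith("win")))
```

Run it as `python myscript.py /stop 111.111.111.111` on the test box; on a non-Windows machine it prints the command it would run instead of executing it. Because the policy is stored with `-w REG`, it survives a reboot until `/go` deletes it, which is the behaviour a filtering test regimen usually wants.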
 

yoda291 (Diamond Member, joined Aug 11, 2001; 5,079 posts)
Originally posted by: n0cmonkey
Originally posted by: yoda291
I actually agree with you n0c in that windows is lacking in many areas and I wholly believe MS should stay the hell away from server-side solutions. (You'll note my servers and gateway run bsd/linux), but MS, in my opinion, has a better workstation implementation and environment than unix, barring some specialized system like a SPICE system.

Windows takes too long to get it to a usable point for me.


(Glad the problem is solved, so I can continue to post offtopic posts in your thread :p)

Windows used to take too long for me too... then I got my copy of Drive Image, hehe.

You are more than welcome to post ot. :p

Thanks for the info mobly. We do testing on NT4 and win9x systems, so it's not really an option if it's 2k/xp specific, but I'm going to file this under toys to play with and maybe try and do something time-consuming and strangely entertaining with it.