I use testing firewall using ps cmds; after they run successfully; but when I open browser, I am still open to visit websites; do I miss anything and how to debug this? or is it because other exiting firewall rules overwrite mine?
New-NetFirewallRule -DisplayName "Block Inbound Port 80, 443" -Direction Inbound -LocalPort 80,443 -Protocol TCP -Action Block -Profile Domain, Private, Public -Enabled :True
New-NetFirewallRule -DisplayName "Block Outbound Port 80, 443" -Direction Outbound -LocalPort 80,443 -Protocol TCP -Action Block -Profile Domain, Private, Public -Enabled :True
You want to specify -RemotePort instead of -LocalPort for outbound traffic. Some other notes:
There's no reason to explicitly block inbound 80/443 traffic - the windows firewall doesn't block traffic from established sessions
Block rules apply before other rules with few exceptions. Your rule as it is in your question should work fine after fixing the port direction, but double-check that it did actually get created, and that it's enabled:
Get-NetFirewallRule -DisplayName 'Block Outbound Port 80, 443'
Best practice is to set the firewall to block all outbound connections by enabling the setting "Outbound connections that do not match a rule are blocked". Then create only exception/allow rules.
Related
Problem Description
We used to set up an Ubuntu Azure VM (consider Private IP as 109.11.23.11) for sending some simulated data. We need to set up multiple azure VM's for each one for every simulator.
For that simulator to send data outside we specify an inbound rule for the specific port as below
Here for data receiver we specify the connection details as below
:
Ex: 109.11.23.11:50000
Instead of doing that I want to try out having one Azure Windows Server VM which contains multiple Ubuntu Hyper-V machines
Then I set up that Windows server machine and then enabled Hyper-V. And then setup a virtual network to be used by Hyper V using the below Powershell script
New-VMSwitch -Name VmNAT -SwitchType Internal
New-NetNat -Name LocalNAT -InternalIPInterfaceAddressPrefix "192.168.49.0/24"
Get-NetAdapter "vEthernet (VmNat)" | New-NetIPAddress -IPAddress 192.168.49.1 -AddressFamily IPv4 -PrefixLength 24
Install-WindowsFeature -Name 'DHCP' –IncludeManagementTools
Add-DhcpServerV4Scope -Name "DHCP Scope" -StartRange 192.168.49.50 -EndRange 192.168.49.250 -SubnetMask 255.255.255.0
Set-DhcpServerV4OptionValue -DnsServer 168.63.129.16 -Router 192.168.49.1
Now I am a bit confused about how to open up port 50000 as in the earlier method for this Hyper-V.
What I tried
I created an inbound rule in the host VM as we have done in the Ubuntu VM earlier. And in the receiver tried giving the public IP of the host machine/Ubuntu Hyper V separately. Both of these things failed. The receiver is not getting connected to this simulator VM as earlier. I did not try with the host machine's private IP yet. Any suggestions?
• Since, you have created a ‘NAT’ subnet and attached an additional NIC (Network Interface Card) to the Azure VM in this subnet which communicates and manages the IP addresses for the nested VMs on the Azure VM, and a regular LAN (Local Area Network) subnet on which the host Azure VM is placed, please ensure that an inbound rule exists for Port 50000 in the NSG (Network Security Group) for the ‘NAT’ subnet NIC. Also, ensure that the network architecture of the nested VMs hosted on Azure VM is as below: -
• Then, also ensure that a virtual switch is created on the Azure VM to forward traffic from the nested VMs via host Azure VM to the internet and vice versa. Execute the below powershell command to add NAT static mapping with the external IP address used by the Azure VM: -
Add-NetNatStaticMapping -NatName "NestedSwitch" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 10.4.2.2 -InternalPort 5000 -ExternalPort 5000
Also, create an inbound firewall rule on the Azure host VM by executing the below powershell command for internal switch created on Hyper-V: -
New-NetFirewallRule -RemoteAddress 192.168.217.0/24 -DisplayName "Allow217net" -Profile Any -Action Allow
Also, ensure that port forwarding is enabled for inbound access to happen from the RDP port to the nested VMs on the nested VMs subnet. So, execute the below command on the host Azure VM to forward the traffic to the concerned ports: -
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 50004 -Protocol TCP -InternalIPAddress "192.168.0.4" -InternalPort 3389 -NatName NATNetwork
Also, ensure that the below command is executed on the Azure VM to map the listening port to the required NIC on the nested VMs: -
netsh interface portproxy add v4tov4 listenaddress=<nat address> listenport=<random port> connectaddress=<nested vm address> connectport=<nested vm service port>
The above solutions should help you to resolve your issue for inbound rules on the nested VMs.
I have a VM that i am manipulating using an azure devops pipeline. Previously, using WinRM to transfer files to the VM worked fine. However the vm's ram was not suitable for our needs, so i re-sized the VM to add more ram. Since resizing the VM, the VM's ip address has changed. This has caused WinRM to stop working. I tried to use winrm quickconfig -force in the console, and get this error:
Unable to enable the firewall for WinRM.
I removed the HTTPS listener from 5986 who's host was the old IP address, however i cannot add a new listener that points at the correct IP.
Start-RemotePSSession does not fail, or if it does, then it does so silently
I have looked at the certs and only can see one for the old ip address:
How can i add a cert for my new ip address? Or is there a different/better way to accomplish what i am trying to do (get winrm working again)
Since you have an old cert issued to the old Public IP address, you can generate a new cert issued to the new public IP address.
For example,
1.
Go to the VM console and generate a self-signed cert for a test.
$certificateName = "51.x.x.x"
$thumbprint = (New-SelfSignedCertificate -DnsName $certificateName -CertStoreLocation Cert:\LocalMachine\My -KeySpec KeyExchange).Thumbprint
Delete the old https listener and bind a new cert for the https listener.
winrm delete winrm/config/listener?Address=*+Transport=HTTPS
$thumbprint="7AD714C2AA0EF690EEFxxxxxxD"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $thumbprint –Force
Enumerate the listeners.
winrm e winrm/config/listener
Note: the winrm quickconfig does not work for self-signed certs based on my validation. You could follow the above steps to manage it. If you have not allowed port 5986 in the windows firewall inside the Azure VM, you can enable it with PowerShell. If there is a network security group in your Azure VM subnet or associated NIC, you also need to enable it for HTTPS port. Read this blog for more details.
New-NetFirewallRule -DisplayName "winrmhttps" -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow -RemoteAddress Any
I have a dedicated server with hyper-v core 2019.
I installed Windows Admin Center on my windows 10 client.
It works fine except the transfer file function. i can read remote disks and create folder but when i try to upload file, the bar progress stay at 0% and nothing happens.
I have create a rule on firewall who accepts all traffic for my ip adress.
Someone could help me please?
thanks for advance
Daniel
It's a known issue with Windows Admin center. (assuming you are trying to upload a file of more than 100Mb)
See: https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/support/known-issues#files
Still very much a work in progress...
You have to open a specific port to make this work.
You can verify this by temporarily disabling the firewall with this powershell command:
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False // Disable firewall
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True // Re-enable
I had once found this port (don't even ask how...), nagged to the people writing the documentation for MS, they pointed me to a corner on the internet that the port was mentioned, but now I still can't find it! This is outrageous...!
Update:
OK, I found it again! It is port 445!
And here is the documentation link: Port configuration on the target server
Turns out you need to know the port in advance to find it! (lol)
Here is a script to do this:
New-NetFirewallRule -DisplayName "__Allow_File_UploadDownload" -Direction Inbound -LocalPort 445 -Protocol TCP -Action Allow -RemoteAddress 192.168.1.5
(Note: Replace "192.168.1.5" with a whitelisted IP)
I can use Set-WebBinding to change the port of a given binding, but can I use it to change from http on port 80 to https on port 443 or vice versa?
I tried with this command but it fails because it doesn't recognize -PropertyName Protocol:
Set-WebBinding -Name 'Default Web Site' -BindingInformation '127.0.0.1:80:localhost' -PropertyName Port -Value 443 -PropertyName Protocol -Value 'https'
Or should I use Remove-WebBinding and then New-WebBinding to make such a change?
I think you will need to remove the existing binding with Remove-WebBinding and re-create it with New-WebBinding, which allows you to supply protocol, port, etc
The idea is to automate linking an SSL certificate to a website in IIS 7 or above.
All the websites in a server use same IP address and same default port. So they are all differentiated by their host header names.
I could achieve this manually without any issue. But while automating there is issue.
When done manually, the ssl configuation entries in http.sys are recorded as HostNameport TestName:443, not as ipport xx.yy.z.a:443.
So I wanted to mimic the same manual steps for automation to work. But it is not helping.
I tried below steps.
Create a new ssl configuration in http.sys for hostname port combination with below command.
netsh --% http add sslcert hostnameport=Testssl:443 certhash=d70930bb790f89c04c728d9285b64f5fb0258fc7 appid={01010101-0101-0101-0101-010101010101} certstorename=MY
Create a new web binding for the website using hostheader name.
New-ItemProperty IIS:\sites\TestSite -name bindings -value #{protocol="https";bindingInformation="192.168.1.108:443:Testssl"}
or
New-WebBinding -Name TestSite -Protocol https -Port 443 -HostHeader Testssl -IPAddress 192.168.1.108
With the above two steps the new binding is present, but the SSL certificate is not attached to the binding.
Is it not possible to set SSL certificate for a binding with a corresponding hostname port entry in http.sys ssl configuration?
With the help of comment from Lex Li, the below command WORKS.
New-WebBinding -Name TestSite -Protocol https -Port 443 -HostHeader Testssl -IPAddress 192.168.1.108 -SslFlags 1