Block\Allow a program through the firewall depending on NSM profile / Feature Requests / NetSetMan Support


#1 2014-11-17 08:02

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Block\Allow a program through the firewall depending on NSM profile

Hello,
I'm a home user, and I have a feature\help request.

I want to block\allow a specific software program from accessing the Internet depending on the network. My main example is that I want Skype (desktop version) to be allowed Internet access while I'm on my home WiFi, but blocked from accessing the Internet while I'm in the coffee place down the street.
But I don't want to completely deactivate the Windows Firewall when I'm at home or anywhere else for that matter.

The only way I could think to do this would be to unmark\remark Skype in the "Allow an app or feature through the firewall" section of the Windows Firewall, every time I switch a network.

Is there a way to do this using a script maybe? Can you please offer me such a script?
Or is there a different way to do this within NSM?
If not, can this feature be implemented please?

Eagerly awaiting a response,
-TripleEYE

Offline

#2 2014-11-17 10:46

NetSetMan Support
Administrator
Registered: 2005-08-06
Posts: 1,878

Re: Block\Allow a program through the firewall depending on NSM profile

In addition to my reply here:
https://www.netsetman.com/support/viewtopic.php?id=842

It's impossible to have a firewall settings management for all available firewalls because there's no standardized interface for that. At the same time the effort for creating such a feature only for the Windows firewall is simply too high, having in mind that it's not a very secure firewall anyway.

I'm afraid, I can't provide a customized script for you. I'd recommend searching for command line control of Windows firewall settings and include those commands into a bat-script in NetSetMan.

If you've found a suitable script solution you're welcome to post it here.

Online

#3 2014-11-17 18:44

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

Thank you for the quick reply.
I will look for command line options.
If, and only if, I find such a solution... I'll post it here.

Offline

#4 2014-11-18 15:59

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

So... Until today I didn't know how to create a .bat or .cmd file.
But thanks to the words "Command Line" in your response, I've learned online and ended up spending my whole day on this (alongside some IT work I was doing on another PC, hehe. Mainly scans so it gave me time to learn about batch scripts & firewall functions via CMD).

I devised a way in which what I was looking for is totally achievable using NSM, and I will indeed share it here. All I ask is that if and when you incorporate it into your site and/or into the NSM software itself, you mention me directly as TripleEYE and give credit for seeking this solution and creating the batch files ^_^

Other than that, I would love for anyone in need to be able to do this.
In my following post I will upload the .cmd files I made along with instructions on how to use them with NSM.

Last edited by TripleEYE (2014-11-18 16:00)

Offline

#5 2014-11-18 17:44

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

Umm...
So I've got it all ready. It's 5 .cmd files and one txt instruction file.
However I suddenly notice I can't upload them here (even if I change the .zip to .jpg to try and upload the 10.1K it takes).

I've made detailed instructions and it works real well ^_^
I can even give a checksum of the zip file: 18E1037FADC9472F006AA5115EE34294

Is there a way I can upload it here so users (And you) can see and use my solution?
Thanks,
TripleEYE

Offline

#6 2014-11-19 12:35

NetSetMan Support
Administrator
Registered: 2005-08-06
Posts: 1,878

Re: Block\Allow a program through the firewall depending on NSM profile

For security reasons only images can be uploaded here. Instead of uploading the cmd file simply post its content here as it's pure text. Remember to enclose the code in a [ code ]...[/ code ] block (without the spaces) for proper formatting.

It'll look like this.

Your content will remain only here. So if somebody else is interested in it he'll find it here.

Online

#7 2014-11-19 14:19

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

Ok. I can see how that helps security :)
Then is there a proper place in the forum where I can post this not as a feature request, but rather as an added feature?
(Also, it's five cmd files and they're each a bit long. So I hope it's ok that I'll post them each as its own post-reply ^_^)


And on another matter... I was just trying my scripts with NSM, and even though they work on their own when I open the batch file itself, they don't seem to work when activated by NSM. Any idea why this might happen? Am I missing something I should do in NSM other than put the script in?
The CMD window seems to open and auto-close real fast, even when I purposely add "@echo on" at the beginning of the script and "pause" at the end of it...

Also, it closes in less than one second, whereas when I use the .cmd file on its own, it takes 6 or 7 seconds to run through...
I'm not sure NSM really manages to run the script through...
Any suggestions?

Offline

#8 2014-11-24 07:24

NetSetMan Support
Administrator
Registered: 2005-08-06
Posts: 1,878

Re: Block\Allow a program through the firewall depending on NSM profile

TripleEYE wrote:

Then is there a proper place in the forum where I can post this not as a feature request, but rather as an added feature?
(Also, it's five cmd files and they're each a bit long. So I hope it's ok that I'll post them each as its own post-reply ^_^)

Just post it here in this topic as it perfectly belongs to this request.

TripleEYE wrote:

And on another matter... I was just trying my scripts with NSM, and even though they work on their own when I open the batch file itself, they don't seem to work when activated by NSM. Any idea why this might happen? Am I missing something I should do in NSM other than put the script in?

The only possible difference is that NSM executes the scripts in x86 (32 bit context). This is of no relevance in most cases, but can be in special driver related situations. For this there's the possibility to redirect the call by using "Sysnative" instead of "System32" in paths where this is relevant.
C:\Windows\Sysnative\something.exe

But you shouldn't experience any issues with the "pause" command. Maybe the problem is somewhere else. I can have a look at it in the complete script if you like.

Online

#9 2014-12-02 13:53

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

Alright, following are the contents of the files needed, and at the end I'll post the instructions as well.
The only part I didn't directly write myself is the

Checking for Administrative permissions

Is there anything there that could be the cause of it not working properly under NSM?

Offline

#10 2014-12-02 13:55

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

File contents #1:
Filename: “Create Firewall Rules for Program Blocker by TripleEYE.cmd”


@echo off

SET variable=_ProgramName
SET variable=_ProgramPath


REM -----------------------------------------------------------------------------
REM   Written by TripleEYE, November, 2014
REM   All rights reserved. Provided as is with no guarantees, express or implied.
REM   User assumes all responsibility.
REM   TripleEYE has no connection to NetSetMan, or to Skype, other than being a happy user that needed this function and decided to create it for the benefit of all NetSetMan users.
REM -----------------------------------------------------------------------------


REM -----------------------------------------------------------------------------
REM Description: This script creates four rules in Windows Advanced Firewall Settings.
REM              There should be four other `.cmd` files (aka scripts) grouped with this file.
REM              These rules & scripts are meant for use with the NetSetMan freeware (or manually at your own risk) by utilizing the other four `.cmd` files that should come with this file.
REM              Three of the other files just mentioned, together with this file, are intended as a switch to block\allow a program of your choosing through Windows Firewall. 
REM              So the user (you) can block\allow internet connection for said software at your own will.
REM              These rules are created disabled and do nothing until enabled by one of the other `.cmd` files grouped with this file (or manually through the Advanced Windows Firewall Settings).
REM              The other file in this group, named `Remove Firewall Rules for Program Blocker by TripleEYE.cmd`, is intended to remove said rules from Windows Firewall's Advanced Settings; thus reversing what this current file does.
REM              By default, this script uses the Desktop version of Skype as an example, However...
REM              The script requires the user (you) to fill in the name & path of the program you wish to use these Firewall rules for. To do so, follow the instructions in your part (below).
REM -----------------------------------------------------------------------------


REM -------------------<<<<< HERE COMES YOUR PART: >>>>>-------------------------

REM  --> Enter the name of the program after the following "_ProgramName=":
REM  -->   (Make sure this name is the same throughout the batch files!)  
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SET _ProgramName=Skype


REM  --> Enter the Path of the Program executable (in Windows), after the "_ProgramPath=":
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SET _ProgramPath=C:\Program Files (x86)\Skype\Phone\Skype.exe



REM -------------------<<<<< DON'T TOUCH ANYTHING ELSE >>>>>---------------------

REM  --> Checking for Administrative permissions:
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"


REM -------------------<<<<< STILL NO NEED TO TOUCH >>>>>------------------------

REM  --> Now to create those Firewall Rules:
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
netsh advfirewall firewall add rule name="Block Out %_ProgramName% by NetSetMan & TripleEYE" dir=out action=block program="%_ProgramPath%" description="Rule to Block Outbound internet communication of %_ProgramName%. Created by NetSetMan with a special thanks to the user TripleEYE." enable=no profile=any

netsh advfirewall firewall add rule name="Block In %_ProgramName% by NetSetMan & TripleEYE" dir=in action=block program="%_ProgramPath%" description="Rule to Block Inbound internet communication of %_ProgramName%. Created by NetSetMan with a special thanks to the user TripleEYE." enable=no profile=any

netsh advfirewall firewall add rule name="Allow Out %_ProgramName% by NetSetMan & TripleEYE" dir=out action=allow program="%_ProgramPath%" description="Rule to Allow Outbound internet communication of %_ProgramName%. Created by NetSetMan with a special thanks to the user TripleEYE." enable=no profile=private

netsh advfirewall firewall add rule name="Allow In %_ProgramName% by NetSetMan & TripleEYE" dir=in action=allow program="%_ProgramPath%" description="Rule to Allow Inbound internet communication of %_ProgramName%. Created by NetSetMan with a special thanks to the user TripleEYE." enable=no profile=private

Offline

#11 2014-12-02 13:58

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

File contents #2:
Filename: “Program Blocker by TripleEYE.cmd”

@echo off

SET variable=_ProgramName



REM -----------------------------------------------------------------------------
REM   Written by TripleEYE, November, 2014
REM   All rights reserved. Provided as is with no guarantees, express or implied.
REM   User assumes all responsibility.
REM   TripleEYE has no connection to NetSetMan, or to Skype, other than being a happy user that needed this function and decided to create it for the benefit of all NetSetMan users.
REM -----------------------------------------------------------------------------


REM -----------------------------------------------------------------------------
REM Description: This script blocks a program of your choosing from being able to go through the Windows Firewall. In public, as well as private networks (Anywhere).
REM              It does so by utilizing four rules in Windows Advanced Firewall Settings, created by the file `Create Firewall Rules for Program Blocker by TripleEYE.cmd` that should be grouped with this file.
REM              These rules & scripts are meant for use with the NetSetMan freeware (or manually at your own risk) by utilizing the other four `.cmd` files that should come with this file.
REM              Two of the other files just mentioned, are intended as a switch to allow a program of your choosing through Windows Firewall. 
REM              So the user (you) can block\allow internet connection for said software at your own will.
REM              The other two files in this group, are intended to create\remove said rules from Windows Firewall's Advanced Settings.
REM              These rules are created disabled and do nothing until enabled by one of the other `.cmd` files grouped with this file, or by this current file (or manually through the Advanced Windows Firewall Settings).
REM              By default, this script uses the Desktop version of Skype as an example, However...
REM              The script requires the user (you) to fill in the name & path of the program you wish to use these Firewall rules for. To do so, follow the instructions in your part (below).
REM -----------------------------------------------------------------------------


REM -------------------<<<<< HERE COMES YOUR PART: >>>>>-------------------------

REM  --> Enter the name of the program after the following "_ProgramName=":
REM  -->   (Make sure this name is the same throughout the batch files!)  
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SET _ProgramName=Skype



REM ----------------DON'T TOUCH ANYTHING ELSE--------------------------------

REM  --> Checking for Administrative permissions:
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"

REM -------------------<<<<< STILL NO NEED TO TOUCH >>>>>------------------------

REM  --> Now to enable the Blocker rule in the Firewall:
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

netsh advfirewall firewall set rule name="Block Out %_ProgramName% by NetSetMan & TripleEYE" new enable=yes profile=any

netsh advfirewall firewall set rule name="Block In %_ProgramName% by NetSetMan & TripleEYE" new enable=yes profile=any

netsh advfirewall firewall set rule name="Allow Out %_ProgramName% by NetSetMan & TripleEYE" new enable=no

netsh advfirewall firewall set rule name="Allow In %_ProgramName% by NetSetMan & TripleEYE" new enable=no

Offline

#12 2014-12-02 14:00

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

File contents #3:
Filename: “Program Allower(Private) by TripleEYE.cmd”

@echo off

SET variable=_ProgramName



REM -----------------------------------------------------------------------------
REM   Written by TripleEYE, November, 2014
REM   All rights reserved. Provided as is with no guarantees, express or implied.
REM   User assumes all responsibility.
REM   TripleEYE has no connection to NetSetMan, or to Skype, other than being a happy user that needed this function and decided to create it for the benefit of all NetSetMan users.
REM -----------------------------------------------------------------------------


REM -----------------------------------------------------------------------------
REM Description: This script allows a program of your choosing through the Windows Firewall.
REM              It does so by utilizing four rules in Windows Advanced Firewall Settings, created by the file `Create Firewall Rules for Program Blocker by TripleEYE.cmd` that should be grouped with this file.
REM              These rules & scripts are meant for use with the NetSetMan freeware (or manually at your own risk) by utilizing the other four `.cmd` files that should come with this file.
REM              Two of the other files just mentioned, together with this file, are intended as a switch to block\allow a program of your choosing through Windows Firewall. 
REM              So the user (you) can block\allow internet connection for said software at your own will.
REM              The other two files in this group, are intended to create\remove said rules from Windows Firewall's Advanced Settings.
REM              These rules are created disabled and do nothing until enabled by one of the other `.cmd` files grouped with this file, or by this current file (or manually through the Advanced Windows Firewall Settings).
REM              By default, this script uses the Desktop version of Skype as an example, However...
REM              The script requires the user (you) to fill in the name & path of the program you wish to use these Firewall rules for. To do so, follow the instructions in your part (below).
REM -----------------------------------------------------------------------------


REM -------------------<<<<< HERE COMES YOUR PART: >>>>>-------------------------

REM  --> Enter the name of the program after the following "_ProgramName=":
REM  -->   (Make sure this name is the same throughout the batch files!)  
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SET _ProgramName=Skype



REM ----------------DON'T TOUCH ANYTHING ELSE--------------------------------

REM  --> Checking for Administrative permissions:
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"

REM -------------------<<<<< STILL NO NEED TO TOUCH >>>>>------------------------

REM  --> Now to enable the Allower(Private) rule in the Firewall:
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
netsh advfirewall firewall set rule name="Block Out %_ProgramName% by NetSetMan & TripleEYE" new enable=no

netsh advfirewall firewall set rule name="Block In %_ProgramName% by NetSetMan & TripleEYE" new enable=no

netsh advfirewall firewall set rule name="Allow Out %_ProgramName% by NetSetMan & TripleEYE" new enable=yes profile=private

netsh advfirewall firewall set rule name="Allow In %_ProgramName% by NetSetMan & TripleEYE" new enable=yes profile=private

Offline

#13 2014-12-02 14:02

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

File contents #4:
Filename: “Program Allower(Public) by TripleEYE.cmd”

@echo off

SET variable=_ProgramName



REM -----------------------------------------------------------------------------
REM   Written by TripleEYE, November, 2014
REM   All rights reserved. Provided as is with no guarantees, express or implied.
REM   User assumes all responsibility.
REM   TripleEYE has no connection to NetSetMan, or to Skype, other than being a happy user that needed this function and decided to create it for the benefit of all NetSetMan users.
REM -----------------------------------------------------------------------------


REM -----------------------------------------------------------------------------
REM Description: This script allows a program of your choosing through the Windows Firewall. Even in Public networks! (Only use in Public Networks you trust!).
REM              It does so by utilizing four rules in Windows Advanced Firewall Settings, created by the file `Create Firewall Rules for Program Blocker by TripleEYE.cmd` that should be grouped with this file.
REM              These rules & scripts are meant for use with the NetSetMan freeware (or manually at your own risk) by utilizing the other four `.cmd` files that should come with this file.
REM              Two of the other files just mentioned, together with this file, are intended as a switch to block\allow a program of your choosing through Windows Firewall. 
REM              So the user (you) can block\allow internet connection for said software at your own will.
REM              The other two files in this group, are intended to create\remove said rules from Windows Firewall's Advanced Settings.
REM              These rules are created disabled and do nothing until enabled by one of the other `.cmd` files grouped with this file, or by this current file (or manually through the Advanced Windows Firewall Settings).
REM              By default, this script uses the Desktop version of Skype as an example, However...
REM              The script requires the user (you) to fill in the name & path of the program you wish to use these Firewall rules for. To do so, follow the instructions in your part (below).
REM -----------------------------------------------------------------------------


REM -------------------<<<<< HERE COMES YOUR PART: >>>>>-------------------------

REM  --> Enter the name of the program after the following "_ProgramName=":
REM  -->   (Make sure this name is the same throughout the batch files!)  
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SET _ProgramName=Skype



REM ----------------DON'T TOUCH ANYTHING ELSE--------------------------------

REM  --> Checking for Administrative permissions:
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"

REM -------------------<<<<< STILL NO NEED TO TOUCH >>>>>------------------------

REM  --> Now to enable the Allower(Public) rule in the Firewall:
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
netsh advfirewall firewall set rule name="Block Out %_ProgramName% by NetSetMan & TripleEYE" new enable=no

netsh advfirewall firewall set rule name="Block In %_ProgramName% by NetSetMan & TripleEYE" new enable=no

netsh advfirewall firewall set rule name="Allow Out %_ProgramName% by NetSetMan & TripleEYE" new enable=yes profile=any

netsh advfirewall firewall set rule name="Allow In %_ProgramName% by NetSetMan & TripleEYE" new enable=yes profile=any

Offline

#14 2014-12-02 14:04

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

File contents #5:
Filename: “Remove Firewall Rules for Program Blocker by TripleEYE.cmd”

@echo off

SET variable=_ProgramName
SET variable=_ProgramPath


REM -----------------------------------------------------------------------------
REM   Written by TripleEYE, November, 2014
REM   All rights reserved. Provided as is with no guarantees, express or implied.
REM   User assumes all responsibility.
REM   TripleEYE has no connection to NetSetMan, or to Skype, other than being a happy user that needed this function and decided to create it for the benefit of all NetSetMan users.
REM -----------------------------------------------------------------------------


REM -----------------------------------------------------------------------------
REM Description: This script removes the four rules in Windows Advanced Firewall Settings, created by the file `Create Firewall Rules for Program Blocker by TripleEYE.cmd` that should be grouped with this file.
REM              There should be four other `.cmd` files (aka scripts) grouped with this file.
REM              These rules & scripts are meant for use with the NetSetMan freeware (or manually at your own risk) by utilizing the other four `.cmd` files that should come with this file.
REM              Three of the other files just mentioned, are intended as a switch to block\allow a program of your choosing through Windows Firewall. 
REM              So the user (you) can block\allow internet connection for said software at your own will.
REM              These rules are created disabled and do nothing until enabled by one of the other `.cmd` files grouped with this file (or manually through the Advanced Windows Firewall Settings).
REM              The other file in this group, named `Create Firewall Rules for Program Blocker by TripleEYE.cmd`, is intended to create said rules in Windows Firewall's Advanced Settings; this current file reverses its effect.
REM              By default, this script uses the Desktop version of Skype as an example, However...
REM              The script requires the user (you) to fill in the name & path of the program you wish to use these Firewall rules for. To do so, follow the instructions in your part (below).
REM -----------------------------------------------------------------------------


REM -------------------<<<<< HERE COMES YOUR PART: >>>>>-------------------------

REM  --> Enter the name of the program after the following "_ProgramName=":
REM  -->   (Make sure this name is the same throughout the batch files!)  
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SET _ProgramName=Skype


REM  --> Enter the Path of the Program executable (in Windows), after the "_ProgramPath=":
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SET _ProgramPath=C:\Program Files (x86)\Skype\Phone\Skype.exe



REM ----------------DON'T TOUCH ANYTHING ELSE--------------------------------

REM  --> Checking for Administrative permissions:
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"

REM -------------------<<<<< STILL NO NEED TO TOUCH >>>>>------------------------

REM  --> Now to remove those Firewall Rules:
REM  --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

netsh advfirewall firewall delete rule name="Block Out %_ProgramName% by NetSetMan & TripleEYE"

netsh advfirewall firewall delete rule name="Block In %_ProgramName% by NetSetMan & TripleEYE"

netsh advfirewall firewall delete rule name="Allow Out %_ProgramName% by NetSetMan & TripleEYE"

netsh advfirewall firewall delete rule name="Allow In %_ProgramName% by NetSetMan & TripleEYE"

Offline

#15 2014-12-02 14:06

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

Instructions for Firewall Rules by TripleEYE:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-----------------------------------------------------------------------------
  Written by TripleEYE, November, 2014
  All rights reserved. Provided as is with no guarantees, express or implied.
  User assumes all responsibility.
  TripleEYE has no connection to NetSetMan, or to Skype, other than being a happy user that needed this function and decided to create it for the benefit of all NetSetMan users.
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
Description:

These script files create four rules in Windows Advanced Firewall Settings, and by utilizing these rules, can be used as a switch to block\allow a program of your choosing through Windows Firewall, so the user (you) can block\allow internet connection for said software at your own will.

These rules are created disabled and do nothing until enabled by one of the three `.cmd` files grouped with this file that are intended to do so (or manually through the Advanced Windows Firewall Settings).
These three scripts can more easily be activated using the NetSetMan software.
These rules & scripts are meant for use with the NetSetMan freeware (or manually at your own risk).

There should be five `.cmd` files (aka scripts) grouped with this instruction file, named as follows:
* Create Firewall Rules for Program Blocker by TripleEYE.cmd
* Program Blocker by TripleEYE.bat
* Program Allower(Private) by TripleEYE.bat
* Program Allower(Public) by TripleEYE.bat
* Remove Firewall Rules for Program Blocker by TripleEYE.cmd
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Instructions:

Preparations Outside of NetSetMan:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
First thing you need to do is edit a small part of each of the `.cmd` files.
There are instructions inside each file, but here's the sum of it:
Right click on the file, choose EDIT, and then...

On the two files named `Create Firewall Rules for Program Blocker by TripleEYE.cmd` & `Remove Firewall Rules for Program Blocker by TripleEYE.cmd`, you'll find the following text:

SET _ProgramPath=C:\Program Files (x86)\Skype\Phone\Skype.exe

Simply replace the "C:\Program Files (x86)\Skype\Phone\Skype.exe" (after the equal sign) with the path of the program you want to block\allow (no need for the quote marks... just like the above).



Then on all five of the `.cmd` files (including the above two), you'll also find the following text:

SET _ProgramName=Skype

Simply replace the word "Skype" with the name of the program you want to allow\block (again, no need for the quotation marks).

Save each of the files after the editing of course.


What to do inside NetSetMan:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create two profiles (or if you'd like, use the ones you already have. Depending on what you want to achieve).
You can set them as you'd like. I, for example, set one for my home with my private in-LAN IP, where I want to allow Skype to connect to the internet, and the other for the coffee shop's WiFi Network with its DHCP, where I want Skype to be blocked from connecting to the internet.
Make sure they are both set to activate the firewall if you ever deactivate it, or the scripts won't help at all.
Note: Only the Blocking script *truly* needs the firewall, as with the firewall down, any program is allowed access to the internet regardless.

On the profile where you'd like to block the program from accessing the network (for me it's the coffee shop), add the script named `Program Blocker by TripleEYE.bat` to the NetSetMan profile.

On the profile where you'd like to allow the program to access the (private) network (for me it's my home LAN), add the script named `Program Allower(Private) by TripleEYE.bat` to the NetSetMan profile.


Note: If for some reason you want to allow the program to access the internet even via the public network... you can add the script named `Program Allower(Public) by TripleEYE.bat`, instead of the previous one mentioned (keep in mind you shouldn't usually need this, as the LAN\WiFi private network eventually allows the program to access the public network... just with the added security level of the router).

Enjoy the new awesome functionality.
Brought to you by your friendly neighborhood network administrator,
TripleEYE

Last edited by TripleEYE (2014-12-02 14:10)

Offline

#16 2014-12-11 16:20

NetSetMan Support
Administrator
Registered: 2005-08-06
Posts: 1,878

Re: Block\Allow a program through the firewall depending on NSM profile

TripleEYE wrote:

Is there anything there that could be the cause of it not working properly under NSM?

I didn't try your scripts as this seems to become a quite extended task.
You asked about "pause" not stopping your script(s), but I didn't find any use of that command in any of your scripts?
So what exactly isn't working when executed in NetSetMan in contrast to when executed directly?

Online

#17 2014-12-13 20:19

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

I've been explaining the purpose of these scripts from the very beginning.
The Pause command was not the critical part of the scripts. It wasn't the point. The pause command was only added when I tried to test why the scripts don't work when called for by NSM, and I removed it when it didn't help my troubleshooting.

As per your question, it seems the scripts aren't even being inputted into the cmd prompt, or they just aren't being executed like they do when done directly through the scripts when used without NSM.
To clarify: The scripts work just fine when used manually without NSM. But when used via NSM, the cmd prompt appears and disappears very quickly, seemingly without showing any text in it at all. At least that's how it seems.
So when used with NSM they just don't do what they're supposed to do (they do nothing at all when used via NSM).

The scripts I want to use with NSM are files #2, 3 & 4 from scripts I posted before.
Here's what the scripts that I tried using with NSM do when they work:
- First it takes elevated permissions
- Then it enables some firewall rules that were previously set up (you can set these rules up with a one-time use of script #1)
- Then it disables some other firewall rules that were previously set up (the same way)

Those firewall rules are enabled & disabled using the

netsh advfirewall firewall set rule

command as you can see in the scripts.
The admin elevated rights are taken with the following code which I found online:

>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"

I hope this info helps with the troubleshooting.
And thank you :)

Last edited by TripleEYE (2014-12-13 20:27)

Offline

#18 2014-12-16 14:56

NetSetMan Support
Administrator
Registered: 2005-08-06
Posts: 1,878

Re: Block\Allow a program through the firewall depending on NSM profile

When trying to get to the bottom of a problem please always first try to reduce the problem to a minimum. Right now I see lots of instruction text and lots of code that overcomplicate the main problem. If the main problem is that the code isn't executed at all then we need to analyze that instead of the huge project in total.

1. Check your file names! There are definitely some mix-ups. For example you write about "Program Blocker by TripleEYE.bat" where you probably mean "Program Blocker by TripleEYE.cmd".
2. Avoid spaces in file names! When working with script files (regardless with or without NetSetMan) you better not use spaces in the file names. Especially if you make calls from one script to another. In this case it's actually a triple-call (NetSetMan -> script -> script ...). Remove all spaces/blanks/special characters and re-edit the scripts accordingly. Then re-add them to NetSetMan and try again.

Before doing all that consider reducing the problem to a minimum as suggested. This could be creating a file called test.bat with the only content "@pause". Then run it with NetSetMan. Does it remain open?

Online

#19 2014-12-24 21:40

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

These scripts don't call for each other at all... so it's still a double call only (NSM -> script)
I will try changing the filenames so they won't have spaces and I will make sure the extensions are correct and cohesive and I'll come back with results.
Thank you.

I will also try the @pause file suggestion. It's a great and simple idea (I feel kinda stupid that I didn't think of it on my own ^_^).

There is no issue within the files themselves though. I know that because as I've already mentioned, they work just fine without NSM.
It must be the file names. But I'll update soon and we'll know better.

Offline

#20 2014-12-24 22:15

TripleEYE
Member
Registered: 2014-11-17
Posts: 21

Re: Block\Allow a program through the firewall depending on NSM profile

Thank you for your patience. We've come a bit further now.
Here are the steps I've made to troubleshoot per your guidance:

1. I made a .bat file with only

@pause

in it and it had the same issue where it would open the CMD Prompt and immediately close it without pausing or doing anything in the script.

2. Then, I tried reading what it wrote in the CMD Prompt while it appears for a fraction of a second and quickly closes and after a few trials I realized the issue was that the PATH to the bat file had a space in it.
So I erased any spaces on the path to the bat file and on the off-chance I also deleted any spaces in the file-names (all three scripts used with NSM are .bat on my computer - not .cmd). Then the

@pause

file worked fine.

3. So I proceeded to try the 'ProgramBlockerByTripleEYE.bat' file. The result is that the CMD Prompt opens, and it tries to get administrator privileges and then the CMD Prompt closes really fast and another prompt opens and does the same and I'm then stuck in a loop until signing out of the windows user.

4. It seems that I have some sort of issue with the part that tried to get elevated prompt privileges. I don't know what the problem is exactly, since it doesn't echo anything other than "Trying to get administrator privileges" or something like that... And this part gets the elevated prompt privileges with no issue when used directly from the script so I don't see the problem.

Here's that part of the code... Any issue that you can see?

REM  --> Check for permissions
 >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
 if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
 ) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

 :gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"

Offline

#21 2014-12-29 09:07

NetSetMan Support
Administrator
Registered: 2005-08-06
Posts: 1,878

Re: Block\Allow a program through the firewall depending on NSM profile

TripleEYE wrote:

after a few trials I realized the issue was that the PATH to the bat file had a space in it.

Actually that shouldn't be a problem. We took care that spaces in file paths are working as well. So either there is one certain constellation that we didn't think of or there's something completely different wrong.

Could you please post the following things:
1. The Script part of the activation log output (you can access it by opening it in the activation dialog). It should be something like this:
[0:00] Script (Before): Start
[0:00] Script (Before): C:\some test\some file.bat
[0:00] Script (Before): OK

2. The exact path where NetSetMan is installed on your machine.

3. Open the settings.ini file from your NetSetMan installation folder and search for the profile id as a section name, like "[5]" for id #5 (you see the profile ids by right-clicking a profile tab in the main UI).
There find the line starting with "ScriptPath" or "ScriptPath2" and copy the complete line.


TripleEYE wrote:

Here's that part of the code... Any issue that you can see?

I admit it's not easy to see but the reason for the problem is (as I've previously mentioned) the difference between x64 and x86 processes. When you launch the script directly on a x64 system it's working in x64 context.
NetSetMan is meant to be working for both x64 and x86 systems, therefore it's an x86 application running in a special x86 mode on x64 systems. This means your scripts will be executed in that context, too. So you have to take care you only use commands, files and paths that are available to x86 applications. In your case the file "SYSTEM" isn't available in the path "%SYSTEMROOT%\system32\config\" so your script fails because it can't test against this file. So instead of testing for the access privileges to this file you could simply test against its folder.
So simply change
"%SYSTEMROOT%\system32\config\system"
to
"%SYSTEMROOT%\system32\config\"

Online
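
An added example, not code from this thread or from NetSetMan: one way to write the elevation header so that it behaves the same whether it is started from 64-bit Explorer or from a 32-bit parent process, and so that a failed elevation cannot relaunch the script in a loop as described in post #20. The `elevated` marker argument and the `_Sys` / `_Vbs` variable names are assumptions made for this sketch, and the `net session` test assumes the Windows Server service is running.

```batch
@echo off
setlocal

REM Added example. "elevated" is a marker argument chosen for this sketch so
REM that a relaunched copy can tell it has already asked for elevation once.

REM In a 32-bit cmd.exe on x64 Windows, %SYSTEMROOT%\system32 is redirected to
REM SysWOW64. PROCESSOR_ARCHITEW6432 is only defined in that situation, and
REM Sysnative is the alias a 32-bit process uses to reach the real system32.
set "_Sys=%SYSTEMROOT%\System32"
if defined PROCESSOR_ARCHITEW6432 set "_Sys=%SYSTEMROOT%\Sysnative"

REM Admin test that does not depend on a file inside the redirected tree:
REM "net session" returns a non-zero exit code without an elevated token.
REM Assumption: the Server service is running, otherwise it fails either way.
"%_Sys%\net.exe" session >nul 2>&1
if not errorlevel 1 goto gotAdmin

REM Still not admin after one relaunch: stop here instead of looping.
if /i "%~1"=="elevated" (
    echo Elevation failed or was declined. Stopping instead of relaunching.
    exit /b 1
)

echo Requesting administrative privileges...
set "_Vbs=%temp%\getadmin_%random%.vbs"
>"%_Vbs%" echo Set UAC = CreateObject^("Shell.Application"^)
>>"%_Vbs%" echo UAC.ShellExecute "%~f0", "elevated", "", "runas", 1
"%_Sys%\cscript.exe" //nologo "%_Vbs%"
del "%_Vbs%" >nul 2>&1
exit /b

:gotAdmin
REM Work from the script's own folder, whatever the caller's directory was.
cd /d "%~dp0"
echo Running elevated from "%CD%"
REM The netsh advfirewall firewall set rule commands would follow here.
```

Starting this file once from Explorer and once from a 32-bit `cmd.exe` (`%SYSTEMROOT%\SysWOW64\cmd.exe`) reproduces both launch contexts discussed above without involving NetSetMan.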