How do I open ports in the Windows Firewall, part 3


This is the 3rd and final article in my discussion of how the WMC product opened holes in the Windows firewall to enable the WMC clients to access the WMC HTTP server.

In my last article, I had found an INetConnection object, which had a “guidId” property that I thought might be useful when trying to associate an INetConnection object with an IP address.

I dug a bit deeper through the SDK, and I discovered that the IP_ADAPTER_ADDRESSES structure contained a string “AdapterName”.  It turns out that the “AdapterName” field is a string-ized representation of the GUID used in the INetConnection!  And, since the IP_ADAPTER_ADDRESSES structure contains the IP address of the connection, I can use that to see if the adapter is associated with the right IP address.

Once I’d found the right IP_ADAPTER_ADDRESSES entry, all I’d need to do is to call CLSIDFromString on the AdapterName field of the IP_ADAPTER_ADDRESSES structure and I’d have the GUID I needed.

Well, to get an IP_ADAPTER_ADDRESSES structure, I need to call the GetAdaptersAddresses API, which returns an array of IP_ADAPTER_ADDRESSES structures.  Now I had all the pieces I needed to pull all of this together.

For a given IP address, I called into a routine GetAdapterGuid which calls GetAdaptersAddresses.  It then matched the FirstUnicastAddress field in the IP_ADAPTER_ADDRESSES structure with the IP address specified, and if they matched, returned the GUID in the “AdapterName” field of the IP_ADAPTER_ADDRESSES structure.

Now that I had the adapter GUID, I called into the INetSharingManager object to enumerate all the connections, and found the connection that corresponded to the adapter GUID I was looking for.

And once I had the INetConnection that matched my IP address, I asked the sharing manager for the INetSharingConfiguration that corresponded to that INetConnection object, and added the port mapping for my port to that IP address.

And I was done!  A whole lot of work, and a pretty squirrelly API but it got the job done.
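The lookup chain described above, sketched in PowerShell as an added example; it is not the code from WMC or from this post. It uses the .NET NetworkInterface class in place of a direct GetAdaptersAddresses call, checks every unicast address on each adapter rather than only the first, and drives INetSharingManager through its scriptable HNetCfg.HNetShare ProgID. The address, port and mapping name are constructed values.

```powershell
# Added example, not the original WMC code. Run elevated on Windows.
function Get-AdapterGuid {
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    # On Windows, NetworkInterface.Id is the adapter GUID string, the same value
    # the post reads from IP_ADAPTER_ADDRESSES.AdapterName.
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        foreach ($uni in $nic.GetIPProperties().UnicastAddresses) {
            if ($uni.Address.Equals($Address)) { return [guid]$nic.Id }
        }
    }
    throw "No adapter owns address $Address"
}

function Get-SharingConfiguration {
    param([Parameter(Mandatory)][guid]$AdapterGuid)
    $mgr = New-Object -ComObject HNetCfg.HNetShare        # INetSharingManager
    foreach ($conn in $mgr.EnumEveryConnection) {         # each item is an INetConnection
        $props = $mgr.NetConnectionProps.Invoke($conn)    # INetConnectionProps
        if ([guid]$props.Guid -eq $AdapterGuid) {
            # INetSharingConfiguration for the connection that owns the address
            return $mgr.INetSharingConfigurationForINetConnection.Invoke($conn)
        }
    }
    throw "No INetConnection has GUID $AdapterGuid"
}

$NAT_PROTOCOL_TCP = 6      # ucIPProtocol value for TCP
$ICSTT_IPADDRESS  = 1      # ICS_TARGETTYPE: target given as an IP address

# Constructed sample values for illustration.
$serverAddress = [System.Net.IPAddress]'192.168.0.10'
$serverPort    = 8080

$guid   = Get-AdapterGuid -Address $serverAddress
$config = Get-SharingConfiguration -AdapterGuid $guid

# Map the port on that one connection only, targeting the server's own address.
$mapping = $config.AddPortMapping('Example HTTP server', $NAT_PROTOCOL_TCP,
    $serverPort, $serverPort, 0, $serverAddress.ToString(), $ICSTT_IPADDRESS)
$mapping.Enable()
```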

Please note: If I were using the INetFW APIs that were added for XP SP2, this process would have been much easier.  The new firewall API is documented here.  Using the new API, I could just CoCreateInstance of an INetFwOpenPort, set the IP address for our local subnets (see the initial post for a list of the local subnets) as the remote addresses, set the port and service, and add the INetFwOpenPort to the INetFwOpenPorts collection.  And I’d be done.  The new API also lets you have significantly more control over opening ports in the firewall than the old one did, and it appears to be a far more pleasant API to use.  There’s even an example of opening ports in the “Exercising the firewall” C++ sample.  You can download the firewall SDK here.
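The XP SP2 approach, sketched in PowerShell through the API's scriptable ProgIDs (HNetCfg.FWOpenPort and HNetCfg.FwMgr) as an added example, not code from the post or the SDK sample. The subnet list, port and name are assumptions, since the post's own subnet list lives in the first article of the series; the second function is an added audit that lists enabled open ports with no remote-address restriction.

```powershell
# Added example, not from the original post. Run elevated on Windows.
$NET_FW_IP_PROTOCOL_TCP = 6
$NET_FW_SCOPE_ALL       = 0

# Assumed local subnets (constructed); substitute the list from the first article.
$localSubnets = '10.0.0.0/255.0.0.0,172.16.0.0/255.240.0.0,192.168.0.0/255.255.0.0'

function Add-ScopedOpenPort {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$RemoteAddresses
    )
    $open = New-Object -ComObject HNetCfg.FWOpenPort     # INetFwOpenPort
    $open.Name            = $Name
    $open.Protocol        = $NET_FW_IP_PROTOCOL_TCP
    $open.Port            = $Port
    $open.RemoteAddresses = $RemoteAddresses             # restrict who may connect
    $open.Enabled         = $true

    $fwMgr = New-Object -ComObject HNetCfg.FwMgr         # INetFwMgr
    # INetFwOpenPorts collection of the profile currently in effect
    $fwMgr.LocalPolicy.CurrentProfile.GloballyOpenPorts.Add($open)
}

function Get-UnscopedOpenPort {
    # Report enabled entries that accept traffic from any remote address.
    $fwMgr = New-Object -ComObject HNetCfg.FwMgr
    foreach ($p in $fwMgr.LocalPolicy.CurrentProfile.GloballyOpenPorts) {
        if ($p.Enabled -and $p.Scope -eq $NET_FW_SCOPE_ALL) {
            [pscustomobject]@{ Name = $p.Name; Port = $p.Port; Protocol = $p.Protocol }
        }
    }
}

# Constructed name and port for illustration.
Add-ScopedOpenPort -Name 'Example HTTP server' -Port 8080 -RemoteAddresses $localSubnets
Get-UnscopedOpenPort | Format-Table
```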

 

Comments (12)

  1. Anonymous says:

    Is there a managed (.NET) version of this API?

  2. Anonymous says:

    Good question. I don’t believe so, but it should be simple to generate an interop DLL for it.

  3. Anonymous says:

    Where can I get the actual API (not just the docs) for the new SP2 firewall? The API you point to (http://msdn.microsoft.com/library/default.asp?url=/downloads/list/IPv6ICF.asp) is for the first XP firewall, not the newer API.

  4. Anonymous says:

    Bruce, go to http://msdn.microsoft.com

    and search for "firewall api"

    It’ll give you documentation for the new XP SP2 firewall APIs.

  5. Anonymous says:

    Oh, and for the lazy among us: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics/using_windows_firewall.asp

    This is the same link that’s in the "The new firewall API is documented here" link above.

  6. Anonymous says:

    Larry, thanks for the quick reply.

    I have been looking at these pages, but I don’t see where I can get the SDK with the netfw.h file and other assorted goodies I need to link into my C++ program. When I go to the download page, I get the V6 API you used, not the new SP2 API documented on these pages.

    Am I making sense here?

  7. Anonymous says:

    You are, I misunderstood. netfw.h should be in the April release of the platform SDK (available with the April MSDN).

    I’m trying to download the most recent platform SDK to see if netfw.h is in that.

  8. Anonymous says:

    Btw, Tony Goodhew has this article on opening ports using the new API:

    http://blogs.tonygoodhew.com/xpsp2/archive/2004/05/19/269.aspx

    He points out that netfw.h is derived from netfw.idl, which should be in the XP SP2 platform SDK.

  9. Anonymous says:

    Larry,

    SCORE! I now have a working netfw.h. Thanks for the help. Your site is the only one on the net that explains where to get the new Platform SDK for Windows XP SP 2.

    You're right, the new API looks a lot better than the old one.

  10. Anonymous says:

    No problem Bruce. That’s why I put it up as today’s post too – I realized that it was NOT trivial to get this information (I had to ask an internal alias).

  11. Anonymous says:

    This is the second post in a series of posts that explain how the Windows Media Connect project opened