
I would like to be able to use c# to create a Whitelist (or remove from the list) IPs that are allowed to access a particular port, ranges of ports, or any port at all to a third party service on a Windows 2012 server.

Is there a way that I can programmatically control access to another service?

Ben Voigt
Andrew
  • By third-party service, you mean another server program running on the same Windows computer, right? – Ben Voigt Jun 26 '14 at 21:18
  • 1
    Is your question already answered by http://stackoverflow.com/q/9712814/103167 ? – Ben Voigt Jun 26 '14 at 21:20
  • Yes to the first question. – Andrew Jun 26 '14 at 21:24
  • Regarding the other question, I'm not entirely sure - first of all, thanks for pointing it out. There are two issues that I am unsure of: whether it is capable of handling individual ports (a necessity!) and whether I can manage hundreds or thousands of IPs in such a list (starting with a block rule and then allowing individual IPs). Unfortunately I will have to review the solution in order to be sure (unless someone confirms this first). – Andrew Jun 26 '14 at 21:30
  • those questions sound more related to whether the built in firewall meets your needs than how to use C# to control it. Recommendations of other firewalls you could use would be off topic, but if you selected one and had trouble configuring it from code, you could ask about that. And you can't make a firewall from scratch using C#, you can only hope to control kernel components written in native code. – Ben Voigt Jun 26 '14 at 21:59
  • Fair enough. The other question is more related to a specific detail of programming the Windows firewall, rather than the fact that interacting with the Windows firewall is possible. Does this make this a different question, or is it a duplicate? – Andrew Jun 28 '14 at 16:28
  • I think it's a duplicate. If you read this question narrowly "Is there a way, yes or no?" then it's a bad question. Broadly, "Is there a way, and what is that way?" then the other shows that as well. – Ben Voigt Jun 28 '14 at 19:03

2 Answers


You can ban an IP by adding a rule on Windows Firewall via command prompt using this method:

using System;
using System.Diagnostics;
using System.Security.Principal;

void BanIP(string RuleName, string IPAddress, string Port, string Protocol)
{
    // Only act when every argument is supplied and the current process is elevated;
    // netsh advfirewall refuses to add rules from a non-administrator token.
    if (!string.IsNullOrEmpty(RuleName) && !string.IsNullOrEmpty(IPAddress) && !string.IsNullOrEmpty(Port) && !string.IsNullOrEmpty(Protocol) && new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator))
    {
        using (Process RunCmd = new Process())
        {
            RunCmd.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            RunCmd.StartInfo.FileName = "cmd.exe";
            // The command line is built by string concatenation, so RuleName and IPAddress
            // must come from trusted input: a '"' or '&' inside them changes the command cmd.exe runs.
            RunCmd.StartInfo.Arguments = "/C netsh advfirewall firewall add rule name=\"" + RuleName + "\" dir=in action=block remoteip=" + IPAddress + " remoteport=" + Port + " protocol=" + Protocol;
            RunCmd.Start();
            // Wait for netsh to finish; inspect RunCmd.ExitCode (non-zero on failure) if you need confirmation.
            RunCmd.WaitForExit();
        }
    }
}

Usage:

BanIP("Rule1", "151.21.1.1", "3389", "TCP"); // Will ban the IP 151.21.1.1 (RDP).
BanIP("Rule2", "151.21.1.1", "Any", "TCP"); // Will ban the IP 151.21.1.1 on any TCP port.
BanIP("Rule3", "151.21.1.1", "3380-3390", "TCP"); // Will ban the IP 151.21.1.1 on the 3380-3390 TCP port range.

Note that this command will work starting with Windows Server 2012 R2 and that administrative privileges are required. Also remember that being a process external to your C# code, there is no guarantee that this will work, it is up to you to add checks to verify that everything is working correctly.

Marco Concas


In Windows, it is possible to access network commands using PowerShell and the netsh executable.

Using C#, it is therefore possible to modify the firewall rules by using the System.Diagnostics.Process class and passing commands to this executable in the manners outlined in these two pages:

How to use the Process class to call netsh has already been answered in the following post: Command netsh using C#

Andrew