3

I've heard that you can, during installation, add an exception for your app to give permission for it to access the internet through the firewall.

Anyone know how to do this?

Clay Nichols
  • Seems hazardous if true. +1 for curiosity. – Chris Thornton May 22 '10 at 01:46
  • Wouldn't that defeat the purpose of the firewall? I know, I'll just write my trojan to give itself an exception in the firewall! QED! – Dan McGrath May 22 '10 at 01:51
  • I agree, seems like it defeats the purpose of a FW, but like I said "I heard it" from someone else here on SO. I actually posted here so they'd have a chance to earn some points (rather than answering in comments of another question) – Clay Nichols May 22 '10 at 01:55
  • @all previous: The consensus seems to be that it would be bad if an install application (probably running with admin privileges) can make changes to the firewall? If the install application is a trojan/virus/malware, then you have already lost the battle. – Mark Wilkins May 22 '10 at 02:42
  • The post http://stackoverflow.com/questions/113755/programmatically-add-an-application-to-windows-firewall seems to be asking the same question. Some of the answers might help. – Mark Wilkins May 22 '10 at 02:51

1 Answer

2

The alternative in many cases is to suggest that users disable the firewall entirely or OK the prompt Windows raises when your server ports begin to listen. Both of these are bad options: one risks leaving the machine open to anything and the other trains them to approve security prompts uncritically.

You could easily have your applications add and remove themselves as firewall exceptions. They could even disable/enable the firewall, a really bad idea. But it's usually a better idea to add and remove exceptions as part of install/uninstall operations.

One place where Microsoft describes the process is Windows Firewall for Game Developers.

If your security is so poor you rely on a software firewall alone for protection you can always set "no exceptions" mode on the firewall. Of course this reduces your users to passive consumers of Internet services, à la broadcast television reception.

Bob77
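The install/uninstall approach from the answer above, sketched as an added example that is not part of the original post. It uses the NetSecurity PowerShell cmdlets (Windows 8 / Server 2012 and later) rather than the API covered in the Microsoft article the answer mentions, and it must run elevated, as an installer normally does. The rule name, group, program path and port are hypothetical placeholders.

```powershell
# Added example: install/uninstall hook that manages one narrowly scoped rule.
# All names, the path and the port are hypothetical placeholders.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Install', 'Uninstall')]
    [string]$Mode
)

$RuleName  = 'ExampleApp-Inbound-TCP'                          # hypothetical rule id
$RuleGroup = 'ExampleApp'                                      # hypothetical group
$AppPath   = "$env:ProgramFiles\ExampleApp\ExampleApp.exe"     # hypothetical path
$Port      = 8443                                              # hypothetical port

function Remove-AppRule {
    # Delete only the rule this installer owns; stay silent if it is absent.
    Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Add-AppRule {
    # Remove any earlier copy so repeated installs do not stack duplicates.
    Remove-AppRule

    # Scope the exception to one binary, one protocol, one port, and keep it
    # off the Public profile so it is not active on untrusted networks.
    New-NetFirewallRule -Name $RuleName `
        -DisplayName 'ExampleApp (TCP in)' `
        -Group $RuleGroup `
        -Direction Inbound -Action Allow `
        -Program $AppPath `
        -Protocol TCP -LocalPort $Port `
        -Profile Domain, Private | Out-Null

    # Read the rule back so the installer log records what was opened.
    $rule = Get-NetFirewallRule -Name $RuleName
    $app  = $rule | Get-NetFirewallApplicationFilter
    Write-Output "Rule '$($rule.Name)' enabled=$($rule.Enabled) program=$($app.Program)"
}

switch ($Mode) {
    'Install'   { Add-AppRule }
    'Uninstall' { Remove-AppRule }
}
```

Because the rule carries a fixed name and group, an administrator can audit or remove it later with `Get-NetFirewallRule -Group ExampleApp` even if the uninstaller never runs.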