
My application uses Python sockets, so I had to add a firewall exception to be able to receive data through sockets. I've frozen the app using PyInstaller to be able to distribute it for Windows computers. To add the firewall exception, I use the code below:

import subprocess
from subprocess import DEVNULL

# rule_name and app_path (the frozen .exe that owns the socket) are assumed to be set earlier
command1 = f'netsh advfirewall firewall add rule name="{rule_name}" profile=any protocol=any enable=yes DIR=In program="{app_path}" Action=Allow'
command2 = f'netsh advfirewall firewall add rule name="{rule_name}" profile=any protocol=any enable=yes DIR=Out program="{app_path}" Action=Allow'
subprocess.run(command1, shell=False, stdout=DEVNULL, stderr=DEVNULL)
subprocess.run(command2, shell=False, stdout=DEVNULL, stderr=DEVNULL)

In order to add this exception, I use this code to get elevated permissions:

import ctypes
import sys

try:
    isAdmin = ctypes.windll.shell32.IsUserAnAdmin()
except AttributeError:  # not running on Windows
    isAdmin = False
if not isAdmin:
    # relaunch through UAC ("runas"); sys.executable is the frozen .exe
    ctypes.windll.shell32.ShellExecuteW(None, "runas", sys.executable, __file__, None, 1)

The user is prompted with an elevation confirmation window and, if they accept it, the firewall exception is created correctly and the application works fine. However, if the application is closed and run again, I check whether the firewall rules exist and, if so, I don't ask for elevated permissions again.

My problem is that without elevated rights the application is not able to open a socket to a remote host and, conversely, if the user runs the application with elevated rights or if the application asks for them, it works.

What should I do to get the app working without elevated rights (except for the first time, when the firewall exception is created)?

EDIT

I use these parameters to create and connect the socket:

import socket

self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # plain TCP, not SOCK_RAW
self.socket.connect(("192.168.x.x", 80xx))  # host and port as given in the post

EDIT 2

I just noticed that I'm able to accept incoming connections and send data (server mode) but I can't establish an external connection and receive data (client mode).

May.D
  • How do you create the socket? [This answer](https://stackoverflow.com/a/28838175/2116625) suggests that for SOCK_RAW sockets you need admin rights, and for the others you don't. Also see the [docs](https://learn.microsoft.com/en-us/windows/win32/winsock/tcp-ip-raw-sockets-2). – gukoff Jun 14 '21 at 13:52
  • I use this code : `self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.socket.connect((self.host, self.port))`. I'm new to network programming but according to the answer you linked I guess it's not a `SOCK_RAW`. – May.D Jun 14 '21 at 13:54
  • On which line it fails, and what is the exception? :) – gukoff Jun 14 '21 at 13:56
  • It does not actually fail and does not raise any exception, it just hangs indefinitely when the app is run without elevated rights. – May.D Jun 14 '21 at 14:01
  • What port is it running on? Not sure on Windows but I know for sure that ports <=1024 need root on Linux.. – JeffUK Jun 14 '21 at 14:44
  • It's running on a user-defined port, usually something like 80xx (that's what I use for my tests). I've edited my question with this information. Also, I've just tested my code in an unelevated Python shell and the connection is established without trouble. – May.D Jun 14 '21 at 14:52

1 Answer


The Windows Firewall rule may define a user that has administrator rights, so you should also check the "Local Principals" defined for the firewall rule.
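The procedure described in the question (create the two netsh program rules as the app's first, elevated step and skip the UAC prompt when they already exist) and the check suggested in the answer (inspect the rule's Local Principals), as one added Python example. This is not code from the question or the answer. It assumes a hypothetical rule name and a hypothetical --install-firewall flag for the elevated helper copy, relies on the field labels "Rule Name", "Enabled", "Direction", "Program" and "Action" printed by netsh show rule verbose, and reads LocalUser through the NetSecurity PowerShell module (Windows 8 / Server 2012 and later):

```python
"""Windows Firewall program rules for a PyInstaller-frozen Python socket app: build the
netsh commands safely, detect rules that already exist, elevate only for the installation
and read the rule's Local Principals. Added example; rule name and flag are hypothetical."""
import ctypes
import subprocess
import sys
import time
from subprocess import DEVNULL

RULE_NAME = "My Socket App"  # hypothetical
# The firewall matches the image path of the process that opens the socket: the
# PyInstaller .exe when frozen, python.exe otherwise. Both are sys.executable.
PROGRAM = sys.executable

def add_rule_commands(rule_name: str, program: str) -> list[list[str]]:
    """The two netsh invocations as argv lists: subprocess quotes each token, so a
    name or path with spaces cannot inject extra tag=value pairs into netsh."""
    if '"' in rule_name or '"' in program:
        raise ValueError("double quotes are not allowed in the rule name or path")
    base = ["netsh", "advfirewall", "firewall", "add", "rule", f"name={rule_name}",
            "profile=any", "protocol=any", "enable=yes", f"program={program}",
            "action=allow"]
    return [base + ["dir=in"], base + ["dir=out"]]

def parse_show_rule(text: str) -> list[dict[str, str]]:
    """'netsh advfirewall firewall show rule ... verbose' output -> one dict per rule."""
    rules: list[dict[str, str]] = []
    for line in text.splitlines():
        if ":" not in line or line.startswith("-"):
            continue  # separators, "Ok.", "No rules match the specified criteria."
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key] = value
    return rules

def covers(rules: list[dict[str, str]], program: str, direction: str) -> bool:
    """True if an enabled Allow rule for `direction` ("In"/"Out") names this program."""
    want = program.casefold()
    return any(r.get("Enabled") == "Yes" and r.get("Action") == "Allow"
               and r.get("Direction") == direction
               and r.get("Program", "").casefold() == want for r in rules)

def rules_present(rule_name: str, program: str) -> bool:
    """Query the live firewall; 'show rule' needs no admin rights (netsh exits 1 on no match)."""
    show = subprocess.run(["netsh", "advfirewall", "firewall", "show", "rule",
                           f"name={rule_name}", "verbose"], capture_output=True, text=True)
    rules = parse_show_rule(show.stdout)
    return covers(rules, program, "In") and covers(rules, program, "Out")

def install_rules(rule_name: str, program: str) -> None:
    for cmd in add_rule_commands(rule_name, program):
        subprocess.run(cmd, check=True, stdout=DEVNULL, stderr=DEVNULL)

def is_admin() -> bool:
    try:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except AttributeError:  # not Windows
        return False

def install_rules_elevated(rule_name: str, program: str, timeout: float = 120) -> bool:
    """Run only the installation through UAC, as a second copy of this program carrying the
    hypothetical --install-firewall flag, and wait for the rules; the caller stays unelevated."""
    # A frozen .exe runs its bundled script whatever its arguments, so the script path
    # is forwarded only when running under python.exe.
    params = ([] if getattr(sys, "frozen", False) else [sys.argv[0]]) + ["--install-firewall"]
    ctypes.windll.shell32.ShellExecuteW(None, "runas", sys.executable,
                                        subprocess.list2cmdline(params), None, 1)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if rules_present(rule_name, program):
            return True
        time.sleep(1)
    return False  # UAC declined or netsh failed

def local_user_filter(rule_name: str) -> str:
    """The rule's Local Principals (LocalUser) via the NetSecurity PowerShell module (Windows 8 /
    Server 2012+): 'Any' means unrestricted, an SDDL string means only those accounts may use it."""
    safe = rule_name.replace("'", "''")
    ps = (f"Get-NetFirewallRule -DisplayName '{safe}' | "
          "Get-NetFirewallSecurityFilter | Select-Object -ExpandProperty LocalUser")
    out = subprocess.run(["powershell", "-NoProfile", "-NonInteractive", "-Command", ps],
                         capture_output=True, text=True)
    return out.stdout.strip()

if __name__ == "__main__":
    if "--install-firewall" in sys.argv:  # the elevated helper copy
        install_rules(RULE_NAME, PROGRAM)
        sys.exit(0)
    if not rules_present(RULE_NAME, PROGRAM):
        if is_admin():
            install_rules(RULE_NAME, PROGRAM)
        elif not install_rules_elevated(RULE_NAME, PROGRAM):
            sys.exit("firewall rules were not created")
    print("Local Principals:", local_user_filter(RULE_NAME) or "<rule not found>")
```

Two design points: the netsh arguments are passed as a list rather than a pre-formatted string, so the only process that ever runs with admin rights is the short-lived helper copy, and the copy that owns the socket stays unelevated, which is what the question asks for. If the printed Local Principals value is an SDDL string rather than Any, the rule only applies to the listed accounts, which is the situation the answer points at.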