1

I am trying to get my application to be allowed through the firewall, as I have to do FTP in active mode, and passive mode is not an option as the servers are not configured for that. So I tried the code below, which compiles fine. I execute it using:

    MyApp.Classes.INetFwMgr mgr = new MyApp.Classes.INetFwMgr();
    mgr.AuthorizeApplication(Application.ProductName, Application.StartupPath,
        NET_FW_SCOPE_.NET_FW_SCOPE_ALL,
        NET_FW_IP_VERSION_.NET_FW_IP_VERSION_ANY);

And the class which does the job:

    private const string CLSID_FIREWALL_MANAGER =
        "{304CE942-6E39-40D8-943A-B913C40C9CD4}";

    private static NetFwTypeLib.INetFwMgr GetFirewallManager()
    {
        Type objectType = Type.GetTypeFromCLSID(
            new Guid(CLSID_FIREWALL_MANAGER));
        return Activator.CreateInstance(objectType)
            as NetFwTypeLib.INetFwMgr;
    }

    private const string PROGID_AUTHORIZED_APPLICATION =
        "HNetCfg.FwAuthorizedApplication";

    public bool AuthorizeApplication(string title, string applicationPath,
        NET_FW_SCOPE_ scope, NET_FW_IP_VERSION_ ipVersion)
    {
        // Create the type from prog id
        Type type = Type.GetTypeFromProgID(PROGID_AUTHORIZED_APPLICATION);
        INetFwAuthorizedApplication auth = Activator.CreateInstance(type)
            as INetFwAuthorizedApplication;
        auth.Name = title;
        auth.ProcessImageFileName = applicationPath; // Getting Access Denied Exception Here
        auth.Scope = scope;
        auth.IpVersion = ipVersion;
        auth.Enabled = true;
        NetFwTypeLib.INetFwMgr manager = GetFirewallManager();
        try
        {
            manager.LocalPolicy.CurrentProfile.AuthorizedApplications.Add(auth);
        }
        catch (Exception ex)
        {
            return false;
        }
        return true;
    }

Using the above code, I get an "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))" C# exception on the line

auth.ProcessImageFileName = applicationPath;

Any ideas what to do?

Edit1: How would I run this as an admin using code?

Edit2: I also tried putting <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> in the manifest; it did not make a difference.

P.S. This program's execution context can be Win 7, Vista, XP.

PUG
  • FYI, there's no such thing as "C#.net". – John Saunders Dec 21 '11 at 19:58
  • 7
    What is the execution context of this code? A regular program can of course not just force the firewall open, that would defeat the point of having one. At least admin privileges would be required, the kind you'd normally only get in an installer. In a server scenario you *definitely* want to leave it up to the LAN admin to grant access explicitly. – Hans Passant Dec 22 '11 at 15:15

4 Answers

1

Firewall management is a system level security feature and has to be done outside of user mode application code. Configuration must be done by an administrator.

It is bad practice to write the code that you wrote and assume that your application will be run as administrator. Even if it is run by an administrator, you now have an application that "does FTP stuff" and "does firewall stuff". No application has ever been written like this.

You can write code that interacts with the system firewall, and that code must be run with elevated permissions. Typically such "helper applications" are never even created however as Windows (and every other OS) has all the necessary management tools shipped with the OS (i.e. wf.msc).

mattypiper
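An elevated setup-time helper of the kind this answer describes, as an added example (not code from any poster on this page): it refuses to run unelevated, adds the rule only once, and scopes it to the program, TCP and the FTP server rather than `NET_FW_SCOPE_ALL`. It assumes Vista or later (the `HNetCfg.FwPolicy2` COM API, so not XP), a server that sends active-mode data from port 20, and uses a hypothetical rule name and a constructed sample address.

```csharp
using System;
using System.Security.Principal;
using NetFwTypeLib; // COM reference to FirewallAPI.dll (Vista and later)

static class FirewallRuleInstaller
{
    // Hypothetical rule name and constructed sample address (TEST-NET-1).
    const string RuleName = "MyApp active FTP data (inbound)";
    const string FtpServers = "192.0.2.10";

    static bool IsElevated()
    {
        // Under UAC an unelevated admin holds a filtered token, so this is false.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Exit codes: 0 = rule present or added, 1 = not elevated, 2 = bad usage.
    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: <full path to exe>"); return 2; }
        if (!IsElevated()) { Console.Error.WriteLine("Run from an elevated setup step."); return 1; }

        var policy = (INetFwPolicy2)Activator.CreateInstance(
            Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));

        // Idempotent: leave an existing rule with this name untouched.
        foreach (INetFwRule existing in policy.Rules)
            if (existing.Name == RuleName) return 0;

        var rule = (INetFwRule)Activator.CreateInstance(
            Type.GetTypeFromProgID("HNetCfg.FWRule"));
        rule.Name = RuleName;
        rule.ApplicationName = args[0];          // full path to the .exe, not its folder
        rule.Protocol = (int)NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_TCP; // set before ports
        rule.RemoteAddresses = FtpServers;       // only the known FTP server(s)
        rule.RemotePorts = "20";                 // assumed source port of the data connection
        rule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN;
        rule.Action = NET_FW_ACTION_.NET_FW_ACTION_ALLOW;
        rule.Profiles = (int)(NET_FW_PROFILE_TYPE2_.NET_FW_PROFILE2_DOMAIN
                            | NET_FW_PROFILE_TYPE2_.NET_FW_PROFILE2_PRIVATE);
        rule.Enabled = true;
        policy.Rules.Add(rule);
        return 0;
    }
}
```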
1

I have observed that if I change the order of the FTP download statements to the following, a Windows dialog appears asking whether you want to allow this program access through the firewall; if I click "Allow access", the code works perfectly.

    requestDownload = (FtpWebRequest)WebRequest.Create(uri);
    requestDownload.UsePassive = false;
    requestDownload.KeepAlive = false;
    requestDownload.UseBinary = true;
    requestDownload.Method = WebRequestMethods.Ftp.DownloadFile;

    requestDownload.Credentials = new NetworkCredential(ftpInfoDownload[3], ftpInfoDownload[4]);

    responseDownload = (FtpWebResponse)requestDownload.GetResponse();
    Stream ftpStream = responseDownload.GetResponseStream();

PUG
0

Try opening the FTP ports in the firewall -- ports 20 and 21 -- and see if that solves your issue.

hypercode
  • In Windows Firewall, you can manually add your program to the "Allow" list (look for _Allow a program or feature through Windows Firewall_) or you can manually override specific TCP/IP ports (usually an advanced setting). It will depend on the version of Windows you're running which option is the easiest to configure. – hypercode Dec 21 '11 at 20:24
  • I added a rule to the firewall to allow connections on 20, 21 and still the FTP request is timing out – PUG Dec 21 '11 at 21:23
  • But when I allowed the program through the firewall, it worked. Do you have any suggestion on allowing my program through the firewall using code, as I only publish the code and the program gets installed on every client system by itself? How would I do this so that it only adds it once? – PUG Dec 21 '11 at 21:34
  • Go look at Greg's answer to this question -- it should help you with doing what you want with the firewall: http://stackoverflow.com/questions/1242566/any-way-to-turn-the-internet-off-in-windows-using-c – hypercode Dec 21 '11 at 23:33
0

For running as a different user: Run Code as a different user (C#)

As for getting through the firewall, have you talked to the person/group responsible for the firewall security? They may have some rules in place that you could use.

Community
Wayne In Yak
  • I want to do it programmatically, allow the .exe access through the firewall – PUG Dec 22 '11 at 17:42
  • @jaminator - Obviously that is what you are after but is it really ethical to do so? – M.Babcock Dec 22 '11 at 19:33
  • 1
    You do know the purpose behind a firewall, correct? To stop unauthorized access. You can run code as a different user, but it doesn't matter if where you are trying to go is blocked at the port/ACL level. This is something the LAN admin could help you with. Is there a reason you don't want to talk to the LAN/Firewall admin? – Wayne In Yak Dec 22 '11 at 19:33