I am new to WiX installer. I am trying to add a firewall exception for my program.
My code is as follows:
<!-- requires xmlns:fire="http://schemas.microsoft.com/wix/FirewallExtension" on the enclosing <Wix> element -->
<Component Id="_VIEW.EXE" Guid="*" Transitive="yes">
  <File Id="view.exe"
        Name="view.exe"
        KeyPath="yes"
        Source="$(var.INSTALLSOURCE)\view.exe">
    <fire:FirewallException Id="view_firewall_domain_tcp"
                            Name="View"
                            Protocol="tcp"
                            Scope="any"
                            IgnoreFailure="yes"
                            Profile="domain" />
    <fire:FirewallException Id="view_firewall_domain_udp"
                            Name="View"
                            Protocol="udp"
                            Scope="any"
                            IgnoreFailure="yes"
                            Profile="domain" />
    <fire:FirewallException Id="view_firewall_private_tcp"
                            Name="View"
                            Protocol="tcp"
                            Scope="any"
                            IgnoreFailure="yes"
                            Profile="private" />
    <fire:FirewallException Id="view_firewall_private_udp"
                            Name="View"
                            Protocol="udp"
                            Scope="any"
                            IgnoreFailure="yes"
                            Profile="private" />
  </File>
</Component>
In my code, I add 4 firewall exceptions, and each exception has a different value for the "Profile" and "Protocol" attributes. My expected result is 4 exceptions created:
NAME GROUP Profile Enabled Action Override Program Local Address Remote Address Protocol Local Port Remote Port Allowed Users Allowed Computers
view Domain Yes Allow No c:\test\view.exe Any Any TCP Any Any Any Any
view Domain Yes Allow No c:\test\view.exe Any Any UDP Any Any Any Any
view Private Yes Allow No c:\test\view.exe Any Any TCP Any Any Any Any
view Private Yes Allow No c:\test\view.exe Any Any UDP Any Any Any Any
But the actual result is that only one exception is created, and the value of the "Protocol" attribute is "Any" instead of "TCP" or "UDP":
NAME GROUP Profile Enabled Action Override Program Local Address Remote Address Protocol Local Port Remote Port Allowed Users Allowed Computers
view Domain Yes Allow No c:\test\view.exe Any Any Any Any Any Any Any
So, I have two questions:
- Why is only one exception created? Must the name of the exception be unique?
- Why does the value of the "Protocol" attribute not take effect?
I referred to the official document about the firewall extension:
http://wixtoolset.org/documentation/manual/v3/xsd/firewall/firewallexception.html
In the document, I saw this description of the "File" attribute:
Identifier of a file to be granted access to all incoming ports and protocols. If you use File, you cannot also use Program.
If you use File and also Port or Protocol in the same FirewallException element, the exception will fail to install on Windows XP and Windows Server 2003. IgnoreFailure="yes" can be used to ignore the resulting failure, but the exception will not be added.
Does it mean that if I set a firewall rule for a program, the "Protocol" and "Port" attributes will be "Any" automatically, even if I set "Protocol"?
Best Answer
The existing WiX FirewallException custom actions make use of the XP/Server 2003 Windows Firewall API. In this API, setting a firewall exception for a particular executable implies that all ports and all protocols will be opened to the exception.
For reference, the XP/Server 2003 firewall API interfaces. Notice that INetFwOpenPort has the ability to get/set the port, while INetFwAuthorizedApplication does not.
If you want to create a firewall exception on a program and explicitly limit the port, protocol, and domain, you'll need to make use of the Windows 'advanced' firewall API that came with Vista. Check out these references: High-level overview
Reference guide
Command-line reference guide
Sadly, nobody has yet implemented an AdvancedFirewallException extension for WiX that makes use of these updated APIs. Maybe I'll run a Kickstarter campaign to see if there is interest in funding the development ;P
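As an added example (not code from the question, the answer, or the WiX project), here is one way to get the four per-profile, per-protocol rules the question expects from a WiX 3 installer using the Vista-era advanced firewall API: each rule is created by a deferred custom action that runs netsh advfirewall, and a matching delete runs on uninstall. The product name, GUID, component and file Ids, and the install path are placeholders; [#view.exe] is the standard MSI formatted-string reference that resolves to the installed path of the file with Id view.exe, and [SystemFolder] resolves to the system directory that contains netsh.exe.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the question or answer. All Ids, the GUID and
     the install layout are constructed placeholders. -->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" Name="View" Language="1033" Version="1.0.0.0"
           Manufacturer="Example Co"
           UpgradeCode="12345678-1234-1234-1234-123456789ABC">
    <Package InstallerVersion="200" Compressed="yes" InstallScope="perMachine" />
    <MediaTemplate EmbedCab="yes" />

    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLFOLDER" Name="View" />
      </Directory>
    </Directory>

    <DirectoryRef Id="INSTALLFOLDER">
      <Component Id="View.exe" Guid="*">
        <File Id="view.exe" Name="view.exe" KeyPath="yes"
              Source="$(var.INSTALLSOURCE)\view.exe" />
      </Component>
    </DirectoryRef>

    <Feature Id="Main" Level="1">
      <ComponentRef Id="View.exe" />
    </Feature>

    <!-- One rule per (profile, protocol) pair, scoped to the installed program.
         Execute="deferred" plus Impersonate="no" runs netsh as LocalSystem,
         which is required to modify the firewall. Return="ignore" mirrors the
         question's IgnoreFailure="yes": a failed rule does not roll back the install. -->
    <CustomAction Id="FwAddDomainTcp" Directory="INSTALLFOLDER"
                  Execute="deferred" Impersonate="no" Return="ignore"
                  ExeCommand='"[SystemFolder]netsh.exe" advfirewall firewall add rule name="View" dir=in action=allow program="[#view.exe]" protocol=TCP profile=domain enable=yes' />
    <CustomAction Id="FwAddDomainUdp" Directory="INSTALLFOLDER"
                  Execute="deferred" Impersonate="no" Return="ignore"
                  ExeCommand='"[SystemFolder]netsh.exe" advfirewall firewall add rule name="View" dir=in action=allow program="[#view.exe]" protocol=UDP profile=domain enable=yes' />
    <CustomAction Id="FwAddPrivateTcp" Directory="INSTALLFOLDER"
                  Execute="deferred" Impersonate="no" Return="ignore"
                  ExeCommand='"[SystemFolder]netsh.exe" advfirewall firewall add rule name="View" dir=in action=allow program="[#view.exe]" protocol=TCP profile=private enable=yes' />
    <CustomAction Id="FwAddPrivateUdp" Directory="INSTALLFOLDER"
                  Execute="deferred" Impersonate="no" Return="ignore"
                  ExeCommand='"[SystemFolder]netsh.exe" advfirewall firewall add rule name="View" dir=in action=allow program="[#view.exe]" protocol=UDP profile=private enable=yes' />

    <!-- Remove every "View" rule bound to this program on uninstall so no
         allow rule outlives the executable it was created for. -->
    <CustomAction Id="FwDeleteRules" Directory="INSTALLFOLDER"
                  Execute="deferred" Impersonate="no" Return="ignore"
                  ExeCommand='"[SystemFolder]netsh.exe" advfirewall firewall delete rule name="View" program="[#view.exe]"' />

    <InstallExecuteSequence>
      <!-- Add rules only on a fresh install, after the file is on disk. -->
      <Custom Action="FwAddDomainTcp" After="InstallFiles">NOT Installed</Custom>
      <Custom Action="FwAddDomainUdp" After="FwAddDomainTcp">NOT Installed</Custom>
      <Custom Action="FwAddPrivateTcp" After="FwAddDomainUdp">NOT Installed</Custom>
      <Custom Action="FwAddPrivateUdp" After="FwAddPrivateTcp">NOT Installed</Custom>
      <!-- Delete rules on full uninstall; must sit between InstallInitialize and InstallFinalize. -->
      <Custom Action="FwDeleteRules" After="InstallInitialize">REMOVE~="ALL"</Custom>
    </InstallExecuteSequence>
  </Product>
</Wix>
```

Because netsh advfirewall writes the rule with an explicit program, protocol and profile, the resulting entries match the four rows of the expected table rather than collapsing into a single "Any" rule; the rules stay scoped to view.exe, and the delete action keeps the firewall configuration from drifting after the product is removed. A 32-bit installer on 64-bit Windows resolves [SystemFolder] to SysWOW64, whose netsh.exe manages the same firewall, so the commands behave the same on either architecture.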