How do I disable the firewall on a single interface in Windows 7?

windows-7 windows-firewall netsh

We're using openvpn to provide access back from XP to work. We use AD policies to ensure the XP firewall is up when off the domain and down when on the domain. With openvpn, you end up with a new network interface, and when you're off the domain and vpn back to work, XP goes "domain found but I'm also on a non-domain network, so firewall up".

However, I discovered we could use netsh to disable the firewall entirely on the openvpn interface:

echo firewall set opmode mode = DISABLE interface = "name of openvpn interface" | netsh

This is great: it means when our users are at home/hotels, their firewall is up - but remote access over the vpn works bi-directionally.

And then along came Win7 (let's pretend Vista doesn't exist - not too hard!). Gone is the concept of "domain" and "other", now it's "domain", "home/work" and "public" - and you cannot disable the firewall per interface. It's a lot more complicated than XP and as a side note I'm seeing lots of home users totally disabling Win7 firewalls due to it - grrr!

Anyway, my question is, how can I duplicate the functionality we have under XP? How can I script Win7 to totally disable firewall on the openvpn interface, but carry on as normal on the others? End result I'm after is that we (IS group, AV servers, vuln scanners) can access the box remotely when they're in hotels/at home/etc - just as if they were on the corporate LAN. I need a script as my experience with the GUI implies we'll otherwise need a 10page document of screensnaps for our helpdesk guys!


You can control the firewall on a per-NIC (including virtual NIC) basis, with different settings by profile.

In "Windows Firewall" from the Control panel select properties on the root node of the tree. In each of the profile tab the "Protected Network Connections" button allows you to select which NICs are protected.

So disable the NIC only in the private profile, and validate the network detection picks up public when outside the LAN.


I know it's an old question, but I'll post this for reference. You can use Powershell:

Set-NetFirewallProfile -Name Private -DisabledInterfaceAliases 'Connection Name'

Source


As "Richard" says You can disable the firewall per interface in windows 7 through the GUI it's just rather hidden.

Unfortunately automating that setting on windows 7 is rather harder. Netsh doesn't provide access to that functionality (according to microsoft) and the powershell command that ProGTX suggests seems to be windows 8 only. The only method i've found that works for automating it on windows 7 is to use the COM API http://msdn.microsoft.com/en-us/library/windows/desktop/aa366418%28v=vs.85%29.aspx

Related

Mistakenly configured advanced audit policies; return to basic?
Finding out if an IP address is static or dynamic?
ssh_exchange_identification: Connection closed by remote host
How to use nginx PAM module?
DNSBLs for IPv6
Mac OS X VPN Encryption Defaults
Mount an ISO Image on Windows 2008 Server
FileZilla Server 425 Can't open data connection for transfer of "/"
Insufficient suitable allocatable extents when extending lvm
nginx - Can I configure a global error document?
Power series square root for negative x
generalization of Euler's challenge of finding four integers every pair of which sum to a square