How to add, list and remove IP addresses in Windows Firewall

Yesterday, I showed you how to block IP addresses in Windows Firewall using PowerShell. This comes in handy when blocking IP addresses that are brute-force attacking your servers. In this short post I’ll show you how to bulk add IP addresses in Windows Firewall, list an IP address and how to remove all IP addresses from Windows Defender Firewall with Advanced Security.

Table of Contents show

For this post, I assume to have the same firewall data available as in my previous post Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell. Read that article first if you’re unsure. Let’s assume you have not yet created your firewall rule “IP Block SQL Server”, but you have your unique_ips.txt input file ready.

The cmdlets I’ll be using are:

Add IP addresses to Windows Firewall in bulk

The Set-NetFirewallRule and New-NetFirewallAddressFilter cmdlets both accept an array as an input for the RemoteAddress attribute. And that’s great, because now you can add a lot of IP’s in bulk to your firewall:

# How to Bulk Add IP Addresses in Windows Firewall:
$ips = @()
foreach ($ip in Get-Content .\unique_ips.txt) {
	# Check for the existense of the firewall rule
	if(!(Get-NetFirewallRule -DisplayName "IP Block SQL Server" -ErrorAction SilentlyContinue)) {
		# if the rule does not exist, create it silently and keep it disabled
		New-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -Enabled False
	}
	# compare IP addresses in the firewall rule (if any) with those in ann PowerShell array $ip
	if ((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress -eq $ip) {
		# debug:
		# Write-Host "IP ${ip} already blocked"
		continue
	}
	else {
		# IP address not found in the firewall rule, add it to the array
		$ips += $ip
	}
}

# Add IP addresses from the array to your firewall rule
Set-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -RemoteAddress $ips

# Does the firewall rule contain one IP address or more?
if((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress.count -ge 1) {
	# debug:
	# Write-Host "Found more than one IP address, enable the rule"
	if((Get-NetFirewallRule -DisplayName "IP Block SQL Server").Enabled -eq "False") {
		# debug:
		# Write-Host "Firewall rule is disabled, enable it now"
		Set-NetFirewallRule -DisplayName "IP Block SQL Server" -Enabled True
	}
}
Code language: PHP (php)

Add one (1) IP address in Windows Firewall

Here is how you can add one (1) IP address to your firewall. This involves having to add that one IP address to an array of currently blocked IP’s.

$ip = "233.252.0.12"
$all_ips = (Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress
$all_ips += $ip
Set-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -RemoteAddress $all_ips
Code language: PHP (php)

Look up an IP address

Looking up an IP address in your firewall -using PowerShell- is quite easy:

# Lookup an IP address:
$ip = "233.252.0.12"
if((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress -eq $ip) {
	write-host "${ip} is blocked"
}
Code language: PHP (php)

You may even use an array of IP addresses to look up:

$ips = @("233.252.0.12","233.252.0.15")
foreach($ip in $ips) {
	if((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress -eq $ip) {
		write-host "${ip} is blocked"
	}
}Code language: PHP (php)

List active firewall rules

Use the following to neatly display active firewall rules. Adjust to your needs.

Get-NetFirewallRule -Enabled True -Direction Inbound | 
Format-Table -Property DisplayName,Action,
@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction
Code language: PHP (php)

Remove an IP address from your blocklist

Sometimes, or perhaps even often, you need to remove an IP address from your brute-force block list. Removing an IP address from your firewall involves the same steps as adding one; you must manipulate the array of currently blocked IP’s. And except of adding one, you remove one and putt the array back.

$ip = "233.252.0.12"
$all_ips = (Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress
$filteredAddr = $all_ips | Where-Object{ $_ -notin $ip }
Set-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -RemoteAddress $filteredAddr
Code language: PHP (php)

Remove firewall rule completely

If you need to remove the firewall rule completely, use Remove-NetfirewallRule:

Remove-NetFirewallRule -DisplayName "IP Block SQL Server"Code language: JavaScript (javascript)

Or use Disable-NetFirewallRule -DisplayName "IP Block SQL Server" to disable this rule.

Monitor SQL Server and databases in depth using Zabbix Windows Server
How to install Microsoft's SQL Server Driver for PHP Windows Server
Block brute force attacks on SQL Server, block IP addresses… Windows Server
Windows Defender: Turn off routine remediation Windows Server
Simple PowerShell introduction for Windows Server… Windows Server
Convert .htaccess to web.config Windows Server

Share this post

Twitter Facebook LinkedIn Email Reddit

0 0 votes

Article Rating

Name*

Email*

Website

1 Comment

Newest

Oldest Most Voted

Inline Feedbacks

View all comments

Install and setup IIS Manager for Remote Administration in Windows Server IIS - Windows Server - Sysadmins of the North

1 month ago

[…] How to add, list and remove IP addresses in Windows Firewall […]