
How to add, list and remove IP addresses in Windows Firewall

Yesterday, I showed you how to block IP addresses in Windows Firewall using PowerShell. This comes in handy when blocking IP addresses that are brute-force attacking your servers. In this short post I’ll show you how to bulk add IP addresses to a Windows Firewall rule, look up whether an IP address is already blocked, remove a single IP address from the rule, and remove the rule altogether from Windows Defender Firewall with Advanced Security.

For this post, I assume to have the same firewall data available as in my previous post Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell. Read that article first if you’re unsure. Let’s assume you have not yet created your firewall rule “IP Block SQL Server”, but you have your unique_ips.txt input file ready.

Add IP addresses to Windows Firewall in bulk

The Set-NetFirewallRule and New-NetFirewallAddressFilter cmdlets both accept an array as input for the RemoteAddress parameter. That’s great, because now you can add a lot of IPs in bulk to your firewall rule. One thing to keep in mind: RemoteAddress replaces the rule’s address list, it does not append to it. So always read the current list first, merge the new addresses into it, and write the complete list back. Note also that a rule without any addresses reports RemoteAddress as the keyword Any, which is not an address and must be left out when you build the list.

```powershell
# How to Bulk Add IP Addresses in Windows Firewall:
$ruleName = "IP Block SQL Server"

# Check for the existence of the firewall rule
if (!(Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # if the rule does not exist, create it silently and keep it disabled
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -Enabled False | Out-Null
}

# Start from the addresses already in the rule (if any). -RemoteAddress replaces the
# whole list, so starting from an empty array would drop previously blocked IPs.
# A rule without addresses reports "Any", which is a keyword, not an address.
$ips = @((Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter).RemoteAddress |
    Where-Object { $_ -ne "Any" })

foreach ($ip in Get-Content .\unique_ips.txt) {
    $ip = $ip.Trim()
    if ([string]::IsNullOrWhiteSpace($ip)) { continue }

    # compare the IP address with those already collected in the PowerShell array $ips
    if ($ips -contains $ip) {
        # debug:
        # Write-Host "IP ${ip} already blocked"
        continue
    }
    # IP address not found, add it to the array
    $ips += $ip
}

# Does the array contain one IP address or more? Never write an empty list.
if ($ips.Count -ge 1) {
    # Write the complete list of IP addresses back to your firewall rule
    Set-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -RemoteAddress $ips

    if ((Get-NetFirewallRule -DisplayName $ruleName).Enabled -eq "False") {
        # debug:
        # Write-Host "Firewall rule is disabled, enable it now"
        Set-NetFirewallRule -DisplayName $ruleName -Enabled True
    }
}
```

Add one (1) IP address in Windows Firewall

Here is how you can add one (1) IP address to your firewall rule. Because RemoteAddress replaces the whole list, you read the array of currently blocked IPs, append the new address to it, and write the array back.

```powershell
$ruleName = "IP Block SQL Server"
$ip = "233.252.0.12"

# Read the current list; drop the "Any" keyword a rule without addresses reports
$all_ips = @((Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter).RemoteAddress |
    Where-Object { $_ -ne "Any" })

# Only write the list back when the address is not in it yet
if ($all_ips -notcontains $ip) {
    $all_ips += $ip
    Set-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -RemoteAddress $all_ips
}
```

Look up an IP address

Looking up an IP address in your firewall rule using PowerShell is quite easy: read the RemoteAddress list of the rule and check whether it contains the address.

```powershell
# Lookup an IP address:
$ip = "233.252.0.12"
$blocked = (Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress
if ($blocked -contains $ip) {
    Write-Host "${ip} is blocked"
}
```

You may even use an array of IP addresses to look up:

```powershell
$ips = @("233.252.0.12", "233.252.0.15")
# Read the rule's address list once, then check every address against it
$blocked = (Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress
foreach ($ip in $ips) {
    if ($blocked -contains $ip) {
        Write-Host "${ip} is blocked"
    }
}
```

List active firewall rules

Use the following to neatly display the enabled inbound firewall rules together with their protocol, ports and remote addresses. Adjust to your needs.

```powershell
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Format-Table -Property DisplayName, Action,
        @{Name='Protocol';      Expression={ ($PSItem | Get-NetFirewallPortFilter).Protocol }},
        @{Name='LocalPort';     Expression={ ($PSItem | Get-NetFirewallPortFilter).LocalPort }},
        @{Name='RemotePort';    Expression={ ($PSItem | Get-NetFirewallPortFilter).RemotePort }},
        @{Name='RemoteAddress'; Expression={ ($PSItem | Get-NetFirewallAddressFilter).RemoteAddress }},
        Profile, Direction
```

Remove an IP address from your blocklist

Sometimes, or perhaps even often, you need to remove an IP address from your brute-force block list. Removing an IP address from your firewall rule involves the same steps as adding one: you manipulate the array of currently blocked IPs. Instead of adding one, you filter one out and write the array back. Be careful when you remove the last address: do not write an empty list to a block rule. A block rule whose remote address is Any blocks all inbound traffic, so disable the rule instead.

```powershell
$ruleName = "IP Block SQL Server"
$ip = "233.252.0.12"

$all_ips = (Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter).RemoteAddress
$filteredAddr = @($all_ips | Where-Object { $_ -ne $ip })

if ($filteredAddr.Count -ge 1) {
    Set-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -RemoteAddress $filteredAddr
} else {
    # Last address removed: never write an empty list to a block rule, a rule
    # scoped to "Any" would block all inbound traffic. Disable the rule instead.
    Disable-NetFirewallRule -DisplayName $ruleName
}
```
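The add, look-up and remove steps above share the same three moves (read the list, drop the Any keyword, write the complete list back), so they are easier to get right wrapped in a few functions. The following is an added example and not code from the original post; the rule name is the one used throughout this article, the Test-ValidIP helper is my own addition (it accepts plain IPv4/IPv6 addresses and CIDR prefixes, not the x-y range syntax the firewall also understands), and the addresses in the usage notes are documentation addresses from 233.252.0.0/24.

```powershell
# Added example: helper functions around the "IP Block SQL Server" rule.
# Run in an elevated PowerShell session; dot-source the file to load the functions.
$script:BlockRuleName = "IP Block SQL Server"

function Get-BlockedIP {
    # Return the real addresses in the rule. "Any" is a keyword, not an address,
    # and a rule without addresses reports it, so it is filtered out.
    param([string]$RuleName = $script:BlockRuleName)
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) { return @() }
    return @(($rule | Get-NetFirewallAddressFilter).RemoteAddress | Where-Object { $_ -ne "Any" })
}

function Test-ValidIP {
    # Accept an IPv4/IPv6 address or a CIDR prefix (e.g. 203.0.113.0/24). Assumed helper.
    param([string]$Address)
    $parts = $Address -split "/", 2
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$parsed)) { return $false }
    if ($parts.Count -eq 2) {
        $max = if ($parsed.AddressFamily -eq "InterNetworkV6") { 128 } else { 32 }
        return ($parts[1] -match '^\d+$') -and ([int]$parts[1] -le $max)
    }
    return $true
}

function Set-BlockedIP {
    # Write the full list back: -RemoteAddress replaces, it does not append.
    # An empty list is never written; the rule is disabled instead, because a
    # block rule scoped to "Any" would block all inbound traffic.
    param([string[]]$Addresses, [string]$RuleName = $script:BlockRuleName)
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block -Enabled False | Out-Null
    }
    if ($Addresses.Count -eq 0) {
        Disable-NetFirewallRule -DisplayName $RuleName
        return
    }
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Addresses -Enabled True
}

function Add-BlockedIP {
    # Merge new addresses into the rule; skips blanks, invalid lines and duplicates.
    # Returns the number of addresses actually added.
    param([string[]]$Address, [string]$RuleName = $script:BlockRuleName)
    $current = @(Get-BlockedIP -RuleName $RuleName)
    $added = 0
    foreach ($a in $Address) {
        $a = $a.Trim()
        if ([string]::IsNullOrWhiteSpace($a)) { continue }
        if (-not (Test-ValidIP $a)) { Write-Warning "Skipping invalid address '$a'"; continue }
        if ($current -contains $a) { continue }
        $current += $a
        $added++
    }
    if ($added -gt 0) { Set-BlockedIP -Addresses $current -RuleName $RuleName }
    return $added
}

function Remove-BlockedIP {
    # Drop addresses from the rule; returns the number removed.
    param([string[]]$Address, [string]$RuleName = $script:BlockRuleName)
    $current = @(Get-BlockedIP -RuleName $RuleName)
    $remaining = @($current | Where-Object { $Address -notcontains $_ })
    if ($remaining.Count -ne $current.Count) { Set-BlockedIP -Addresses $remaining -RuleName $RuleName }
    return ($current.Count - $remaining.Count)
}

function Test-BlockedIP {
    param([string]$Address, [string]$RuleName = $script:BlockRuleName)
    return ((@(Get-BlockedIP -RuleName $RuleName)) -contains $Address)
}

# Usage:
# Add-BlockedIP -Address (Get-Content .\unique_ips.txt)   # bulk add from the input file
# Add-BlockedIP -Address "233.252.0.12"                   # add a single address
# Test-BlockedIP -Address "233.252.0.12"                  # True when it is in the rule
# Remove-BlockedIP -Address "233.252.0.12"                # remove; disables the rule when it was the last one
```

Every write goes through Set-BlockedIP, so the two mistakes that bite in ad-hoc scripts (overwriting the list with only the new addresses, and pushing an empty list to a block rule) can only happen in one place.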

Remove firewall rule completely

If you need to remove the firewall rule completely, use Remove-NetfirewallRule:

```powershell
Remove-NetFirewallRule -DisplayName "IP Block SQL Server"
```

Or use `Disable-NetFirewallRule -DisplayName "IP Block SQL Server"` to disable the rule while keeping its address list, so you can enable it again later with `Enable-NetFirewallRule`.
