You are here: Sysadmins of the North » Windows Server » How to add, list and remove IP addresses in Windows Firewall

How to add, list and remove IP addresses in Windows Firewall

Windows Server / By /

Yesterday, I showed you how to block IP addresses in Windows Firewall using PowerShell. This comes in handy when blocking IP addresses that are brute-force attacking your servers. In this short post I’ll show you how to bulk add IP addresses in Windows Firewall, list an IP address and how to remove all IP addresses from Windows Defender Firewall with Advanced Security.

Table of Contents show

For this post, I assume you have the same firewall data available as in my previous post Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell. Read that article first if you’re unsure. Let’s assume you have not yet created your firewall rule “IP Block SQL Server”, but you have your unique_ips.txt input file ready.

The cmdlets I’ll be using are:

Learn how to setup an IIS 10.0 FTP IP Security allow list

Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell

Add IP addresses to Windows Firewall in bulk

The Set-NetFirewallRule and New-NetFirewallAddressFilter cmdlets both accept an array as an input for the RemoteAddress attribute. And that’s great, because now you can add a lot of IP’s in bulk to your firewall:

# How to Bulk Add IP Addresses in Windows Firewall:
$ips = @()
foreach ($ip in Get-Content .\unique_ips.txt) {
	# Check for the existense of the firewall rule
	if(!(Get-NetFirewallRule -DisplayName "IP Block SQL Server" -ErrorAction SilentlyContinue)) {
		# if the rule does not exist, create it silently and keep it disabled
		New-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -Enabled False
	}
	# compare IP addresses in the firewall rule (if any) with those in ann PowerShell array $ip
	if ((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress -eq $ip) {
		# debug:
		# Write-Host "IP ${ip} already blocked"
		continue
	}
	else {
		# IP address not found in the firewall rule, add it to the array
		$ips += $ip
	}
}

# Add IP addresses from the array to your firewall rule
Set-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -RemoteAddress $ips

# Does the firewall rule contain one IP address or more?
if((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress.count -ge 1) {
	# debug:
	# Write-Host "Found more than one IP address, enable the rule"
	if((Get-NetFirewallRule -DisplayName "IP Block SQL Server").Enabled -eq "False") {
		# debug:
		# Write-Host "Firewall rule is disabled, enable it now"
		Set-NetFirewallRule -DisplayName "IP Block SQL Server" -Enabled True
	}
}
Code language: PHP (php)

Add one (1) IP address in Windows Firewall

Here is how you can add one (1) IP address to block in Windows Firewall. This involves having to add that one IP address to an array of currently blocked IP’s.

$ip = "233.252.0.12"
$all_ips = (Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress
$all_ips += $ip
Set-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -RemoteAddress $all_ips
Code language: PHP (php)

Look up an IP address

Looking up an IP address in your firewall -using PowerShell- is quite easy:

# Lookup an IP address:
$ip = "233.252.0.12"
if((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress -eq $ip) {
	write-host "${ip} is blocked"
}
Code language: PHP (php)

You may even use an array of IP addresses to look up:

$ips = @("233.252.0.12","233.252.0.15")
foreach($ip in $ips) {
	if((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress -eq $ip) {
		write-host "${ip} is blocked"
	}
}Code language: PHP (php)

List active firewall rules

Use the following to neatly display active firewall rules. Adjust to your needs.

Get-NetFirewallRule -Enabled True -Direction Inbound | 
Format-Table -Property DisplayName,Action,
@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction
Code language: PHP (php)

Remove an IP address from your blocklist

Sometimes, or perhaps even often, you need to remove an IP address from your brute-force block list. Removing an IP address from your firewall involves the same steps as adding one; you must manipulate the array of currently blocked IP’s. And except of adding one, you remove one and putt the array back.

$ip = "233.252.0.12"
$all_ips = (Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress
$filteredAddr = $all_ips | Where-Object{ $_ -notin $ip }
Set-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -RemoteAddress $filteredAddr
Code language: PHP (php)

Remove firewall rule completely

If you need to remove the firewall rule completely, use Remove-NetfirewallRule:

Remove-NetFirewallRule -DisplayName "IP Block SQL Server"Code language: JavaScript (javascript)

Or use Disable-NetFirewallRule -DisplayName "IP Block SQL Server" to disable this rule.

Show Your Support

donate with Paypal

If you want to step in to help me cover the costs for running this website, that would be awesome. Just use this link to donate a cup of coffee ☕($10 USD or €10 EUR for example). And please share the love and help others make use of this website. Thank you very much! <3 ❤️

Tweet
Share
Share
Pin
0 Shares

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top