Yesterday, I showed you how to block IP addresses in Windows Firewall using PowerShell. This comes in handy when blocking IP addresses that are brute-force attacking your servers. In this short post I'll show you how to bulk add IP addresses in Windows Firewall, list an IP address and how to remove all IP addresses from Windows Defender Firewall with Advanced Security.

For this post, I assume you have the same firewall data available as in my previous post Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell. Read that article first if you're unsure. Let's assume you have not yet created your firewall rule "IP Block SQL Server", but you have your unique_ips.txt input file ready.

The cmdlets I'll be using are: Get-NetFirewallRule, New-NetFirewallRule, Set-NetFirewallRule, Get-NetFirewallAddressFilter, Remove-NetFirewallRule and Disable-NetFirewallRule.

Add IP addresses to Windows Firewall in bulk

The Set-NetFirewallRule and New-NetFirewallAddressFilter cmdlets both accept an array as input for the RemoteAddress attribute. That's great, because it means you can add a lot of IPs to your firewall in bulk:

# How to Bulk Add IP Addresses in Windows Firewall:
$ruleName = "IP Block SQL Server"

# Check for the existence of the firewall rule
if (!(Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
	# if the rule does not exist, create it and keep it disabled until it holds addresses
	New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -Enabled False | Out-Null
}

# Start from the IP addresses already in the rule (if any), so a re-run keeps them.
# A rule without addresses reports "Any" as its remote address; that must not end up in the list.
$ips = @((Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter).RemoteAddress | Where-Object { $_ -ne "Any" })

foreach ($ip in Get-Content .\unique_ips.txt) {
	$ip = $ip.Trim()
	if ($ip -eq "") { continue }
	# compare the IP address with those already in the PowerShell array $ips
	if ($ips -contains $ip) {
		# debug:
		# Write-Host "IP ${ip} already blocked"
		continue
	}
	# IP address not found in the firewall rule, add it to the array
	$ips += $ip
}

# Add IP addresses from the array to your firewall rule. Skip an empty array: it cannot block
# anything, and a block rule whose remote address falls back to "Any" drops all inbound traffic once enabled.
if ($ips.Count -ge 1) {
	Set-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -RemoteAddress $ips
}

# Does the firewall rule contain one IP address or more? Then make sure it is enabled
$blocked = @((Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter).RemoteAddress | Where-Object { $_ -ne "Any" })
if ($blocked.Count -ge 1) {
	# debug:
	# Write-Host "Found at least one IP address, enable the rule"
	if ((Get-NetFirewallRule -DisplayName $ruleName).Enabled -eq "False") {
		# debug:
		# Write-Host "Firewall rule is disabled, enable it now"
		Set-NetFirewallRule -DisplayName $ruleName -Enabled True
	}
}
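The same bulk-add procedure wrapped in a reusable function, as an added example that is not code from the original post. It goes a step further than the script above: every line of the input file is validated with [System.Net.IPAddress]::TryParse so that stray log fragments never land in the rule, addresses already in the rule are preserved, an empty list is never written back, and -WhatIf lets you preview the change. The function name Update-BlockedIpRule and the parameter names are my own choice.

```powershell
# Added example: merge a file of addresses into the block rule safely.
function Update-BlockedIpRule {
	[CmdletBinding(SupportsShouldProcess)]
	param(
		[Parameter(Mandatory)] [string] $Path,
		[string] $RuleName = "IP Block SQL Server"
	)

	$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
	if (-not $rule) {
		# create the rule disabled; it is enabled only once it actually carries addresses
		$rule = New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block -Enabled False
	}

	# addresses already in the rule, minus the "Any" placeholder an empty rule reports
	$current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress | Where-Object { $_ -ne "Any" })

	$parsed = $null
	$new = @()
	foreach ($line in Get-Content -Path $Path) {
		$candidate = $line.Trim()
		if ($candidate -eq "") { continue }
		# reject anything that is not an IPv4 or IPv6 address (junk lines from log parsing)
		if (-not [System.Net.IPAddress]::TryParse($candidate, [ref] $parsed)) {
			Write-Warning "Skipping '$candidate': not a valid IP address"
			continue
		}
		# canonical spelling, so the same address is not added twice in two notations
		$normalized = $parsed.ToString()
		if ($current -contains $normalized -or $new -contains $normalized) { continue }
		$new += $normalized
	}

	if ($new.Count -eq 0) {
		Write-Verbose "No new addresses; rule '$RuleName' left unchanged"
		return
	}

	# write the merged list back; never an empty array, which would fall back to "Any"
	$merged = $current + $new
	if ($PSCmdlet.ShouldProcess($RuleName, "Block $($new.Count) new address(es), $($merged.Count) total")) {
		Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
		if ($rule.Enabled -eq "False") { Set-NetFirewallRule -DisplayName $RuleName -Enabled True }
	}
}

# Usage (preview first, then apply):
Update-BlockedIpRule -Path .\unique_ips.txt -Verbose -WhatIf
Update-BlockedIpRule -Path .\unique_ips.txt -Verbose
```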

Add one (1) IP address in Windows Firewall

Here is how you can add one (1) IP address to block in Windows Firewall. This involves adding that one IP address to the array of currently blocked IPs and writing the array back. A rule that holds no addresses yet reports "Any", which must be filtered out first.

$ip = "233.252.0.12"
$all_ips = @((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress | Where-Object { $_ -ne "Any" })
if ($all_ips -notcontains $ip) {
	$all_ips += $ip
	Set-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -RemoteAddress $all_ips
}

Look up an IP address

Looking up an IP address in your firewall using PowerShell is quite easy:

# Lookup an IP address:
$ip = "233.252.0.12"
if ((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress -eq $ip) {
	Write-Host "${ip} is blocked"
}

You may even use an array of IP addresses to look up:

$ips = @("233.252.0.12","233.252.0.15")
foreach ($ip in $ips) {
	if ((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress -eq $ip) {
		Write-Host "${ip} is blocked"
	}
}

List active firewall rules

Use the following to neatly display active firewall rules. Adjust to your needs.

Get-NetFirewallRule -Enabled True -Direction Inbound | 
Format-Table -Property DisplayName,Action,
@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction

Remove an IP address from your blocklist

Sometimes, or perhaps even often, you need to remove an IP address from your brute-force block list. Removing an IP address from your firewall involves the same steps as adding one; you must manipulate the array of currently blocked IPs. Instead of adding one, you remove one and put the array back. If the removed address was the last one, disable the rule rather than writing an empty list back, because an address filter with no entries falls back to "Any".

$ip = "233.252.0.12"
$all_ips = @((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress)
$filteredAddr = @($all_ips | Where-Object { $_ -ne $ip })
if ($filteredAddr.Count -ge 1) {
	Set-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -RemoteAddress $filteredAddr
}
else {
	# no addresses left: keep the rule, but switch it off
	Disable-NetFirewallRule -DisplayName "IP Block SQL Server"
}

Remove firewall rule completely

If you need to remove the firewall rule completely, use Remove-NetFirewallRule:

Remove-NetFirewallRule -DisplayName "IP Block SQL Server"

Or use Disable-NetFirewallRule -DisplayName "IP Block SQL Server" to disable this rule.
