
I need to deny access to about 50,000 IP addresses in Windows Firewall; netsh advfirewall only allows me to add about 700. How can this be implemented?

reinierpost
  • Couldn't some of those 50000 addresses be consolidated into network ranges? – Mathias R. Jessen Aug 13 '14 at 09:55
  • The problem is that there aren't any. – Александр Калинцев Aug 13 '14 at 09:59
  • Does it have to be through the windows native firewall? Perhaps other firewalls for windows can handle such a number of addresses. – Malt Aug 13 '14 at 10:05
  • By default, in the Windows Firewall window, I can only add a single IP address or range. I'm interested in how this can be done from the console or an API function. – Александр Калинцев Aug 13 '14 at 10:10
  • Future Readers: Consider checking out PowerShell. See [this article](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell), titled "Windows Defender Firewall with Advanced Security Administration with Windows PowerShell" by Microsoft. It provides some introduction, and has references for those familiar with netsh syntax. The command [set-netfirewallrule](https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallrule?view=win10-ps) is especially relevant. – Josh Desmond Aug 28 '19 at 02:32

2 Answers

0

Looks like you could use a C# app to programmatically add the rules to the Windows firewall. You'll need to add a reference to FirewallAPI.dll, which is located in c:\windows\system32.

Do something like this:

using NetFwTypeLib; // Located in FirewallAPI.dll
...
// Create a new rule object through its COM ProgID
INetFwRule firewallRule = (INetFwRule)Activator.CreateInstance(
    Type.GetTypeFromProgID("HNetCfg.FWRule"));
firewallRule.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK;
firewallRule.Description = "Block this!";
firewallRule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN;
firewallRule.Enabled = true;
firewallRule.InterfaceTypes = "All";
firewallRule.RemoteAddresses = "x.x.x.x"; // or "x.x.x.x,x.x.x.x,..." See Note 1
firewallRule.Name = "Block IP x.x.x.x";

// Get the current firewall policy and add the rule to it
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(
    Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
firewallPolicy.Rules.Add(firewallRule);

Note 1: You can either try making 50,000 separate rules (this code adds 1 rule) or add 50,000 remote IPs to 1 rule.

This is for inbound blocking; if you want outbound blocking as well, change the direction.

Refs: Adapted from Any way to turn the "internet off" in windows using c#? and https://msdn.microsoft.com/en-us/library/aa366458(VS.85).aspx

Aaron
  • Windows firewall rules have a 5000 IP scope limit. Found that out the hard way. So he would need at least 10 rules. – Sum None Sep 27 '20 at 15:28
0

Unfortunately, due to the limitation of the console, the netsh advfirewall command can only do around 8192 characters per line (approx. 550-1k IPs per rule).

To add an unlimited number of IP blocks using this method, you have to break up the comma-separated IP list into chunks of no more than 8k characters, or add them as individual IP blocks (which is possibly undesirable, since it'll flood-list your Firewall Rules!).

I've done this in TCL, but if someone knows how to split a txt file into DOS variable chunks of no more than 8k characters, or add IPs to a variable of no more than 8k characters long, post here too :)

Here is the TCL code. The comma-separated IP list is read from the file comma_seperated_iplist.txt:

set readfile [open "comma_seperated_iplist.txt" r]; # Open the comma separated IP list file
set ip_list [string trim [read $readfile]]; # read the whole file into 1 variable (trim the trailing newline)
close $readfile; # close the file, no longer needed

catch {exec netsh advfirewall firewall delete rule name=IPBlocks}; # remove any old entries

if {[string length $ip_list] < 8000} {
    # if under 8000 characters, just add them directly to 1 firewall entry
    catch {exec netsh advfirewall firewall add rule name="IPBlocks" protocol=any dir=in action=block remoteip=$ip_list}

} else {
    # if over 8000 characters, break up into chunks of at most 8000 characters and add each as a firewall rule
    set startpos 0; # set the search starting position (beginning)
    set listlen [string length $ip_list]

    while {$startpos < $listlen} { ;# loop until the whole list has been consumed
        if {$listlen - $startpos <= 8000} {
            # the remainder fits in one rule: take everything up to the end of the list
            set endpos end
        } else {
            # look at the next 8000 characters and cut just before the last comma inside them
            set compare_ip_range [string range $ip_list $startpos [expr {$startpos + 8000}]]
            set endpos [expr {$startpos + [string last "," $compare_ip_range] - 1}]
        }
        # get the actual text range/chunk from the start position to the end position of the whole list
        set add_ip_range [string range $ip_list $startpos $endpos]

        # ensure the IP range (chunk) has something in it first
        if {$add_ip_range != ""} {
            # add the range of IP's (chunk) to a Windows Firewall Rule; report netsh failures instead of hiding them
            if {[catch {exec netsh advfirewall firewall add rule name="IPBlocks" protocol=any dir=in action=block remoteip=$add_ip_range} err]} {
                puts stderr "netsh failed: $err"
            }
        }
        if {$endpos eq "end"} break; # last chunk added, nothing left to do
        set startpos [expr {$endpos + 2}]; # Update new start position for more chunks: +2 characters to skip over the comma at endpos+1
    }
}
jkeys
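The chunking that both answers above need, written as a PowerShell script. This is an added example and not code from either answer; it uses the 5000-address per-rule limit reported in the comment on the first answer and the ~8k-character netsh line limit from the second, reads the list from C:\temp\iplist.txt (a placeholder path), and reuses one shared rule name so a single netsh delete clears a previous run, the way the TCL answer does. It assumes an elevated PowerShell session.

```powershell
# Added example, not part of the original answers.
# Save as Add-IPBlocks.ps1 and run from an elevated PowerShell prompt.
param(
    [string]$ListPath = 'C:\temp\iplist.txt',   # placeholder path to the comma-separated list
    [string]$RuleName = 'IPBlocks',             # shared name: one netsh delete removes every rule carrying it
    [int]$MaxPerRule  = 5000,                   # per-rule address limit reported in the comments above
    [int]$MaxChars    = 8000                    # keep each remoteip= value well under the ~8k netsh line limit
)

# Read the file, split on commas or whitespace, drop blanks and exact duplicates
$ips = (Get-Content -Path $ListPath -Raw) -split '[,\s]+' |
       Where-Object { $_ -ne '' } | Sort-Object -Unique

# Group addresses into chunks; a new chunk starts as soon as either limit would be exceeded
function Split-AddressList {
    param([string[]]$Addresses, [int]$MaxCount, [int]$MaxLength)
    $chunks  = New-Object System.Collections.Generic.List[object]
    $current = New-Object System.Collections.Generic.List[string]
    $length  = 0
    foreach ($ip in $Addresses) {
        $extra = $ip.Length + 1                 # +1 for the comma that joins entries
        if ($current.Count -ge $MaxCount -or ($length + $extra) -gt $MaxLength) {
            $chunks.Add($current.ToArray())
            $current.Clear(); $length = 0
        }
        $current.Add($ip)
        $length += $extra
    }
    if ($current.Count -gt 0) { $chunks.Add($current.ToArray()) }
    return ,$chunks.ToArray()                   # unary comma keeps the array of arrays intact
}

$chunks = Split-AddressList -Addresses $ips -MaxCount $MaxPerRule -MaxLength $MaxChars

# Clear rules from a previous run (prints "No rules match" harmlessly on the first run)
netsh advfirewall firewall delete rule name=$RuleName | Out-Null

$n = 0
foreach ($chunk in $chunks) {
    $n++
    $remote = $chunk -join ','
    netsh advfirewall firewall add rule name=$RuleName protocol=any dir=in action=block remoteip=$remote | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh failed on chunk $n ($($chunk.Count) addresses, $($remote.Length) characters)"
    }
}
Write-Host ("Added {0} rule(s) covering {1} addresses" -f $chunks.Count, $ips.Count)
```

Each chunk is cut on both limits at once, so the same chunks stay valid whether you feed them to netsh as here or pass the array straight to New-NetFirewallRule -RemoteAddress on Windows 8 / Server 2012 and later, where the command-line length limit no longer applies. Afterwards, netsh advfirewall firewall show rule name=IPBlocks lists every rule the script created, which is the quickest way to confirm the address count actually landed.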