Questions about add firewall exception in wix installer by firewall extension

exceptionfirewallinstallationwindows 7wix

I am new to Wix installer. I am trying to add firewall exception for my program.

My code is as follow:

<Component Id="_VIEW.EXE" Guid="*" Transitive="yes">
     <File Id="view.exe"
           Name="view.exe"
           KeyPath="yes"
           Source="$(var.INSTALLSOURCE)\view.exe">
       <fire:FirewallException Id="view_firewall_domain_tcp"
                               Name="View"
                               Protocol="tcp"
                               Scope="any"
                               IgnoreFailure="yes"
                               Profile="domain" />
       <fire:FirewallException Id="view_firewall_domain_udp"
                               Name="View"
                               Protocol="udp"
                               Scope="any"
                               IgnoreFailure="yes"
                               Profile="domain" />
       <fire:FirewallException Id="view_firewall_private_tcp"
                               Name="View"
                               Protocol="tcp"
                               Scope="any"
                               IgnoreFailure="yes"
                               Profile="private" />
       <fire:FirewallException Id="view_firewall_private_udp"
                               Name="View"
                               Protocol="udp"
                               Scope="any"
                               IgnoreFailure="yes"
                               Profile="private" />
     </File>
  </Component>

In my code, I add 4 firewall exception and each exception has different value for "Profile" and "Protocol" attributes. My expected result is 4 exceptions created:

NAME  GROUP   Profile   Enabled  Action  Override  Program           Local Address   Remote Address   Protocol   Local Port   Remote Port   Allowed Users  Allowed Computers
view          Domain     Yes     Allow    No       c:\test\view.exe    Any               Any            TCP         Any         Any             Any            Any
view          Domain     Yes     Allow    No       c:\test\view.exe    Any               Any            UDP         Any         Any             Any            Any
view          Private    Yes     Allow    No       c:\test\view.exe    Any               Any            TCP         Any         Any             Any            Any
view          Private    Yes     Allow    No       c:\test\view.exe    Any               Any            UDP         Any         Any             Any            Any

But the actual result is only one exception is created and the value of "Protocol" attribute is "any" instead of "TCP" or "UDP":

NAME  GROUP   Profile   Enabled  Action  Override  Program           Local Address   Remote Address   Protocol   Local Port   Remote Port   Allowed Users  Allowed Computers
view          Domain     Yes     Allow    No       c:\test\view.exe    Any               Any            Any         Any         Any             Any            Any

So, I have two questions:

  1. Why is only one exception created? Must the name of the exception be unique?
  2. Why does the value of the "Protocol" attribute not take effect?

I refer an official document about firewall extension:
http://wixtoolset.org/documentation/manual/v3/xsd/firewall/firewallexception.html
In the document, I saw some description about "File" attribute:

Identifier of a file to be granted access to all incoming ports and protocols. If you use File, you cannot also use Program.
If you use File and also Port or Protocol in the same FirewallException element, the exception will fail to install on Windows XP and Windows Server 2003. IgnoreFailure="yes" can be used to ignore the resulting failure, but the exception will not be added.

Does it mean that if I set firewall rule for a program, the "Protocol" and "Port" attributes will be "Any" automatically even I set "Protocol"?

Best Answer

The existing wix FirewallException custom actions make use of the XP/Server2003 windows firewall API. In this API, setting a firewall exception for a particular executable implies that all ports and all protocols will be opened to the exception.

For reference, the XP/Server2003 firewall API interfaces. Notice that INetFwOpenPort has the ability to get/set the port, while INetFwAuthorizedApplication does not.

If you want to create a firewall exception on a program and explicitly limit the port, protocol, and domain you'll need to make use of the windows 'advanced' firewall API that came with Vista. Check out these references: Highlevel overview
Reference guide
Command-line reference guide

Sadly, nobody has yet implemented an AdvancedFirewallException extension for wix that makes use of these updated APIs. Maybe I'll run a kickstarter campaign to see if there interest in funding the development ;P

Related Topic