Reputation: 91
I need to deny access to about 50,000 IP addresses in Windows Firewall; netsh advfirewall
only allows me to add about 700. How can this be implemented?
Upvotes: 5
Views: 2903
Reputation: 19
Windows Firewall currently allows up to 1000 addresses per rule. Using WindowsFirewallHelper (https://github.com/falahati/WindowsFirewallHelper) in a .Net app makes this easier to do.
Upvotes: -1
Reputation: 36
Powershell does not have the same 8000 character restriction. If you use Server 2022/Windows 11 you can add 10000 addresses in one rule; older OSes have a limit of 1000 addresses.
New-NetFirewallRule -DisplayName "Blocked IP address" -Direction Inbound -Action Block -RemoteAddress 101.100.146.147,101.53.147.11...
Upvotes: 0
Reputation: 365
I had a similar issue to this. At first, via commandline, I was limited to just 346 IP addresses (in the specific list I had here). And that was:
netsh advfirewall firewall set rule name="My Rule" remoteip=<growing_list_of_IPs>
To this point, the list of IPs read like x.x.x.x/32,y.y.y.y/32,z.z.z.z/32, 346 times. Over that, the command silently failed, adding no IP address.
The next step was to "scriptize" this, using a netsh script. I thus created a text file (netsh-script.txt) containing:
advfirewall firewall set rule name="My Rule" remoteip=<growing_list_of_IPs>
Then run it:
netsh exec netsh-script.txt
To my surprise, I could only grow the list up to 462 IPs. The dear script started to break the line and say
The following command was not found: /32,x.x.x.x/32,y.y.y.y/32.
These were the last two IPs plus part of the 462nd IP that went in (just because it cut -right- by its /32 part). Very unreliable!..
Now, I could just remove the /32 piece of each IP (which is added by the firewall when we list the rule from netsh), but that would just give me so many more IP addresses. I had to move on.
C# was not really a choice as I wanted to avoid compiled code, and further runtime install/maintenance. The choice was then to envelop the logic to the simplest powershell script I could.
Then the following netsh-update.ps1 script came to life:
Set-NetFirewallRule -DisplayName "HTTP/HTTPS Filter" -RemoteAddress (
"x.x.x.x/32", "y.y.y.y/32", ..., "z.z.z.z/32"
)
...and then from my script I can dynamically "generate" this powershell script and call it with:
powershell netsh-update.ps1
I have yet to see how much I will be able to grow this list, but it at least seems promising!..
In the end, I needed to transform the result I get from netsh from:
x.x.x.x/32,y.y.y.y/32,...,z.z.z.z/32
into
( "x.x.x.x/32", "y.y.y.y/32", ..., "z.z.z.z/32" )
Dump that to the temporary script, run, and I could make my growing list of filtered IPs!
Upvotes: 0
Reputation: 145
Unfortunately, due to the limitation of the console, the netsh advfirewall command can only do around 8192 characters per line (approx. 550-1k IPs per rule).
To add an unlimited number of IP blocks using this method, you have to break up the comma separated IP list into chunks of no more than 8k characters or add them as individual IP blocks (which is possibly undesirable, since it'll flood-list your Firewall Rules!)
I've done this in TCL, but if someone knows how to split a txt file into DOS variable chunks of no more than 8k characters, or add IPs to a variable of no more than 8k characters long - post here too :)
Here is the TCL coding... comma separated IP list found in file: comma_seperated_iplist.txt
set readfile [open "comma_seperated_iplist.txt" r]; # Open the comma separated IP list file
set ip_list [string trim [read $readfile]]; # read the whole file into 1 variable (trim the trailing newline)
close $readfile; # close the file, no longer needed
catch {exec netsh advfirewall firewall delete rule name=IPBlocks}; # remove any old entries
if {[string length $ip_list] < 8000} {
    # if under 8000 characters, just add them directly to 1 firewall entry
    catch {exec netsh advfirewall firewall add rule name="IPBlocks" protocol=any dir=in action=block remoteip=$ip_list}
} else {
    # if over 8000 characters, break up into chunks of at most 8000 characters and add each as a firewall rule
    set startpos 0; # set the search starting position (beginning)
    set total [string length $ip_list]
    while {$startpos < $total} {
        if {$startpos + 8000 >= $total} {
            # the remainder fits in one chunk: take everything up to the end of the list
            set endpos [expr {$total - 1}]
        } else {
            # cut the chunk at the last comma within the next 8000 characters; endpos excludes that comma
            set compare_ip_range [string range $ip_list 0 [expr {$startpos + 8000}]]
            set endpos [expr {[string last "," $compare_ip_range] - 1}]
            if {$endpos < $startpos} { break }; # no comma to split on: stop rather than loop forever
        }
        # get the actual text range/chunk from the start position to the end position of the whole list
        set add_ip_range [string range $ip_list $startpos $endpos]
        # ensure the IP range (chunk) has something in it first
        if {$add_ip_range != ""} {
            # add the range of IPs (chunk) to a Windows Firewall Rule, reporting failures instead of hiding them
            if {[catch {exec netsh advfirewall firewall add rule name="IPBlocks" protocol=any dir=in action=block remoteip=$add_ip_range} err]} {
                puts stderr "netsh failed for chunk starting at $startpos: $err"
            }
        }
        set startpos [expr {$endpos + 2}]; # +2 skips over the comma that was dropped from endpos
    }
}
Upvotes: 0
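The same chunking the netsh and TCL answers work around, done with the New-NetFirewallRule cmdlet the PowerShell answer uses: one rule per chunk of addresses, so no single rule exceeds the per-rule cap and no netsh command line is built at all. This is an added example, not code from any of the answers above; it assumes a file with one address or CIDR per line (a constructed sample is written if none exists) and the 1000-addresses-per-rule cap quoted above (raise $ChunkSize on Server 2022/Windows 11).

```powershell
#Requires -RunAsAdministrator
# Added example (not from any answer above): load a large block-list, validate and
# de-duplicate it, then create one inbound block rule per chunk of $ChunkSize addresses.
param(
    [string]$ListPath   = "$env:TEMP\blocklist.txt",   # one address or CIDR per line (assumed layout)
    [string]$RulePrefix = 'Blocklist',                  # rules become "Blocklist 001", "Blocklist 002", ...
    [int]$ChunkSize     = 1000                          # per-rule address cap quoted in the answers above
)

# Constructed sample input from the 198.18.0.0/15 benchmarking range (2,500 entries),
# written only when no list exists, so the script runs as-is.
if (-not (Test-Path $ListPath)) {
    $sample = foreach ($x in 0..9) { foreach ($y in 0..249) { "198.18.$x.$y" } }
    Set-Content -Path $ListPath -Value $sample
}

# Load the file, skipping blanks and '#' comments, rejecting anything whose address part
# does not parse, and dropping duplicates (a HashSet keeps this linear for 50,000 lines).
$entries = [System.Collections.Generic.List[string]]::new()
$seen    = [System.Collections.Generic.HashSet[string]]::new()
foreach ($line in Get-Content -Path $ListPath) {
    $v = $line.Trim()
    if ($v -eq '' -or $v.StartsWith('#')) { continue }
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse(($v -split '/')[0], [ref]$parsed)) {
        Write-Warning "Skipping unparsable entry: $v"
        continue
    }
    if ($seen.Add($v)) { $entries.Add($v) }
}

# Replace the previous generation of these rules instead of piling new copies on top.
Get-NetFirewallRule -DisplayName "$RulePrefix *" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Create one rule per chunk. -RemoteAddress takes an array, so the ~8 KB netsh
# command-line limit discussed above never comes into play.
$rules = 0
for ($i = 0; $i -lt $entries.Count; $i += $ChunkSize) {
    $count = [Math]::Min($ChunkSize, $entries.Count - $i)
    $chunk = $entries.GetRange($i, $count).ToArray()
    $rules++
    $name = '{0} {1:D3}' -f $RulePrefix, $rules
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block -RemoteAddress $chunk | Out-Null
}
Write-Host ("Created {0} rule(s) covering {1} addresses." -f $rules, $entries.Count)
```

Only the address part of each entry is validated; a malformed prefix length is left for New-NetFirewallRule to reject, which it does per rule rather than silently as netsh did in the answers above.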
Reputation: 1489
Looks like you could use a c# app to programmatically add the rules to the windows firewall. You'll need to add a reference to FirewallAPI.dll, which is located in c:\windows\system32
Do something like this:
using NetFwTypeLib; // Located in FirewallAPI.dll
...
INetFwRule firewallRule = (INetFwRule)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FWRule"));
firewallRule.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK;
firewallRule.Description = "Block this!";
firewallRule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN;
firewallRule.Enabled = true;
firewallRule.InterfaceTypes = "All";
firewallRule.RemoteAddresses = "x.x.x.x"; // or x.x.x.x,x.x.x.x,... See Note 1
firewallRule.Name = "Block IP x.x.x.x";
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
firewallPolicy.Rules.Add(firewallRule);
Note 1: You can either try making 50,000 separate rules (this code adds 1 rule) or add 50,000 remote IPs to 1 rule.
This is for inbound blocking, if you want outbound blocking as well change the direction.
Refs: Adapted from Any way to turn the "internet off" in windows using c#? and https://msdn.microsoft.com/en-us/library/aa366458(VS.85).aspx
Upvotes: 0