The scope of firewall rules is also affected. This also occurs if the rule already exists before the MSI package was installed. The WiX firewall extension does not work properly during modifications/repairs and is also likely to crash in some upgrade scenarios. The port and protocol are not updated when new values are passed to the custom action. Essentially, I have the problem described here: #5675. For example, if the only change in a firewall exception is the port, it will not be updated during the modification or repair. The old port remains open on the system. If you want to create a firewall exception for a program and explicitly restrict the port, protocol, and domain, you must use the extended Windows Firewall API provided with Vista. See these references: General Overview Reference Command Line Reference Guide Under the current implementation, when I perform a clean installation with MY_PORT=443, I get a firewall rule called “MyRule” for tcp/443. Then, when I run the repair with MY_PORT=5000, the component says it will be installed with the new port value, but the firewall rule is not changed. Port 443 remains open, 5000 is blocked.
So it seems that there is a general problem with MSI packages that override existing rules. I don't know if this is an issue with WiX or with the implementation in Windows. Does this mean that when I set a firewall rule for a program, the “Protocol” and “Port” attributes are automatically “Any” even though I set “Protocol”? WixFirewallExtension is a new WiX extension that allows you to configure Windows Firewall from your program's installer. Windows has had a built-in firewall since the release of Windows XP in 2001, although it was XP Service Pack 2 that introduced a firewall with sufficient performance for most users. (It is useful that in SP2, the firewall is enabled by default. The same is true for Windows Vista, Server 2003 SP1, and Server 2008.) A more complicated case is when there are multiple rules with the same name, which is at least allowed with the netsh advfirewall command-line tool (if I copy and paste the same “add rule” command twice, I have two rules with the same name). I don't know if or how these rules are uniquely identified by the INetFw API and what that means for WixFirewallExtension behavior. The underlying problem is that the firewall API only looks for the rule name. I understand that there are probably concerns about backward compatibility with what I am asking for here. If I understand the code correctly, it seems that nothing installs when there is a collision of names, even on a new installation. For reference, the XP/Server 2003 firewall APIs.
Note that INetFwOpenPort can get/set the port, unlike INetFwAuthorizedApplication. Hi, I use wix v 18.104.22.1688. But this problem still exists. Can anyone please update me on how to do this if I want the installer to add a new firewall rule and remove the last one in case of upgrade/update? Existing WiX FirewallException custom actions use the Windows XP/Server 2003 Firewall API. In this API, defining a firewall exception for a specific executable means opening all ports and protocols in the exception. I'm trying to write a WiX script that uses the firewall extension for WiX, and it doesn't seem to find the extension DLL (I think). I refer to an official document on firewall extension: wixtoolset.org/documentation/manual/v3/xsd/firewall/firewallexception.html In the document, I saw a description of the “File” attribute: The firewall extension is part of the work I do to convert ACES Studio products from our old scripted installer into a declarative installer built with WiX. The studio's management was happy to contribute to the work of the WiX community. For example: Someone manually creates a “Rule A” firewall rule with remote scope/address 127.0.0.2 and installs an MSI package that must also create a “Rule A” firewall rule, but with remote scope/address 127.0.0.1.
Then, the rule retains 127.0.0.2. If you rename the existing rule to “Rule B” and start a repair installation of the MSI package, there are 2 rules: Rule B – 127.0.0.2; Rule A – 127.0.0.1. Outbound connections (from the local computer to a server) are not blocked. (In fact, the firewall on XP SP2 and Server 2003 SP1 does not support blocking outbound connections. This feature was added to the firewall in Vista and Server 2008.) Inbound connections are blocked unless the firewall is configured to allow them. If your program is a server, it must be added to the firewall exception list, otherwise it will not receive connections from another computer. There is also a Program attribute that allows you to specify a formatted string that identifies the program that should receive the firewall exception. This is useful if you want to specify an exception for a program installed by another package. RemoteAddress is a direct connection that supports remote addresses through the firewall API. In my code, I add 4 firewall exceptions and each exception has a different value for the Profiles and Protocol attributes.
My expected result is 4 exceptions created: Both types of exceptions also support the IgnoreFailure attribute to indicate whether to ignore firewall configuration errors or cancel the installation. You can configure the program's firewall exceptions by using the FirewallException element. To configure an application exception, nest the FirewallException element under the program's File element or under a Component element and specify the program's file ID in the File attribute: I'm new to the WiX installer. I'm trying to add a firewall exception for my program. From now on, when I install the product, the previously installed versions have been removed. The ID of a file to which access to all incoming ports and protocols is to be granted. If you use File, you cannot also use Program. If you use File and also Port or Protocol in the same FirewallException element, the exception cannot be installed on Windows XP and Windows Server 2003. IgnoreFailure="yes" can be used to ignore the resulting error, but the exception is not added.
Should he do it? I think it's the job of the MSI author to implement a Remember Me property type pattern. I don't expect other Windows Installer tables to automatically remember properties. Expected: The port is updated to match the number specified when the action is performed. In fact, the old port and protocol settings remain installed. Verify that C:\Program Files (x86)\Windows Installer XML v3.5\bin\WixFirewallExtension.dll is a valid .dll or .ocx file, and then try again. You must add the WixFirewallExtension.dll reference in your WiX project to resolve the issue. Unfortunately, no one has yet implemented an AdvancedFirewallException extension for WiX that uses these updated APIs. Maybe I'll launch a Kickstarter campaign to see if there's any point in funding development. When I try to save the WixFirewallExtension.dll file with regsvr32, I get this error: As you can see in the code, the current behavior is intentional.