
I have a PowerShell script which adds IP addresses to Windows Firewall using the "netsh advfirewall" command. (As described in this question: How to append netsh firewall rules, not just replace).

The problem is that when adding a lot of IP addresses (currently over 700) the string of IP addresses seems to be 'cut off' at some point. Only some of the IP addresses are actually added to the firewall; the rest are not.

The script is very simple, and looks something like this:

$ip = "123.123.123.123,124.124.124.124,125.125.125.125 and so on"

netsh advfirewall firewall set rule name="*" new remoteip="$ip"

I tried to echo the string to see if it's cut off:

echo $ip

But the complete string is correctly echoed.

Is there some kind of string length limit for the netsh command? Or anything else that could be causing this issue?


Edit

I've done some more research and it appears that the string is not 'cut off'. I've rearranged the IP string in ascending order, and the last IP address of the string was added to the firewall. So I suppose I can conclude that there is not some kind of string limit.

However, random IPs are being omitted. I've written several 'debug' scripts to figure out what is going on; one of those scripts generates a list of IP addresses that are in the IP string (and thus supposed to be in the firewall) but are not present in the firewall. It turns out that it's simply omitting random IP addresses... and I have no clue why...

The IP addresses that are being omitted are perfectly fine IP addresses though (not ranges or anything, just plain normal IP addresses).

Any ideas?

1 Answer

As an alternative method of doing (Since already in PowerShell):

This will give you more information per IP: This is not tested, but should give you better output / formatting and at worst a good head start and theoretically work.

$IPs = @("123.123.123.111", "123.123.123.112", "123.123.123.113") |
    ForEach-Object {
        # "set rule" matches every rule when name="*" and replaces that rule's remote address list
        netsh advfirewall firewall set rule name="*" new remoteip="$_"
        # $? is $true when the previous command (here netsh) exited with status 0
        Write-Host "$_ Added $?"
    }

If it works as expected, it will loop through the initial array of $IPs and attempt the netsh command. $? is the status of the last command run, so on a successful netsh command it should print to the PowerShell window something like 123.123.123.111 Added True or 123.123.123.111 Added False.

  • Sorry for my late response. I executed your script with all IP addresses, and they were all added correctly. Although they replaced each other in the firewall rule (as expected). So it seems the IP addresses are not the problem. There must be some kind of limit somewhere, I just can't figure it out. Perhaps I should ask this on the Microsoft forums instead as this issue is probably too rare.
    – Thomas
    Commented Nov 14, 2013 at 12:41
  • Replaced each other? As in .111 replaced .112? Actually, I may see the problem: Change name="*" to name="$_" in the script. Commented Nov 14, 2013 at 12:44
  • Yes, unfortunately the CLI of Windows Firewall does not allow you to add IP addresses, but rather to replace the IP addresses in an entire rule. So when you execute the 'netsh ...' command, they are not added to the rule, but replaced. Odd, I know. I have no idea why they decided to do this, adding a feature to add IP addresses instead of replacing them probably isn't too hard... but yeah... Microsoft.
    – Thomas
    Commented Nov 14, 2013 at 12:48
  • @Did you see my edit of the last comment? I may have found the problem... Commented Nov 14, 2013 at 12:49
  • Sorry but if you're adding more than 700 IP addresses there probably is something strange going on. This does look like a good opportunity to use subnet notation. In addition there is a limit of 1000 IPs according to this other question.
    – Seth
    Commented Oct 5, 2016 at 11:56
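Since the comments establish that netsh "set rule ... new remoteip=" replaces a rule's remote address list rather than appending to it, the following is an added PowerShell example (not code from the question or the answer above) that merges the new addresses into what the rule already holds, writes the complete set in a single netsh call, and then reads the rule back to report any address that did not end up in it, which is the check the asker was doing by hand. The rule name, the sample addresses, the parsed "RemoteIP:" output format and the 1000-address per-rule cap taken from the comments are all assumptions.

```powershell
# Added example, not code from the question or answer. "set rule ... new remoteip="
# REPLACES the rule's remote list, so the new addresses are merged with the
# current ones and written back in ONE call, then read back for verification.
# Rule name, address list and per-rule cap are constructed placeholders.
$RuleName   = "Block listed hosts"
$NewIPs     = @("123.123.123.111", "123.123.123.112", "123.123.123.112", "bad-ip")
$MaxPerRule = 1000   # limit reported in the comments above; treated as an assumption

function Test-IPv4Address {
    param([string]$Text)
    $parsed = $null
    [System.Net.IPAddress]::TryParse($Text, [ref]$parsed) -and
        $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
}

function Get-RuleRemoteIPs {
    param([string]$Name)
    # Parse the "RemoteIP:" line of "show rule". Single hosts are assumed to be
    # listed with a /32 suffix, which is stripped so they compare as plain addresses.
    foreach ($line in (netsh advfirewall firewall show rule name="$Name")) {
        if ($line -match '^\s*RemoteIP:\s*(.+?)\s*$') {
            if ($Matches[1] -eq 'Any') { return @() }
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim() -replace '/32$', '' })
        }
    }
    return @()
}

$invalid = @($NewIPs | Where-Object { -not (Test-IPv4Address $_) })
if ($invalid) { Write-Warning "Skipping invalid entries: $($invalid -join ', ')" }

# Existing list + validated new entries, deduplicated.
$merged = @(@(Get-RuleRemoteIPs -Name $RuleName) + $NewIPs |
    Where-Object { Test-IPv4Address $_ } | Select-Object -Unique)
if ($merged.Count -gt $MaxPerRule) {
    throw "$($merged.Count) addresses exceed the cap of $MaxPerRule; split into more rules or use CIDR ranges"
}

# One call carrying the whole list; $LASTEXITCODE holds netsh's exit status.
netsh advfirewall firewall set rule name="$RuleName" new remoteip="$($merged -join ',')"
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Read the rule back and report anything that is not present after the update.
$applied = Get-RuleRemoteIPs -Name $RuleName
$missing = @($merged | Where-Object { $applied -notcontains $_ })
if ($missing) { Write-Warning "Not present after update: $($missing -join ', ')" }
else { Write-Host "$($applied.Count) remote addresses verified on rule '$RuleName'" }
```

Run from an elevated PowerShell session; the read-back step is what turns "some addresses went missing" into a concrete list of which ones.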
