New WiX feature: Firewall extension
WixFirewallExtension is a new WiX extension that lets you configure the Windows Firewall from your program’s installer. Windows has had a built-in firewall since Windows XP was released in 2001, though it was XP’s Service Pack 2 that introduced a firewall of sufficient power for most people to use it. (It helps that in SP2, the firewall is turned on by default. The same is true on Windows Vista, Server 2003 SP1, and Server 2008.)
Outgoing connections – from the local computer to a server – aren’t blocked by default. (In fact, the firewall on XP SP2 and Server 2003 SP1 doesn’t support blocking outbound connections at all. That feature was added to the firewall in Vista and Server 2008.) Incoming connections are blocked unless the firewall is configured to allow them. If your program is any kind of server, it needs to add itself to the firewall’s exception list or it won’t receive any connections that originate from another machine.
There are two types of firewall exceptions:
- Application: A particular program for an incoming connection on any port/protocol.
- Port: A particular port for a particular IP protocol (TCP or UDP). Any program can accept incoming connections on that port/protocol, so a port exception is broader than an application exception: it also admits traffic for whatever other process later binds that port. Prefer an application exception, with the narrowest scope that works, unless you really need the port open regardless of which program is listening.
For both types of exceptions, the scope of the exception controls which incoming connections are accepted:
- Any network, including the Internet.
- Only the local subnetwork.
- Custom IP addresses.
You can configure your program’s firewall exceptions using the FirewallException element. To configure an application exception, nest the FirewallException element under the program’s File element or under a Component element and specify the program’s file id in the File attribute:
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:fire="http://schemas.microsoft.com/wix/FirewallExtension">
  ...
  <Component Id="MyComponent1" Guid="PUT-GUID-HERE">
    <File KeyPath="yes" Source="program.exe">
      <fire:FirewallException Id="FWX1" Name="My Program" />
    </File>
  </Component>
  ...
The Id and Name attributes are both required. You can adjust the scope of the exception using the Scope attribute, which takes the values any or localSubnet, or by listing specific addresses in RemoteAddress child elements:
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:fire="http://schemas.microsoft.com/wix/FirewallExtension">
  ...
  <Component Id="MyComponent2" Guid="PUT-GUID-HERE">
    <File KeyPath="yes" Source="program.exe">
      <fire:FirewallException Id="FWX2" Name="My Program">
        <fire:RemoteAddress>127.0.0.1</fire:RemoteAddress>
        <fire:RemoteAddress>127.0.0.2</fire:RemoteAddress>
        <fire:RemoteAddress>127.0.0.3</fire:RemoteAddress>
      </fire:FirewallException>
    </File>
  </Component>
  ...
RemoteAddress is a direct line to the firewall API’s support for remote addresses: each value is passed through to the firewall’s remote-address list as written, so what you can put there is whatever the Windows Firewall itself accepts.
There’s also a Program attribute that lets you specify a formatted string that identifies the program that should get the firewall exception. It’s useful if you want to specify an exception for a program installed by a different package.
To specify a port exception, use the Port and Protocol attributes. Port takes an integer value and Protocol takes tcp, udp, or any. Note that any requires Windows Vista and Server 2008; on XP SP2 and Server 2003 SP1, specify two port exceptions, one with Protocol="tcp" and another with Protocol="udp" as a workaround.
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:fire="http://schemas.microsoft.com/wix/FirewallExtension">
  ...
  <Component Id="MyComponent3" Guid="PUT-GUID-HERE">
    <File KeyPath="yes" Source="program.exe">
      <fire:FirewallException Id="FWX3" Name="My Program" Port="1025" Protocol="udp" />
    </File>
  </Component>
  ...
Both types of exceptions also support the IgnoreFailure attribute to specify whether firewall configuration failures should be ignored or cause the installation to roll back.
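To show the pieces above working together, here is a complete, buildable source file I have added as an example; it is not code from the original post or from the WiX project. It assumes a hypothetical server binary named myserver.exe, an install directory and component names I made up, the port 1025 used in the post, and two placeholder management-host addresses from the 192.0.2.0/24 documentation range. The PUT-GUID-HERE placeholders follow the post’s convention and must be replaced with real GUIDs before candle will accept the file. The application exception is scoped to the local subnet, and the port exception is split into tcp and udp rows so that it also works on XP SP2 and Server 2003 SP1, where Protocol="any" is unavailable.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post or the WiX project.
     Build with the firewall extension loaded:
       candle -ext WixFirewallExtension example.wxs
       light  -ext WixFirewallExtension example.wixobj
     Assumptions: myserver.exe exists next to this file; GUIDs are placeholders. -->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
     xmlns:fire="http://schemas.microsoft.com/wix/FirewallExtension">
  <Product Id="*" Name="My Server" Language="1033" Version="1.0.0.0"
           Manufacturer="Example Co" UpgradeCode="PUT-GUID-HERE">
    <Package InstallerVersion="200" Compressed="yes" />
    <Media Id="1" Cabinet="product.cab" EmbedCab="yes" />

    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLDIR" Name="My Server" />
      </Directory>
    </Directory>

    <DirectoryRef Id="INSTALLDIR">
      <Component Id="ServerExe" Guid="PUT-GUID-HERE">
        <File Id="MyServerExe" KeyPath="yes" Source="myserver.exe">
          <!-- Application exception: only this binary, only from the local
               subnet. Narrowest of the cases shown in the post; prefer it.
               IgnoreFailure="no": if the firewall cannot be configured, the
               install rolls back rather than leaving a server nobody can reach. -->
          <fire:FirewallException Id="FWX_App" Name="My Server"
                                  Scope="localSubnet" IgnoreFailure="no" />
        </File>

        <!-- Port exception restricted to two (placeholder) management hosts.
             Protocol="any" needs Vista/Server 2008, so tcp and udp are declared
             as two separate exceptions, the workaround the post describes.
             Any process that binds 1025 will be reachable from these hosts. -->
        <fire:FirewallException Id="FWX_Ctl_Tcp" Name="My Server control (TCP)"
                                Port="1025" Protocol="tcp">
          <fire:RemoteAddress>192.0.2.10</fire:RemoteAddress>
          <fire:RemoteAddress>192.0.2.11</fire:RemoteAddress>
        </fire:FirewallException>
        <fire:FirewallException Id="FWX_Ctl_Udp" Name="My Server control (UDP)"
                                Port="1025" Protocol="udp">
          <fire:RemoteAddress>192.0.2.10</fire:RemoteAddress>
          <fire:RemoteAddress>192.0.2.11</fire:RemoteAddress>
        </fire:FirewallException>
      </Component>
    </DirectoryRef>

    <Feature Id="Main" Level="1">
      <ComponentRef Id="ServerExe" />
    </Feature>
  </Product>
</Wix>
```

After installing the resulting MSI, check what actually landed in the firewall rather than trusting the install log: on Vista and Server 2008, netsh advfirewall firewall show rule name="My Server" lists the rule with its scope and remote addresses; on XP SP2 and Server 2003 SP1, netsh firewall show allowedprogram and netsh firewall show portopening show the application and port entries respectively. Uninstalling should remove all three entries; verify that too, since a stale port exception outlives the program that needed it.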
Sponsored by ACES
The firewall extension is part of the work I’m undertaking to convert ACES Studio’s products from our old script-based installer to a declarative installer built with WiX. Studio management was pleased to contribute the work to the WiX community.