/////////////////////////////////////////////////////////////////////////////// // // Copyright (c) Microsoft Corporation. // // SYNOPSIS // // Interfaces for managing the firewall. // /////////////////////////////////////////////////////////////////////////////// import "icftypes.idl"; import "oaidl.idl"; // Provides access to the settings controlling Remote Administration. An // instance of this interface is retrieved through the RemoteAdminSettings // property of the INetFwProfile interface. All configuration changes take // effect immediately. [ object, uuid(D4BECDDF-6F73-4A83-B832-9C66874CD20E), dual ] interface INetFwRemoteAdminSettings : IDispatch { // IP version for which remote admin is authorized. Only // NET_FW_IP_VERSION_ANY is supported. [id(1), propget] HRESULT IpVersion( [out, retval] NET_FW_IP_VERSION* ipVersion ); [id(1), propput] HRESULT IpVersion( [in] NET_FW_IP_VERSION ipVersion ); // Network scope from which remote admin is allowed. When setting the // property, only NET_FW_SCOPE_ALL and NET_FW_SCOPE_LOCAL_SUBNET are valid. // To create a custom scope, use the RemoteAddresses property. [id(2), propget] HRESULT Scope( [out, retval] NET_FW_SCOPE* scope ); [id(2), propput] HRESULT Scope( [in] NET_FW_SCOPE scope ); // Remote addresses from which remote administration is allowed. [id(3), propget] HRESULT RemoteAddresses( [out, retval] BSTR* remoteAddrs ); [id(3), propput] HRESULT RemoteAddresses( [in] BSTR remoteAddrs ); // True if Remote Administration is enabled. [id(4), propget] HRESULT Enabled( [out, retval] VARIANT_BOOL* enabled ); [id(4), propput] HRESULT Enabled( [in] VARIANT_BOOL enabled ); } // Provides access to the settings controlling ICMP packets. An instance of // this interface is retrieved through the IcmpSettings property of the // INetFwProfile interface. All configuration changes take effect // immediately. [ object, uuid(A6207B2E-7CDD-426A-951E-5E1CBC5AFEAD), dual ] interface INetFwIcmpSettings : IDispatch { ////////// // Types common to IPv4 and IPv6 ////////// [id(1), propget] HRESULT AllowOutboundDestinationUnreachable( [out, retval] VARIANT_BOOL* allow ); [id(1), propput] HRESULT AllowOutboundDestinationUnreachable( [in] VARIANT_BOOL allow ); [id(2), propget] HRESULT AllowRedirect( [out, retval] VARIANT_BOOL* allow ); [id(2), propput] HRESULT AllowRedirect( [in] VARIANT_BOOL allow ); [id(3), propget] HRESULT AllowInboundEchoRequest( [out, retval] VARIANT_BOOL* allow ); [id(3), propput] HRESULT AllowInboundEchoRequest( [in] VARIANT_BOOL allow ); [id(4), propget] HRESULT AllowOutboundTimeExceeded( [out, retval] VARIANT_BOOL* allow ); [id(4), propput] HRESULT AllowOutboundTimeExceeded( [in] VARIANT_BOOL allow ); [id(5), propget] HRESULT AllowOutboundParameterProblem( [out, retval] VARIANT_BOOL* allow ); [id(5), propput] HRESULT AllowOutboundParameterProblem( [in] VARIANT_BOOL allow ); ////////// // IPv4 only types ////////// [id(6), propget] HRESULT AllowOutboundSourceQuench( [out, retval] VARIANT_BOOL* allow ); [id(6), propput] HRESULT AllowOutboundSourceQuench( [in] VARIANT_BOOL allow ); [id(7), propget] HRESULT AllowInboundRouterRequest( [out, retval] VARIANT_BOOL* allow ); [id(7), propput] HRESULT AllowInboundRouterRequest( [in] VARIANT_BOOL allow ); [id(8), propget] HRESULT AllowInboundTimestampRequest( [out, retval] VARIANT_BOOL* allow ); [id(8), propput] HRESULT AllowInboundTimestampRequest( [in] VARIANT_BOOL allow ); [id(9), propget] HRESULT AllowInboundMaskRequest( [out, retval] VARIANT_BOOL* allow ); [id(9), propput] HRESULT AllowInboundMaskRequest( [in] VARIANT_BOOL allow ); ////////// // IPv6 only types ////////// [id(10), propget] HRESULT AllowOutboundPacketTooBig( [out, retval] VARIANT_BOOL* allow ); [id(10), propput] HRESULT AllowOutboundPacketTooBig( [in] VARIANT_BOOL allow ); } // Provides access to the properties of a port that has been opened in the // firewall. When creating new ports, this interface is supported by the // HNetCfg.FwOpenPort COM object. For reading or modifying existing ports, // instances of this interface are retrieved through the INetFwOpenPorts // collection. All configuration changes take effect immediately. [ object, uuid(E0483BA0-47FF-4D9C-A6D6-7741D0B195F7), dual ] interface INetFwOpenPort : IDispatch { // Friendly name of the port. Mandatory. [id(1), propget] HRESULT Name( [out, retval] BSTR* name ); [id(1), propput] HRESULT Name( [in] BSTR name ); // IP version for which the port is opened. Only NET_FW_IP_VERSION_ANY is // supported, and this is the default for new ports. [id(2), propget] HRESULT IpVersion( [out, retval] NET_FW_IP_VERSION* ipVersion ); [id(2), propput] HRESULT IpVersion( [in] NET_FW_IP_VERSION ipVersion ); // IP protocol. Default is TCP for new ports. [id(3), propget] HRESULT Protocol( [out, retval] NET_FW_IP_PROTOCOL* ipProtocol ); [id(3), propput] HRESULT Protocol( [in] NET_FW_IP_PROTOCOL ipProtocol ); // Port number in host order. Mandatory. [id(4), propget] HRESULT Port( [out, retval] LONG* portNumber ); [id(4), propput] HRESULT Port( [in] LONG portNumber ); // Network scope from which the port can listen. When setting the property, // only NET_FW_SCOPE_ALL and NET_FW_SCOPE_LOCAL_SUBNET are valid. To create // a custom scope, use the RemoteAddresses property. Default is // NET_FW_SCOPE_ALL for new ports. [id(5), propget] HRESULT Scope( [out, retval] NET_FW_SCOPE* scope ); [id(5), propput] HRESULT Scope( [in] NET_FW_SCOPE scope ); // Remote addresses from which the port can listen for traffic. [id(6), propget] HRESULT RemoteAddresses( [out, retval] BSTR* remoteAddrs ); [id(6), propput] HRESULT RemoteAddresses( [in] BSTR remoteAddrs ); // True if the settings for this port are currently enabled. This can be set // to False to allow port settings to be stored in the open ports collection // without actually opening the port. Default is True for new ports. [id(7), propget] HRESULT Enabled( [out, retval] VARIANT_BOOL* enabled ); [id(7), propput] HRESULT Enabled( [in] VARIANT_BOOL enabled ); // True if this is a built-in port defined by the system. Built-in ports can // not be removed and only the LocalSubnetOnly and Enabled properties can be // modified. [id(8), propget] HRESULT BuiltIn( [out, retval] VARIANT_BOOL* builtIn ); } // Provides access to a collection of ports opened in the firewall. An instance // of this interface is retrieved through the GloballyOpenPorts property of the // INetFwProfile interface. All configuration changes take effect // immediately. [ object, uuid(C0E9D7FA-E07E-430A-B19A-090CE82D92E2), dual ] interface INetFwOpenPorts : IDispatch { // Returns the number of ports in the collection. [id(1), propget] HRESULT Count( [out, retval] long* count ); // Opens a new port and adds it to the collection. If the port is already // open, the existing settings are overwritten. [id(2)] HRESULT Add( [in] INetFwOpenPort* port ); // Closes a port and remove it from the collection. If the port is already // closed, it has no effect. [id(3)] HRESULT Remove( [in] LONG portNumber, [in] NET_FW_IP_PROTOCOL ipProtocol ); // Return the specified port if present. [id(4)] HRESULT Item( [in] LONG portNumber, [in] NET_FW_IP_PROTOCOL ipProtocol, [out, retval] INetFwOpenPort** openPort ); // Returns an object supporting IEnumVARIANT that can be used to iterate // through all the ports in the collection. [id(DISPID_NEWENUM), propget, restricted] HRESULT _NewEnum( [out, retval] IUnknown** newEnum ); } // Provides access to the properties of a service that may be authorized to // listen through the firewall. Instances of this interface are retrieved // through the INetFwServices collection. All configuration changes take // effect immediately. [ object, uuid(79FD57C8-908E-4A36-9888-D5B3F0A444CF), dual ] interface INetFwService : IDispatch { // Friendly name of the service. [id(1), propget] HRESULT Name( [out, retval] BSTR* name ); // Enumerator that uniquely identifies the service. [id(2), propget] HRESULT Type( [out, retval] NET_FW_SERVICE_TYPE* type ); // Indicates whether at least one of the ports associated with the service // has been customized. If a service has been customized, the values // returned by the service properties do not reflect the configuration of // all the ports associated with the service. [id(3), propget] HRESULT Customized( [out, retval] VARIANT_BOOL* customized ); // IP version for which the service is authorized. Only // NET_FW_IP_VERSION_ANY is supported. [id(4), propget] HRESULT IpVersion( [out, retval] NET_FW_IP_VERSION* ipVersion ); [id(4), propput] HRESULT IpVersion( [in] NET_FW_IP_VERSION ipVersion ); // Network scope from which the service can listen. When setting the // property, only NET_FW_SCOPE_ALL and NET_FW_SCOPE_LOCAL_SUBNET are valid. // To create a custom scope, use the RemoteAddresses property. [id(5), propget] HRESULT Scope( [out, retval] NET_FW_SCOPE* scope ); [id(5), propput] HRESULT Scope( [in] NET_FW_SCOPE scope ); // Remote addresses from which the service ports can listen for traffic. If // the service has been customized, get returns the union of the remote // addresses for all the service ports. [id(6), propget] HRESULT RemoteAddresses( [out, retval] BSTR* remoteAddrs ); [id(6), propput] HRESULT RemoteAddresses( [in] BSTR remoteAddrs ); // True if all the ports associated with the service are enabled. [id(7), propget] HRESULT Enabled( [out, retval] VARIANT_BOOL* enabled ); [id(7), propput] HRESULT Enabled( [in] VARIANT_BOOL enabled ); // The collection of globally open ports associated with the service. [id(8), propget] HRESULT GloballyOpenPorts( [out, retval] INetFwOpenPorts** openPorts ); } // Provides access to a collection of services that may be authorized to listen // through the firewall. An instance of this interface is retrieved through the // Services property of the INetFwProfile interface. All configuration // changes take effect immediately. [ object, uuid(79649BB4-903E-421B-94C9-79848E79F6EE), dual ] interface INetFwServices : IDispatch { // Returns the number of services in the collection. [id(1), propget] HRESULT Count( [out, retval] long* count ); // Return the specified service. [id(2)] HRESULT Item( [in] NET_FW_SERVICE_TYPE svcType, [out, retval] INetFwService** service ); // Returns an object supporting IEnumVARIANT that can be used to iterate // through all the services in the collection. [id(DISPID_NEWENUM), propget, restricted] HRESULT _NewEnum( [out, retval] IUnknown** newEnum ); } // Provides access to the properties of an app that has been authorized to open // holes in the firewall. When creating new apps, this interface is supported // by the HNetCfg.FwAuthorizedApplication COM object. For reading or // modifying existing apps, instances of this interface are retrieved through // the INetFwAuthorizedApplications collection. All configuration changes // take effect immediately. [ object, uuid(B5E64FFA-C2C5-444E-A301-FB5E00018050), dual ] interface INetFwAuthorizedApplication : IDispatch { // Friendly name of the app. Mandatory. [id(1), propget] HRESULT Name( [out, retval] BSTR* name ); [id(1), propput] HRESULT Name( [in] BSTR name ); // Process image file name. This must be a fully-qualified path, but it may // contain environment variables. Mandatory. [id(2), propget] HRESULT ProcessImageFileName( [out, retval] BSTR* imageFileName ); [id(2), propput] HRESULT ProcessImageFileName( [in] BSTR imageFileName ); // IP version for which the app is authorized. Only NET_FW_IP_VERSION_ANY is // supported, and this is the default for new apps. [id(3), propget] HRESULT IpVersion( [out, retval] NET_FW_IP_VERSION* ipVersion ); [id(3), propput] HRESULT IpVersion( [in] NET_FW_IP_VERSION ipVersion ); // Network scope from which the app can listen. When setting the property, // only NET_FW_SCOPE_ALL and NET_FW_SCOPE_LOCAL_SUBNET are valid. To create // a custom scope, use the RemoteAddresses property. Default is // NET_FW_SCOPE_ALL for new apps. [id(4), propget] HRESULT Scope( [out, retval] NET_FW_SCOPE* scope ); [id(4), propput] HRESULT Scope( [in] NET_FW_SCOPE scope ); // Remote addresses from which the app can listen for traffic. [id(5), propget] HRESULT RemoteAddresses( [out, retval] BSTR* remoteAddrs ); [id(5), propput] HRESULT RemoteAddresses( [in] BSTR remoteAddrs ); // True if the settings for this app are currently enabled. This can be set // to False to allow app settings to be stored in the authorized apps // collection without actually authorizing the app. Default is True for new // apps. [id(6), propget] HRESULT Enabled( [out, retval] VARIANT_BOOL* enabled ); [id(6), propput] HRESULT Enabled( [in] VARIANT_BOOL enabled ); } // Provides access to a collection of apps authorized to open ports in the // firewall. An instance of this interface is retrieved through the // AuthorizedApplications property of the INetFwProfile interface. All // configuration changes take effect immediately. [ object, uuid(644EFD52-CCF9-486C-97A2-39F352570B30), dual ] interface INetFwAuthorizedApplications : IDispatch { // Returns the number of apps in the collection. [id(1), propget] HRESULT Count( [out, retval] long* count ); // Adds a new app to the collection. If an app with the same image file name // already exists, the settings are overwritten. [id(2)] HRESULT Add( [in] INetFwAuthorizedApplication* app ); // Removes an app from the collection. If the app doesn't exist, it has no // effect. [id(3)] HRESULT Remove( [in] BSTR imageFileName ); // Return the specified app if present. [id(4)] HRESULT Item( [in] BSTR imageFileName, [out, retval] INetFwAuthorizedApplication** app ); // Returns an object supporting IEnumVARIANT that can be used to iterate // through all the apps in the collection. [id(DISPID_NEWENUM), propget, restricted] HRESULT _NewEnum( [out, retval] IUnknown** newEnum ); } // Provides access to a firewall settings profile. Instances of this interface // are retrieved through the CurrentProfile property or GetProfileByType method // of the INetFwPolicy interface. All configuration changes take effect // immediately. [ object, uuid(174A0DDA-E9F9-449D-993B-21AB667CA456), dual ] interface INetFwProfile : IDispatch { // Type of profile [id(1), propget] HRESULT Type( [out, retval] NET_FW_PROFILE_TYPE* type ); // True if firewall is enabled. [id(2), propget] HRESULT FirewallEnabled( [out, retval] VARIANT_BOOL* enabled ); [id(2), propput] HRESULT FirewallEnabled( [in] VARIANT_BOOL enabled ); // True if the firewall should not allow exceptions. In other words, all the // exceptions (e.g., GloballyOpenPorts) specified in the profile are ignored // and only locally initiated traffic is allowed. [id(3), propget] HRESULT ExceptionsNotAllowed( [out, retval] VARIANT_BOOL* notAllowed ); [id(3), propput] HRESULT ExceptionsNotAllowed( [in] VARIANT_BOOL notAllowed ); // True if interactive firewall notifications are disabled. [id(4), propget] HRESULT NotificationsDisabled( [out, retval] VARIANT_BOOL* disabled ); [id(4), propput] HRESULT NotificationsDisabled( [in] VARIANT_BOOL disabled ); // True if the firewall should not allow unicast responses to multicast and // broadcast traffic. [id(5), propget] HRESULT UnicastResponsesToMulticastBroadcastDisabled( [out, retval] VARIANT_BOOL* disabled ); [id(5), propput] HRESULT UnicastResponsesToMulticastBroadcastDisabled( [in] VARIANT_BOOL disabled ); // Settings governing remote administration. [id(6), propget] HRESULT RemoteAdminSettings( [out, retval] INetFwRemoteAdminSettings** remoteAdminSettings ); // Settings governing ICMP packets. [id(7), propget] HRESULT IcmpSettings( [out, retval] INetFwIcmpSettings** icmpSettings ); // Returns the collection of globally open ports. [id(8), propget] HRESULT GloballyOpenPorts( [out, retval] INetFwOpenPorts** openPorts ); // Returns the collection of services. [id(9), propget] HRESULT Services( [out, retval] INetFwServices** services ); // Returns the collection of authorized apps. [id(10), propget] HRESULT AuthorizedApplications( [out, retval] INetFwAuthorizedApplications** apps ); } // Provides access to a firewall policy. Instances of this interface are // retrieved through the LocalPolicy method of the INetFwMgr interface. All // configuration changes take effect immediately. [ object, uuid(D46D2478-9AC9-4008-9DC7-5563CE5536CC), dual ] interface INetFwPolicy : IDispatch { // Returns the profile currently in effect. [id(1), propget] HRESULT CurrentProfile( [out, retval] INetFwProfile** profile ); // Returns the profile of the requested type. [id(2)] HRESULT GetProfileByType( [in] NET_FW_PROFILE_TYPE profileType, [out, retval] INetFwProfile** profile ); } // Provides access to the firewall settings for a computer. This interface is // supported by the HNetCfg.FwMgr COM object. All configuration changes take // effect immediately. [ object, uuid(F7898AF5-CAC4-4632-A2EC-DA06E5111AF2), dual ] interface INetFwMgr : IDispatch { // Returns the local firewall policy. [id(1), propget] HRESULT LocalPolicy( [out, retval] INetFwPolicy** localPolicy ); // Returns the type of firewall profile currently in effect. [id(2), propget] HRESULT CurrentProfileType( [out, retval] NET_FW_PROFILE_TYPE* profileType ); // Restores the local configuration to its default state. [id(3)] HRESULT RestoreDefaults(); // Determines whether an application can listen for inbound traffic on the // specified port. // // Parameters: // // imageFileName - The image filename of the process listening on the // network. It must be a fully-qualified path, but it may contain // environment variables. If 'imageFileName' is NULL, the function // determines whether the port is allowed for all applications. // // ipVersion - IP version of the traffic. If 'localAddress' is non-NULL, // this must not be NET_FW_IP_VERSION_ANY. // // portNumber - Local IP port number of the traffic. If 'portNumber' is // zero, 'imageFileName' must not be NULL and the function checks if the // application is allowed to listen on any port. // // localAddress - Either a dotted-decimal IPv4 address or an IPv6 hex // address specifying the local address of the traffic. Typically, this is // the address passed to bind. If 'localAddress' is NULL, the function // determines whether the port is allowed for all interfaces. // // ipProtocol - IP protocol of the traffic, either NET_FW_IP_PROTOCOL_TCP or // NET_FW_IP_PROTOCOL_UDP. Ignored if 'portNumber' is zero. // // allowed - Returns a VARIANT of type VT_BOOL indicating whether the port // is allowed for at least some local interfaces and remote addresses. // // restricted - Returns a VARIANT of type VT_BOOL indicating whether some // local interfaces or remote addresses are blocked for this port. For // example, if the port is restricted to the local subnet only. // [id(4)] HRESULT IsPortAllowed( [in] BSTR imageFileName, [in] NET_FW_IP_VERSION ipVersion, [in] LONG portNumber, [in] BSTR localAddress, [in] NET_FW_IP_PROTOCOL ipProtocol, [out] VARIANT* allowed, [out] VARIANT* restricted ); // Determines whether the specified ICMP type is allowed. [id(5)] HRESULT IsIcmpTypeAllowed( [in] NET_FW_IP_VERSION ipVersion, [in] BSTR localAddress, [in] BYTE type, [out] VARIANT* allowed, [out] VARIANT* restricted ); } [ uuid(DB4F3345-3EF8-45ED-B976-25A6D3B81B71), version(1.0) ] library NetFwPublicTypeLib { importlib("stdole2.tlb"); interface INetFwRemoteAdminSettings; interface INetFwIcmpSettings; interface INetFwOpenPort; interface INetFwOpenPorts; interface INetFwService; interface INetFwServices; interface INetFwAuthorizedApplication; interface INetFwAuthorizedApplications; interface INetFwProfile; interface INetFwPolicy; interface INetFwMgr; [ uuid(0CA545C6-37AD-4A6C-BF92-9F7610067EF5) ] coclass NetFwOpenPort { [default] interface INetFwOpenPort; } [ uuid(EC9846B3-2762-4A6B-A214-6ACB603462D2) ] coclass NetFwAuthorizedApplication { [default] interface INetFwAuthorizedApplication; } [ uuid(304CE942-6E39-40D8-943A-B913C40C9CD4) ] coclass NetFwMgr { [default] interface INetFwMgr; } }