How to set an 'IP range' in the windows Firewall?
October 24th, 2004, 05:47 PM
|
#1 (permalink)
| | Member
Join Date: Aug 2003 Location: Germany
Posts: 98
| How to set an 'IP range' in the windows Firewall?
I think some of you already know about the fault in the Windows Firewall letting everyone see your shared files. Whatever - I don't want to talk about that BUT: In order to stop my windows behaving like that I really need to know how to tell the computer this:
I allow you to use the IP Range from 192.168.1.0/255.255.255.0 to 192.168.1.213/255.255.255.0
There is a field in the Windows Firewall context menu where I can enter this. My problem is that it doesn't accept stuff like 192.168.1.*
'#' doesn't work either.
These are the only symbols I know to tell the PC to use all endings for * or #. I don't want to start entering this line 213 times. So how do I enter this there? How do I express an IP range for my little Windows to understand me? If you don't know what I mean, go to
SystemSettings -> Firewall -> Exceptions -> "The service for printer and datasharing" -> edit -> and try to change the range. You will see what I'm talking about.
__________________
Do you also hear those voices?
Last edited by c6ke : October 24th, 2004 at 05:50 PM.
|
| |
October 24th, 2004, 06:09 PM
|
#2 (permalink)
| | I'm silently judging you
Join Date: Jan 2003 Location: Lincoln City, OR
Posts: 5,377
|
Not sure about the Windows firewall, I know ZoneAlarm and I'm assuming Kerio Firewall (forgot the exact name) will let you do stuff like that. |
| |
October 24th, 2004, 06:29 PM
|
#3 (permalink)
| | the *Voice* in your Head
Join Date: Dec 2001 Location: NY
Posts: 4,520
|
hmmm...you must really be a glutton for punishment if you want to use the XP firewall.
but to answer your question, yes there is a way to enter an exception range. you need to edit the netfw.inf file in your %windir%\inf folder.
after you've modified the netfw file, open a command prompt and run: netsh firewall reset to force the system to reread its contents.
within the inf file, you must edit the appropriate section, i.e. domainprofile or standardprofile depending on whether the machine participates in a domain or workgroup.
more info regarding syntax, etc. is probably on the MS website if you search.
the netsh firewall command also allows scripted commands to control the firewall, but i am not 100% certain that a subset of a range can be entered w/o having to explicitly list all the ips. |
| |
October 25th, 2004, 06:15 AM
|
#4 (permalink)
| | Member
Join Date: Aug 2003 Location: Germany
Posts: 98
| Oh god no!
oaaah! I hate this.
I don't want to use this firewall as my main firewall (I'm not sooo stupid). I'm also using another one (Mcafee). But I want to keep it activated as then Windows doesn't try to tell me to activate it all the time.
I don't see where to enter IP addresses or even a range in this inf file. I already checked MS site and found nothing. Sorry
Last edited by c6ke : October 25th, 2004 at 06:17 AM.
|
| |
October 26th, 2004, 02:37 PM
|
#5 (permalink)
| | Member
Join Date: Aug 2003 Location: Germany
Posts: 98
|
Nobody has a better idea? I simply need this one symbol I think
like * is assigned to any 1,2 or 3 digit number and then
192.168.1.*
which is the right symbol? I'm sure * is not! |
| |
November 1st, 2004, 05:58 PM
|
#6 (permalink)
| | Member
Join Date: Aug 2003 Location: Germany
Posts: 98
| |
| |
November 1st, 2004, 06:03 PM
|
#7 (permalink)
| | ska7ing away.....
Join Date: Nov 2003 Location: with the cat
Posts: 7,751
| Quote: |
Originally Posted by c6ke oaaah! I hate this.
I don't want to use this firewall as my main firewall (I'm not sooo stupid). I'm also using another one (Mcafee). But I want to keep it activated as then Windows doesn't try to tell me to activate it all the time.
I don't see where to enter IP addresses or even a range in this inf file. I already checked MS site and found nothing. Sorry |
It seems to me that you just want to stop the Windows alerts when you turn off the firewall.
I am now assuming that you have XP SP2, as that's how Windows security behaves in SP2.
so if you go to control panel and then windows security center.
then click on "change the way windows SC alerts me".
then uncheck the firewall alerts box. |
| |
November 5th, 2004, 09:09 AM
|
#8 (permalink)
| | Member
Join Date: Aug 2003 Location: Germany
Posts: 98
|
OK anyways. I'll do that now as our LAN now has a debian server with Firewall
That means that windows is useless  |
| |
November 5th, 2004, 09:54 PM
|
#9 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: McMinnville, OR USA
Posts: 1,204
|
In case someone is looking for an answer to the original question still:
I believe what you are looking for is how to correctly use the network mask. There is very little documentation on how this is done for windows, and less still that is actually good documentation. I'm a little rusty on my subnetting, but I think I got most of this right. Anyone caring to differ, please speak up.
To show a single IP, you would just put it in like: 192.168.1.1
To show a subnet or range, you give the network address and the mask, like: 192.168.1.0/255.255.255.0 or 192.168.1.0/24. This translates to 192.168.1.0 through 255. Ranges get complicated as you narrow it down, but it just follows the rules of subnetting and there are some how to docs on the web that cover that. I think it would basically go something like:
192.168.1.0/255.255.255.128 should mean 0-127
Then add 192.168.1.128/255.255.255.192 for 128-191
That leaves 192.168.1.192/255.255.255.224 for 192-223
If you want closer to 213 you'd have to keep breaking it down I think.
Full line in the custom scope fields would look like:
192.168.1.0/255.255.255.0 this is 0-255
192.168.1.0/255.255.255.128,192.168.1.128/255.255.255.192,192.168.1.192/255.255.255.224 This gets 0-223
Remember no spaces in the line or windows ignores the whole thing.
The basic gist of this is that you want to be careful in selecting IP ranges when grouping machines. Start and end of a range should fall at sums of powers of two, like 128-191, 192-223 or 64-127. This makes it easier to figure out a mask that fits. You notice that you see a lot of these numbers in IP addresses, and it's because you can subnet mask them without having to use a binary calculator all the time. Hopefully Microsoft will get the idea and put in an easier syntax for ranges in the future, instead of good fashioned cryptic 10 year old TCPIP standard.
__________________
-800XL
"If you put large tires on a Pinto, it is still a Pinto. " -George Alfs of Intel, comparing the AMD Hammer to Itanium.
|
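The "keep breaking it down" step from post #9, carried through to the exact end of the range, as an added example that is not part of the original posts. It splits an inclusive range into the fewest aligned blocks and joins them as address/mask entries with commas and no spaces, so the exception opens 192.168.1.0-213 and nothing above it (a 255.255.255.224 block at .192 would also admit .214-.223). The function names are hypothetical, and it assumes the custom scope field accepts every mask length shown.

```python
import ipaddress

def range_to_blocks(first, last):
    """Split an inclusive IPv4 range into the fewest aligned power-of-two blocks."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("first address is above last address")
    blocks = []
    while start <= end:
        # A block can only begin on a multiple of its own size, so the
        # lowest set bit of the start address caps how large it may be.
        size = start & -start if start else 1 << 32
        # It must also not run past the end of the requested range.
        while size > end - start + 1:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += size
    return blocks

def scope_string(first, last):
    """Comma-separated scope list, no spaces; a lone address has no mask."""
    parts = []
    for net in range_to_blocks(first, last):
        if net.prefixlen == 32:
            parts.append(str(net.network_address))
        else:
            parts.append(f"{net.network_address}/{net.netmask}")
    return ",".join(parts)

def covered(blocks):
    """Lowest address, highest address and total count the blocks allow."""
    return (str(blocks[0].network_address),
            str(blocks[-1].broadcast_address),
            sum(b.num_addresses for b in blocks))

if __name__ == "__main__":
    # Range from the original question (sample run, not output from the thread).
    blocks = range_to_blocks("192.168.1.0", "192.168.1.213")
    print(scope_string("192.168.1.0", "192.168.1.213"))
    print(covered(blocks))
```

Checking `covered()` before pasting the string confirms the highest allowed address is the one intended, which is the part that is easy to get wrong when choosing masks by hand.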
| |
November 5th, 2004, 09:58 PM
|
#10 (permalink)
| | Senior Member
Join Date: Jul 2004 Location: New Zealand
Posts: 582
|
Another notation sometimes used is 192.168.1.0/24, this is equivalent to 192.168.1.0/255.255.255.0. |