
[WindowsFirewall]

Answer File = Unattend.txt and Winbom.ini; WinbomType = Factory

Windows Firewall is a stateful host firewall that discards unsolicited incoming traffic, providing a level of protection for computers against malicious users or programs. To provide better protection for computers connected to any kind of network (such as the Internet, a home network, or an organization network), Windows XP SP2 enables Windows Firewall on all network connections by default.

The [WindowsFirewall] section must be included in your answer file to configure firewall sections and entries in unattended Setup or Sysprep in factory mode.

All of the sections for the Windows Firewall are user defined. For example, the user-defined profile is referenced by the Profiles entry in the [WindowsFirewall] section. Windows Firewall maintains two sets of configurations known as profiles. The Domain profile is used when a computer is a member of a domain, while the Standard profile is used when a computer is not connected to a domain. You may specify a domain type of profile, a standard type, or a profile that applies to both domain and standard. The name of the user-defined profile must match the section name of [WindowsFirewall.profile_name]. See the examples later in this topic.

To configure Windows Firewall settings, you must include the [WindowsFirewall] section along with one or more of the following user-defined sections in the Unattend.txt file:

The [WindowsFirewall] section contains entries for specifying which user-defined profiles to use and for specifying the log file settings.

Entry Description
Profiles Specifies the names of the user-defined profiles to use for configuring the Windows Firewall (domain, standard, or both domain and standard).
LogFile Specifies the location and file name of the Pfirewall.log file.
LogSize Specifies the maximum size of the Pfirewall.log file.
LogDroppedPackets Specifies whether to enable logging dropped packets to the Pfirewall.log file.
LogConnections Specifies whether to enable logging connections to the Pfirewall.log file.

Sample

This sample demonstrates one use of the [WindowsFirewall] section of Unattend.txt. See the examples later in this topic for more details and descriptive user-defined names.

[WindowsFirewall]
Profiles = WindowsFirewall.profile1_name, WindowsFirewall.profile2_name
LogFile = %WINDIR%\Pfirewall.log
LogSize = 4096
LogDroppedPackets = 1
LogConnections = 1

Profiles

Specifies the names of the user-defined profiles to use for configuring the Windows Firewall. You may specify a domain profile, standard profile, or a profile for both domain and standard. Each profile_name must be unique, and each profile_name must match the name in the [WindowsFirewall.profile_name] section. For more information about Windows Firewall profile types, see Type.

Syntax Profiles = WindowsFirewall.profile1_name, WindowsFirewall.profile2_name
Value WindowsFirewall.profile_name
Example
Profiles = WindowsFirewall.standard_profilename, WindowsFirewall.domain_profile_name, WindowsFirewall.Both_types_profile_name
Comments This is a required entry. The Profiles entry lists the user-defined profiles to configure the Windows Firewall. This entry must match the [WindowsFirewall.profile_name] section name.


LogFile

Specifies the location and file name of the Pfirewall.log file.

Syntax LogFile = path
Value path
Default %WINDIR%\Pfirewall.log
Example
LogFile = %WINDIR%\Pfirewall.log
Comments This is an optional entry. Use this entry to create a log file for troubleshooting.


LogSize

Specifies the maximum size of the Pfirewall.log file.

Syntax LogSize = Size in KB
Value Size in KB
Default 4096
Example
LogSize = 4096
Comments This is an optional entry. Use this entry to limit the size of the log file.


LogDroppedPackets

Specifies whether to enable logging dropped packets in the Pfirewall.log file.

Syntax LogDroppedPackets = 0 | 1
Values
1: Enables logging dropped packets to the Pfirewall.log file.
0: Does not enable logging dropped packets to the Pfirewall.log file.

Default Value 0
Example
LogDroppedPackets = 0
Comments This is an optional entry. Use this entry for troubleshooting connection problems.


LogConnections

Specifies whether to enable logging connections in the Pfirewall.log file.

Syntax LogConnections = 0 | 1
Values
1: Enables logging connections to the Pfirewall.log file.
0: Does not enable logging connections to the Pfirewall.log file.

Default Value 0
Example
LogConnections = 0
Comments This is an optional entry. Use this entry for troubleshooting connectivity problems.


Example of a User-defined Configuration of Windows Firewall

You may configure the Windows Firewall by using the [WindowsFirewall] section and its associated sections and entries to add programs and services, open ports, and enable ICMP settings. This example shows one way to add sections and entries to the Unattend.txt file.

[WindowsFirewall]
Profiles = WindowsFirewall.Standard
LogFile = "%WINDIR%\pfirewall.log"
LogSize = 4096
LogDroppedPackets = 1
LogConnections = 1

[WindowsFirewall.Standard]
Type = 3
Mode = 1
Exceptions = 1
Notifications = 1
MulticastBroadcastResponse = 1
AllowedPrograms = WindowsFirewall.RemoteAssistance
Services = WindowsFirewall.RemoteDesktop
PortOpenings = WindowsFirewall.WebService
IcmpSettings = WindowsFirewall.EchoRequest

[WindowsFirewall.RemoteAssistance]
Program = "%WINDIR%\System32\Sessmgr.exe"
Name = "Remote Assistance"
Mode = 1
Scope = 2
Addresses = "192.168.0.5,LocalSubnet"

[WindowsFirewall.RemoteDesktop]
Type = 2
Mode = 1
Scope = 2
Addresses = "192.168.0.5,LocalSubnet"

[WindowsFirewall.WebService]
Protocol = 6
Port = 80
Name = "Web Server (TCP 80)"
Mode = 1
Scope = 2
Addresses = "192.168.0.5,LocalSubnet"

[WindowsFirewall.EchoRequest]
Type = 8
Mode = 1


Example of a User-defined Profile to Disable Windows Firewall

You may disable the Windows Firewall if you are including a third-party firewall that is active and enabled with your offering. Add the following sections and entries to the Unattend.txt file:

[WindowsFirewall]
Profiles = WindowsFirewall.TurnOffFirewall

[WindowsFirewall.TurnOffFirewall]
Mode = 0
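
The following lint is an added example, not part of the original topic or of any Microsoft tool. It checks an answer file for a name in Profiles (or in a profile's AllowedPrograms, Services, PortOpenings or IcmpSettings entry) that has no matching section, for a profile with Mode = 0, and for logging entries left at their default of 0. The names audit_firewall and SAMPLE, the constructed sample text, exact-case matching of section names, and the choice to report disabled logging are assumptions of the example.

```python
import configparser

# Profile entries that name other user-defined sections (all shown on this page).
REF_KEYS = ("AllowedPrograms", "Services", "PortOpenings", "IcmpSettings")

def _val(section, key, default=""):
    """Entry value without surrounding whitespace or quotes."""
    return (section.get(key) or default).strip().strip('"')

def _refs(section, key):
    """Comma-separated section names held in an entry."""
    return [r.strip() for r in _val(section, key).split(",") if r.strip()]

def audit_firewall(text):
    """Return findings for the [WindowsFirewall] sections of an answer file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    if not cp.has_section("WindowsFirewall"):
        return ["[WindowsFirewall] section is missing"]
    root, findings = cp["WindowsFirewall"], []
    profiles = _refs(root, "Profiles")
    if not profiles:
        findings.append("Profiles is a required entry but is missing or empty")
    for key in ("LogDroppedPackets", "LogConnections"):  # both default to 0
        if _val(root, key, "0") != "1":
            findings.append(f"{key} is not enabled")
    for prof in profiles:
        if not cp.has_section(prof):
            findings.append(f"Profiles names [{prof}] but no such section exists")
            continue
        if _val(cp[prof], "Mode") == "0":
            findings.append(f"[{prof}] Mode = 0 disables Windows Firewall")
        for key in REF_KEYS:
            for ref in _refs(cp[prof], key):
                if not cp.has_section(ref):
                    findings.append(f"[{prof}] {key} names missing [{ref}]")
    return findings

# Constructed sample: the disable profile from this page plus a dangling name.
SAMPLE = r"""
[WindowsFirewall]
Profiles = WindowsFirewall.TurnOffFirewall, WindowsFirewall.Missing
LogFile = %WINDIR%\Pfirewall.log
[WindowsFirewall.TurnOffFirewall]
Mode = 0
"""

if __name__ == "__main__":
    print("\n".join(audit_firewall(SAMPLE)))
```

Interpolation is turned off because answer-file values such as %WINDIR% contain percent signs that configparser would otherwise try to expand.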


Using the Windows Firewall Netfw.inf File to Configure Default Settings

If the end user makes changes to the Windows Firewall settings, and then decides to use the Restore Defaults button on the Advanced tab of the Windows Firewall applet in Control Panel, the default settings are read from the Netfw.inf file. Any configurations made to Windows Firewall settings in Unattend.txt or Winbom.ini are ignored. If you want the Restore Defaults button to restore factory default settings, you must use the Netfw.inf file to customize the Windows Firewall Exceptions list.

For information about how to use the Netfw.inf file to configure the Windows Firewall Exceptions list and default firewall settings, see the white paper on the OPK product CD titled Using the Windows Firewall .Inf File in Microsoft Windows XP Service Pack 2.

How Windows Firewall Settings are Configured

When Setup runs, it first adds any Windows Firewall settings from Netfw.inf to the registry, and then appends any settings from Unattend.txt. When you run Sysprep -factory, any Windows Firewall settings from Winbom.ini are appended to existing settings in the registry.
