#general

Zweasta

07/25/2020, 7:14 PM
Like `iptables` table for Linux, is there any plan to build a table for Windows systems?

seph

07/25/2020, 7:28 PM
Does Windows have something like `iptables`?

Zweasta

07/25/2020, 7:34 PM
Nope, but at least I am looking for something which helps me find the firewall open ports in Windows.

seph

07/25/2020, 8:39 PM
Does Windows have any tooling or APIs to display it?
8:39 PM
I think osquery would happily accept a PR with this functionality. But I don't know anyone working on one.

Zweasta

07/25/2020, 10:25 PM
This thread could help: https://serverfault.com/questions/207620/windows-equivalent-of-iptables In Windows there is something called `netsh advfirewall`, maybe this can be a good API to use for osquery to develop a table in this regard.

seph

07/26/2020, 11:08 AM
The ToB extension is a wrapper around netsh

Zweasta

07/26/2020, 4:52 PM
The table `PortBlacklist` only allows us to know if a port is blocked, and also I am not willing to manage port blocking or unblocking. I just need to know the open ports. That's it.

sundsta

07/26/2020, 9:36 PM
These rules are all held in the registry; it should be relatively straightforward to parse them. The major complication is that Windows applies different policies depending on whether it is on a public, private, or domain-joined network.

Zweasta

07/26/2020, 10:02 PM
I am potentially looking at a PowerShell script:
```powershell
$fw = New-Object -ComObject HNetCfg.FWPolicy2
$fw.Rules | where {$_.Enabled -like $true} | Format-Table LocalPorts
```
Will this be able to find all the rules that are held in the registry?

sundsta

07/27/2020, 3:59 PM
Not sure. I believe the rules are in `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules` but I don't have a Windows machine to verify with at the moment.

Zweasta

07/27/2020, 10:02 PM
Thanks, will check it!