security - Is there a limit to the number of IP addresses for a Windows Firewall rule's Scope?

2014-04-05
  • kevinmicke

    I've got a Powershell script that adds IP addresses trying to run brute force attacks on my server to a firewall rule that blocks them from accessing it. Recently it stopped working, and started throwing this error:

    Exception setting "RemoteAddresses": "The array bounds are invalid. (Exception from HRESULT: 0x800706C6)"

    Is there a limit to the number of IP addresses you can put in the Scope of a Windows Firewall rule? This is running on Windows Server 2008 R2.

  • Answers
  • kevinmicke

    Yes - the limit is 1000 entries total. A single IP address is counted as one entry if it's entered on its own, or a range of IPs is counted as one entry if it's entered as one range.

    In my case, deleting one of the IP addresses from the Scope of the above rule will allow the script to add it (or any other IP address) back to the Scope. The errors are thrown for every attempted entry over 1000.

    As a workaround, once you get to 1000 entries in the current firewall rule, you can simply create a similar rule with a different Scope. It's not elegant, but it will get the job done.
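    The rollover the answer describes, as an added PowerShell example (not the asker's script or anything from the original thread). It drives the HNetCfg COM API, which is what exists on Windows Server 2008 R2 (the NetSecurity cmdlets such as New-NetFirewallRule only arrived with Windows 8 / Server 2012), counts the entries already in a rule's Scope before touching it, and starts a numbered sibling rule once the current one holds 1000. The rule name prefix, the description text and the sample address are assumptions for illustration; run it from an elevated prompt.

```powershell
# Added example, not code from the original post. Maintains a family of
# inbound block rules ("Block brute force", "Block brute force #2", ...)
# and rolls over to a new rule when the current one reaches 1000 entries.
# Rule name prefix and description are hypothetical choices.

$RuleBase   = 'Block brute force'   # assumed rule name prefix
$MaxEntries = 1000                  # per-rule Scope limit reported in the answer

$fw = New-Object -ComObject HNetCfg.FwPolicy2

function Get-BlockRules {
    # COM rule objects are live: assigning RemoteAddresses on one of them
    # changes the firewall immediately (and is where 0x800706C6 is raised).
    $fw.Rules | Where-Object { $_.Name -eq $RuleBase -or $_.Name -like "$RuleBase #*" }
}

function Get-ScopeEntries($Rule) {
    # The firewall reports single hosts as "192.0.2.10/255.255.255.255" and
    # IPv6 hosts as "2001:db8::1/128"; an empty Scope reads back as "".
    $raw = [string]$Rule.RemoteAddresses
    if ($raw -eq '') { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim() })
}

function Test-AddressInRule($Rule, [string]$Address) {
    foreach ($entry in Get-ScopeEntries $Rule) {
        if (($entry -split '/')[0] -eq $Address) { return $true }
    }
    return $false
}

function New-BlockRule([string]$Name, [string]$Address) {
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.Description     = 'Hosts seen brute-forcing this server (script managed)'
    $rule.Direction       = 1            # NET_FW_RULE_DIR_IN
    $rule.Action          = 0            # NET_FW_ACTION_BLOCK
    $rule.Protocol        = 256          # NET_FW_IP_PROTOCOL_ANY
    $rule.Profiles        = 0x7FFFFFFF   # NET_FW_PROFILE2_ALL
    $rule.RemoteAddresses = $Address
    $rule.Enabled         = $true
    $fw.Rules.Add($rule)
    return $rule
}

function Add-BlockedAddress([string]$Address) {
    $rules = @(Get-BlockRules)

    # Already blocked by one of our rules: nothing to do.
    foreach ($r in $rules) {
        if (Test-AddressInRule $r $Address) { return "$Address already in '$($r.Name)'" }
    }

    # Use the first rule that still has room; count entries up front instead
    # of waiting for the "array bounds are invalid" exception.
    foreach ($r in $rules) {
        $entries = @(Get-ScopeEntries $r)
        if ($entries -contains '*') { continue }   # "any address" Scope: not one of ours
        if ($entries.Count -lt $MaxEntries) {
            try {
                if ($entries.Count -eq 0) { $r.RemoteAddresses = $Address }
                else { $r.RemoteAddresses = "$($r.RemoteAddresses),$Address" }
                return "$Address added to '$($r.Name)' ($($entries.Count + 1) entries)"
            } catch {
                # If the firewall still rejects the Scope, fall through and
                # start a fresh rule rather than silently drop the block.
                Write-Warning "Could not extend '$($r.Name)': $($_.Exception.Message)"
            }
        }
    }

    $name = if ($rules.Count -eq 0) { $RuleBase } else { "$RuleBase #$($rules.Count + 1)" }
    New-BlockRule $name $Address | Out-Null
    return "$Address added to new rule '$name'"
}

# Constructed sample input (documentation range, not a real attacker):
Add-BlockedAddress '192.0.2.10'
```

    Counting entries before assigning is deliberate: the Scope string is rewritten as a whole on every assignment, so a script that only reacts to the exception will also re-raise it for every later address until a rule with spare capacity exists. Because each rule is an independent block, the order in which the numbered rules are evaluated does not matter.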


  • Related Question

    security - Configure Windows firewall to prevent an application from listening on a specific port
  • U-D13

    The issue: there are many applications struggling to listen on port 80 (Skype, Teamviewer et al.), and for many of them that is not even essential (in the sense that you can have a httpd running and blocking the http port, and the other application won't even squeak about being unable to open the port). What makes things worse, some of the apps provide no way to configure the app not to use specific ports (that's what you get for using proprietary software) - you can either add it to Windows Firewall exceptions (and succumb to undesired port opening behavior) or not (and risk losing most - if not all - of the functionality).

    Technically, it is not impossible for the firewall to deny an application opening an incoming port even if the application is in the exception list. And if this functionality is built into the Windows Firewall somewhere, there should be a way to activate it.

    So, what I want to know is:

    1. whether there exists such an option,
      and if it does
    2. how to activate it.

    EDIT: I would like to stress that I am talking about the Windows Firewall version that is bundled with Windows XP.


  • Related Answers
  • U-D13

    After giving it a second thought, I realized that most likely this won't work, because as far as I know Windows firewall just blocks inbound packets. It never prevents an application opening a port for listening, just blocks the incoming traffic, if the port is not in the exceptions list.

    Am I right or am I wrong? Any opinions on this?