Windows installer sets all erl.exe and epmd.exe firewall rules to block

[Vacant0mens]

Describe the bug

On install of RabbitMQ v3.11.17 all firewall rules created to allow Erlang components to be available on the network are set to block, which causes the Management UI/Api and AMQP to only be available on localhost or the local machine.

Reproduction steps

1. choco install -y rabbitmq --version=3.11.17
2. attempt browser connection to http://[machine]:15672/ or application connection to amqp://[machine]:5672/
3. request times out

Expected behavior

It's easy enough to set the rules to 'allow', but I expected that the firewall rules would be set to 'allow' by default.

Additional context

To confirm the issue, run the following in PowerShell:

Get-NetFirewallRule | Where-Object {$_.DisplayName -in @("erl", "epmd","erlang")} | Select-Object Name, DisplayName, Enabled, Action

and you'll get the following output (or at least something similar):

Name        : TCP Query User{<GUID>}C:\program files\erlang otp\bin\erl.exe
DisplayName : Erlang
Enabled     : True
Action      : Block

Name        : UDP Query User{<GUID>}C:\program files\erlang otp\bin\erl.exe
DisplayName : Erlang
Enabled     : True
Action      : Block

Name        : TCP Query User{<GUID>}C:\program files\erlang otp\erts-13.2.2.1\bin\epmd.exe
DisplayName : epmd
Enabled     : True
Action      : Block

Name        : UDP Query User{<GUID>}C:\program files\erlang otp\erts-13.2.2.1\bin\epmd.exe
DisplayName : epmd
Enabled     : True
Action      : Block

Name        : TCP Query User{<GUID>}C:\program files\erlang otp\erts-13.2.2.1\bin\erl.exe
DisplayName : Erlang
Enabled     : True
Action      : Block

Name        : UDP Query User{<GUID>}C:\program files\erlang otp\erts-13.2.2.1\bin\erl.exe
DisplayName : Erlang
Enabled     : True
Action      : Block

[lukebakken]

Note that chaco install rabbitmq first installs Erlang via the Erlang NSIS installer, which Team RabbitMQ has no control other.

Neither the Erlang nor the RabbitMQ NSIS installers do anything with the Windows Firewall, meaning that it is up to system administrators to open the appropriate ports after installation. If we were to add code to automatically open ports, we would get many requests to stop messing with the firewall.

When I install and run RabbitMQ locally in my Windows environment, I always have to modify the firewall (via an automatic popup) the first time the erl.exe, werl.exe or epmd.exe runs, just as you note.

[Vacant0mens]

After a fresh install of RabbitMQ via chocolatey, without me doing anything besides running the command choco install -y --no-progress rabbitmq, there are now firewall rules in the Windows Firewall as I stated in my original post.

I checked before and during the install, and they did not exist after the Erlang install had completed. So they seem to get added during the RabbitMQ install process because it installs fine and the rules show up after that without any other action on my part.

In fact, I also found several firewall rules pointing at these files (which no longer exist on the machine):
C:\program files\erl8.3\erts-8.3\bin\epmd.exe
C:\program files\erl8.3\bin\erl.exe
(yes, I've been using this machine for a while...)
I only came across these rules because the last version I installed set them all to Block and I couldn't access RabbitMQ at all, except from within the machine itself.

If it's not the installer that does it, it must be part of the service setup or management plugin enable process or something, but it's definitely not a human doing it. To be clear, the <GUID>'s in the firewall rule names in my original post were actually full 32-character GUID's. I doubt any human would want to type those up by hand, but they're pretty easy to generate in code. The only explanation for them that I can think of is that they're generated by Windows when the rules get created and whatever creates them adds them into the rule name.

Also, if the chocolatey install is run on a Windows Server Core machine the installer has an issue loading a firewall component from C:\Windows\System32.
If I run the choco command remotely it hangs on Installing rabbitmq ..., but if run on the core machine itself, it installs fine without any intervention from me, except that I get this error message box:

[Vacant0mens]

While it may not necessarily be the installers specifically, here's more evidence that there's something in RabbitMQ (or maybe Windows too) that's setting the rules:

When I run Get-NetFirewallRule *erl*, the first 6 rules are always the only ones that are set to Allow, while the rest are set to Block. Which will definitely cause problems because the first 6 are always from the oldest version that has been installed. In my case, only the rules for C:\program files\erl8.3\* were set to Allow, while the rules for C:\program files\erl-24.2.2\* (among others) were set to Block.

[lukebakken]

I realize all of this seems to point to the RabbitMQ installer, but we have no code in the installer or in RabbitMQ to do anything with the firewall:

https://github.com/rabbitmq/rabbitmq-packaging/blob/main/windows-exe/rabbitmq_nsi.in

Nor does it appear that the Erlang installer does anything with the firewall:

https://github.com/erlang/otp/blob/master/erts/etc/win32/nsis/erlang20.nsi

Here is the NSIS plugin that could be used to configure the firewall:

https://nsis.sourceforge.io/NSIS_Simple_Firewall_Plugin

I see no occurrence of the string SimpleFC in either *.nsi file.

Like you I have installed Erlang many, many times on my work laptop so I can't really trust any test that I do, especially since my employer manages the laptop. If I have time I will bring up a fresh Windows VM to see what the behavior is by default, though even then VM packagers usually change policies around the firewall.

Here is the source for both the Erlang and RabbitMQ chocolatey packages:

• https://github.com/chocolatey-beam/erlang-package
• https://github.com/rabbitmq/chocolatey-package

[Vacant0mens]

I attempted the install on a fresh install of Windows Server Core. All of the firewall rules showed up as I expected, except for the rules relating to epmd.exe, which is strange.

Looking back at my other servers, it looks like the rules for epmd.exe stopped getting updated after erl8.3.

Seems like this might be Windows "helping us out" by making firewall rules for newly installed programs, but having issues with it since there's no UI to pop up the message about whether to enable/allow the rules or not.

[lukebakken]

Thank you for taking the time to research this a bit.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring

My guess is that the following settings, that block inbound connections by default, are the cause. This is a screenshot from my work laptop:

When you install RabbitMQ there are Erlang processes that are started that attempt to make network connections to localhost:25672 (i.e. distributed Erlang). My guess is that these are what trigger the firewall popups.

I will see if I can add firewall rules for the programs prior to installation to see if that fixes the issue.

[lukebakken]

@Vacant0mens I removed all firewall rules for the various Erlang programs, installed OTP 26.0.1, and then ran this Powershell command in an admin context:

 Get-ChildItem -Filter '*.exe' -Recurse -Path 'C:\Program Files\Erlang OTP\' | %{ Write-Host $_; netsh advfirewall firewall add rule "name=allow-$($_.Name)" 'dir=in' "program=$_" 'profile=any' 'action=allow' }

Then, I installed RabbitMQ 3.12.1, and ran this command in the same admin shell:

C:\Program Files\RabbitMQ Server\rabbitmq_server-3.12.1
> .\sbin\rabbitmq-plugins.bat enable rabbitmq_management rabbitmq_stream rabbitmq_stream_management rabbitmq_amqp1_0 rabbitmq_shovel rabbitmq_shovel_management

I did NOT get any popups from the Windows Firewall service, so I'm assuming that by adding the inbound rules the issue is fixed.

Of course, netsh advfirewall... can be replaced with Set-NetFirewallRule.

Let me know if this works in your environment!

[Vacant0mens]

I super-appreciate your answer! 👍

It would probably be slightly better for non-development/non-home use to filter the exe's that get a firewall rule, just to be a little safer.

Something like:

Get-ChildItem -Recurse -Path 'C:\Program Files\Erlang OTP\' | Where-Object {$_.Name -in @("erl.exe", "epmd.exe", "werl.exe")}

In my testing, only erl.exe and epmd.exe needed any firewall rules for a standalone instance. @lukebakken, do you happen to know if there are other exe's that need firewall access if clustering (or another similar feature) is enabled?

Also, it seems like "program=$_" is using the string-ified object, which ends up being $_.Name in this case. If you wanted to be a bit more direct/specific "program=$($_.FullName)" should work too.

and for future readers, here's a PowerShell script example (using parameter splatting):

$AllowedExes = @("erl.exe", "epmd.exe", "werl.exe")
$ErlangExes = Get-ChildItem -Filter '*.exe' -Recurse -Path 'C:\Program Files\Erlang OTP\' | Where-Object {$_.Name -in $AllowedExes}
foreach ($Exe in $ErlangExes.FullName) {
    Write-Verbose "Updating or creating firewall rule for $Exe"
    $FwRuleName = "RabbitMQ and Erlang - Allow - $Exe"
    $FwParams = @{
        'Name' = $FwRuleName
        'DisplayName' = $FwRuleName
        'Direction' = 'In'
        'Program' = "$Exe"
        'Profile' = 'any'
        'Enabled' = $true
        'Action' = 'Allow'
    }
    if ($null -eq (Get-NetFirewallRule -Name $FwRuleName)) {
        New-NetFirewallRule @FwParams
    }
    else {
	Set-NetFirewallRule @FwParams
    }
}

[lukebakken]

Thanks.

Yes if we decide to add FW rules to the RabbitMQ installer we would only create rules for the following executables:

• epmd.exe
• erl.exe
• werl.exe

Thanks for the much improved powershell script!

[lukebakken]

@Vacant0mens - I modified the script to read the Erlang installation information from the registry -

https://github.com/lukebakken/misc/blob/main/ps1/windows-firewall.ps1

Interestingly enough, 'Enabled' = $true doesn't work in my environment, and instead this is required

https://github.com/lukebakken/misc/blob/main/ps1/windows-firewall.ps1#L67

Anyway, I think at some point we will incorporate this process into the RabbitMQ installation.