Let's see manual configuring Windows Firewall using GUI and using command line. Possibilities of configuring Windows Firewall from command line are identical possibilities of configuring from GUI. Using command line allows you create batch file to run on other computers so you can essentially shorten a time spending for configuring firewall on workstations according to your requirements.
This article examines how to configure Windows Firewall using the Netsh command-line utility.
Windows XP Service Pack 2 (SP2) includes the Windows Firewall, a replacement for the feature previously known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful host firewall that drops all unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic. Windows Firewall is also included with Windows Server 2003 Service Pack 1 (SP1).
Now we configure Windows Firewall step-by-step
The General tab with its default settings is shown in the following figure.
From the General tab, you can select the following:
netsh firewall set opmode [ mode = ] ENABLE|DISABLE [ [ exceptions = ] ENABLE|DISABLE [ profile = ] CURRENT|DOMAIN|STANDARD|ALL [ interface = ] name ]
Sets firewall operational configuration.
Parameters:
mode - Operational mode.
ENABLE - Enable firewall. DISABLE - Disable firewall.
exceptions - Exception mode (optional).
ENABLE - Allow through firewall (default). DISABLE - Do not allow through firewall.
profile - Configuration profile (optional).
CURRENT - Current profile (default). DOMAIN - Domain profile. STANDARD - Standard profile. ALL - All profiles.
interface - Interface name (optional).
Examples:
Enable the Firewall:
netsh firewall set opmode enable
Enable the Firewall and DO NOT Allow Port/Program Exceptions:
netsh firewall set opmode enable disable
Enable Firewall and Allow Port/Program Exceptions:
netsh firewall set opmode enable enable
Disable the Firewall:
netsh firewall set opmode disable
The following figure shows the Exceptions tab with its settings.
From the Exceptions tab, you can enable or disable an existing program (an application or service) or port or maintain the list of programs and ports that define excepted traffic. The excepted traffic is not allowed when the Don't allow exceptions option is selected on the General tab.
To add a program exception, click Add Program. The Add Program dialog box is displayed from which you can select a program or browse for a program's file name. The following figure shows an example.
netsh firewall add allowedprogram
Used to add a program-based exception.
netsh firewall set allowedprogram
Used to modify the settings of an existing program-based exception.
Syntax and parameters of commands add and set are identical.
Syntax:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall add allowedprogram [ program = ] path [ name = ] name [ [ mode = ] ENABLE|DISABLE [ scope = ] ALL|SUBNET|CUSTOM [ addresses = ] addresses [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
Adds firewall allowed program configuration.
Parameters:
program - Program path and file name.
name - Program name.
mode - Program mode (optional).
ENABLE - Allow through firewall (default). DISABLE - Do not allow through firewall.
scope - Program scope (optional).
ALL - Allow all traffic through firewall (default). SUBNET - Allow only local network (subnet) traffic through firewall. CUSTOM - Allow only specified traffic through firewall.
addresses - Custom scope addresses (optional).
profile - Configuration profile (optional).
CURRENT - Current profile (default). DOMAIN - Domain profile. STANDARD - Standard profile. ALL - All profiles.
Remarks: 'scope' must be 'CUSTOM' to specify 'addresses'.
Examples:
netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp DISABLE netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet netsh firewall add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode =ENABLE netsh firewall add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = DISABLE netsh firewall add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE scope = CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
netsh firewall delete allowedprogram
Used to delete an existing program-based exception.
Syntax:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall delete allowedprogram [ program = ] path [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
Deletes firewall allowed program configuration.
Parameters:
program - Program path and file name.
profile - Configuration profile (optional).
CURRENT - Current profile (default). DOMAIN - Domain profile. STANDARD - Standard profile. ALL - All profiles.
Examples:
delete allowedprogram C:\MyApp\MyApp.exe delete allowedprogram program = C:\MyApp\MyApp.exe
To add a port exception, click AddPort. The Add a Port dialog box is displayed, from which you can configure a TCP or UDP port. The following figure shows an example.
Windows Firewall allows you to specify the scope of excepted traffic. The scope defines the portion of the network from which the excepted traffic is allowed to originate. To define the scope for a program or port, click Change Scope. The following figure shows an example.
netsh firewall add portopening
Used to create a port-based exception.
netsh firewall set portopening
Used to modify the settings of an existing port-based exception.
Syntax and parameters of commands add and set are identical.
Syntax:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall add portopening [ protocol = ] TCP|UDP|ALL [ port = ] 1-65535 [ name = ] name [ [ mode = ] ENABLE|DISABLE [ scope = ] ALL|SUBNET|CUSTOM [ addresses = ] addresses [ profile = ] CURRENT|DOMAIN|STANDARD|ALL [ interface = ] name ]
Adds firewall port configuration.
Parameters:
protocol - Port protocol.
TCP - Transmission Control Protocol (TCP). UDP - User Datagram Protocol (UDP). ALL - All protocols.
port - Port number.
name - Port name.
mode - Port mode (optional).
ENABLE - Allow through firewall (default). DISABLE - Do not allow through firewall.
scope - Port scope (optional).
ALL - Allow all traffic through firewall default). SUBNET - Allow only local network (subnet) traffic through firewall. CUSTOM - Allow only specified traffic through firewall.
addresses - Custom scope addresses (optional).
profile - Configuration profile (optional).
CURRENT - Current profile (default). DOMAIN - Domain profile. STANDARD - Standard profile. ALL - All profiles.
interface - Interface name (optional).
Remarks:
'profile' and 'interface' may not be specified together. 'scope' and 'interface' may not be specified together. 'scope' must be 'CUSTOM' to specify 'addresses'.
Examples:
netsh firewall add portopening TCP 80 MyWebPort netsh firewall add portopening UDP 500 IKE ENABLE ALL netsh firewall add portopening ALL 53 DNS ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet netsh firewall add portopening protocol = TCP port = 80 name =MyWebPort netsh firewall add portopening protocol = UDP port = 500 name = IKE mode = ENABLE scope = ALL netsh firewall add portopening protocol = ALL port = 53 name =DNS mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
netsh firewall delete portopening
Used to delete an existing port-based exception.
Syntax:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall delete portopening [ protocol = ] TCP|UDP|ALL [ port = ] 1-65535 [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL [ interface = ] name ]
Deletes firewall port configuration.
Parameters:
protocol - Port protocol.
TCP - Transmission Control Protocol (TCP). UDP - User Datagram Protocol (UDP). ALL - All protocols.
port - Port number.
profile - Configuration profile (optional).
CURRENT - Current profile (default). DOMAIN - Domain profile. STANDARD - Standard profile. ALL - All profiles.
interface - Interface name (optional).
Remarks:
'profile' and 'interface' may not be specified together. Examples:
netsh firewall delete portopening TCP 80 netsh firewall delete portopening UDP 500 netsh firewall delete portopening protocol = TCP port = 80 netsh firewall delete portopening protocol = UDP port = 500
Applications can use Windows Firewall application programming interface (API) function calls to automatically add exceptions. When applications create exceptions using the Windows Firewall APIs, the user is not notified. If the application using the Windows Firewall APIs does not specify an exception name, the exception is not displayed in the exceptions list on the Exceptions tab of the Windows Firewall.
When an application that does not use the Windows Firewall API runs and attempts to listen on TCP or UDP ports, Windows Firewall prompts a local administrator with a Windows Security Alert dialog box. The following figure shows an example.
netsh firewall set notifications
Used to specify the notification behavior.
Syntax:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall set notifications [ mode = ] ENABLE|DISABLE [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
Sets firewall notification configuration.
Parameters:
mode - Notification mode.
ENABLE - Allow pop-up notifications from firewall. DISABLE - Do not allow pop-up notifications from firewall.
profile - Configuration profile (optional).
CURRENT - Current profile (default). DOMAIN - Domain profile. STANDARD - Standard profile. ALL - All profiles.
Examples:
netsh firewall set notifications ENABLE netsh firewall set notifications DISABLE netsh firewall set notifications mode = ENABLE netsh firewall netsh firewall set notifications mode = DISABLE
The following figure shows the Advanced tab.
The Advanced tab contains the following sections:
In Network Connection Settings, you can:
If you clear all of the check boxes in the Network Connection Settings, then Windows Firewall is not protecting your computer, regardless of whether you have selected On (recommended) on the General tab. The settings in Network Connection Settings are ignored if you have selected Don’t allow exceptions on the General tab, in which case all interfaces are protected.
When you click Settings, the Advanced Settings dialog box is displayed, as shown in the following figure.
From the Advanced Settings dialog box, you can configure specific services from the Services tab (by TCP or UDP port only) or enable specific types of ICMP traffic from the ICMP tab.
On the Services tab, do one of the following:
Notes:
On the ICMP tab, do one of the following:
netsh firewall set service
Used to enable or disable the pre-defined file and printer sharing, remote administration, remote desktop, and UPnP exceptions.
Syntax:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall set service [ type = ] FILEANDPRINT|REMOTEADMIN|REMOTEDESKTOP|UPNP|ALL [ [ mode = ] ENABLE|DISABLE [ scope = ] ALL|SUBNET|CUSTOM [ addresses = ] addresses [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
Sets firewall service configuration.
Parameters:
type - Service type.
FILEANDPRINT - File and printer sharing. REMOTEADMIN - Remote administration. REMOTEDESKTOP - Remote assistance and remote desktop. UPNP - UPnP framework. ALL - All types.
mode - Service mode (optional).
ENABLE - Allow through firewall (default). DISABLE - Do not allow through firewall.
scope - Service scope (optional).
ALL - Allow all traffic through firewall(default). SUBNET - Allow only local network (subnet) traffic through firewall. CUSTOM - Allow only specified traffic through firewall.
addresses - Custom scope addresses (optional).
profile - Configuration profile (optional).
CURRENT - Current profile (default). DOMAIN - Domain profile. STANDARD - Standard profile. ALL - All profiles.
Remarks:
Examples:
netsh firewall set service FILEANDPRINT netsh firewall set service REMOTEADMIN ENABLE SUBNET netsh firewall set service REMOTEDESKTOP ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet netsh firewall set service type = FILEANDPRINT netsh firewall set service type = REMOTEADMIN mode = ENABLE scope = SUBNET netsh firewall set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
In Security Logging, click Settings to specify the configuration of Windows Firewall logging in the Log Settings dialog box, as shown in the following figure
From the Log Settings dialog box, you can configure whether to log discarded (dropped) packets or successful connections and specify the name and location of the log file (by default set to Systemroot\pfirewall.log) and its maximum size.
netsh firewall set logging
Used to specify logging options.
Syntax:
Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall set logging [ [ filelocation = ] path [ maxfilesize = ] 1-32767 [ droppedpackets = ] ENABLE|DISABLE [ connections = ] ENABLE|DISABLE ]
Sets firewall logging configuration.
Parameters:
filelocation - Log path and file name (optional).
maxfilesize - Maximum log file size in kilobytes (optional).
droppedpackets - Dropped packet log mode (optional).
ENABLE - Log in firewall. DISABLE - Do not log in firewall.
connections - Successful connection log mode (optional).
ENABLE - Log in firewall. DISABLE - Do not log in firewall.
Remarks:
At least one parameter must be specified. Examples:
netsh firewall set logging %windir%\pfirewall.log 4096 netsh firewall set logging %windir%\pfirewall.log 4096 ENABLE netsh firewall set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096 netsh firewall set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096 droppedpackets = ENABLE
In ICMP, click Settings to specify the types of ICMP traffic that are allowed in the ICMP dialog box, as shown in the following figure.
From the ICMP dialog box, you can enable and disable the types of incoming ICMP messages that Windows Firewall allows for all the connections selected on the Advanced tab. ICMP messages are used for diagnostics, reporting error conditions, and configuration. By default, no ICMP messages in the list are allowed.
A common step in troubleshooting connectivity problems is to use the Ping tool to ping the address of the computer to which you are trying to connect. When you ping, you send an ICMP Echo message and get an ICMP Echo Reply message in response. By default, Windows Firewall does not allow incoming ICMP Echo messages and therefore the computer cannot send an ICMP Echo Reply in response. To configure Windows Firewall to allow the incoming ICMP Echo message, you must enable the Allow incoming echo request setting. Set Windows Firewall ICMP Settings using command line
netsh firewall set icmpsetting
Used to specify excepted ICMP traffic.
Syntax:
Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall set icmpsetting [ type = ] 2-5|8-9|11-13|17|ALL [ [ mode = ] ENABLE|DISABLE [ profile = ] CURRENT|DOMAIN|STANDARD|ALL [ interface = ] name ]
Sets firewall ICMP configuration.
Parameters:
type - ICMP type.
2 - Allow outgoing packet too big. 3 - Allow outgoing destination unreachable. 4 - Allow outgoing source quench. 5 - Allow redirect. 8 - Allow incomming echo request. 9 - Allow incomming router request. 11 - Allow outgoing time exceeded. 12 - Allow outgoing parameter problem. 13 - Allow incomming timestamp request. 17 - Allow incomming mask request. ALL - All types.
mode - ICMP mode (optional).
ENABLE - Allow through firewall (default). DISABLE - Do not allow through firewall.
profile - Configuration profile (optional).
CURRENT - Current profile (default). DOMAIN - Domain profile. STANDARD - Standard profile. ALL - All profiles.
interface - Interface name (optional).
Remarks:
'profile' and 'interface' may not be specified together. 'type' 2 and 'interface' may not be specified together.
Examples:
netsh firewall set icmpsetting 8 netsh firewall set icmpsetting 8 ENABLE netsh firewall set icmpsetting ALL DISABLE netsh firewall set icmpsetting type = 8 netsh firewall set icmpsetting type = 8 mode = ENABLE netsh firewall set icmpsetting type = ALL mode = DISABLE
Configure unicast response to a multicast or broadcast request behavior using command line
netsh firewall set multicastbroadcastresponse
Used to specify the unicast response to a multicast or broadcast request behavior.
Syntax:
Note:Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall set multicastbroadcastresponse [ mode = ] ENABLE|DISABLE [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
Sets firewall multicast/broadcast response configuration.
Parameters:
mode - Multicast/broadcast response mode.
ENABLE - Allow responses to multicast/broadcast traffic through the firewall. DISABLE - Do not allow responses to multicast/broadcast traffic through the firewall.
profile - Configuration profile (optional).
CURRENT - Current profile (default). DOMAIN - Domain profile. STANDARD - Standard profile. ALL - All profiles.
Examples:
netsh firewall set multicastbroadcastresponse ENABLE netsh firewall set multicastbroadcastresponse DISABLE netsh firewall set multicastbroadcastresponse mode = ENABLE netsh firewall set multicastbroadcastresponse mode = DISABLE
In Advanced Tab Click Restore Defaults to reset Windows Firewall back to its originally installed state. When you click Restore Defaults, you are prompted to verify your decision before Windows Firewall settings are changed.
netsh firewall reset
Used to reset the configuration of Windows Firewall to default settings. There are no command line options for the reset command.
netsh firewall show commands
The following show commands are used to display the current configuration:
For additional information about the show config and show state commands, see Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2.
Jul 25, 2011