Configure Windows Firewall using command line

Let's see manual configuring Windows Firewall using GUI and using command line. Possibilities of configuring Windows Firewall from command line are identical possibilities of configuring from GUI. Using command line allows you create batch file to run on other computers so you can essentially shorten a time spending for configuring firewall on workstations according to your requirements.

This article examines how to configure Windows Firewall using the Netsh command-line utility.

Windows XP Service Pack 2 (SP2) includes the Windows Firewall, a replacement for the feature previously known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful host firewall that drops all unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic. Windows Firewall is also included with Windows Server 2003 Service Pack 1 (SP1).

Now we configure Windows Firewall step-by-step

Step 1. Windows Firewall: General

The General tab with its default settings is shown in the following figure.

From the General tab, you can select the following:

  • On (recommended) - Select to enable Windows Firewall for all of the network connections that are selected on the Advanced tab. Windows Firewall is enabled to allow only solicited and excepted incoming traffic. Excepted traffic is configured on the Exceptions tab.
  • Don't allow exceptions - Click to allow only solicited incoming traffic. Excepted incoming traffic is not allowed. The settings on the Exceptions tab are ignored and all of the network connections are protected, regardless of the settings on the Advanced tab.
  • Off (not recommended) - Select to disable Windows Firewall. This is not recommended, especially for network connections that are directly accessible from the Internet, unless you are already using a third-party host firewall product.

Enable/Disable Windows firewall using command line

netsh firewall set opmode
                 [ mode = ] ENABLE|DISABLE
                 [ [ exceptions = ] ENABLE|DISABLE
                 [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
                 [ interface = ] name ]

Sets firewall operational configuration.

Parameters:

mode - Operational mode.

ENABLE - Enable firewall.
DISABLE - Disable firewall.

exceptions - Exception mode (optional).

ENABLE - Allow through firewall (default).
DISABLE - Do not allow through firewall.

profile - Configuration profile (optional).

CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

interface - Interface name (optional).

Examples:

Enable the Firewall:

netsh firewall set opmode enable

Enable the Firewall and DO NOT Allow Port/Program Exceptions:

netsh firewall set opmode enable disable

Enable Firewall and Allow Port/Program Exceptions:

netsh firewall set opmode enable enable

Disable the Firewall:

netsh firewall set opmode disable
 

Step 2. Windows Firewall: Exceptions

The following figure shows the Exceptions tab with its settings.

From the Exceptions tab, you can enable or disable an existing program (an application or service) or port or maintain the list of programs and ports that define excepted traffic. The excepted traffic is not allowed when the Don't allow exceptions option is selected on the General tab.

 

Add program-based exception to Exceptions list in Windows Firewall

To add a program exception, click Add Program. The Add Program dialog box is displayed from which you can select a program or browse for a program's file name. The following figure shows an example.

 

Add/Modify program-based exception using command line

netsh firewall add allowedprogram

Used to add a program-based exception.

netsh firewall set allowedprogram

Used to modify the settings of an existing program-based exception.

Syntax and parameters of commands add and set are identical.

Syntax:

Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

netsh firewall add allowedprogram
                 [ program = ] path
                 [ name = ] name
                 [ [ mode = ] ENABLE|DISABLE
                 [ scope = ] ALL|SUBNET|CUSTOM
                 [ addresses = ] addresses
                 [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

Adds firewall allowed program configuration.

Parameters:

program - Program path and file name.

name - Program name.

mode - Program mode (optional).

ENABLE - Allow through firewall (default).
DISABLE - Do not allow through firewall.

scope - Program scope (optional).

ALL - Allow all traffic through firewall (default).
SUBNET - Allow only local network (subnet) traffic through firewall.
CUSTOM - Allow only specified traffic through firewall.

addresses - Custom scope addresses (optional).

profile - Configuration profile (optional).

CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

Remarks: 'scope' must be 'CUSTOM' to specify 'addresses'.

Examples:

netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE
netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp DISABLE
netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
netsh firewall add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode =ENABLE
netsh  firewall add  allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = DISABLE
netsh  firewall add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE scope = CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
 

Delete existing program-based exception using command line

netsh firewall delete allowedprogram

Used to delete an existing program-based exception.

Syntax:

Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

netsh firewall delete allowedprogram
                      [ program = ] path
                      [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

Deletes firewall allowed program configuration.

Parameters:

program - Program path and file name.

profile - Configuration profile (optional).

CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

Examples:

delete allowedprogram C:\MyApp\MyApp.exe
delete allowedprogram program = C:\MyApp\MyApp.exe
 

Add a Port to Exceptions list

To add a port exception, click AddPort. The Add a Port dialog box is displayed, from which you can configure a TCP or UDP port. The following figure shows an example.

Windows Firewall allows you to specify the scope of excepted traffic. The scope defines the portion of the network from which the excepted traffic is allowed to originate. To define the scope for a program or port, click Change Scope. The following figure shows an example.

 

Add/Modify port-based exception using command line

netsh firewall add portopening

Used to create a port-based exception.

netsh firewall set portopening

Used to modify the settings of an existing port-based exception.

Syntax and parameters of commands add and set are identical.

Syntax:

Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

netsh firewall add portopening
                   [ protocol = ] TCP|UDP|ALL
                   [ port = ] 1-65535
                   [ name = ] name
                   [ [ mode = ] ENABLE|DISABLE
                   [ scope = ] ALL|SUBNET|CUSTOM
                   [ addresses = ] addresses
                   [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
                   [ interface = ] name ]

Adds firewall port configuration.

Parameters:

protocol - Port protocol.

TCP - Transmission Control Protocol (TCP).
UDP - User Datagram Protocol (UDP).
ALL - All protocols.

port - Port number.

name - Port name.

mode - Port mode (optional).

ENABLE - Allow through firewall (default).
DISABLE - Do not allow through firewall.

scope - Port scope (optional).

ALL - Allow all traffic through firewall default).
SUBNET - Allow only local network (subnet) traffic through firewall.
CUSTOM - Allow only specified traffic through firewall.

addresses - Custom scope addresses (optional).

profile - Configuration profile (optional).

CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

interface - Interface name (optional).

Remarks:

'profile' and 'interface' may not be specified together. 'scope' and 'interface' may not be specified together. 'scope' must be 'CUSTOM' to specify 'addresses'.

Examples:

netsh firewall add portopening TCP 80 MyWebPort
netsh firewall add portopening UDP 500 IKE ENABLE ALL
netsh firewall add portopening ALL 53 DNS ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
netsh firewall add portopening protocol = TCP port = 80 name =MyWebPort
netsh  firewall add  portopening protocol = UDP port = 500 name = IKE mode = ENABLE scope = ALL
netsh  firewall add portopening protocol = ALL port = 53 name =DNS mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
 

Delete existing port-based exception using command line

netsh firewall delete portopening

Used to delete an existing port-based exception.

Syntax:

Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

netsh firewall delete portopening
                      [ protocol = ] TCP|UDP|ALL
                      [ port = ] 1-65535
                      [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
                      [ interface = ] name ]

Deletes firewall port configuration.

Parameters:

protocol - Port protocol.

TCP - Transmission Control Protocol (TCP).
UDP - User Datagram Protocol (UDP).
ALL - All protocols.

port - Port number.

profile - Configuration profile (optional).

CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

interface - Interface name (optional).

Remarks:

'profile' and 'interface' may not be specified together. Examples:

netsh firewall delete portopening TCP 80
netsh firewall delete portopening UDP 500
netsh firewall delete portopening protocol = TCP port = 80 
netsh  firewall delete portopening protocol = UDP port = 500
 

Windows Firewall Notifications

Applications can use Windows Firewall application programming interface (API) function calls to automatically add exceptions. When applications create exceptions using the Windows Firewall APIs, the user is not notified. If the application using the Windows Firewall APIs does not specify an exception name, the exception is not displayed in the exceptions list on the Exceptions tab of the Windows Firewall.

When an application that does not use the Windows Firewall API runs and attempts to listen on TCP or UDP ports, Windows Firewall prompts a local administrator with a Windows Security Alert dialog box. The following figure shows an example.

 

Set option "Display a notification when Windows Firewall blocks a program" using command line

netsh firewall set notifications

Used to specify the notification behavior.

Syntax:

Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

netsh firewall set notifications
                   [ mode = ] ENABLE|DISABLE
                   [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

Sets firewall notification configuration.

Parameters:

mode - Notification mode.

ENABLE - Allow pop-up notifications from firewall.
DISABLE - Do not allow pop-up notifications from firewall.

profile - Configuration profile (optional).

CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

Examples:

netsh firewall set notifications ENABLE
netsh firewall set notifications DISABLE
netsh firewall set notifications mode = ENABLE netsh  firewall
netsh firewall set notifications mode = DISABLE
 

Step 3. Windows Firewall: Advanced Options

The following figure shows the Advanced tab.

The Advanced tab contains the following sections:

  • Network Connection Settings
  • Security Logging
  • ICMP
  • Default Settings
 

Network Connections Settings

In Network Connection Settings, you can:

  • Specify the set of interfaces on which Windows Firewall is enabled. To enable, select the check box next to the network connection name. To disable, clear the check box. By default, all of the network connections have Windows Firewall enabled. If a network connection does not appear in this list, then it is not a standard networking connection. Examples include some custom dialers from Internet service providers (ISPs).
  • Configure advanced settings of an individual network connection by clicking the network connection name, and then clicking Settings.

If you clear all of the check boxes in the Network Connection Settings, then Windows Firewall is not protecting your computer, regardless of whether you have selected On (recommended) on the General tab. The settings in Network Connection Settings are ignored if you have selected Don’t allow exceptions on the General tab, in which case all interfaces are protected.

When you click Settings, the Advanced Settings dialog box is displayed, as shown in the following figure.

From the Advanced Settings dialog box, you can configure specific services from the Services tab (by TCP or UDP port only) or enable specific types of ICMP traffic from the ICMP tab.

On the Services tab, do one of the following:

  • If you want to enable a service, under Services select the check box next to service that you want to enable, and then enter the required information.
  • If you want to add a service definition, click Add, and then enter the required information.
  • If you want to edit a service definition, click the service that you want to edit, click Edit, and then change the appropriate information.
  • If you want to delete a service definition, click the service that you want to delete, and then click Delete.

Notes:

  • No two service definitions can use the same port numbers simultaneously.
  • For service definitions that are preconfigured, you can edit only the field that is labeled Name or IP address of the computer hosting this service on your network.
  • For service definitions that you have added, you can edit only the fields that are labeled Name or IP address of the computer hosting this service on your network, External Port number for this service, and Internal Port number for this service.
  • You can delete only the service definitions that you have added. You cannot delete service definitions that are preconfigured.

On the ICMP tab, do one of the following:

  • To enable Internet Control Message Protocol (ICMP) options, select the check box next to each type of request for information to which you would like your computer to respond.
  • To disable ICMP options, clear any or all of the ICMP check boxes.

 

Enable or disable Windows Firewall pre-defined services using command line

netsh firewall set service

Used to enable or disable the pre-defined file and printer sharing, remote administration, remote desktop, and UPnP exceptions.

Syntax:

Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

netsh firewall set service
                 [ type = ] FILEANDPRINT|REMOTEADMIN|REMOTEDESKTOP|UPNP|ALL
                 [ [ mode = ] ENABLE|DISABLE
                 [ scope = ] ALL|SUBNET|CUSTOM
                 [ addresses = ] addresses
                 [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

Sets firewall service configuration.

Parameters:

type - Service type.

FILEANDPRINT - File and printer sharing.
REMOTEADMIN - Remote administration.
REMOTEDESKTOP - Remote assistance and remote desktop.
UPNP - UPnP framework.
ALL - All types.

mode - Service mode (optional).

ENABLE - Allow through firewall (default).
DISABLE - Do not allow through firewall.

scope - Service scope (optional).

ALL - Allow all traffic through firewall(default).
SUBNET - Allow only local network (subnet) traffic through firewall.
CUSTOM - Allow only specified traffic through firewall.

addresses - Custom scope addresses (optional).

profile - Configuration profile (optional).

CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

Remarks:

  • 'scope' ignored if 'mode' is DISABLE.
  • 'scope' must be 'CUSTOM' to specify'addresses'.

Examples:

netsh firewall set service FILEANDPRINT
netsh firewall set service REMOTEADMIN ENABLE SUBNET
netsh firewall set service REMOTEDESKTOP ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
netsh firewall set service type = FILEANDPRINT
netsh firewall set service type = REMOTEADMIN mode = ENABLE scope = SUBNET
netsh firewall set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
 

Set Windows Firewall Security Logging

In Security Logging, click Settings to specify the configuration of Windows Firewall logging in the Log Settings dialog box, as shown in the following figure

From the Log Settings dialog box, you can configure whether to log discarded (dropped) packets or successful connections and specify the name and location of the log file (by default set to Systemroot\pfirewall.log) and its maximum size.

 

Set Windows Firewall Security Logging using command line

netsh firewall set logging

Used to specify logging options.

Syntax:

Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

netsh firewall set logging
                 [ [ filelocation = ] path
                 [ maxfilesize = ] 1-32767
                 [ droppedpackets = ] ENABLE|DISABLE
                 [ connections = ] ENABLE|DISABLE ]

Sets firewall logging configuration.

Parameters:

filelocation - Log path and file name (optional).

maxfilesize - Maximum log file size in kilobytes (optional).

droppedpackets - Dropped packet log mode (optional).

ENABLE - Log in firewall.
DISABLE - Do not log in firewall.

connections - Successful connection log mode (optional).

ENABLE - Log in firewall.
DISABLE - Do not log in firewall.

Remarks:

At least one parameter must be specified. Examples:

netsh firewall set logging %windir%\pfirewall.log 4096
netsh firewall set logging %windir%\pfirewall.log 4096 ENABLE
netsh firewall set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096
netsh firewall set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096 droppedpackets = ENABLE
 

ICMP Settings

In ICMP, click Settings to specify the types of ICMP traffic that are allowed in the ICMP dialog box, as shown in the following figure.

From the ICMP dialog box, you can enable and disable the types of incoming ICMP messages that Windows Firewall allows for all the connections selected on the Advanced tab. ICMP messages are used for diagnostics, reporting error conditions, and configuration. By default, no ICMP messages in the list are allowed.

A common step in troubleshooting connectivity problems is to use the Ping tool to ping the address of the computer to which you are trying to connect. When you ping, you send an ICMP Echo message and get an ICMP Echo Reply message in response. By default, Windows Firewall does not allow incoming ICMP Echo messages and therefore the computer cannot send an ICMP Echo Reply in response. To configure Windows Firewall to allow the incoming ICMP Echo message, you must enable the Allow incoming echo request setting. Set Windows Firewall ICMP Settings using command line

netsh firewall set icmpsetting

Used to specify excepted ICMP traffic.

Syntax:

Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

netsh firewall set icmpsetting
                 [ type = ] 2-5|8-9|11-13|17|ALL
                 [ [ mode = ] ENABLE|DISABLE
                 [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
                 [ interface = ] name ]

Sets firewall ICMP configuration.

Parameters:

type - ICMP type.

2 - Allow outgoing packet too big.
3 - Allow outgoing destination unreachable.
4 - Allow outgoing source quench.
5 - Allow redirect.
8 - Allow incomming echo request.
9 - Allow incomming router request.
11 - Allow outgoing time exceeded.
12 - Allow outgoing parameter problem.
13 - Allow incomming timestamp request.
17 - Allow incomming mask request.
ALL - All types.

mode - ICMP mode (optional).

ENABLE - Allow through firewall (default).
DISABLE - Do not allow through firewall.

profile - Configuration profile (optional).

CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

interface - Interface name (optional).

Remarks:

'profile' and 'interface' may not be specified together. 'type' 2 and 'interface' may not be specified together.

Examples:

netsh firewall set icmpsetting 8
netsh firewall set icmpsetting 8 ENABLE
netsh firewall set icmpsetting ALL DISABLE
netsh firewall set icmpsetting type = 8
netsh firewall set icmpsetting type = 8 mode = ENABLE
netsh firewall set icmpsetting type = ALL mode = DISABLE

Configure unicast response to a multicast or broadcast request behavior using command line

netsh firewall set multicastbroadcastresponse

Used to specify the unicast response to a multicast or broadcast request behavior.

Syntax:

Note:Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

netsh firewall set multicastbroadcastresponse
                 [ mode = ] ENABLE|DISABLE
                 [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

Sets firewall multicast/broadcast response configuration.

Parameters:

mode - Multicast/broadcast response mode.

ENABLE - Allow responses to multicast/broadcast traffic through the firewall.
DISABLE - Do not allow responses to multicast/broadcast traffic through the firewall.

profile - Configuration profile (optional).

CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

Examples:

netsh firewall set multicastbroadcastresponse ENABLE
netsh firewall set multicastbroadcastresponse DISABLE
netsh firewall set multicastbroadcastresponse mode = ENABLE
netsh firewall set multicastbroadcastresponse mode = DISABLE
 

Restore all Windows Firewall settings to default state

In Advanced Tab Click Restore Defaults to reset Windows Firewall back to its originally installed state. When you click Restore Defaults, you are prompted to verify your decision before Windows Firewall settings are changed.

 

Restore all Windows Firewall settings to default state using command line

netsh firewall reset

Used to reset the configuration of Windows Firewall to default settings. There are no command line options for the reset command.

 

Display Windows Firewall settings using command line

netsh firewall show commands

The following show commands are used to display the current configuration:

  • show allowedprogram - Displays the excepted programs.
  • show config - Displays the local configuration information.
  • show currentprofile - Displays the current profile.
  • show icmpsetting - Displays the ICMP settings.
  • show logging - Displays the logging settings.
  • show multicastbroadcastresponse - Displays multicast/broadcast response settings.
  • show notifications - Displays the current settings for notifications.
  • show opmode - Displays the operational mode.
  • show portopening - Displays the excepted ports.
  • show service - Displays the services.
  • show state - Displays the current state information.

For additional information about the show config and show state commands, see Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2.

Jul 25, 2011

Similar articles