Netsh AdvFirewall: Manage Windows Firewall using NetShell
| Ok, this one’s about managing your Windows Firewall with Advanced Security (WFAS).
Today, most companies disable the Windows Firewall. Why? i think this has several reasons. One reason probably is that they think the LAN is safe and there is no need for a Firewall – negligent! Other reasons might be: laziness, missing understanding / know how, too less time.. Ok, in this post i want to write down some of my own experiences when managing the Windows Firewall with Advanced Security (WFAS) but also i want to show you, that there are easy ways to manage the WFAS using the Netsh command line tool. |
 |
Note: Whenever you want to switch to the graphical user interface you can just call the Windows Firewall with Advanced Security MMC using:
wf.msc
To start getting an overview of your current firewall settings i recommend opening a command prompt (cmd.exe) and type netsh. This will start the NetSh command line tool.
netsh
Then switch to the Firewall context just type AdvFirewall (note: ‘Netsh Firewall’ is depreciated. Firewall is now in sub context to AdvFirewall starting Windows Vista or Windows 7 / Windows Server 2008 (R2)– I’m not absolutely sure).
Now type show allprofiles to list the three firewall profiles (Domain Profile, Private Profile and Public Profile).
Now switch to the Firewall Context type Firewall. Well, this might be a bit confusing. I think this is because Microsoft had to keep the existing Firewall context from legacy systems like Windows XP SP2+ so they had to put the existing Firewall context below the AdvFirewall context ..
netsh AdvFirewall Firewall
To list all existing rules type: show rule name=all
To export all the rules to a textfile type
C:\>netsh advfirewall firewall show rule name=all >c:\temp\fwRules.txt
Let’s say you want to allow File and Printer Sharing for a few specific IP Addresses:
netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Session-In)" new enable=yes remoteip=192.168.0.1,192.168.0.100
netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Name-In)" new enable=yes remoteip=192.168.0.1,192.168.0.100
netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Datagram-In)" new enable=yes remoteip=192.168.0.1,192.168.0.100
netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes remoteip=192.168.0.1,192.168.0.100
To allow ping replies (enable echo / ICMP requests)
netsh advfirewall firewall add rule name="All ICMP V4" dir=in action=allow protocol=icmpv4
i might update this post with additional rules etc when i find the time .. feel free to comment!
Links
[…] ..::\ http://www.christiano.ch //::.. » Netsh AdvFirewall: Manage Windows Firewall using NetShell […]
So I see how to set File & Printer sharing, but how to query for it? What is the proper command to NETSH ADVFIREWALL SHOW?
Thanks
i tried to enable the remote desktop – remotefx for Private profile only.
when i tried below command
netsh advfirewall firewall set rule group=””remote desktop – remoteFX”” new enable=Yes profile=private
got error :
“only the enable parameter can be used to update rule”
may be i left some parameters?
try changing group= to name=
Okay, when updating an existing rule, why do you have to specify new? This broke my mind yesterday. Especially trying to refer to microsoft’s documentation.