Netsh AdvFirewall: Manage Windows Firewall using NetShell

Ok, this one’s about managing your Windows Firewall with Advanced Security (WFAS).

Today, most companies disable the Windows Firewall. Why? I think there are several reasons. One reason is probably that they think the LAN is safe and there is no need for a firewall – negligent! Other reasons might be laziness, a lack of understanding or know-how, or too little time. Ok, in this post I want to write down some of my own experiences managing the Windows Firewall with Advanced Security (WFAS), but I also want to show you that there are easy ways to manage the WFAS using the Netsh command line tool.


Note: Whenever you want to switch to the graphical user interface, you can open the Windows Firewall with Advanced Security MMC snap-in with:

wf.msc

To get an overview of your current firewall settings, I recommend opening a command prompt (cmd.exe) and typing netsh. This starts the NetSh command line tool.

netsh

Then switch to the firewall context by typing AdvFirewall (note: the old Netsh Firewall context is deprecated. Firewall is now a sub-context of AdvFirewall, starting with Windows Vista or Windows 7 / Windows Server 2008 (R2) – I’m not absolutely sure which).

Now type show allprofiles to list the three firewall profiles (Domain Profile, Private Profile and Public Profile).
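Since the post opens with companies switching the firewall off, the first thing worth checking in the show allprofiles output is whether every profile is actually ON and blocks inbound traffic by default. The following PowerShell script is an added example, not part of the original post: it parses the profile overview that netsh advfirewall show allprofiles prints and reports each profile that is disabled or that allows inbound connections by default. The $sampleProfiles text is constructed so the script runs offline; on a Windows machine replace it with the live output as noted in the comments.

```powershell
# Added example (not from the original post): audit the output of
# "netsh advfirewall show allprofiles". $sampleProfiles is constructed
# sample text; on Windows use (netsh advfirewall show allprofiles) instead.

$sampleProfiles = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
'@

function Get-FirewallProfileState {
    # Turns the "<Name> Profile Settings:" blocks into objects with the
    # State and Firewall Policy values that follow each heading.
    param([Parameter(Mandatory)][string[]]$Lines)
    $profiles = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+) Profile Settings:') {
            if ($current) { $profiles += [pscustomobject]$current }
            $current = [ordered]@{ Profile = $Matches[1]; State = $null; Policy = $null }
        }
        elseif ($current -and $line -match '^State\s+(\S+)')           { $current.State  = $Matches[1] }
        elseif ($current -and $line -match '^Firewall Policy\s+(\S+)') { $current.Policy = $Matches[1] }
    }
    if ($current) { $profiles += [pscustomobject]$current }
    return $profiles
}

function Test-FirewallProfile {
    # Emits one finding per profile that is switched off or does not
    # block inbound traffic by default.
    param([Parameter(Mandatory)][object[]]$Profiles)
    foreach ($p in $Profiles) {
        if ($p.State -ne 'ON')                  { "$($p.Profile): firewall is $($p.State)" }
        if ($p.Policy -notmatch 'BlockInbound') { "$($p.Profile): default inbound policy is $($p.Policy)" }
    }
}

$profiles = Get-FirewallProfileState -Lines ($sampleProfiles -split "`r?`n")
$findings = @(Test-FirewallProfile -Profiles $profiles)
if ($findings.Count -eq 0) {
    Write-Host 'All profiles are ON and block inbound traffic by default'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

With the constructed sample the script warns twice about the Public profile (it is OFF and its default inbound policy is AllowInbound) and stays quiet about Domain and Private.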


Now switch to the Firewall context by typing Firewall. This might be a bit confusing. I think this is because Microsoft had to keep the existing Firewall context from legacy systems like Windows XP SP2+, so they put the existing Firewall context below the AdvFirewall context.

netsh AdvFirewall Firewall

To list all existing rules, type: show rule name=all

To export all the rules to a text file, type

C:\>netsh advfirewall firewall show rule name=all >c:\temp\fwRules.txt
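An export like this is only useful if you can ask questions of it, and the obvious first question is which enabled inbound Allow rules are open to any remote address. The PowerShell below is an added example, not code from the original post: it parses the block format that netsh advfirewall firewall show rule name=all prints (one "Rule Name:" heading followed by "Field: value" lines per rule) into objects and lists the rules that match that question. The three rules in $sampleExport are constructed sample text so the script runs offline; on Windows you can feed it Get-Content of the exported file or the live netsh output instead.

```powershell
# Added example (not from the original post): parse "show rule name=all"
# output and flag enabled, inbound, Allow rules whose RemoteIP is Any.
# $sampleExport is constructed; on Windows use
#   Get-Content c:\temp\fwRules.txt   or   (netsh advfirewall firewall show rule name=all)

$sampleExport = @'
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow

Rule Name:                            File and Printer Sharing (NB-Session-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private
Grouping:                             File and Printer Sharing
LocalIP:                              Any
RemoteIP:                             192.168.0.1/32,192.168.0.100/32
Protocol:                             TCP
LocalPort:                            139
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
'@

function ConvertFrom-NetshRuleText {
    # Each "Rule Name:" line starts a new rule; every following
    # "Field: value" line becomes a property on that rule.
    param([Parameter(Mandatory)][string[]]$Lines)
    $rules = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            if ($current) { $rules += [pscustomobject]$current }
            $current = [ordered]@{ RuleName = $Matches[1] }
        }
        elseif ($current -and $line -match '^([A-Za-z ]+):\s+(.*?)\s*$') {
            # "Edge traversal" contains a space; strip it for the property name.
            $current[$Matches[1] -replace ' ', ''] = $Matches[2]
        }
    }
    if ($current) { $rules += [pscustomobject]$current }
    return $rules
}

function Find-BroadInboundRule {
    # Enabled inbound Allow rules that accept connections from any address.
    param([Parameter(Mandatory)][object[]]$Rules)
    $Rules | Where-Object {
        $_.Enabled -eq 'Yes' -and $_.Direction -eq 'In' -and
        $_.Action -eq 'Allow' -and $_.RemoteIP -eq 'Any'
    }
}

$rules = ConvertFrom-NetshRuleText -Lines ($sampleExport -split "`r?`n")
Write-Host ("Parsed {0} rules" -f @($rules).Count)
Find-BroadInboundRule -Rules $rules |
    Format-Table RuleName, Profiles, Protocol, LocalPort, RemoteIP -AutoSize
```

On the constructed sample only "Remote Desktop (TCP-In)" is reported: the DNS rule is outbound, and the NB-Session-In rule has already been scoped to two addresses, which is exactly the kind of scoping the set rule commands further down apply.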

Let’s say you want to allow File and Printer Sharing for a few specific IP addresses:

netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Session-In)" new enable=yes remoteip=192.168.0.1,192.168.0.100

netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Name-In)" new enable=yes remoteip=192.168.0.1,192.168.0.100

netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Datagram-In)" new enable=yes remoteip=192.168.0.1,192.168.0.100

netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes remoteip=192.168.0.1,192.168.0.100

To allow ping replies (i.e. accept inbound echo / ICMP requests):

netsh advfirewall firewall add rule name="All ICMP V4" dir=in action=allow protocol=icmpv4
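The four set rule commands above and the ICMP rule are easy to script together, and scripting them also makes it natural to verify the result rather than trusting that the command took effect. The PowerShell below is an added example, not code from the original post. It scopes the same File and Printer Sharing rules to the two addresses used above, then adds an inbound ICMPv4 rule that accepts echo requests only (netsh's protocol=icmpv4:8,any syntax, type 8 with any code) and only from those addresses, which is narrower than the "All ICMP V4" rule above that accepts every ICMPv4 type from anywhere. Finally it reads each rule back with show rule and warns if RemoteIP is still Any. The rule name "ICMPv4 Echo Request from trusted hosts" and the Invoke-Netsh / Get-RuleRemoteIP helpers are my own; the script has to run in an elevated PowerShell on Windows because it changes firewall rules.

```powershell
# Added example (not from the original post): scope the File and Printer
# Sharing rules to trusted hosts, allow ICMPv4 echo requests from the same
# hosts only, and verify with "show rule". Requires an elevated PowerShell.

$trustedHosts = '192.168.0.1,192.168.0.100'   # comma-separated list, as netsh expects
$sharingRules = @(
    'File and Printer Sharing (NB-Session-In)',
    'File and Printer Sharing (NB-Name-In)',
    'File and Printer Sharing (NB-Datagram-In)',
    'File and Printer Sharing (Echo Request - ICMPv4-In)'
)
$icmpRuleName = 'ICMPv4 Echo Request from trusted hosts'   # name chosen for this example

function Invoke-Netsh {
    # Runs netsh with an argument array so a rule name containing spaces is
    # passed as a single token, and throws on a non-zero exit code
    # (netsh exits 1 and prints "No rules match..." for an unknown name).
    param([Parameter(Mandatory)][string[]]$NetshArgs)
    $output = & netsh @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed: $($output -join ' ')"
    }
    return $output
}

function Get-RuleRemoteIP {
    # Returns the RemoteIP value of every rule with this name (one per profile
    # the rule exists in).
    param([Parameter(Mandatory)][string]$Name)
    Invoke-Netsh -NetshArgs @('advfirewall', 'firewall', 'show', 'rule', "name=$Name") |
        ForEach-Object { if ($_ -match '^RemoteIP:\s+(.+?)\s*$') { $Matches[1] } }
}

# 1. Restrict the existing File and Printer Sharing rules to the trusted hosts.
foreach ($rule in $sharingRules) {
    Invoke-Netsh -NetshArgs @('advfirewall', 'firewall', 'set', 'rule',
        "name=$rule", 'new', 'enable=yes', "remoteip=$trustedHosts") | Out-Null
}

# 2. Allow echo requests (ICMPv4 type 8) from the trusted hosts only.
#    "add rule" creates a duplicate if the name already exists, so check first.
$existing = (& netsh advfirewall firewall show rule "name=$icmpRuleName" 2>&1) -match '^Rule Name:'
if (-not $existing) {
    Invoke-Netsh -NetshArgs @('advfirewall', 'firewall', 'add', 'rule',
        "name=$icmpRuleName", 'dir=in', 'action=allow',
        'protocol=icmpv4:8,any', "remoteip=$trustedHosts") | Out-Null
}

# 3. Read every rule back and make sure none is still open to any remote address.
foreach ($rule in ($sharingRules + $icmpRuleName)) {
    foreach ($remote in Get-RuleRemoteIP -Name $rule) {
        if ($remote -eq 'Any') { Write-Warning "$rule is still open to any remote address" }
        else                   { Write-Host "$rule -> RemoteIP $remote" }
    }
}
```

Because set rule name=... matches every rule with that name, the File and Printer Sharing rules are updated in all profiles they exist in, and the verification loop prints one RemoteIP line per profile.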

I might update this post with additional rules etc. when I find the time .. feel free to comment!

Links

Netsh AdvFirewall Firewall Command @technet

How to use the "netsh advfirewall firewall" context instead of the "netsh firewall" context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista