The netsh advfirewall command will allow you to view and change the Microsoft Windows Firewall settings. If you type netsh advfirewall from a command prompt, you will be able to see the available options for the command.

Note: the commands below should work on Windows Vista, Windows 7, Windows 8, and Windows Server 2008.

    C:\>netsh advfirewall

    The following commands are available:

    Commands in this context:
    ?              - Displays a list of commands.
    consec         - Changes to the `netsh advfirewall consec' context.
    dump           - Displays a configuration script.
    export         - Exports the current policy to a file.
    firewall       - Changes to the `netsh advfirewall firewall' context.
    help           - Displays a list of commands.
    import         - Imports a policy file into the current policy store.
    mainmode       - Changes to the `netsh advfirewall mainmode' context.
    monitor        - Changes to the `netsh advfirewall monitor' context.
    reset          - Resets the policy to the default out-of-box policy.
    set            - Sets the per-profile or global settings.
    show           - Displays profile or global properties.

    The following sub-contexts are available:
     consec firewall mainmode monitor

    To view help for a command, type the command, followed by a space, and then
     type ?.

You can view the current firewall settings with netsh advfirewall show commands. Issuing the command netsh advfirewall show with no options will show you the options available to you for the show command.

    C:\>netsh advfirewall show

    The following commands are available:

    Commands in this context:
    show allprofiles - Displays properties for all profiles.
    show currentprofile - Displays properties for the active profile.
    show domainprofile - Displays properties for the domain properties.
    show global    - Displays the global properties.
    show privateprofile - Displays properties for the private profile.
    show publicprofile - Displays properties for the public profile.
    show store     - Displays the policy store for the current interactive session.

If I want to see the current profile, I can view it with netsh advfirewall show currentprofile.

    C:\>netsh advfirewall show currentprofile

    Domain Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.

Issuing the same command, but for allprofiles rather than just currentprofile, will show something like the following:

    C:\>netsh advfirewall show allprofiles

    Domain Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Private Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Public Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.

    C:\>

If I wished to turn the firewall off for all profiles, I could issue the command netsh advfirewall set allprofiles state off.

    C:\>netsh advfirewall set allprofiles state off
    Ok.

    C:\>netsh advfirewall show allprofiles

    Domain Profile Settings:
    ----------------------------------------------------------------------
    State                                 OFF
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Private Profile Settings:
    ----------------------------------------------------------------------
    State                                 OFF
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Public Profile Settings:
    ----------------------------------------------------------------------
    State                                 OFF
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.

    C:\>

To turn the firewall back on for all profiles, use the command netsh advfirewall set allprofiles state on.

    C:\>netsh advfirewall set allprofiles state on
    Ok.

    C:\>

If I wish to open a port on the firewall, I can use a netsh advfirewall firewall add rule command. E.g., on a Windows 7 system on which I'm running Copssh OpenSSH for Windows software to allow SSH connectivity to the system for remote management of it, I want to allow port 22 connectivity through the firewall. I can use the command below to allow that connectivity.

    C:\>netsh advfirewall firewall add rule name="SSH Port 22" dir=in action=allow protocol=TCP localport=22
    Ok.

    C:\>

Or, if I already had a rule named "Copssh", I could check that rule with a netsh advfirewall firewall show rule command as in the instance below.

    C:\>netsh advfirewall firewall show rule name="Copssh"

    Rule Name:                            Copssh
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Direction:                            In
    Profiles:                             Domain,Private,Public
    Grouping:
    LocalIP:                              Any
    RemoteIP:                             Any
    Protocol:                             TCP
    LocalPort:                            22
    RemotePort:                           Any
    Edge traversal:                       No
    Action:                               Allow

    Ok.

    C:\>
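
The show allprofiles and show rule output above can be checked automatically once it has been saved to a file. The following is an added example, not part of the original page: a Python audit of captured netsh text that flags a profile whose state is not ON, a profile that does not log dropped connections, and an enabled inbound allow rule open to any remote address on the Public profile. The function names, the finding messages and the abridged sample are assumptions made for the illustration.

```python
import re

# Constructed sample: abridged netsh profile and rule output, Public set to OFF.
SAMPLE = """\
Domain Profile Settings:
State                                 ON
LogDroppedConnections                 Disable
Public Profile Settings:
State                                 OFF
LogDroppedConnections                 Enable

Rule Name:                            Copssh
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
LocalPort:                            22
Action:                               Allow
"""
HEADER = re.compile(r"^(?:(\w+) Profile Settings:|Rule Name:\s+(.+?))\s*$")

def parse_blocks(text):
    """Split netsh output into (kind, name, {key: value}) blocks."""
    blocks = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # start of a new profile or rule block
            blocks.append(("profile" if m.group(1) else "rule", m.group(1) or m.group(2), {}))
        elif blocks:  # "Key   Value" or "Key:   Value"; rulers and "Ok." do not split
            kv = re.split(r":?\s{2,}", line.strip(), maxsplit=1)
            if len(kv) == 2:
                blocks[-1][2][kv[0]] = kv[1]
    return blocks

def audit(text):
    """Flag disabled profiles, missing drop logging and unscoped inbound allow rules."""
    findings = []
    for kind, name, cfg in parse_blocks(text):
        if kind == "profile":
            if cfg.get("State") != "ON":
                findings.append(f"{name} profile: firewall state is {cfg.get('State')}")
            if cfg.get("LogDroppedConnections") == "Disable":
                findings.append(f"{name} profile: dropped connections are not logged")
        elif (cfg.get("Enabled"), cfg.get("Direction"), cfg.get("Action")) == ("Yes", "In", "Allow"):
            if cfg.get("RemoteIP") == "Any" and "Public" in cfg.get("Profiles", ""):
                findings.append(f"rule {name}: port {cfg.get('LocalPort')} allowed from any address on Public")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the outputs shown on this page, it would report disabled drop logging on all three profiles and the Copssh rule, which allows port 22 from any address on every profile.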