You can determine if the Microsoft Windows Firewall is enabled from a command line interface (CLI) by opening a command prompt window and using the netsh command netsh advfirewall show currentprofile. If it is enabled, you will see the "State" value is set to "ON".
C:\Users\nell>netsh advfirewall show currentprofile

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Ok.

C:\Users\nell>
If you want to check on whether inbound access is permitted through the firewall for a particular port or application, you can search for it with a netsh advfirewall firewall show rule name=all dir=in command. Since there will likely be many lines of output, you can filter the output for a particular port or application name by piping it to the find command. E.g., if I want to check on whether a rule is in place for an SSH server application, I can have find look for "SSH".
C:\Users\nell>netsh advfirewall firewall show rule name=all dir=in | find "SSH"
Rule Name:                            Bitvise SSH Server (TCP/IPv6 22)
Grouping:                             Bitvise SSH Server
Rule Name:                            Bitvise SSH Server (TCP/IPv4 22)
Grouping:                             Bitvise SSH Server

C:\Users\nell>
Once I've identified the full name for the rule, I can use it to view the details for the relevant rule.
C:\Users\nell>netsh advfirewall firewall show rule name="Bitvise SSH Server (TCP/IPv4 22)"

Rule Name:                            Bitvise SSH Server (TCP/IPv4 22)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:                             Bitvise SSH Server
LocalIP:                              0.0.0.0-255.255.255.255
RemoteIP:                             LocalSubnet
Protocol:                             TCP
LocalPort:                            22
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.

C:\Users\nell>
In the case above, the rule is active only for the "domain" and "private" network profiles, but not the "public" profile.
Note: you can also see this information through a graphical user interface (GUI) on a Windows 10 system by taking the following steps:
For the GUI method, I could, at the point above, click on the check box for "Public" for the "Bitvise SSH Server" entry and then click on OK to allow inbound Secure Shell (SSH) access when the system is connected to any network.
Or for the command prompt method, I could use a netsh advfirewall firewall set rule command. The syntax for the command can be viewed by issuing a netsh advfirewall firewall set rule /? command.
C:\>netsh advfirewall firewall set rule /?

Usage: set rule
      group=<string> | name=<string>
      [dir=in|out]
      [profile=public|private|domain|any[,...]]
      [program=<program path>]
      [service=service short name|any]
      [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any]
      [remoteport=0-65535|<port range>[,...]|any]
      [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
         tcp|udp|any]
      new
      [name=<string>]
      [dir=in|out]
      [program=<program path>
      [service=<service short name>|any]
      [action=allow|block|bypass]
      [description=<string>]
      [enable=yes|no]
      [profile=public|private|domain|any[,...]]
      [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [localport=0-65535|RPC|RPC-EPMap|any[,...]]
      [remoteport=0-65535|any[,...]]
      [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
         tcp|udp|any]
      [interfacetype=wireless|lan|ras|any]
      [rmtcomputergrp=<SDDL string>]
      [rmtusrgrp=<SDDL string>]
      [edge=yes|deferapp|deferuser|no (default=no)]
      [security=authenticate|authenc|authdynenc|notrequired]

Remarks:

      - Sets a new parameter value on an identified rule. The command fails
        if the rule does not exist. To create a rule, use the add command.
      - Values after the new keyword are updated in the rule. If there are
        no values, or keyword new is missing, no changes are made.
      - A group of rules can only be enabled or disabled.
      - If multiple rules match the criteria, all matching rules will be
        updated.
      - Rule name should be unique and cannot be "all".
      - If a remote computer or user group is specified, security must be
        authenticate, authenc or authdynenc.
      - Setting security to authdynenc allows systems to dynamically
        negotiate the use of encryption for traffic that matches a given
        Windows Firewall rule. Encryption is negotiated based on existing
        connection security rule properties. This option enables the ability
        of a machine to accept the first TCP or UDP packet of an inbound
        IPsec connection as long as it is secured, but not encrypted, using
        IPsec. Once the first packet is processed, the server will
        re-negotiate the connection and upgrade it so that all subsequent
        communications are fully encrypted.
      - Authdynenc is valid only when dir=in.
      - If action=bypass, the remote computer group must be specified when
        dir=in.
      - If service=any, the rule applies only to services.
      - ICMP type or code can be "any".
      - Edge can only be specified for inbound rules.

Examples:

      Change the remote IP address on a rule called "allow80":
      netsh advfirewall firewall set rule name="allow80" new
      remoteip=192.168.0.2

      Enable a group with grouping string "Remote Desktop":
      netsh advfirewall firewall set rule group="remote desktop" new
      enable=yes

      Change the localports on the rule "Allow port range" for udp-
      Set rule name="Allow port range" dir=out protocol=udp
      localport=5000-5020 action=allow

C:\>
The syntax for the command I would need to use to add the public profile to the list of network profiles for which SSH access is permitted is shown below:
C:\Users\nell>netsh advfirewall firewall set rule name="Bitvise SSH Server (TCP/IPv4 22)" new profile=public

The requested operation requires elevation (Run as administrator).

C:\Users\nell>
But, in the above example, the command did not work because I was at a regular command prompt window when I issued the command. You need to open a command prompt window with administrator permission to create a new firewall rule or modify an existing one. If you don't know how to open a command prompt window with administrator privilege, see Obtaining a Command Prompt on a Windows 8 System; method 2 will also work on a Windows 10 system.
To add the "public" profile to the list of profiles for which the SSH rule is enabled, I could use the command below:
C:\windows\system32>netsh advfirewall firewall set rule name="Bitvise SSH Server (TCP/IPv4 22)" new profile=any

Updated 1 rule(s).
Ok.

C:\windows\system32>netsh advfirewall firewall show rule name="Bitvise SSH Server (TCP/IPv4 22)"

Rule Name:                            Bitvise SSH Server (TCP/IPv4 22)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Bitvise SSH Server
LocalIP:                              0.0.0.0-255.255.255.255
RemoteIP:                             LocalSubnet
Protocol:                             TCP
LocalPort:                            22
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.

C:\windows\system32>
Note: you need to include "new" in the command to modify an existing rule. And to add "public" to "domain" and "private", I needed to specify "any". If I used "public" rather than "any", then that rule would be modified to only allow access through the firewall for the Bitvise SSH Server application for the public network profile as shown below:
C:\windows\system32>netsh advfirewall firewall set rule name="Bitvise SSH Server (TCP/IPv4 22)" new profile=public

Updated 1 rule(s).
Ok.

C:\windows\system32>netsh advfirewall firewall show rule name="Bitvise SSH Server (TCP/IPv4 22)"

Rule Name:                            Bitvise SSH Server (TCP/IPv4 22)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Public
Grouping:                             Bitvise SSH Server
LocalIP:                              0.0.0.0-255.255.255.255
RemoteIP:                             LocalSubnet
Protocol:                             TCP
LocalPort:                            22
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.

C:\windows\system32>
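As an added example (not part of the original article and not netsh's own code), the Python script below parses the "show rule" output format shown above into records, reports which network profiles expose a given port through an enabled inbound Allow rule, and computes the value to pass after "new profile=" so that an existing profile list is kept when another profile is added, since, as shown above, profile=public replaces the list rather than extending it. The sample output is constructed from the SSH rule on this page plus a hypothetical web-server rule.

```python
"""Parse 'netsh advfirewall firewall show rule' output and audit which profiles expose a port."""
# Constructed sample modelled on the output shown on this page; not captured from a real host.
# Field padding is irrelevant because the parser splits each line on its first colon.
SAMPLE = "\n".join([
    "Rule Name: Bitvise SSH Server (TCP/IPv4 22)", "-" * 70, "Enabled: Yes", "Direction: In",
    "Profiles: Domain,Private", "Grouping: Bitvise SSH Server",
    "LocalIP: 0.0.0.0-255.255.255.255", "RemoteIP: LocalSubnet", "Protocol: TCP",
    "LocalPort: 22", "RemotePort: Any", "Edge traversal: No", "Action: Allow", "",
    "Rule Name: Web Server (TCP 80)", "-" * 70, "Enabled: Yes", "Direction: In",  # hypothetical
    "Profiles: Public", "Grouping: Web", "LocalIP: Any", "RemoteIP: Any", "Protocol: TCP",
    "LocalPort: 80", "RemotePort: Any", "Edge traversal: No", "Action: Allow", "Ok.",
])

PROFILES = ("Domain", "Private", "Public")

def parse_rules(text):
    """Return one dict per rule, keyed by the field names netsh prints ('Rule Name', 'Profiles', ...)."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):          # each rule block opens with its name
            current = {}
            rules.append(current)
        if current is None or line.startswith("-") or ":" not in line:
            continue                                # separator rows, blank lines, trailing "Ok."
        key, _, value = line.partition(":")         # first colon only: IPv6 values contain colons
        current[key.strip()] = value.strip()
    return rules

def inbound_allow_profiles(rules, port, protocol="TCP"):
    """Profiles on which at least one enabled inbound Allow rule opens the given local port."""
    exposed = set()
    for r in rules:
        if (r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                and r.get("Action") == "Allow" and r.get("Protocol", "").upper() == protocol
                and r.get("LocalPort") == str(port)):
            profs = r.get("Profiles", "")           # defensively treat a literal "Any" as all three
            exposed |= set(PROFILES) if profs == "Any" else set(profs.split(","))
    return sorted(exposed)

def profile_value(current, add):
    """Value for 'new profile=' that keeps the rule's current profiles and adds the given ones.
    netsh replaces the list instead of appending, so the union is computed here: 'any' when all
    three profiles result, otherwise the comma list the usage text allows (any[,...])."""
    union = set(current.split(",")) | set(add)
    if union >= set(PROFILES):
        return "any"
    return ",".join(p.lower() for p in PROFILES if p in union)
```

Feed it the real output of netsh advfirewall firewall show rule name=all dir=in (saved to a file, or read from the command's stdout) to audit every inbound rule on a host instead of the constructed sample.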