Typing the command firewall at the netsh advfirewall context changes to the Netsh AdvFirewall Firewall context, where you can view, create, and modify firewall rules. This context is the command-line equivalent to the Inbound Rules and Outbound Rules nodes of the Windows Firewall with Advanced Security MMC snap-in.
Note This context is different from the netsh firewall context. You can only run the command netsh advfirewall firewall, or apply policies created with that command, on computers that are running Windows Vista or Windows Server 2008. The netsh firewall context is backwards compatible with Windows XP and Windows Server 2003, but only enables you to configure a subset of what the advfirewall firewall context supports. For more information about the netsh firewall context, see Netsh Commands for Windows Firewall.
Important The netsh firewall context is supplied only for backward compatibility. We recommend that you do not use this context on a computer that is running Windows Vista or a later version of Windows, because by using it you can create and modify firewall rules only for the domain and private profiles. Earlier versions of Windows only supported a domain and standard profile. On Windows Vista and later, the standard profile maps to the private profile and domain continues to map to the domain profile. Rules for the public profile can only be manipulated when the computer is actually attached to a public network and the command is run against the "current" profile.
Starting in Windows® 7 and Windows Server® 2008 R2, running any command in the firewall context produces the following message:
IMPORTANT: “netsh firewall” is deprecated; use “netsh advfirewall firewall” instead. For more information on using “netsh advfirewall firewall” commands instead of “netsh firewall”, see KB article 947709 at http://go.microsoft.com/fwlink?linkid=121488.
The following sections describe the syntax of the commands available in the Firewall context:
add
In the netsh advfirewall firewall context, the add command only has one variation, the add rule command.
add rule
Adds a new inbound or outbound firewall rule that filters traffic by allowing or blocking network packets that match the specified criteria.
Syntax
add rule
name = RuleName
dir = { in | out }
action = { allow | block | bypass }
[ program = ProgramPath\FileName ]
[ service = { ServiceShortName | any } ]
[ description = RuleDescription ]
[ enable = { yes | no } ]
[ profile = { public | private | domain | any | [ ,... ] } ]
[ localip = { Addresses } ]
[ remoteip = { Addresses } ]
[ localport = { any | Integer | rpc | rpc-epmap | iphttps | teredo | [ ,... ] } ]
[ remoteport = { any | Integer | [ ,... ] } ]
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
[ interfacetype = { any | wireless | lan | ras } ]
[ rmtcomputergrp = SDDLString ]
[ rmtusrgrp = SDDLString ]
[ edge = { yes | deferapp | deferuser | no } ]
[ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]
Parameters
- name = RuleName
- Required. Specifies the name of this firewall rule. The name should be unique, and must not be "all".
- dir = { in | out }
- Required. Specifies whether this rule matches inbound or
outbound network traffic. dir can be any of the following
values:
- in. The rule matches only inbound
network traffic that is arriving at the computer. This rule appears
in the Windows Firewall with Advanced Security MMC snap-in under
Inbound Rules.
- out. The rule matches only outbound
network traffic that is sent by the computer. This rule appears in
the Windows Firewall with Advanced Security MMC snap-in under
Outbound Rules.
- action = { allow | block | bypass }
- Required. Specifies what Windows Firewall with Advanced
Security does to filter network packets that match the criteria
specified in this rule. action can be one of the following:
- allow. Network packets that match all
criteria specified in this rule are permitted through the
firewall.
- block. Network packets that match all
criteria specified in this rule are dropped by the firewall.
- bypass. If dir=in, then this
option is valid only for rules that have one or more accounts
listed in rmtcomputergrp and optionally rmtusrgrp.
Network packets that match this rule and that are successfully
authenticated against a computer account specified in
rmtcomputergrp and against a user account identified in
rmtusrgrp are permitted through the firewall. If you specify
this option, then you cannot set security=notrequired. This
option is the equivalent to the Override block rules
checkbox in the Windows Firewall with Advanced Security MMC
snap-in.
For computers that are running Windows 7 or Windows Server 2008 R2, action=bypass is permitted on an outbound rule. Selecting this option on an outbound rule causes matching traffic to be permitted through this rule even if other matching rules would block the traffic. No accounts are required in rmtcomputergrp or rmtusrgrp for an outbound bypass rule; however, if authorized or excepted computers are listed in those groups, they will be enforced.
The action=bypass option on an outbound rule is not valid on computers that are running earlier versions of Windows.
- [ program = ProgramPath\FileName ]
- Specifies that network traffic generated by the identified
executable program matches this rule.
Caution Creating firewall rules for hosting processes such as svchost.exe can lead to unpredictable behavior in Windows Firewall with Advanced Security. Starting in Windows Vista, the security of Windows network services was increased by using predefined, built-in firewall rules. Creating new rules referencing services that are already protected by the built-in rules might result in conflicts or undesired side-effects.
- [ service = { ServiceShortName | any } ]
- Specifies that traffic generated by the identified service matches this rule. The ServiceShortName for a service can be found in the Services MMC snap-in, by right-clicking the service, selecting Properties, and examining Service Name. If service is not specified, then network traffic generated by any program or service matches this rule.
- [ description = RuleDescription ]
- Provides information about the firewall rule.
- [ enable = { yes | no } ]
- Specifies whether the rule is currently enabled. If enable is not specified, the default is yes.
- [ profile = { public | private | domain | any | [ ,... ] } ]
- Specifies the profile(s) to which the firewall rule is assigned. The rule is active on the local computer only when the specified profile is currently active. You can include multiple entries for profile by separating them with a comma. Do not include any spaces. If profile is not specified, the default is any.
- [ localip = { Addresses } ]
- Specifies that network packets with matching IP addresses match
this rule. localip is compared to the Destination IP address
field of an inbound network packet. It is compared to the Source IP
address field of an outbound network packet. localip can be
any of the following values:
- any. Matches any IP address.
- IPAddress. Matches only the exact IPv4
or IPv6 address.
- IPSubnet. Matches any IPv4 or IPv6
address that is part of the specified subnet. The format is the
subnet address, followed by '/' and then either the number of bits
in the subnet mask or the subnet mask itself.
- IPRange. Matches any IPv4 or IPv6
addresses that fall within the specified range. The format is the
starting and ending IP addresses of the range separated by a
'-'.
- [ remoteip = { Addresses } ]
- Specifies that network packets with matching IP addresses match
this rule. remoteip is compared to the Destination IP
address field of an outbound network packet. It is compared to the
Source IP address field of an inbound network
packet. remoteip can be any of the following values:
- any. Matches any IP address.
- localsubnet. Matches any IP address
that is on the same IP subnet as the local computer.
- dns|dhcp|wins|defaultgateway. Matches
the IP address of any computer that is configured as the identified
server type on the local computer.
- IPAddress. Matches only the exact IPv4
or IPv6 address specified.
- IPSubnet. Matches any IPv4 or IPv6
address that is part of the specified subnet. The format is the
subnet address, followed by '/' and then either the number of bits
in the subnet mask or the subnet mask itself.
- IPRange. Matches any IPv4 or IPv6
addresses that fall within the specified range. The format is the
starting and ending IP addresses of the range separated by a
'-'.
- [ localport = { any | Integer | rpc | rpc-epmap | iphttps | teredo | [ ,... ] } ]
- Specifies that network packets with matching IP port numbers
match this rule. localport is compared to the Source
Port field of an outbound network packet. It is compared to the
Destination Port field of an inbound network
packet. localport can be any of the following values:
- any. Matches any value in the port
field of the IP packet.
- Integer. Specifies the exact port
number that must be present for the packet to match the rule. The
port values can be individual numbers from 0 through 65535, a
range, such as 5000-5020, or a comma-separated list of
numbers and ranges.
Note Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.
- rpc. Matches inbound TCP packets that
are addressed to the listening socket of an application that
correctly registers the port as an RPC listening port. A rule with
this option must also specify protocol = tcp, and
dir = in. We recommend that you also specify the
appropriate program = ProgramName and/or
service = ServiceName options to ensure
that only the correct service can send or receive traffic by using
this rule. This option eliminates the need to know the specific
port numbers assigned to the application when it starts.
- rpc-epmap. Matches inbound TCP packets
that are addressed to the dynamic RPC endpoint mapper service. A
rule with this option must also specify
protocol = tcp, and dir = in. We
recommend that you also specify
program = %windir%\system32\svchost.exe, and
service = rpcss to ensure that only the RPC
service can send or receive network traffic by using this rule.
This option eliminates the need to know the specific port numbers
assigned to the service when it starts. If you have one or more
rules that specify localport = rpc, then you must
also create a rule with localport = rpc-epmap
enabled. This allows both the incoming request to the mapper, and
the subsequent packets to the ephemeral ports assigned by the RPC
service.
- teredo. Matches inbound UDP packets
that contain Teredo packets. Teredo is an IPv4 to IPv6 transition
technology that allows IPv4 computers to communicate with IPv6
computers.
- iphttps. Matches inbound TCP packets
that carry HTTPS with embedded IPv6 packets. IP-HTTPS is a
firewall traversal protocol that tunnels IPv6 packets that would
otherwise be blocked if sent by using Teredo, 6to4, or native IPv6.
HTTPS is almost universally permitted through a firewall, so IP
over HTTPS is another mechanism that can be used when a firewall
does not support other edge traversal protocols. The iphttps
option is valid on computers that are running Windows 7 or
Windows Server 2008 R2 only, and is ignored if applied by
Group Policy to computers that are running earlier versions of
Windows.
- [ remoteport = { any | Integer | [ ,... ] } ]
- Specifies that network packets with matching IP port numbers
match this rule. remoteport is compared to the Destination
Port field of an outbound network packet. It is compared to the
Source Port field of an inbound network packet. remoteport
can be any of the following values:
- any. Matches any value in the port
field of the IP packet.
- Integer. Specifies the exact port
number that must be present for the packet to match the rule. The
port values can be individual numbers, a range, such as
5000-5020, or a comma-separated list of numbers and
ranges.
Note Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.
- [ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
- Specifies that network packets with a matching IP protocol
match this rule. protocol can be any of the following values:
- any. Matches any value in the Protocol
field of the IP packet.
- Integer. Specifies the protocol by
number that must be present for the packet to match the rule. The
value can range from 0 through 255.
- icmpv4. Specifies that all ICMP v4
packets match this rule.
- icmpv6. Specifies that all ICMP v6
packets match this rule.
- icmpv4:type,code. Specifies that only ICMP v4 network packets with the
specified type and code match this rule. type and
code can each be either the keyword any, or an
integer ranging from 0 to 255.
- icmpv6:type,code. Specifies that only ICMP v6 network packets with the
specified type and code match this rule. type and
code can each be either the keyword any, or an
integer ranging from 0 to 255.
- tcp. Specifies that only TCP traffic
addressed to or from the ports identified by localport and
remoteport matches this rule.
- udp. Specifies that only UDP traffic
addressed to or from the ports identified by localport and
remoteport matches this rule.
- [ interfacetype = { any | wireless | lan | ras } ]
- Specifies that only network packets passing through the
indicated interface types match this rule. Using this parameter
allows you to specify different firewall requirements for each of
the three main network types. The value must be one of the
following:
- any. Network packets passing through
any of the interface types match this rule.
- wireless. Network packets that pass
through a wireless network adapter match this rule.
- lan. Network packets that pass through
a wired LAN adapter match this rule.
- ras. Network packets that pass through
a RAS interface, such as a VPN or dial-up network connection match
this rule.
- [ rmtcomputergrp = SDDLString ]
- Specifies that only network packets that are authenticated as coming from or going to a computer identified in the list of computer and group accounts match this rule. If rmtcomputergrp is specified, then security must be set to either authenticate or authenc. If action=bypass, then at least one computer or computer group account must be specified in rmtcomputergrp. For rmtcomputergrp to match, the network traffic must be authenticated using a credential that carries computer account information.
- [ rmtusrgrp = SDDLString ]
- Specifies that only network packets that are authenticated as coming from or going to a user identified in the list of user and group accounts match this rule. If rmtusrgrp is specified, then security must be set to either authenticate or authenc. For rmtusrgrp to match, the network traffic must be authenticated using a credential that carries user account information.
- [ edge = { yes | deferapp | deferuser | no } ]
- Valid only when dir=in. Specifies that traffic that traverses an edge device, such as a Network Address Translation (NAT) enabled router, between the local and remote computer matches this rule. The deferapp and deferuser options are valid on computers running Windows 7 and Windows Server 2008 R2 only. If set to deferapp or deferuser, then Windows allows the application or user to programmatically register with the firewall to receive inbound unsolicited application traffic from the edge device. This option is the equivalent of the Allow edge traversal checkbox in the Windows Firewall with Advanced Security MMC snap-in. If edge is not specified, the default is no.
- [ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]
- Specifies that only network packets protected with the
specified type of IPsec options match this rule. security can
be one of the following values:
- authenticate. Network packets that are
authenticated by IPsec match this rule. You must create a separate
connection security rule to authenticate the traffic. This option
is the equivalent of the Allow only secure connections in
the Windows Firewall with Advanced Security MMC snap-in.
- authenc. Network packets that are
authenticated and encrypted by IPsec match this rule. You must
create a separate connection security rule to authenticate and
encrypt the traffic. This option is the equivalent of the
Require encryption option in the Windows Firewall with
Advanced Security MMC snap-in.
- authdynenc. Network packets that are
authenticated by IPsec match this rule, and if the initial packet
is not already encrypted, then a new quick mode SA is negotiated
with the remote host to encrypt the connection. All succeeding
packets are authenticated and encrypted. If the negotiation of a
quick mode encryption SA fails, then the firewall blocks the
connection. You must create a separate connection security rule
that requires authentication and encryption to permit negotiation
of an appropriate encrypted SA. This option is the equivalent of
the Allow systems to dynamically negotiate encryption in the
Windows Firewall with Advanced Security MMC snap-in.
Note This option is valid for inbound firewall rules only. This option is available only on computers that are running Windows 7 or Windows Server 2008 R2. Group Policies created with this option are compatible with computers that are running Windows Vista or later versions of Windows.
- authnoencap. Network connections that
are authenticated, but not encapsulated by ESP or AH match this
rule. This option is useful for connections that must be monitored
by network equipment, such as intrusion detection systems (IDS),
that are not compatible with ESP NULL-protected network packets.
The initial connection is authenticated by IPsec by using AuthIP,
but the quick mode SA permits cleartext traffic. To use this
option, you must also configure a connection security rule that
specifies authnoencap as a quick mode security method.
Note This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.
- notrequired. Any network packet
matches this rule, whether or not it is protected by IPsec. This
option is the equivalent of not selecting the Allow only secure
connections option in the Windows Firewall with Advanced
Security MMC snap-in.
Remarks
- Rules that specify port ranges can be created
by using netsh on Windows 7 and Windows
Server 2008 R2 only. However, rules with port ranges that
are applied to computers running Windows Vista and Windows
Server 2008 by using Group Policy work correctly.
- Do not create a firewall rule with the name
all. Doing this creates a conflict with the netsh
option to select all firewall rules (for example, delete rule
name=all).
- If rmtcomputergrp or rmtusrgrp
is specified, then the network traffic must also match a connection
security rule that authenticates the connection. The authentication
protocol used must include identification of a computer or user
account, such as Kerberos v5, NTLM v2, or a computer certificate
with account mapping enabled.
- Do not set both edge=yes and
remoteip=localsubnet. They are conflicting options and
result in the firewall blocking all network traffic from outside
the edge device.
- For more information about SDDL strings and
their format, see "Security Descriptor String Format" (http://go.microsoft.com/fwlink/?linkid=109950) on the
Microsoft MSDN Web site.
One way to find the SDDL strings for computer, user, or group accounts is to use the Windows Firewall with Advanced Security MMC snap-in to create a temporary firewall rule. If the accounts of interest are domain accounts, you must run the snap-in on a computer that is joined to the domain with the accounts. Be sure to disable the rule so that it cannot interfere with any network traffic. On the Users and Computers tab, select Only allow connections from these computers, and then click the Add button to find the computer or machine group account of interest. You can also select the Only allow connections from these users, and then click the Add button to find the user or group account of interest. After creating the rule, you can use the command netsh advfirewall firewall show rule name=rulename verbose to view the SDDL string for that computer or group. Be sure to delete the temporary rule when you are finished.
- The localport=teredo option is valid
for protocol=udp only.
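The SDDL lookup procedure in the Remarks above (temporary GUI rule, show rule verbose, delete) can be automated. The script below is an added example, not code from the original page: it translates account names to SIDs with the .NET NTAccount class, builds strings of the D:(A;;CC;;;SID) shape that rmtcomputergrp and rmtusrgrp take, creates the rule disabled with security=authenticate (required whenever either group parameter is set), and reads it back with show rule verbose so the stored SDDL can be confirmed. The group names and rule name are placeholders, and the assumption that netsh signals failure through a nonzero exit code is the example's own.

```powershell
# Added example, not part of the original page. Builds the SDDL strings that
# rmtcomputergrp and rmtusrgrp expect and creates an authenticated inbound rule.
# Assumes: run elevated on a domain-joined computer; the group names passed in
# exist; netsh signals failure with a nonzero exit code ($LASTEXITCODE).
#Requires -RunAsAdministrator

function ConvertTo-FirewallSddl {
    # Translate "DOMAIN\Name" into the D:(A;;CC;;;SID) form used by the rule
    # parameters. The SID lookup is done by .NET, so no temporary GUI rule is needed.
    param([Parameter(Mandatory)][string]$Account)
    $ntAccount = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Account
    $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return "D:(A;;CC;;;$sid)"
}

function Add-AuthenticatedRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ComputerGroup,   # e.g. "CONTOSO\Domain Computers"
        [Parameter(Mandatory)][string]$UserGroup        # e.g. "CONTOSO\Domain Admins"
    )
    $computerSddl = ConvertTo-FirewallSddl -Account $ComputerGroup
    $userSddl     = ConvertTo-FirewallSddl -Account $UserGroup

    # security=authenticate is mandatory when rmtcomputergrp or rmtusrgrp is set;
    # a separate connection security rule must still authenticate the traffic.
    # The rule is created disabled so it can be reviewed before it affects traffic.
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        security=authenticate enable=no `
        rmtcomputergrp="$computerSddl" rmtusrgrp="$userSddl" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not add rule '$Name'" }

    # Read the rule back; the verbose listing includes the stored SDDL strings,
    # which is the check the Remarks recommend before relying on the rule.
    return (netsh advfirewall firewall show rule name="$Name" verbose)
}

# Placeholder group names (constructed for this example); replace with the
# computer and user groups of interest.
Add-AuthenticatedRule -Name "Allow Authenticated Contoso Admins" `
    -ComputerGroup "CONTOSO\Domain Computers" -UserGroup "CONTOSO\Domain Admins"
```

Because the rule is created with enable=no, it can be inspected and then switched on with set rule name="..." new enable=yes once the connection security rule that authenticates the traffic is in place; the translation step throws if an account name cannot be resolved, which on a non-domain-joined machine is the usual cause.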
Examples
- The following command creates an outbound
rule to block all traffic from the local computer that originates
on TCP port 80.
add rule name="Block Outbound Port 80" dir=out localport=80 protocol=TCP action=block
- The following command creates a rule that
blocks all inbound traffic from all WINS servers:
add rule name="Block WINS" dir=in action=block remoteip=wins
- The following command creates an inbound rule
that allows traffic for the Windows Messenger program only from
computers on the same subnet as the local computer.
add rule name="Allow Messenger" dir=in program="c:\program files\messenger\msmsgs.exe" remoteip=localsubnet action=allow
- The following command creates a rule that
permits inbound Windows Messenger network traffic only if the
connection from the remote computer is authenticated by using a
separate connection security rule.
add rule name="Allow Authenticated Messenger" dir=in program="c:\program files\messenger\msmsgs.exe" security=authenticate action=allow
- The following command creates a rule that
allows all network traffic from computers that are members of a
specific computer group, and only from users that are members of a
specific user group. Both memberships must be confirmed by
authentication using a separate connection security rule. The
actual SDDL strings to use should be determined by referring to the
SDDL documentation and steps identified in the Remarks
section above.
add rule name="Allow Only Specific Computers and Users" dir=in rmtcomputergrp="D:(A;;CC;;;SIDforMachineGroupAccount)" rmtusrgrp="D:(A;;CC;;;SIDforUserGroupAccount)" action=bypass security=authenticate
- The following two commands create rules that
prevent all wireless network traffic:
add rule name="Block Wireless In" dir=in interfacetype=wireless action=block
add rule name="Block Wireless Out" dir=out interfacetype=wireless action=block
- The following command creates a rule to allow
TCP traffic addressed to port 12345 and the range of ports
5000-5020 to a specific application from computers on the remote
side of an edge (NAT) device, using the Teredo IPv6 interface:
add rule name="Allow TCP 12345 and 5000-5020 over Teredo" dir=in action=allow edge=yes remoteip=any protocol=TCP localport=12345,5000-5020 program="c:\program files\TestIPv6App.exe"
Note Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.
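The rpc and rpc-epmap values described under localport must be used as a pair, and the page recommends binding each rule to the program and service that actually owns the port. The script below is an added example (not code from the original page) that creates that pair disabled, checks each add, and then uses set rule ... new enable=yes to turn both on only after confirming they exist. The application path, rule base name and service short name "MyRpcService" are placeholders; the endpoint mapper binding to svchost.exe and service rpcss follows the page's own recommendation. That show rule returns a nonzero exit code when no rule matches is this example's assumption.

```powershell
# Added example, not part of the original page. Creates the rpc-epmap / rpc
# inbound rule pair the localport description calls for, restricted to the
# program and service that register the ports, then enables both with set rule.
# Assumes: elevated session; netsh signals failure via a nonzero $LASTEXITCODE;
# "show rule" with a non-matching name also exits nonzero (assumption).
#Requires -RunAsAdministrator

function Add-RpcRulePair {
    param(
        [Parameter(Mandatory)][string]$RuleBaseName,
        [Parameter(Mandatory)][string]$Program,   # path of the RPC application
        [Parameter(Mandatory)][string]$Service    # its service short name
    )
    $svchost = "$env:windir\system32\svchost.exe"

    # 1. Endpoint mapper rule: required whenever a localport=rpc rule exists.
    #    Bound to svchost.exe / rpcss as the page recommends.
    netsh advfirewall firewall add rule name="$RuleBaseName - EPMAP" dir=in action=allow `
        protocol=tcp localport=rpc-epmap program="$svchost" service=rpcss enable=no | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "failed to add endpoint mapper rule" }

    # 2. Dynamic port rule: matches only the port the named program/service
    #    registers with RPC, so no fixed port number needs to be known.
    netsh advfirewall firewall add rule name="$RuleBaseName - RPC" dir=in action=allow `
        protocol=tcp localport=rpc program="$Program" service="$Service" enable=no | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "failed to add RPC rule" }
}

function Enable-RpcRulePair {
    param([Parameter(Mandatory)][string]$RuleBaseName)
    foreach ($suffix in "EPMAP", "RPC") {
        $name = "$RuleBaseName - $suffix"
        # Confirm the rule exists before modifying it; enabling only one half
        # of the pair would leave RPC traffic half-open or fully blocked.
        netsh advfirewall firewall show rule name="$name" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "rule '$name' not found; nothing enabled" }
        netsh advfirewall firewall set rule name="$name" new enable=yes | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "failed to enable rule '$name'" }
    }
}

# Placeholder values constructed for this example.
Add-RpcRulePair -RuleBaseName "Contoso RPC App" `
    -Program "C:\Program Files\Contoso\rpcapp.exe" -Service "MyRpcService"
Enable-RpcRulePair -RuleBaseName "Contoso RPC App"
```

Creating the rules disabled and enabling them in a second step keeps the window in which only the endpoint mapper rule is live as short as possible, and the existence check before set rule avoids silently enabling nothing when a name was mistyped.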
delete
In the netsh advfirewall firewall context, the delete command only has one variation, the delete rule command.
delete rule
Deletes all firewall rules that match the specified criteria.
Syntax
delete rule
name = { all | RuleName }
[ dir = { in | out } ]
[ profile = { public | private | domain | any | [ ,... ] } ]
[ program = ProgramPath\FileName ]
[ service = { ServiceShortName | any } ]
[ localip = { Addresses } ]
[ remoteip = { Addresses } ]
[ localport = { any | Integer | rpc | rpc-epmap | teredo | [ ,... ] } ]
[ remoteport = { any | Integer | [ ,... ] } ]
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp }]
Parameters
- name = { all | RuleName }
- Required. You can specify one of the following values:
- RuleName. The name of the firewall rule
you want deleted.
- all. Specifies that all rules matching
the criteria in the other parameters are deleted. If no other
parameters are included in the command then all firewall
rules are deleted.
- [ dir = { in | out } ]
- Specifies that only rules of the selected direction are deleted. The value can be either in or out.
- [ profile = { public | private | domain | any | [ ,... ] } ]
- Specifies that only rules assigned to the specified profile(s) are deleted. If you specify more than one profile, then only rules that include the exact same list of profiles match.
- [ program = ProgramPath\FileName ]
- Specifies that only rules that match the identified program are deleted.
- [ service = { ServiceShortName | any } ]
- Specifies that only rules that match the identified service name are deleted.
- [ localip = { Addresses } ]
- Specifies that only rules that match the IP addresses, ranges,
or subnets are deleted. If your rule includes multiple entries,
then the rule only matches if it contains the exact same list of
entries. localip can be any of the following values:
- The keyword any.
- IPAddress. Specifies an IPv4 or IPv6
address.
- IPSubnet. Specifies an IPv4 or IPv6
subnet. The format is the subnet address, followed by '/' and then
either the number of bits in the subnet mask or the subnet mask
itself.
- IPRange. Specifies a range of IPv4 or
IPv6 addresses. The format is the starting and ending IP addresses
of the range separated by a '-'.
- [ remoteip = { Addresses } ]
- Specifies that only rules that match the IP addresses, ranges,
subnets, or server types are deleted. If your rule includes
multiple entries, then the rule only matches if it contains the
exact same list of entries. remoteip can be any of the
following values:
- One of the keywords any,
localsubnet, dns, dhcp, wins,
defaultgateway.
- IPAddress. Specifies an IPv4 or IPv6
address.
- IPSubnet. Specifies an IPv4 or IPv6
subnet. The format is the subnet address, followed by '/' and then
either the number of bits in the subnet mask or the subnet mask
itself.
- IPRange. Specifies a range of IPv4 or
IPv6 addresses. The format is the starting and ending IP addresses
of the range separated by a '-'.
- [ localport = { any | Integer | rpc | rpc-epmap | teredo | [ ,... ] } ] [ remoteport = { any | Integer | [ ,... ] } ]
- Specifies that only rules that match the port numbers or
keywords indicated are deleted. The port values can be individual
numbers from 0 through 65535, a range, such as 5000-5020, or
a comma-separated list of numbers and ranges.
Note Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.
- [ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
- Specifies that only rules that match the indicated protocol value are deleted.
Remarks
- If multiple rules are found that match the
specified criteria, then they are all deleted.
- If you specify name=all and do not
specify any other criteria, then all firewall rules are
deleted.
- Rules that specify port ranges can be created
and modified by using netsh on Windows 7 and Windows
Server 2008 R2 only. However, rules with port ranges that
are applied to computers running Windows Vista and Windows
Server 2008 by using Group Policy work correctly.
Examples
- The following example deletes a rule based on
its exact name:
Delete rule name="rule1"
- The following example deletes all rules for
TCP port 80:
delete rule name=all protocol=tcp localport=80
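The Remarks above warn that delete rule name=all with no other criteria removes every firewall rule. The wrapper below is an added example, not code from the original page: it refuses a bare name=all, exports the current policy with netsh advfirewall export before deleting so the change can be reverted with netsh advfirewall import, and treats a nonzero netsh exit code as failure. The backup path and the function name are this example's own.

```powershell
# Added example, not part of the original page. Guards "delete rule" against the
# bare name=all case and takes a policy export first so the deletion is reversible.
# Assumes: elevated session; netsh signals failure with a nonzero $LASTEXITCODE.
#Requires -RunAsAdministrator

function Remove-FirewallRuleSafely {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Extra narrowing criteria in netsh form, e.g. "protocol=tcp", "localport=80"
        [string[]]$Criteria = @(),
        # Placeholder backup location; keep these exports with change records.
        [string]$BackupPath = "$env:TEMP\firewall-before-delete.wfw"
    )
    # name=all with nothing else matches every firewall rule (see Remarks).
    if ($Name -eq "all" -and $Criteria.Count -eq 0) {
        throw "Refusing name=all without narrowing criteria: that would delete every firewall rule."
    }

    # Full policy export first; "netsh advfirewall import" restores it if needed.
    netsh advfirewall export "$BackupPath" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Policy export to '$BackupPath' failed; nothing deleted." }

    # The criteria array is splatted so each entry becomes its own netsh token.
    $output = netsh advfirewall firewall delete rule name="$Name" @Criteria
    if ($LASTEXITCODE -ne 0) { throw "delete rule failed: $($output -join ' ')" }

    Write-Host "Backup written to $BackupPath; restore with: netsh advfirewall import `"$BackupPath`""
    return $output   # netsh's own report of how many rules were deleted
}

# Narrowed deletion mirroring the page's second example above.
Remove-FirewallRuleSafely -Name all -Criteria "protocol=tcp", "localport=80"
```

Because delete rule accepts more matching criteria than show rule, the wrapper relies on the export rather than a preview as its safety net; after a mistaken deletion, importing the saved .wfw file replaces the whole policy, including rules changed since the export, so treat the backup as a point-in-time snapshot.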
set
In the netsh advfirewall firewall context, the set command only has one variation, the set rule command.
set rule
Modifies an existing firewall rule identified by name, or found by matching the specified criteria. Criteria that precede the keyword new identify the rule(s) to be modified. Criteria that follow the keyword new indicate properties that are modified or added.
Syntax
set rule
{ group = GroupName | name = { all | RuleName } }
[ dir = { in | out } ]
[ profile = { public | private | domain | any } [ ,... ] ]
[ program = ProgramPath\FileName ]
[ service = { ServiceShortName | any } ]
[ localip = Addresses ]
[ remoteip = Addresses ]
[ localport = { any | rpc | rpc-epmap | teredo | iphttps | Integer | [ ,... ] } ]
[ remoteport = { any | Integer | [ ,... ] } ]
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
new
[ name = NewRuleName ]
[ dir = { in | out } ]
[ program = ProgramPath\FileName ]
[ service = { ServiceShortName | any } ]
[ action = { allow | block | bypass } ]
[ description = RuleDescription ]
[ enable = { yes | no } ]
[ profile = { public | private | domain | any | [ ,... ] } ]
[ localip = Addresses ]
[ remoteip = Addresses ]
[ localport = { any | rpc | rpc-epmap | teredo | iphttps | Integer | [ ,... ] } ]
[ remoteport = { any | Integer | [ ,... ] } ]
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
[ interfacetype = { any | wireless | lan | ras } ]
[ rmtcomputergrp = SDDLString ]
[ rmtusrgrp = SDDLString ]
[ edge = { yes | deferapp | deferuser | no } ]
[ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]
Parameters
- { group = GroupName | name = { all | RuleName } }
- Required. Specifies either the group name for a set of rules to modify together, or a rule name assigned to an existing rule that you want to modify. If you specify the group name for a set of rules, then all of the rules in that group receive the same set of modifications. If name=all, then all rules that match the other criteria listed before the new keyword are modified. If name=all, and no other parameters are included before the new keyword, then all rules are modified as indicated.
- [ dir = { in | out } ]
- Specifies that only matching rules of the indicated direction are modified. The value of dir can be either in or out.
- [ profile = { public | private | domain | any } [ ,... ] ]
- Specifies that only matching rules that are assigned to the indicated profile are modified. If you specify a comma separated list, then only rules that contain the exact same list are modified.
- [ program = ProgramPath\FileName ]
- Specifies that only rules that match the identified program are modified.
- [ service = { ServiceShortName | any } ]
- Specifies that only rules that match the identified service name are modified. If service is not specified, then rules that specify any value, including no value, and that match all other criteria, are modified.
- [ localip = { Addresses } ]
- Specifies that only rules that match the IP addresses, ranges,
or subnets are modified. If you specify a comma separated list,
then only rules that contain the exact same list are
modified. localip can be any of the following values:
- The keyword any.
- IPAddress. Specifies an IPv4 or IPv6
address.
- IPSubnet. Specifies an IPv4 or IPv6
subnet. The format is the subnet address, followed by '/' and then
either the number of bits in the subnet mask or the subnet mask
itself.
- IPRange. Specifies a range of IPv4 or
IPv6 addresses. The format is the starting and ending IP addresses
of the range separated by a '-'.
- [ remoteip = { Addresses } ]
- Specifies that only rules that match the IP addresses, ranges, subnets, or server types are modified. If you specify a comma separated list, then only rules that contain the exact same list are modified. remoteip can be any of the following values:
- One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.
- IPAddress. Specifies an IPv4 or IPv6 address.
- IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.
- IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.
- [ localport = { any | Integer | rpc | rpc-epmap | teredo | iphttps | [ ,... ] } ] [ remoteport = { any | Integer | [ ,... ] } ]
- Specifies that only rules that match the port numbers or
keywords indicated are modified. The port values can be individual
numbers, a range, such as 5000-5020, or a comma-separated
list of numbers and ranges. If you specify a comma separated list,
then only rules that contain the exact same list are modified.
Note Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.
- [ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
- Specifies that only rules that match the indicated protocol value are modified. If you specify a comma separated list, then only rules that contain the exact same list are modified.
- new
- Any parameter that precedes this keyword is used to find a match for the rules that are modified. Any parameter that follows this keyword indicates a value that is modified in the rules that match the specified criteria.
- [ name = NewRuleName ]
- Specifies a new name for the firewall rule. The name should be unique, and must not be "all".
- [ dir = { in | out } ]
- Specifies whether this rule matches inbound or outbound network traffic. dir can be one of the following values:
- in. The rule matches only inbound network traffic that is arriving at the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Inbound Rules.
- out. The rule matches only outbound network traffic that is sent by the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Outbound Rules.
- [ action = { allow | block | bypass } ]
- Specifies what Windows Firewall with Advanced Security does to filter network packets that match the criteria specified in this rule. action can be one of the following:
- allow. Network packets that match all criteria specified in this rule are permitted through the firewall.
- block. Network packets that match all criteria specified in this rule are dropped by the firewall.
- bypass. If dir=in, then this option is valid only for rules that have one or more accounts listed in rmtcomputergrp and optionally rmtusrgrp. Network packets that match this rule and that are successfully authenticated against a computer account specified in rmtcomputergrp and against a user account identified in rmtusrgrp are permitted through the firewall. If you specify this option, then you cannot set security = notrequired. This option is the equivalent of the Override block rules checkbox in the Windows Firewall with Advanced Security MMC snap-in.
For computers that are running Windows 7 or Windows Server 2008 R2, action=bypass is permitted on an outbound rule. Selecting this option on an outbound rule causes matching traffic to be permitted through this rule even if other matching rules would block the traffic. No accounts are required in rmtcomputergrp or rmtusrgrp for an outbound bypass rule; however, if authorized or excepted computers are listed in those groups, they are enforced.
The action=bypass option on an outbound rule is not valid on computers that are running earlier versions of Windows. Those computers will not successfully process a rule with this option.
- [ program = ProgramPath\FileName ]
- Specifies that network traffic generated by the identified
executable program matches this rule.
Caution Creating firewall rules for hosting processes such as svchost.exe can lead to unpredictable behavior in Windows Firewall with Advanced Security. Starting in Windows Vista, the security of Windows network services was increased by using predefined, built-in firewall rules. Creating new rules referencing services that are already protected by the built-in rules might result in conflicts or undesired side-effects.
- [ service = { ServiceShortName | any } ]
- Specifies that traffic generated by the identified service matches this rule. The ServiceShortName for a service can be found in Services MMC snap-in, by right-clicking the service, selecting Properties, and examining Service Name.
- [ description = RuleDescription ]
- Provides information about the firewall rule.
- [ enable = { yes | no } ]
- Specifies whether the rule is currently enabled.
- [ profile = { public | private | domain | any | [ ,... ] } ]
- Specifies the profile(s) to which the firewall rule is assigned. The rule is active on the local computer only when the specified profile is currently active. You can include multiple entries for profile by separating them with a comma. Do not include any spaces.
- [ localip = { Addresses } ]
- Specifies that network packets with matching IP addresses match this rule. localip is compared to the Destination IP address field of an inbound network packet. It is compared to the Source IP address field of an outbound network packet. localip can be any of the following values:
- any. Matches any IP address.
- IPAddress. Matches only the exact IPv4 or IPv6 address.
- IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.
- IPRange. Matches any IPv4 or IPv6 address that falls within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.
- [ remoteip = { Addresses } ]
- Specifies that network packets with matching IP addresses match this rule. remoteip is compared to the Destination IP address field of an outbound network packet. It is compared to the Source IP address field of an inbound network packet. remoteip can be any of the following values:
- any. Matches any IP address.
- localsubnet. Matches any IP address that is on the same IP subnet as the local computer.
- dns|dhcp|wins|defaultgateway. Matches the IP address of any computer that is configured as the identified server type on the local computer.
- IPAddress. Matches only the exact IPv4 or IPv6 address specified.
- IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.
- IPRange. Matches any IPv4 or IPv6 address that falls within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.
- [ localport = { any | Integer | rpc | rpc-epmap | teredo | iphttps | [ ,... ] } ]
- Specifies that network packets with matching IP port numbers match this rule. localport is compared to the Source Port field of an outbound network packet. It is compared to the Destination Port field of an inbound network packet. localport can be any of the following values:
- any. Matches any value in the port field of the IP packet.
- Integer. Specifies the exact port number that must be present for the packet to match the rule. The port values can be individual numbers, a range, such as 5000-5020, or a comma-separated list of numbers and ranges.
Note Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.
- rpc. Matches inbound TCP packets that are addressed to the listening socket of an application that correctly registers the port as an RPC listening port. A rule with this option must also specify protocol = tcp, dir = in. We recommend that you also specify the appropriate program = ProgramName and/or service = ServiceName options to ensure that only the correct service can send or receive traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the application when it starts.
- rpc-epmap. Matches inbound TCP packets that are addressed to the dynamic RPC endpoint mapper service. A rule with this option must also specify protocol = tcp, dir = in. We recommend that you also specify program = %windir%\system32\svchost.exe, and service = rpcss to ensure that only the RPC service can send or receive network traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the service when it starts. If you have one or more rules that specify localport = rpc, then you must also create a rule with localport = rpc-epmap enabled. This allows both the incoming request to the mapper, and the subsequent packets to the ephemeral ports assigned by the RPC service.
- teredo. Matches inbound UDP packets that contain Teredo packets. Teredo is an IPv4 to IPv6 transition technology that allows IPv4 computers to communicate with IPv6 computers.
- iphttps. Matches inbound TCP packets that contain HTTPS with embedded IPv6 packets. IP-HTTPS is a firewall traversal protocol that allows IPv6 packets that would otherwise be blocked if sent by using Teredo, 6to4, or native IPv6. HTTPS is almost universally permitted through a firewall, so IP over HTTPS is another mechanism that can be used when a firewall does not support other edge traversal protocols. The IP-HTTPS option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only, and is ignored if applied by Group Policy to computers that are running earlier versions of Windows.
- [ remoteport = { any | Integer | [ ,... ] } ]
- Specifies that network packets with matching IP port numbers match this rule. remoteport is compared to the Destination Port field of an outbound network packet. It is compared to the Source Port field of an inbound network packet. remoteport can be any of the following values:
- any. Matches any value in the port field of the IP packet.
- Integer. Specifies the exact port number that must be present for the packet to match the rule. The port values can be individual numbers, a range, such as 5000-5020, or a comma-separated list of numbers and ranges.
Note Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.
- [ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
- Specifies that network packets with a matching IP protocol match this rule. protocol can be one of the following values:
- any. Matches any value in the Protocol field of the IP packet.
- Integer. Specifies the protocol by number that must be present for the packet to match the rule.
- icmpv4. Specifies that all ICMP v4 packets match this rule.
- icmpv6. Specifies that all ICMP v6 packets match this rule.
- icmpv4:type,code. Specifies that only ICMP v4 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.
- icmpv6:type,code. Specifies that only ICMP v6 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.
- tcp. Specifies that only TCP traffic addressed to or from the ports identified by localport and remoteport matches this rule.
- udp. Specifies that only UDP traffic addressed to or from the ports identified by localport and remoteport matches this rule.
- [ interfacetype = { any | wireless | lan | ras } ]
- Specifies that only network packets passing through the indicated interface types match this rule. Using this parameter allows you to specify different firewall requirements for each of the three main network types. The value must be one of the following:
- any. Network packets passing through any of the interface types match this rule.
- wireless. Network packets that pass through a wireless network adapter match this rule.
- lan. Network packets that pass through a wired LAN adapter match this rule.
- ras. Network packets that pass through a RAS interface, such as a VPN or dial-up network connection, match this rule.
- [ rmtcomputergrp = SDDLString ]
- Specifies that only network packets that are authenticated as coming from or going to a computer identified in the list of computer and group accounts are filtered by this rule. If rmtcomputergrp is specified, then security must be set to either authenticate or authenc. If action = bypass, then at least one computer or computer group account must be specified in rmtcomputergrp. For rmtcomputergrp to match, the network traffic must be authenticated using a credential that carries computer account information.
- [ rmtusrgrp = SDDLString ]
- Specifies that only network packets that are authenticated as coming from or going to a user identified in the list of user and group accounts are filtered by this rule. If rmtusrgrp is specified, then security must be set to either authenticate or authenc. For rmtusrgrp to match, the network traffic must be authenticated using a credential that carries user account information.
- [ edge = { yes | deferapp | deferuser | no } ]
- Valid only when dir = in. Specifies that traffic that traverses an edge device, such as a Network Address Translation (NAT) enabled router, between the local and remote computer matches this rule. The deferapp and deferuser options are valid on computers running Windows 7 and Windows Server 2008 R2 only. If set to deferapp or deferuser, then Windows allows the application or user to programmatically register with the firewall to receive inbound unsolicited application traffic from the edge device. This option is the equivalent of the Allow edge traversal checkbox in the Windows Firewall with Advanced Security MMC snap-in.
- [ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]
- Specifies that only network packets protected with the specified type of IPsec options match this rule. security can be one of the following values:
- authenticate. Network packets that are authenticated by IPsec match this rule. You must create a separate connection security rule to authenticate the traffic. This option is the equivalent of the Allow only secure connections option in the Windows Firewall with Advanced Security MMC snap-in.
- authenc. Network packets that are authenticated and encrypted by IPsec match this rule. You must create a separate connection security rule to authenticate and encrypt the traffic. This option is the equivalent of the Require encryption option in the Windows Firewall with Advanced Security MMC snap-in.
- authdynenc. Network packets that are authenticated by IPsec match this rule, and if the initial packet is not already encrypted, then a new quick mode SA is negotiated with the remote host to encrypt the connection. All succeeding packets are authenticated and encrypted. If the negotiation of a quick mode encryption SA fails, then the firewall blocks the connection. You must create a separate connection security rule that requires authentication and encryption to permit negotiation of an appropriate encrypted SA. This option is the equivalent of the Allow systems to dynamically negotiate encryption option in the Windows Firewall with Advanced Security MMC snap-in.
Note This option is valid for inbound firewall rules only. This option is available only on computers that are running Windows 7 or Windows Server 2008 R2. Group Policies created with this option are compatible with computers that are running Windows Vista or later versions of Windows.
- authnoencap. Network connections that are authenticated, but not encapsulated by ESP or AH, match this rule. This option is useful for connections that must be monitored by network equipment, such as intrusion detection systems (IDS), that are not compatible with ESP NULL-protected network packets. The initial connection is authenticated by IPsec by using AuthIP, but the quick mode SA permits cleartext traffic. To use this option, you must also configure a connection security rule that specifies authnoencap as a quick mode security method.
Note This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.
- notrequired. Any network packet matches this rule, whether or not it is protected by IPsec. This option is the equivalent of not selecting the Allow only secure connections option in the Windows Firewall with Advanced Security MMC snap-in.
Remarks
- Do not modify a firewall rule to use the name all. Doing this creates a conflict with the netsh option to select all firewall rules (for example, set rule name=all). If multiple rules match the criteria you specify, then all matching rules are modified with the changes included in the command.
- Rules that specify port ranges can be created
or modified by using netsh on Windows 7 and Windows
Server 2008 R2 only. However, rules with port ranges that
are applied to computers running Windows Vista and Windows
Server 2008 by using Group Policy work correctly.
- Any parameters that follow the new
keyword that you do not include in the command are not modified,
and maintain their previous value.
- To see the group assignments for the
predefined Windows Firewall rules, look in the Windows Firewall
with Advanced Security MMC snap-in, under the Inbound Rules
and Outbound Rules nodes. The Group column in the
Details pane contains the group assignment for each rule. This
version of Windows supports group names only for predefined rules
included with Windows Firewall at installation. There is currently
no supported way to create a group or assign your custom rules to a
group.
- If rmtcomputergrp or rmtusrgrp is specified, then the network traffic must also match a connection security rule that authenticates the connection. The authentication protocol used must include identification of a computer or user account, such as Kerberos v5, NTLM v2, or a computer certificate with account mapping enabled.
- Do not set both edge = yes
and remoteip = localsubnet. They are conflicting
options and result in the firewall blocking all network traffic
from outside the edge device.
- For more information about SDDL strings and
their format, see "Security Descriptor String Format" (http://go.microsoft.com/fwlink/?linkid=109950) on the
Microsoft MSDN Web site.
- One way to find an SDDL string for a computer
or group account is to use the Windows Firewall with Advanced
Security MMC snap-in to create a temporary firewall rule. Be sure
to disable the rule so that it cannot interfere with any network
traffic. On the Users and Computers tab, select Only
allow connections from these computers, and then use the
Add button to find the computer or group account(s) of
interest. After creating the rule, you can use the command netsh
advfirewall firewall show rule name=rulename
verbose to view the SDDL string for that computer or group.
Be sure to delete the temporary rule when you are finished.
Examples
- The following command changes a rule to match
a different remote IP address of a Web server whose traffic is
allowed by a rule:
set rule name="AllowWeb80" new remoteip=192.168.0.2
- The following command enables all rules in a
predefined group:
set rule group="windows firewall remote management" new enable=yes
- The following command changes a rule to
require authentication. A separate connection security rule must
exist to perform the authentication:
set rule name="AllowMessenger" new security=authenticate
- For more examples of how to use the various parameters that can follow the new keyword, see the firewall add rule examples section.
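The examples above show single edits. The two rules a practitioner most often trips over are that everything before the new keyword is a match criterion, not a change, and that a profile list only matches when it is identical to the rule's list. The following PowerShell script is an added example written for this page (it is not from the original documentation) that exercises both against a throwaway rule. It assumes an elevated prompt, a rule name and addresses chosen only for the demonstration, and the "RemoteIP:" and "Description:" field labels that show rule verbose prints. The rule is created disabled and as a block rule so it never affects live traffic, and it is deleted at the end even if a step fails.

```powershell
# Added example (editor's own, not from the original page). Exercises the
# "set rule" semantics: parameters before "new" select rules, parameters after
# "new" change them, and a profile list must match the rule's list exactly.
# Requires an elevated prompt. Rule name and addresses are hypothetical; the
# rule is created disabled and as a block rule so it never affects traffic.
$ruleName = 'EditorExample-Web80'   # hypothetical name, assumed unique on this host

function Invoke-FwNetsh {
    param([string[]]$NetshArgs)
    $text = (& netsh.exe advfirewall firewall @NetshArgs) -join "`n"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall firewall $($NetshArgs -join ' ') failed:`n$text"
    }
    $text
}

# Read one "Field:   value" line from "show rule ... verbose" output.
# The label format is assumed from netsh's own output layout.
function Get-FwRuleField {
    param([string]$RuleName, [string]$Field)
    $text = Invoke-FwNetsh @('show', 'rule', "name=$RuleName", 'verbose')
    if ($text -match "(?m)^$([regex]::Escape($Field)):\s+(.+?)\s*$") { return $Matches[1] }
    throw "Field '$Field' not found for rule '$RuleName'"
}

try {
    # 1. Create a disabled block rule assigned to two profiles.
    Invoke-FwNetsh @('add', 'rule', "name=$ruleName", 'dir=in', 'action=block',
        'protocol=tcp', 'localport=80', 'remoteip=192.168.0.1',
        'profile=domain,private', 'enable=no', 'description=before') | Out-Null

    # 2. Everything after "new" is a change: swap the remote address.
    Invoke-FwNetsh @('set', 'rule', "name=$ruleName", 'new', 'remoteip=192.168.0.2') | Out-Null
    "RemoteIP after set:              {0}" -f (Get-FwRuleField $ruleName 'RemoteIP')

    # 3. Everything before "new" is a match criterion. profile=domain does not
    #    select a rule whose list is domain,private, so the description is
    #    left alone (netsh may also return a non-zero exit code here).
    try {
        Invoke-FwNetsh @('set', 'rule', "name=$ruleName", 'profile=domain',
            'new', 'description=after') | Out-Null
    } catch {
        Write-Warning "profile=domain selected nothing (expected): $($_.Exception.Message.Split("`n")[-1])"
    }
    "Description after partial list: {0}" -f (Get-FwRuleField $ruleName 'Description')

    # 4. The exact list does match, and the change is applied.
    Invoke-FwNetsh @('set', 'rule', "name=$ruleName", 'profile=domain,private',
        'new', 'description=after') | Out-Null
    "Description after exact list:   {0}" -f (Get-FwRuleField $ruleName 'Description')
}
finally {
    # 5. Always remove the temporary rule, even if a step above threw.
    & netsh.exe advfirewall firewall delete rule "name=$ruleName" | Out-Null
}
```

Step 3 is the check worth keeping in your own scripts: after any set rule that uses match criteria, read the rule back with show rule verbose and confirm the field actually changed, because a criterion that selects no rules fails quietly from the point of view of a calling script.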
show
In the netsh advfirewall firewall context, the show command only has one variation, the Show Rule command.
show rule
Displays an existing firewall rule.
Syntax
show rule
name = { all | RuleName }
[ profile = { public | private | domain | any } [ ,... ] ]
[ type = { dynamic | static } ]
[ verbose ]
Parameters
- name = { all | RuleName }
- Required. Specifies the rule name assigned to the rule that you want to display. If name=all, then all rules that match the other criteria in the command are displayed. If name=all, and no other parameters are included, then all rules are displayed.
- [ profile = { public | private | domain | any | [ ,... ] } ]
- Specifies that only matching rules that are assigned to the indicated profile are displayed. If you specify a comma separated list, then only rules that contain the exact same list are displayed.
- [ type = { dynamic | static } ]
- Specifies that you only want those rules of the selected type displayed. type can be one of the following values:
- dynamic. Displays the rules currently active on your local computer.
- static. Displays rules defined in the current store, as defined by the set store command.
- [verbose]
- Specifies that you want additional details for each rule displayed.
Examples
- The following command displays all currently
defined firewall rules:
show rule name=all
- The following command displays all firewall
rules that are for the domain profile:
show rule name=all profile=domain
This command does not show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain included in the rule.
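Because the profile filter is an exact-list match, the question an auditor usually asks, "which rules are in force on the domain profile?", cannot be answered with profile=domain alone. The following PowerShell is an added example written for this page (not part of the original documentation) that parses the text printed by show rule name=all verbose into objects and then selects every rule whose profile list contains a given profile. The field labels and record layout are assumed from netsh's own output; the sample text embedded below is constructed to have that shape and is not a real capture.

```powershell
# Added example (editor's own, not from the original page). Parses
# "netsh advfirewall firewall show rule name=all verbose" text into objects so
# a rule that lists Domain,Private is found when you ask about Domain.
# Record layout ("Rule Name:" starts a record, "Label:   value" lines follow,
# "----" and blank lines separate) is assumed from netsh's output.

function ConvertFrom-NetshRuleText {
    param([string[]]$Lines)
    $rules = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.*?)\s*$') {
            if ($current) { $rules.Add([pscustomobject]$current) }
            $current = [ordered]@{ 'Rule Name' = $Matches[1] }
        }
        elseif ($current -and $line -match '^([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]   # e.g. Profiles, Direction, Action
        }
        # Separator lines, blank lines and the trailing "Ok." are ignored.
    }
    if ($current) { $rules.Add([pscustomobject]$current) }
    $rules.ToArray()
}

# Every rule whose profile list includes $Profile, whatever else it lists.
# A rule assigned to "Any" applies to all three profiles.
function Get-RulesForProfile {
    param([object[]]$Rules, [string]$Profile)
    $Rules | Where-Object {
        $list = @(($_.Profiles -split ',') | ForEach-Object { $_.Trim() })
        ($list -contains 'Any') -or ($list -contains $Profile)
    }
}

# Constructed sample in the same shape as netsh output (not a real capture).
$sample = @'
Rule Name:                            Sample-DomainOnly
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Action:                               Allow

Rule Name:                            Sample-DomainPrivate
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Action:                               Block

Rule Name:                            Sample-PublicOnly
----------------------------------------------------------------------
Enabled:                              No
Direction:                            Out
Profiles:                             Public
Action:                               Allow
Ok.
'@ -split "`r?`n"

$parsed = ConvertFrom-NetshRuleText $sample
(Get-RulesForProfile $parsed 'Domain').'Rule Name'
# Sample-DomainOnly and Sample-DomainPrivate. The page's
# "show rule name=all profile=domain" would list only the first.

# Against the live host (elevated prompt), replace the sample with real output:
# $live = ConvertFrom-NetshRuleText (netsh advfirewall firewall show rule name=all verbose)
# Get-RulesForProfile $live 'Domain' | Select-Object 'Rule Name', Profiles, Direction, Action
```

The parser keys on the label text, so it also picks up the verbose-only fields (such as Security and InterfaceTypes) without any change; filter on those the same way you filter on Profiles when you need, for example, every inbound rule with security set to notrequired.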