Windows Server,  Windows XP

Control Windows Firewall From The Command Line

The Windows Firewall is controlled using the netsh command with its advfirewall context. The command is pretty easy to use, although knowing the syntax helps. The most basic thing to do is enable the firewall, done by issuing the set verb along with a profile (in this case we'll use the current profile) and then setting the state to on, as follows:

netsh advfirewall set currentprofile state on

Or if you were controlling the domain profile:

netsh advfirewall set domainprofile state on

You can also set other options within a profile. So to set the firewall policy to always block inbound traffic and allow outgoing traffic, use set currentprofile followed by firewallpolicy as the option to set, and then blockinboundalways and allowoutbound delimited with a comma:

netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound

To restore the firewall configuration to its defaults, use the reset verb:

netsh advfirewall reset

To open incoming access to just the file and printer sharing services:

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

Or remote desktop connections:

netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain

Because the Windows Firewall can be stateful, you can also allow a program to have access (in or out), as with the following app called SecureApp.exe:

netsh advfirewall firewall add rule name="Secure App" dir=in action=allow program="C:\Program Files\SecureApp.exe" enable=yes

Or to block that app (netsh accepts allow, block or bypass as the action; deny is not a valid value):

netsh advfirewall firewall add rule name="Secure App" dir=in action=block program="C:\Program Files\SecureApp.exe" enable=yes

You can also allow based on an IP address or range of addresses by adding the remoteip parameter:

netsh advfirewall firewall add rule name="Secure App" dir=in action=allow program="C:\Program Files\SecureApp.exe" enable=yes remoteip=206.13.28.12,LocalSubnet profile=domain

Or to open a specific port:

netsh advfirewall firewall add rule name="Open SSL" dir=in action=allow protocol=TCP localport=443
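Putting the steps above together, here is an added example (not from the original post) of running them as a PowerShell script that checks each netsh exit code and then reads the configuration back with the show verbs to confirm it took effect. It also exports the current policy first, so that a mistaken rule or a later netsh advfirewall reset can be undone with netsh advfirewall import. The backup path is an assumed placeholder; the rule name, program path and addresses are the post's own sample values. netsh advfirewall exists on Windows Vista / Server 2008 and later, and the script must run from an elevated prompt.

```powershell
# Added example: apply the post's netsh advfirewall settings and verify them.
# Run from an elevated PowerShell prompt; netsh advfirewall needs administrator rights.

$BackupPath = "C:\FirewallBackup\policy-$(Get-Date -Format yyyyMMdd-HHmmss).wfw"  # assumed placeholder path
$RuleName   = "Secure App"                                                         # sample value from the post
$AppPath    = "C:\Program Files\SecureApp.exe"                                     # sample value from the post
$RemoteIp   = "206.13.28.12,LocalSubnet"                                           # sample value from the post

# Run netsh with the given arguments and fail loudly on a non-zero exit code,
# since netsh prints an error but does not throw when a command is rejected.
function Invoke-Netsh {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & netsh.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed (exit $LASTEXITCODE): $output"
    }
    return $output
}

# 1. Back up the current policy before changing anything. Restore later with:
#    netsh advfirewall import "<path>.wfw"
New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
Invoke-Netsh advfirewall, export, $BackupPath

# 2. Turn the domain profile on and set its default policy to block inbound / allow outbound.
Invoke-Netsh advfirewall, set, domainprofile, state, on
Invoke-Netsh advfirewall, set, domainprofile, firewallpolicy, 'blockinboundalways,allowoutbound'

# 3. Allow the application inbound, but only from the listed address and the local subnet.
#    Remove any existing rule of the same name first: 'add rule' does not replace a rule,
#    it creates a second one with the same name. delete returns exit code 1 if none existed,
#    so that call is deliberately not checked.
& netsh.exe advfirewall firewall delete rule name=$RuleName | Out-Null
Invoke-Netsh advfirewall, firewall, add, rule, "name=$RuleName", 'dir=in', 'action=allow',
             "program=$AppPath", 'enable=yes', "remoteip=$RemoteIp", 'profile=domain'

# 4. Verify by reading the configuration back rather than trusting the exit codes alone.
$profileOutput = Invoke-Netsh advfirewall, show, domainprofile
if (-not ($profileOutput -match '^State\s+ON')) {
    throw "Domain profile is not ON:`n$($profileOutput -join "`n")"
}

$ruleOutput = Invoke-Netsh advfirewall, firewall, show, rule, "name=$RuleName", 'verbose'
foreach ($expected in 'Enabled:\s+Yes', 'Direction:\s+In', 'Action:\s+Allow', '206\.13\.28\.12') {
    if (-not ($ruleOutput -match $expected)) {
        throw "Rule '$RuleName' is missing expected field '$expected':`n$($ruleOutput -join "`n")"
    }
}

Write-Host "Policy backed up to $BackupPath; domain profile is ON; rule '$RuleName' verified."
```

The verification step matters because netsh happily adds duplicate rules and silently accepts typos in values such as the program path, so reading the rule back with show rule ... verbose is the only way to be sure the rule that ended up in the policy is the one you intended.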

Overall, the netsh advfirewall command is pretty easy to use and allows for a lot of programmatic control of the Windows Firewall without having to learn a lot of complex scripting. And of course, to disable the firewall, just change the state from on to off in the initial command:

netsh advfirewall set currentprofile state off