How To Manage Windows Firewall From Command Line With Netsh Command? – POFTUT

Windows Firewall is a useful mechanism for controlling network traffic and ports. There are different ways to manage Windows Firewall: the GUI, PowerShell and the MS-DOS style command prompt. Today we will look in detail at how to manage Windows Firewall from the command line with a popular tool named netsh. Netsh is a built-in tool which exists in all Windows versions such as Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows 7, Windows 8 and Windows 10.

Help

Help about the netsh command can be printed with the /? option.

$ netsh /?

As we can see from the output, the netsh command provides a lot of network management features such as Wlan, Bridge, Dhcp, Ras etc.

Interactive Shell

The netsh command can be used from the command line just by issuing commands. But there is also an interactive shell where the same commands can be used to manage the network. While using the interactive shell the netsh prefix is omitted. The interactive shell can be started just by running netsh like below.

$ netsh

There are also sub-shells, or contexts, which are entered by issuing the context name, like advfirewall.

$ advfirewall

Network Profiles

As we know, Windows operating systems come with built-in profiles, and different network security settings are applied according to these profiles. After a network connection is established, Windows asks us what type of network the connected network is. We select one of the following profiles.

  • Domain Profile
  • Private Profile
  • Public Profile

List All Network Profiles

All existing network profiles can be listed with the advfirewall show allprofiles command like below.

$ advfirewall show allprofiles

As we can see from the command output, the following information about each network profile is provided.

  • State shows whether this profile is enabled and in use
  • Firewall Policy shows the Inbound and Outbound connection policy, i.e. whether inbound or outbound connections can be made in this profile by default
  • Local Firewall Rules shows whether local firewall rules apply or Group Policy rules are inherited
  • Local Con Sec Rules shows the same for local connection security rules
  • Inbound User Notification shows whether a notification will be shown on the user's desktop when an inbound connection is blocked
  • Remote Management specifies whether remote management ports and mechanisms can be used
  • Logging is the section about creating logs
  • Log Allowed Connections shows whether allowed connections will be logged
  • Log Dropped Connections shows whether dropped connections will be logged
  • File Name specifies the path and name of the firewall log
  • Max File Size shows the maximum size the log file can reach

Domain Profile

The Domain profile is designed for Windows systems that are members of a Windows domain.

Private Profile

The Private profile is designed to be used in private areas like home or at a friend's, where we can semi-trust the network and it is not controlled by a domain controller.

Public Profile

The Public profile is designed to be used in public areas where real security threats exist. These areas are libraries, cafes etc.
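The profile listing above is what a defender usually audits first: is the firewall on for every profile, does inbound traffic default to block, and are dropped connections logged? The following PowerShell script is an added example and is not part of the original post; it parses the English-language output of netsh advfirewall show allprofiles into one table per profile and reports settings that deviate from that baseline. The function and variable names are my own, the sample netsh output is constructed so the script can be exercised without touching the live firewall, and reading the real output needs an elevated prompt.

```powershell
# Added example (not from the original post): audit the output of
# "netsh advfirewall show allprofiles" against a simple baseline.
# Assumes the English netsh output format shown in the constructed sample below.

function Get-NetshProfileSettings {
    param(
        # Raw netsh output lines; defaults to querying the local machine
        [string[]]$Lines = (netsh advfirewall show allprofiles)
    )
    $profiles = @{}
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>\w+) Profile Settings:') {
            $current = $Matches['name']
            $profiles[$current] = @{}
            continue
        }
        # Setting lines are "Key<2+ spaces>Value"; headers such as "Logging:" do not match
        if ($current -and $line -match '^(?<key>[A-Za-z][A-Za-z ]*?)\s{2,}(?<value>\S.*)$') {
            $profiles[$current][$Matches['key']] = $Matches['value'].Trim()
        }
    }
    return $profiles
}

function Test-FirewallBaseline {
    param([hashtable]$Profiles)
    $findings = @()
    foreach ($name in $Profiles.Keys) {
        $p = $Profiles[$name]
        if ($p['State'] -ne 'ON') {
            $findings += "$name profile: firewall state is '$($p['State'])', expected ON"
        }
        if ($p['Firewall Policy'] -notlike 'BlockInbound*') {
            $findings += "$name profile: inbound default is not block ($($p['Firewall Policy']))"
        }
        if ($p['LogDroppedConnections'] -ne 'Enable') {
            $findings += "$name profile: dropped connections are not logged"
        }
        if ($p['RemoteManagement'] -eq 'Enable') {
            $findings += "$name profile: remote management is enabled"
        }
    }
    return $findings
}

# Constructed sample output (hypothetical machine) so the functions run offline
$sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
RemoteManagement                      Enable

Logging:
LogDroppedConnections                 Enable
Ok.
'@ -split "`r?`n"

$findings = Test-FirewallBaseline -Profiles (Get-NetshProfileSettings -Lines $sample)
$findings | ForEach-Object { Write-Output $_ }

# Against the live machine (elevated prompt):
# Test-FirewallBaseline -Profiles (Get-NetshProfileSettings)
```

The parser keys on the two-or-more-space gap between setting name and value, which is how netsh lays out every profile line; anything that does not fit that shape, such as the Logging: sub-header or the trailing Ok., is skipped rather than guessed at.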

Turn Off Firewall

Windows Firewall is enabled by default. The default rules are strict and generally do not allow third-party applications to listen on additional ports. Another scenario is that we have already installed an endpoint security solution and do not need the Windows built-in firewall. We can simply turn off the firewall. The following command disables the firewall for the currently active network profile.

$ advfirewall set currentprofile state off

Turn On Firewall

As we stated in the previous step, the Windows firewall is enabled by default. But we may need to enable and start the firewall in some situations. The following command enables the firewall for the currently active network profile.

$ advfirewall set currentprofile state on

Turn On Firewall For All Network Profiles

The previous steps turn the firewall on and off for the current profile. We can also turn the firewall on for all existing profiles with the following command. This turns on the firewall for the Domain, Private and Public profiles.

$ advfirewall set allprofiles state on

List Current Firewall Configuration

We have previously listed the configuration of all existing profiles. We can also list only the current profile's configuration.

$ advfirewall show currentprofile

Open Port

Now we can start the real firewall management operations. One of the most used commands and features is opening a firewall port. We specify the Layer 4 protocol, TCP or UDP, the port number and a name that identifies the rule. In this example we open TCP port 443 and name it MyHttps.

$ firewall add portopening tcp 443 MyHttps

Close Port

We may need to close a port to make our system more secure and fortify it. We use the delete command to remove existing open ports or exceptions. In this example we remove TCP port 443, which was opened with the name MyHttps.

$ firewall delete portopening tcp 443

Drop ICMP or Ping Packets

One of the most used techniques for troubleshooting network connectivity in IT environments is sending ICMP packets with the ping mechanism. We generally ping a remote system to decide whether the network is working and the remote system is up. But this may create a security hole in critical environments, so disabling ping is the more secure way.

We can disable the ping and drop ICMP packets with the following command.

$ firewall set icmpsetting type=all mode=disable
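The firewall context used in the three commands above (add portopening, delete portopening, set icmpsetting) is the legacy netsh firewall context; current Windows versions still accept it but print a deprecation notice and point to netsh advfirewall firewall instead. The PowerShell script below is an added example, not code from the original post, and performs the same three operations with the supported syntax, each followed by a check that the rule actually exists afterwards. The rule names and function names are my own choices, the existence check assumes English netsh output, and the commands need an elevated prompt.

```powershell
# Added example (not from the original post): open a port, close it again and block
# inbound ping using "netsh advfirewall firewall", verifying each change afterwards.
# Assumes English netsh output and an elevated prompt. Rule names are hypothetical.

function Test-FirewallRuleExists {
    param([string]$Name)
    # "show rule" prints one "Rule Name:" line per matching rule,
    # or "No rules match the specified criteria." when nothing matches
    $out = netsh advfirewall firewall show rule name="$Name"
    return (@($out | Where-Object { $_ -match '^Rule Name:' }).Count -gt 0)
}

function Add-AllowedPort {
    param(
        [string]$Name,
        [ValidateSet('TCP', 'UDP')][string]$Protocol,
        [int]$Port,
        # Scope the exception to one profile; 'any' applies it to all three
        [ValidateSet('domain', 'private', 'public', 'any')][string]$Profile = 'any'
    )
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=$Protocol localport=$Port profile=$Profile | Out-Null
    return (Test-FirewallRuleExists -Name $Name)
}

function Remove-AllowedPort {
    param([string]$Name)
    # Deleting by name removes every rule carrying that name
    netsh advfirewall firewall delete rule name="$Name" | Out-Null
    return -not (Test-FirewallRuleExists -Name $Name)
}

function Block-InboundPing {
    $ruleName = 'Block inbound ICMPv4 echo'
    # ICMPv4 type 8 (echo request), any code; ping from this host outwards still works.
    # The protocol value contains a comma, so it is quoted to stop PowerShell splitting it.
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
        "protocol=icmpv4:8,any" | Out-Null
    return (Test-FirewallRuleExists -Name $ruleName)
}

# Usage: open 443 only on the Domain profile, confirm, then close it again
Add-AllowedPort -Name 'MyHttps' -Protocol TCP -Port 443 -Profile domain
Remove-AllowedPort -Name 'MyHttps'
Block-InboundPing
```

Scoping the allow rule to a single profile with profile= is the detail the legacy portopening syntax cannot express; an exception opened for the Domain profile does not follow the laptop onto a public network.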

Enable Log

Logging creates structured information about the events that occur in the Windows firewall. These logs may provide information about users, remote IP addresses, ports and actions. Logs can be used by security mechanisms such as log collection and SIEM. We can enable logging with the set logging command like below.

$ firewall set logging %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 ENABLE

In this example we enable logging by specifying the log file path, the maximum size of the log file and the status. After the maximum size is reached, the old log entries are discarded.
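Two things a practitioner wants beyond the command above: the equivalent in the supported netsh advfirewall logging syntax, and a way to actually read pfirewall.log once it fills up. The PowerShell script below is an added example, not code from the original post. It enables dropped-packet logging for all profiles with the same path and size the post uses, then summarises DROP entries from the log by source address and destination port, which is the view you would hand to a SIEM or look at during triage. The function names are my own, the sample log lines are constructed, and the configuration part needs an elevated prompt.

```powershell
# Added example (not from the original post): configure dropped-connection logging with
# "netsh advfirewall set allprofiles logging", then summarise DROP lines from pfirewall.log.
# Function names are hypothetical; the sample log below is constructed, not captured.

function Enable-FirewallDropLogging {
    param(
        [string]$Path = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
        [int]$MaxSizeKB = 4096
    )
    # maxfilesize is in kilobytes; when the limit is reached the current file is rotated
    netsh advfirewall set allprofiles logging filename "$Path" | Out-Null
    netsh advfirewall set allprofiles logging maxfilesize $MaxSizeKB | Out-Null
    netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
}

function Get-FirewallDropSummary {
    param([string[]]$LogLines)
    # pfirewall.log is W3C extended format. Field order, from the #Fields: header:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
    $summary = @{}
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[2] -ne 'DROP') { continue }
        # Group by "source IP -> protocol/destination port"
        $key = "$($f[4]) -> $($f[3])/$($f[7])"
        if ($summary.ContainsKey($key)) { $summary[$key]++ } else { $summary[$key] = 1 }
    }
    return $summary
}

# Constructed sample log (documentation addresses, hypothetical traffic)
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-01 10:00:01 DROP TCP 203.0.113.5 192.0.2.10 51234 3389 52 S 0 0 0 - - - RECEIVE
2024-01-01 10:00:02 DROP TCP 203.0.113.5 192.0.2.10 51235 3389 52 S 0 0 0 - - - RECEIVE
2024-01-01 10:00:03 ALLOW TCP 192.0.2.10 198.51.100.7 49152 443 0 - 0 0 0 - - - SEND
2024-01-01 10:00:04 DROP UDP 203.0.113.9 192.0.2.10 40000 161 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

Get-FirewallDropSummary -LogLines $sampleLog | Format-Table -AutoSize

# Against the live log once logging is enabled:
# Enable-FirewallDropLogging
# Get-FirewallDropSummary -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

On the constructed sample the summary groups the two RDP attempts from 203.0.113.5 under one key with a count of 2 and the SNMP probe under another with a count of 1, while the outbound ALLOW line is ignored; repeated DROPs from one source against management ports are exactly the pattern worth forwarding to a SIEM.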
