How to Configure Windows 2008 Advanced Firewall with the NETSH CLI
In a previous article, we covered How to configure the new Windows Server 2008 advanced firewall MMC snap-in. In this article, we show you how to perform similar configurations of the new Windows 2008 Server Advanced Firewall, but entirely from the Windows command line interface (CLI), using the netsh utility. There are many reasons why you might want to do this; let's find out more…
What is the netsh advfirewall utility?
New in Windows 2008 Server, you will find a more advanced host-based firewall. Here are some of the new features to justify the new name, taken from our article on how to configure the advanced firewall using the MMC:
- New GUI interface – an MMC snap-in is now available to configure the advanced firewall.
- Bi-directional – filters outbound traffic as well as inbound traffic.
- Works better with IPSEC – now the firewall rules and IPSec encryption configurations are integrated into one interface.
- Advanced Rules configuration – you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.
Netsh advfirewall is the command line tool used for configuring the new Windows 2008 Server Advanced Firewall.
Why use the CLI interface to configure a Windows firewall?
While some people will prefer to use the graphical MMC snap-in to configure the new advanced firewall, others will prefer to do their configuration through the CLI for the following reasons:
- It’s faster – once you learn how to use the netsh advfirewall commands, it will be faster than clicking on the GUI.
- It can be scripted – you could script common functions you perform with this tool.
- Works when the GUI is not available – just like other CLI tools, you can use netsh advfirewall when the GUI is not available, such as on Windows Server 2008 Core.
What command do I use with netsh advfirewall?
Here are the 9 most important commands that you need to know when using the netsh advfirewall command utility:
The help (?) command
This is probably the most useful command there is. Anytime you type the ? command it will allow you to see all the options that are available for that context (see Figure 1).
Figure 1: netsh advfirewall help options
The consec (connection security profile) command
The connection profiles allow you to create IPSEC VPNs between two systems. In other words, consec rules allow you to secure the traffic that is coming through the firewall, not just restrict or filter it.
This command option takes you into the connection security configuration mode, like this:
netsh advfirewall> consec
netsh advfirewall consec>
At that point, if you type the ? command, you will see that there are six different contexts within the netsh advfirewall consec command (see Figure 2).
If you type ? there, you will see how you can modify the security profile using the following commands:
- Add command lets you add a new connection security rule.
- Delete command lets you delete a connection security rule.
- Dump command does not work in this context.
- Help command just shows you all the available commands.
- Set command will let you set the new values for an existing rule.
Figure 2: netsh advfirewall consec options
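As an added example (not code from the original article), here is a connection security rule that requires authenticated IPsec for inbound traffic from a management subnet, paired with a firewall rule that only admits RDP over that authenticated connection. The parameter names follow the netsh advfirewall consec add rule syntax; the subnet and rule names are constructed values.

```powershell
# Added example, not from the original article. The subnet and rule names
# are constructed; adjust them to your environment.
$mgmtSubnet = '10.0.5.0/24'   # constructed management subnet

# endpoint1 is this computer, endpoint2 is the remote side.
# requireinrequestout: inbound connections must be authenticated, outbound
# connections request authentication but fall back if the peer cannot do it.
# auth1=computerkerb: Kerberos machine authentication (domain members only).
netsh advfirewall consec add rule name='Require auth from mgmt' endpoint1=any endpoint2=$mgmtSubnet action=requireinrequestout auth1=computerkerb profile=domain
if ($LASTEXITCODE -ne 0) { throw 'consec add rule failed' }

# The consec rule makes IPsec available; this firewall rule makes it mandatory
# for RDP: security=authenticate drops packets that did not arrive over an
# IPsec security association negotiated by a consec rule.
netsh advfirewall firewall add rule name='RDP only over IPsec' dir=in action=allow protocol=TCP localport=3389 remoteip=$mgmtSubnet security=authenticate
if ($LASTEXITCODE -ne 0) { throw 'firewall add rule failed' }

# Verify what the host now enforces instead of trusting the "Ok." output.
netsh advfirewall consec show rule name=all
netsh advfirewall firewall show rule name='RDP only over IPsec'
```

Run it from an elevated PowerShell prompt; a non-domain host needs a different auth1 value (for example a certificate) since Kerberos is unavailable there.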
To see what is going on with the firewall, you will have to use the show command. It offers 3 different options under it.
- Show alias will show you the aliases.
- The show helper command can show you all the top-level helpers.
- Show mode command can show you if the firewall is online or offline.
The export command
The export command lets you export all the current configurations of your firewall to a file. This command is very helpful because you can back up all your settings to a file and restore them if you don't like the configurations that you have made.
Here is an example:
netsh advfirewall export "c:\advfirewall.wfw"
The firewall command
The firewall command is where you can add new inbound and outbound rules to your firewall. It will also allow you to make changes to your existing rules on the firewall.
netsh advfirewall firewall
Inside the firewall context, you will see that there are 4 important commands. They are:
- Add command lets you add inbound and outbound firewall rules.
- Delete command will let you delete a rule.
- Set lets you set new values for rules that have already been created.
- Show will display a specified firewall rule.
Here is an example of how to add & how to delete a firewall rule:
Add an inbound rule for messenger.exe
netsh advfirewall firewall add rule name="allow messenger" dir=in program="c:\programfiles\messenger\msmsgs.exe" action=allow
Delete all inbound rules for local port 21
netsh advfirewall firewall delete rule name=all dir=in protocol=tcp localport=21
The import command
The import command lets you load your firewall configuration from a file that you previously exported. Here is an example:
netsh advfirewall import "c:\advfirewall.wfw"
The reset command
The reset command resets the firewall policy back to the default policy. Be careful with this command: as soon as you type it, it resets the policy without asking whether you are sure. Here is an example:
netsh advfirewall reset
The set command will allow you to change the firewall state for different profiles. There are six different contexts for the set command.
netsh advfirewall set
- Set allprofiles will let you change the settings for all the profiles.
- Set currentprofile will let you change the setting for just the current profile.
- Set domainprofile will let you change the settings for the domain profile.
- Set global will let you set the global settings of the firewall.
- Set privateprofile will let you change the settings for the private profile.
- Set publicprofile will let you change the settings for the public profile.
Examples of using the set command:
- Turn the firewall off for all profiles:
netsh advfirewall set allprofiles state off
- Set the default behavior to block inbound and allow outbound connections on all profiles:
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
- Turn on remote management on all profiles:
netsh advfirewall set allprofiles settings remotemanagement enable
- Log dropped connections on all profiles:
netsh advfirewall set allprofiles logging droppedconnections enable
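Because netsh can be scripted, the export, set, firewall and show commands covered above can be combined into a repeatable baseline. The following PowerShell script is an added example, not code from the original article; the backup path, rule name and management subnet are constructed values.

```powershell
# Added example, not from the original article. Back up the policy, apply a
# baseline with the set and firewall commands, then verify with show.
$ErrorActionPreference = 'Stop'
$backup = 'C:\advfirewall-backup.wfw'   # constructed backup path
$mgmtSubnet = '10.0.5.0/24'             # constructed management subnet

function Assert-Netsh {
    # netsh reports failures through its exit code; stop on the first one so
    # a half-applied baseline is never left in place.
    param([string]$Step)
    if ($LASTEXITCODE -ne 0) { throw "netsh failed during: $Step" }
}

# 1. Back up the current policy before touching it.
#    Roll back with: netsh advfirewall import $backup
netsh advfirewall export $backup
Assert-Netsh 'export'

# 2. Baseline: firewall on, block unsolicited inbound, allow outbound, log drops.
#    The comma-separated policy value is quoted so PowerShell passes it as
#    one argument instead of splitting it into an array.
netsh advfirewall set allprofiles state on
Assert-Netsh 'state on'
netsh advfirewall set allprofiles firewallpolicy 'blockinbound,allowoutbound'
Assert-Netsh 'firewallpolicy'
netsh advfirewall set allprofiles logging droppedconnections enable
Assert-Netsh 'logging'
# Remote management is left at its default (disabled); the article's
# "remotemanagement enable" is only needed for remote MMC administration.

# 3. One explicit inbound exception, scoped to the management subnet rather
#    than allowing the port from anywhere.
netsh advfirewall firewall add rule name='Allow RDP from mgmt' dir=in action=allow protocol=TCP localport=3389 remoteip=$mgmtSubnet
Assert-Netsh 'add rule'

# 4. Verify the applied state rather than trusting the "Ok." messages.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name='Allow RDP from mgmt'
```

Run it from an elevated PowerShell prompt; the same commands work unchanged in a .cmd batch file if you replace the Assert-Netsh calls with `if errorlevel 1` checks.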
The show command will show you all the settings that you have made to all the different profiles.
In this article, we went over the primary commands that you need to know to configure the Windows 2008 firewall with the netsh advfirewall command. Now you just need to decide for yourself whether you prefer the GUI interface or the command line to configure your firewall. Both methods should offer the same options. The command line interface is a much faster way of configuring the Windows 2008 firewall once you know the commands.
And remember, if you want to learn how to use the Windows Server 2008 Advanced Security Firewall, please see our other article on this topic: How to configure the new Windows Server 2008 advanced firewall MMC snap-in.