Step 2. Windows Firewall: Exceptions
The following figure shows the Exceptions tab with its settings.

From the Exceptions tab, you can enable or disable an existing program (an application or service) or port or maintain the list of programs and ports that define excepted traffic. The excepted traffic is not allowed when the Don’t allow exceptions option is selected on the General tab.
Add program-based exception to Exceptions list in Windows Firewall
To add a program exception, click Add Program. The Add Program dialog box is displayed, from which you can select a program or browse for a program’s file name. The following figure shows an example.

Add/Modify program-based exception using command line
netsh firewall add allowedprogram
Used to add a program-based exception.
netsh firewall set allowedprogram
Used to modify the settings of an existing program-based exception.
The syntax and parameters of the add and set commands are identical.
Syntax:
Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall add allowedprogram
[ program = ] path
[ name = ] name
[ [ mode = ] ENABLE|DISABLE
[ scope = ] ALL|SUBNET|CUSTOM
[ addresses = ] addresses
[ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
Adds firewall allowed program configuration.
Parameters:
program – Program path and file name.
name – Program name.
mode – Program mode (optional).
ENABLE – Allow through firewall (default).
DISABLE – Do not allow through firewall.
scope – Program scope (optional).
ALL – Allow all traffic through firewall (default).
SUBNET – Allow only local network (subnet) traffic through firewall.
CUSTOM – Allow only specified traffic through firewall.
addresses – Custom scope addresses (optional).
profile – Configuration profile (optional).
CURRENT – Current profile (default).
DOMAIN – Domain profile.
STANDARD – Standard profile.
ALL – All profiles.
Remarks: ‘scope’ must be ‘CUSTOM’ to specify ‘addresses’.
Examples:
netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE
netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp DISABLE
netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
netsh firewall add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE
netsh firewall add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = DISABLE
netsh firewall add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
Delete existing program-based exception using command line
netsh firewall delete allowedprogram
Used to delete an existing program-based exception.
Syntax:
Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall delete allowedprogram
[ program = ] path
[ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
Deletes firewall allowed program configuration.
Parameters:
program – Program path and file name.
profile – Configuration profile (optional).
CURRENT – Current profile (default).
DOMAIN – Domain profile.
STANDARD – Standard profile.
ALL – All profiles.
Examples:
netsh firewall delete allowedprogram C:\MyApp\MyApp.exe
netsh firewall delete allowedprogram program = C:\MyApp\MyApp.exe
Add a Port to Exceptions list
To add a port exception, click Add Port. The Add a Port dialog box is displayed, from which you can configure a TCP or UDP port. The following figure shows an example.

Windows Firewall allows you to specify the scope of excepted traffic. The scope defines the portion of the network from which the excepted traffic is allowed to originate. To define the scope for a program or port, click Change Scope. The following figure shows an example.

Add/Modify port-based exception using command line
netsh firewall add portopening
Used to create a port-based exception.
netsh firewall set portopening
Used to modify the settings of an existing port-based exception.
The syntax and parameters of the add and set commands are identical.
Syntax:
Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall add portopening
[ protocol = ] TCP|UDP|ALL
[ port = ] 1-65535
[ name = ] name
[ [ mode = ] ENABLE|DISABLE
[ scope = ] ALL|SUBNET|CUSTOM
[ addresses = ] addresses
[ profile = ] CURRENT|DOMAIN|STANDARD|ALL
[ interface = ] name ]
Adds firewall port configuration.
Parameters:
protocol – Port protocol.
TCP – Transmission Control Protocol (TCP).
UDP – User Datagram Protocol (UDP).
ALL – All protocols.
port – Port number.
name – Port name.
mode – Port mode (optional).
ENABLE – Allow through firewall (default).
DISABLE – Do not allow through firewall.
scope – Port scope (optional).
ALL – Allow all traffic through firewall (default).
SUBNET – Allow only local network (subnet) traffic through firewall.
CUSTOM – Allow only specified traffic through firewall.
addresses – Custom scope addresses (optional).
profile – Configuration profile (optional).
CURRENT – Current profile (default).
DOMAIN – Domain profile.
STANDARD – Standard profile.
ALL – All profiles.
interface – Interface name (optional).
Remarks:
‘profile’ and ‘interface’ may not be specified together.
‘scope’ and ‘interface’ may not be specified together.
‘scope’ must be ‘CUSTOM’ to specify ‘addresses’.
Examples:
netsh firewall add portopening TCP 80 MyWebPort
netsh firewall add portopening UDP 500 IKE ENABLE ALL
netsh firewall add portopening ALL 53 DNS ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
netsh firewall add portopening protocol = TCP port = 80 name = MyWebPort
netsh firewall add portopening protocol = UDP port = 500 name = IKE mode = ENABLE scope = ALL
netsh firewall add portopening protocol = ALL port = 53 name = DNS mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
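As an added example (not part of the original page and not Microsoft's tooling), the following Python builds the netsh firewall add allowedprogram and add portopening command lines documented above and refuses the combinations the Remarks forbid, so a deployment script cannot silently fall back to scope = ALL when a CUSTOM address list was intended; exception_cmd and check_address are my own names.

```python
"""Build 'netsh firewall add' exception lines in the XP SP2 syntax shown above,
refusing combinations the netsh Remarks forbid. Added example, not Microsoft's
code; exception_cmd and check_address are my own names."""
import ipaddress

def check_address(addr):
    """netsh 'addresses' forms: host IP, IP/prefix, IP/dotted-mask, LocalSubnet."""
    if addr == "LocalSubnet":
        return addr
    host, _, mask = addr.partition("/")
    ipaddress.IPv4Address(host)                      # ValueError if malformed
    if mask and not (mask.isdigit() and int(mask) <= 32):
        ipaddress.IPv4Address(mask)                  # dotted-mask form
    return addr

def exception_cmd(kind, target, mode="ENABLE", scope=None, addresses=(),
                  profile=None, interface=None):
    """Return one command line, or raise ValueError when the parameters break
    the documented rules (value ranges, scope/addresses, profile/interface,
    scope/interface). scope=None means 'not specified' (netsh default ALL)."""
    parts = ["netsh firewall add", kind]
    if kind == "allowedprogram":
        parts += [f"program = {target['program']}", f"name = {target['name']}"]
    elif kind == "portopening":
        if target["protocol"] not in ("TCP", "UDP", "ALL"):
            raise ValueError("protocol must be TCP, UDP or ALL")
        if not 1 <= int(target["port"]) <= 65535:
            raise ValueError("port must be 1-65535")
        parts += [f"protocol = {target['protocol']}",
                  f"port = {target['port']}", f"name = {target['name']}"]
    else:
        raise ValueError("kind must be allowedprogram or portopening")
    if mode not in ("ENABLE", "DISABLE"):
        raise ValueError("mode must be ENABLE or DISABLE")
    if addresses and scope != "CUSTOM":
        raise ValueError("'scope' must be 'CUSTOM' to specify 'addresses'")
    if scope is not None and scope not in ("ALL", "SUBNET", "CUSTOM"):
        raise ValueError("scope must be ALL, SUBNET or CUSTOM")
    if profile is not None and profile not in ("CURRENT", "DOMAIN", "STANDARD", "ALL"):
        raise ValueError("profile must be CURRENT, DOMAIN, STANDARD or ALL")
    if interface is not None and (kind != "portopening" or profile is not None
                                  or scope is not None):
        raise ValueError("'interface' is portopening-only and excludes 'profile' and 'scope'")
    addr = ",".join(check_address(a) for a in addresses) if addresses else None
    optional = (("mode", mode), ("scope", scope), ("addresses", addr),
                ("profile", profile), ("interface", interface))
    parts += [f"{k} = {v}" for k, v in optional if v is not None]
    return " ".join(parts)
```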
Delete existing port-based exception using command line
netsh firewall delete portopening
Used to delete an existing port-based exception.
Syntax:
Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall delete portopening
[ protocol = ] TCP|UDP|ALL
[ port = ] 1-65535
[ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
[ interface = ] name ]
Deletes firewall port configuration.
Parameters:
protocol – Port protocol.
TCP – Transmission Control Protocol (TCP).
UDP – User Datagram Protocol (UDP).
ALL – All protocols.
port – Port number.
profile – Configuration profile (optional).
CURRENT – Current profile (default).
DOMAIN – Domain profile.
STANDARD – Standard profile.
ALL – All profiles.
interface – Interface name (optional).
Remarks:
‘profile’ and ‘interface’ may not be specified together.
Examples:
netsh firewall delete portopening TCP 80
netsh firewall delete portopening UDP 500
netsh firewall delete portopening protocol = TCP port = 80
netsh firewall delete portopening protocol = UDP port = 500
Windows Firewall Notifications
Applications can use Windows Firewall application programming interface (API) function calls to automatically add exceptions. When applications create exceptions using the Windows Firewall APIs, the user is not notified. If the application using the Windows Firewall APIs does not specify an exception name, the exception is not displayed in the exceptions list on the Exceptions tab of the Windows Firewall.

When an application that does not use the Windows Firewall API runs and attempts to listen on TCP or UDP ports, Windows Firewall prompts a local administrator with a Windows Security Alert dialog box. The following figure shows an example.

Set option “Display a notification when Windows Firewall blocks a program” using command line
netsh firewall set notifications
Used to specify the notification behavior.
Syntax:
Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall set notifications
[ mode = ] ENABLE|DISABLE
[ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
Sets firewall notification configuration.
Parameters:
mode – Notification mode.
ENABLE – Allow pop-up notifications from firewall.
DISABLE – Do not allow pop-up notifications from firewall.
profile – Configuration profile (optional).
CURRENT – Current profile (default).
DOMAIN – Domain profile.
STANDARD – Standard profile.
ALL – All profiles.
Examples:
netsh firewall set notifications ENABLE
netsh firewall set notifications DISABLE
netsh firewall set notifications mode = ENABLE
netsh firewall set notifications mode = DISABLE