Step 3. Windows Firewall: Advanced Options
The following figure shows the Advanced tab.

The Advanced tab contains the following sections:
- Network Connection Settings
- Security Logging
- ICMP
- Default Settings
Network Connection Settings
In Network Connection Settings, you can:
- Specify the set of interfaces on which Windows Firewall is enabled. To enable, select the check box next to the network connection name. To disable, clear the check box. By default, all of the network connections have Windows Firewall enabled. If a network connection does not appear in this list, then it is not a standard networking connection. Examples include some custom dialers from Internet service providers (ISPs).
- Configure advanced settings of an individual network connection by clicking the network connection name, and then clicking Settings.
If you clear all of the check boxes in the Network Connection Settings, then Windows Firewall is not protecting your computer, regardless of whether you have selected On (recommended) on the General tab. The settings in Network Connection Settings are ignored if you have selected Don’t allow exceptions on the General tab, in which case all interfaces are protected.
When you click Settings, the Advanced Settings dialog box is displayed, as shown in the following figure.

From the Advanced Settings dialog box, you can configure specific services from the Services tab (by TCP or UDP port only) or enable specific types of ICMP traffic from the ICMP tab.
On the Services tab, do one of the following:
- If you want to enable a service, under Services select the check box next to the service that you want to enable, and then enter the required information.
- If you want to add a service definition, click Add, and then enter the required information.
- If you want to edit a service definition, click the service that you want to edit, click Edit, and then change the appropriate information.
- If you want to delete a service definition, click the service that you want to delete, and then click Delete.

Notes:
- No two service definitions can use the same port numbers simultaneously.
- For service definitions that are preconfigured, you can edit only the field that is labeled Name or IP address of the computer hosting this service on your network.
- For service definitions that you have added, you can edit only the fields that are labeled Name or IP address of the computer hosting this service on your network, External Port number for this service, and Internal Port number for this service.
- You can delete only the service definitions that you have added. You cannot delete service definitions that are preconfigured.
On the ICMP tab, do one of the following:
- To enable Internet Control Message Protocol (ICMP) options, select the check box next to each type of request for information to which you would like your computer to respond.
- To disable ICMP options, clear any or all of the ICMP check boxes.

Enable or disable Windows Firewall pre-defined services using command line
netsh firewall set service
Used to enable or disable the pre-defined file and printer sharing, remote administration, remote desktop, and UPnP exceptions.
Syntax:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall set service
[ type = ] FILEANDPRINT|REMOTEADMIN|REMOTEDESKTOP|UPNP|ALL
[ [ mode = ] ENABLE|DISABLE
[ scope = ] ALL|SUBNET|CUSTOM
[ addresses = ] addresses
[ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
Sets firewall service configuration.
Parameters:
type – Service type.
FILEANDPRINT – File and printer sharing.
REMOTEADMIN – Remote administration.
REMOTEDESKTOP – Remote assistance and remote desktop.
UPNP – UPnP framework.
ALL – All types.
mode – Service mode (optional).
ENABLE – Allow through firewall (default).
DISABLE – Do not allow through firewall.
scope – Service scope (optional).
ALL – Allow all traffic through firewall (default).
SUBNET – Allow only local network (subnet) traffic through firewall.
CUSTOM – Allow only specified traffic through firewall.
addresses – Custom scope addresses (optional).
profile – Configuration profile (optional).
CURRENT – Current profile (default).
DOMAIN – Domain profile.
STANDARD – Standard profile.
ALL – All profiles.
Remarks:
‘scope’ ignored if ‘mode’ is DISABLE.
‘scope’ must be ‘CUSTOM’ to specify ‘addresses’.
Examples:
netsh firewall set service FILEANDPRINT
netsh firewall set service REMOTEADMIN ENABLE SUBNET
netsh firewall set service REMOTEDESKTOP ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
netsh firewall set service type = FILEANDPRINT
netsh firewall set service type = REMOTEADMIN mode = ENABLE scope = SUBNET
netsh firewall set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
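The parameter order, defaults and remarks above can be checked mechanically before a deployment script is run. The following is an added example, not part of the original page or of netsh itself: a small Python reviewer (the function names `parse_set_service` and `review` are hypothetical) that accepts both the positional and the `name = value` forms and reports exceptions left at the default scope of ALL, as well as combinations the remarks rule out.

```python
import re

# Positional order and allowed values, copied from the syntax block on this page.
PARAMS = ["type", "mode", "scope", "addresses", "profile"]
ALLOWED = {
    "type": {"FILEANDPRINT", "REMOTEADMIN", "REMOTEDESKTOP", "UPNP", "ALL"},
    "mode": {"ENABLE", "DISABLE"},
    "scope": {"ALL", "SUBNET", "CUSTOM"},
    "profile": {"CURRENT", "DOMAIN", "STANDARD", "ALL"},
}
PREFIX = re.compile(r"^\s*netsh\s+firewall\s+set\s+service\b\s*", re.I)


def parse_set_service(line):
    """Return only the parameters the command states, keyed by name."""
    m = PREFIX.match(line)
    if not m:
        raise ValueError("not a 'netsh firewall set service' command")
    # Collapse "name = value" to "name=value" so both call styles tokenise alike.
    tokens = re.sub(r"\s*=\s*", "=", line[m.end():]).split()
    args = {}
    for pos, tok in enumerate(tokens):
        name, sep, value = tok.partition("=")
        if not sep:  # positional form: the position decides the name
            if pos >= len(PARAMS):
                raise ValueError("too many arguments")
            name, value = PARAMS[pos], tok
        name = name.lower()
        if name not in PARAMS:
            raise ValueError(f"unknown parameter: {name}")
        args[name] = value if name == "addresses" else value.upper()
        if name in ALLOWED and args[name] not in ALLOWED[name]:
            raise ValueError(f"invalid {name}: {value}")
    if "type" not in args:
        raise ValueError("type is required")
    return args


def review(line):
    """Return findings for one command, applying the defaults ENABLE and scope ALL."""
    a = parse_set_service(line)
    mode, scope = a.get("mode", "ENABLE"), a.get("scope", "ALL")
    findings = []
    if "addresses" in a and scope != "CUSTOM":
        findings.append("addresses requires scope CUSTOM")
    if mode == "DISABLE":
        if "scope" in a:
            findings.append("scope is ignored when mode is DISABLE")
    elif scope == "ALL":
        findings.append(f"{a['type']} exception is open to all source addresses")
    return findings
```

Run over the examples above, the first command (`FILEANDPRINT` with no scope) is the only one flagged, because an omitted scope means ALL.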
Set Windows Firewall Security Logging

In Security Logging, click Settings to specify the configuration of Windows Firewall logging in the Log Settings dialog box, as shown in the following figure.

From the Log Settings dialog box, you can configure whether to log discarded (dropped) packets or successful connections and specify the name and location of the log file (by default set to Systemroot\pfirewall.log) and its maximum size.
Set Windows Firewall Security Logging using command line
netsh firewall set logging
Used to specify logging options.
Syntax:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall set logging
[ [ filelocation = ] path
[ maxfilesize = ] 1-32767
[ droppedpackets = ] ENABLE|DISABLE
[ connections = ] ENABLE|DISABLE ]
Sets firewall logging configuration.
Parameters:
filelocation – Log path and file name (optional).
maxfilesize – Maximum log file size in kilobytes (optional).
droppedpackets – Dropped packet log mode (optional).
ENABLE – Log in firewall.
DISABLE – Do not log in firewall.
connections – Successful connection log mode (optional).
ENABLE – Log in firewall.
DISABLE – Do not log in firewall.
Remarks:
At least one parameter must be specified.
Examples:
netsh firewall set logging %windir%\pfirewall.log 4096
netsh firewall set logging %windir%\pfirewall.log 4096 ENABLE
netsh firewall set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096
netsh firewall set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096 droppedpackets = ENABLE
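Once dropped-packet logging is enabled, the log is only useful if someone reads it. The following is an added example, not part of the original page: a Python summary of dropped packets per source address that takes its column names from the `#Fields:` header Windows Firewall writes at the top of the log. The sample log is constructed, its addresses come from documentation ranges, and the threshold `min_ports` is an assumption.

```python
from collections import defaultdict

# Constructed sample in the log's space-separated layout; not taken from a real host.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2005-04-11 08:05:57 DROP TCP 198.51.100.7 192.0.2.10 4312 135 48 S 1200 0 16384 - - -
2005-04-11 08:05:58 DROP TCP 198.51.100.7 192.0.2.10 4313 139 48 S 1201 0 16384 - - -
2005-04-11 08:05:59 DROP TCP 198.51.100.7 192.0.2.10 4314 445 48 S 1202 0 16384 - - -
2005-04-11 08:06:02 OPEN TCP 192.0.2.10 203.0.113.5 1045 80 - - - - - - - -
2005-04-11 08:06:10 DROP ICMP 198.51.100.9 192.0.2.10 - - 60 - - - - 8 0 -
2005-04-11 08:06:30 CLOSE TCP 192.0.2.10 203.0.113.5 1045 80 - - - - - - - -
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))


def dropped_by_source(text, min_ports=3):
    """Map source IP to the sorted destination ports it was dropped on."""
    ports = defaultdict(set)
    for rec in parse_log(text):
        if rec["action"] == "DROP" and rec["dst-port"] != "-":
            ports[rec["src-ip"]].add(int(rec["dst-port"]))
    # Report only sources that touched at least min_ports distinct ports.
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}
```

Because the parser reads the header instead of hard-coding column positions, it keeps working if the log carries additional fields.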
ICMP Settings

In ICMP, click Settings to specify the types of ICMP traffic that are allowed in the ICMP dialog box, as shown in the following figure.

From the ICMP dialog box, you can enable and disable the types of incoming ICMP messages that Windows Firewall allows for all the connections selected on the Advanced tab. ICMP messages are used for diagnostics, reporting error conditions, and configuration. By default, no ICMP messages in the list are allowed.
A common step in troubleshooting connectivity problems is to use the Ping tool to ping the address of the computer to which you are trying to connect. When you ping, you send an ICMP Echo message and get an ICMP Echo Reply message in response. By default, Windows Firewall does not allow incoming ICMP Echo messages and therefore the computer cannot send an ICMP Echo Reply in response. To configure Windows Firewall to allow the incoming ICMP Echo message, you must enable the Allow incoming echo request setting.
Set Windows Firewall ICMP Settings using command line
netsh firewall set icmpsetting
Used to specify excepted ICMP traffic.
Syntax:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall set icmpsetting
[ type = ] 2-5|8-9|11-13|17|ALL
[ [ mode = ] ENABLE|DISABLE
[ profile = ] CURRENT|DOMAIN|STANDARD|ALL
[ interface = ] name ]
Sets firewall ICMP configuration.
Parameters:
type – ICMP type.
2 – Allow outgoing packet too big.
3 – Allow outgoing destination unreachable.
4 – Allow outgoing source quench.
5 – Allow redirect.
8 – Allow incoming echo request.
9 – Allow incoming router request.
11 – Allow outgoing time exceeded.
12 – Allow outgoing parameter problem.
13 – Allow incoming timestamp request.
17 – Allow incoming mask request.
ALL – All types.
mode – ICMP mode (optional).
ENABLE – Allow through firewall (default).
DISABLE – Do not allow through firewall.
profile – Configuration profile (optional).
CURRENT – Current profile (default).
DOMAIN – Domain profile.
STANDARD – Standard profile.
ALL – All profiles.
interface – Interface name (optional).
Remarks:
‘profile’ and ‘interface’ may not be specified together.
‘type’ 2 and ‘interface’ may not be specified together.
Examples:
netsh firewall set icmpsetting 8
netsh firewall set icmpsetting 8 ENABLE
netsh firewall set icmpsetting ALL DISABLE
netsh firewall set icmpsetting type = 8
netsh firewall set icmpsetting type = 8 mode = ENABLE
netsh firewall set icmpsetting type = ALL mode = DISABLE
Configure unicast response to a multicast or broadcast request behavior using command line
netsh firewall set multicastbroadcastresponse
Used to specify the unicast response to a multicast or broadcast request behavior.
Syntax:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
netsh firewall set multicastbroadcastresponse
[ mode = ] ENABLE|DISABLE
[ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
Sets firewall multicast/broadcast response configuration.
Parameters:
mode – Multicast/broadcast response mode.
ENABLE – Allow responses to multicast/broadcast traffic through the firewall.
DISABLE – Do not allow responses to multicast/broadcast traffic through the firewall.
profile – Configuration profile (optional).
CURRENT – Current profile (default).
DOMAIN – Domain profile.
STANDARD – Standard profile.
ALL – All profiles.
Examples:
netsh firewall set multicastbroadcastresponse ENABLE
netsh firewall set multicastbroadcastresponse DISABLE
netsh firewall set multicastbroadcastresponse mode = ENABLE
netsh firewall set multicastbroadcastresponse mode = DISABLE
Restore all Windows Firewall settings to default state

On the Advanced tab, click Restore Defaults to reset Windows Firewall to its originally installed state. When you click Restore Defaults, you are prompted to verify your decision before Windows Firewall settings are changed.
Restore all Windows Firewall settings to default state using command line
netsh firewall reset
Used to reset the configuration of Windows Firewall to default settings. There are no command line options for the reset command.