Netsh AdvFirewall Firewall Commands
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Typing the command firewall at the netsh advfirewall context changes to the Netsh AdvFirewall Firewall context, where you can view, create, and modify firewall rules. This context is the command-line equivalent to the Inbound Rules and Outbound Rules nodes of the Windows Firewall with Advanced Security MMC snap-in.
IMPORTANT: “netsh firewall” is deprecated; use “netsh advfirewall firewall” instead. For more information on using “netsh advfirewall firewall” commands instead of “netsh firewall”, see KB article 947709 at http://go.microsoft.com/fwlink?linkid=121488.
The commands available in the Firewall context are described below.
add
In the netsh advfirewall firewall context, the add command only has one variation, the add rule command.
add rule
Adds a new inbound or outbound firewall rule that filters traffic by allowing or blocking network packets that match the specified criteria.
Syntax
add rule
name = RuleName
dir = { in | out }
action = { allow | block | bypass }
[ program = ProgramPath\FileName ]
[ service = { ServiceShortName | any } ]
[ description = RuleDescription ]
[ enable = { yes | no } ]
[ profile = { public | private | domain | any | [ ,... ] } ]
[ localip = { Addresses } ]
[ remoteip = { Addresses } ]
[ localport = { any | Integer | rpc | rpc-epmap | iphttps | teredo | [ ,... ] } ]
[ remoteport = { any | Integer | [ ,... ] } ]
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
[ interfacetype = { any | wireless | lan | ras } ]
[ rmtcomputergrp = SDDLString ]
[ rmtusrgrp = SDDLString ]
[ edge = { yes | deferapp | deferuser | no } ]
[ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]
Parameters
name = RuleName
Required. The name of the rule.
dir = { in | out }
Required. Specifies the direction of the traffic that the rule matches:
in. The rule matches only inbound network traffic that is arriving at the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Inbound Rules.

out. The rule matches only outbound network traffic that is sent by the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Outbound Rules.

action = { allow | block | bypass }
Required. Specifies what the firewall does with packets that match the rule:
allow. Network packets that match all criteria specified in this rule are permitted through the firewall.

block. Network packets that match all criteria specified in this rule are dropped by the firewall.

bypass. If dir=in, then this option is valid only for rules that have one or more accounts listed in rmtcomputergrp and optionally rmtusrgrp. Network packets that match this rule and that are successfully authenticated against a computer account specified in rmtcomputergrp and against a user account identified in rmtusrgrp are permitted through the firewall. If you specify this option, then you cannot set security=notrequired. This option is the equivalent to the Override block rules checkbox in the Windows Firewall with Advanced Security MMC snap-in.

For computers that are running Windows 7 or Windows Server 2008 R2, action=bypass is permitted on an outbound rule. Selecting this option on an outbound rule causes matching traffic to be permitted through this rule even if other matching rules would block the traffic. No accounts are required in rmtcomputergrp or rmtusrgrp for an outbound bypass rule; however, if authorized or excepted computers are listed in those groups, they will be enforced.

The action=bypass option on an outbound rule is not valid on computers that are running earlier versions of Windows.

[ program = ProgramPath\FileName ]
Specifies the full path and file name of the program whose network traffic matches this rule.
[ service = { ServiceShortName | any } ]
Specifies the service whose network traffic matches this rule. ServiceShortName is the short name of the service, shown as Service Name in the Properties dialog of the service in the Services snap-in. Specify any to apply the rule to the traffic of all services.
[ description = RuleDescription ]
[ enable = { yes | no } ]
Specifies whether the rule is enabled. Default: yes.
[ profile = { public | private | domain | any | [ ,... ] } ]
Specifies the profile or profiles to which the rule applies. Separate multiple profiles with commas. Default: any.
[ localip = { Addresses } ]
Specifies the local IP addresses that packets must match. Addresses can be one of the following:
any. Matches any IP address.

IPAddress. Matches only the exact IPv4 or IPv6 address.

IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

Multiple values can be separated by commas. Default: any.
[ remoteip = { Addresses } ]
Specifies the remote IP addresses that packets must match. Addresses can be one of the following:
any. Matches any IP address.

localsubnet. Matches any IP address that is on the same IP subnet as the local computer.

dns|dhcp|wins|defaultgateway. Matches the IP address of any computer that is configured as the identified server type on the local computer.

IPAddress. Matches only the exact IPv4 or IPv6 address specified.

IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

Multiple values can be separated by commas. Default: any.
[ localport = { any | Integer | rpc | rpc-epmap | iphttps | teredo | [ ,... ] } ]
Specifies the local port that packets must match. Valid values are:
any. Matches any value in the port field of the IP packet.

Integer. Matches the specified port number. A range can be given as two port numbers separated by a hyphen, for example 5000-5020, and multiple ports or ranges can be separated by commas.

Note: Port ranges are supported only on Windows 7 and Windows Server 2008 R2 (see Remarks).
rpc. Matches inbound TCP packets that are addressed to the listening socket of an application that correctly registers the port as an RPC listening port. A rule with this option must also specify protocol = tcp and dir = in. We recommend that you also specify the appropriate program = ProgramName and/or service = ServiceName options to ensure that only the correct service can send or receive traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the application when it starts.

rpc-epmap. Matches inbound TCP packets that are addressed to the dynamic RPC endpoint mapper service. A rule with this option must also specify protocol = tcp, and dir = in. We recommend that you also specify program = %windir%\system32\svchost.exe, and service = rpcss to ensure that only the RPC service can send or receive network traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the service when it starts. If you have one or more rules that specify localport = rpc, then you must also create a rule with localport = rpc-epmap enabled. This allows both the incoming request to the mapper, and the subsequent packets to the ephemeral ports assigned by the RPC service.

teredo. Matches inbound UDP packets that contain Teredo packets. Teredo is an IPv4 to IPv6 transition technology that allows IPv4 computers to communicate with IPv6 computers.

iphttps. Matches inbound TCP packets that contain HTTPS with embedded IPv6 packets. IP-HTTPS is a firewall traversal protocol that carries IPv6 packets that would otherwise be blocked if sent by using Teredo, 6to4, or native IPv6. HTTPS is almost universally permitted through a firewall, so IP over HTTPS is another mechanism that can be used when a firewall does not support other edge traversal protocols. The IP-HTTPS option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only, and is ignored if applied by Group Policy to computers that are running earlier versions of Windows.

Default: any.
[ remoteport = { any | Integer | [ ,... ] } ]
Specifies the remote port that packets must match. Valid values are:
any. Matches any value in the port field of the IP packet.

Integer. Matches the specified port number. A range can be given as two port numbers separated by a hyphen, for example 5000-5020, and multiple ports or ranges can be separated by commas.

Note: Port ranges are supported only on Windows 7 and Windows Server 2008 R2 (see Remarks).
Default: any.
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
Specifies the protocol that packets must match. Valid values are:
any. Matches any value in the Protocol field of the IP packet.

Integer. Specifies the protocol by number that must be present for the packet to match the rule. The value can range from 0 through 255.

icmpv4. Specifies that all ICMP v4 packets match this rule.

icmpv6. Specifies that all ICMP v6 packets match this rule.

icmpv4:type,code. Specifies that only ICMP v4 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

icmpv6:type,code. Specifies that only ICMP v6 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

tcp. Specifies that only TCP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

udp. Specifies that only UDP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

Default: any.
[ interfacetype = { any | wireless | lan | ras } ]
any. Network packets passing through any of the interface types match this rule.

wireless. Network packets that pass through a wireless network adapter match this rule.

lan. Network packets that pass through a wired LAN adapter match this rule.

ras. Network packets that pass through a RAS interface, such as a VPN or dial-up network connection match this rule.

Default: any.
[ rmtcomputergrp = SDDLString ]
Specifies, as an SDDL string, the computer accounts or groups whose network traffic matches this rule. Because the remote computer is identified through IPsec authentication, a rule that specifies rmtcomputergrp must set security to a value other than notrequired (authenticate or authenc). An inbound rule with action=bypass requires rmtcomputergrp. For the SDDL format and how to obtain the string, see Remarks.
[ rmtusrgrp = SDDLString ]
Specifies, as an SDDL string, the user accounts or groups whose network traffic matches this rule. Because the remote user is identified through IPsec authentication, a rule that specifies rmtusrgrp must set security to a value other than notrequired (authenticate or authenc). For the SDDL format and how to obtain the string, see Remarks.
[ edge = { yes | deferapp | deferuser | no } ]
Specifies whether inbound packets that have passed through an edge device, such as a network address translation (NAT) router, match this rule. This option is valid only if dir=in. deferapp leaves the decision to the application and deferuser leaves it to the user; both are valid on computers that are running Windows 7 or Windows Server 2008 R2 only. This option is the equivalent of the Allow edge traversal setting in the Windows Firewall with Advanced Security MMC snap-in. Default: no.
[ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]
Specifies whether packets must be protected by IPsec to match this rule. Valid values are:
authenticate. Network packets that are authenticated by IPsec match this rule. You must create a separate connection security rule to authenticate the traffic. This option is the equivalent of the Allow only secure connections in the Windows Firewall with Advanced Security MMC snap-in.

authenc. Network packets that are authenticated and encrypted by IPsec match this rule. You must create a separate connection security rule to authenticate and encrypt the traffic. This option is the equivalent of the Require encryption option in the Windows Firewall with Advanced Security MMC snap-in.

authdynenc. Network packets that are authenticated by IPsec match this rule, and the computers can dynamically negotiate encryption for the matching traffic. This option is the equivalent of the Allow systems to dynamically negotiate encryption option in the Windows Firewall with Advanced Security MMC snap-in. Note: This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

authnoencap. Network packets that are authenticated by IPsec match this rule even when the traffic is not encapsulated (null encapsulation); only authentication is required. Note: This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

notrequired. Any network packet matches this rule, whether or not it is protected by IPsec. This option is the equivalent of not selecting the Allow only secure connections option in the Windows Firewall with Advanced Security MMC snap-in.

Default: notrequired.
Remarks
Rules that specify port ranges can be created by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

Do not create a firewall rule with the name all. Doing this creates a conflict with the netsh option to select all firewall rules (for example, delete rule name=all).

If rmtcomputergrp or rmtusrgrp is specified, then the network traffic must also match a connection security rule that authenticates the connection. The authentication protocol used must include identification of a computer or user account, such as Kerberos v5, NTLM v2, or a computer certificate with account mapping enabled.

Do not set both edge=yes and remoteip=localsubnet. They are conflicting options and result in the firewall blocking all network traffic from outside the edge device.

For more information about SDDL strings and their format, see "Security Descriptor String Format" (http://go.microsoft.com/fwlink/?linkid=109950) on the Microsoft MSDN Web site.

One way to find the SDDL strings for computer, user, or group accounts is to use the Windows Firewall with Advanced Security MMC snap-in to create a temporary firewall rule. If the accounts of interest are domain accounts, you must run the snap-in on a computer that is joined to the domain with the accounts. Be sure to disable the rule so that it cannot interfere with any network traffic. On the Users and Computers tab, select Only allow connections from these computers, and then click the Add button to find the computer or machine group account of interest. You can also select the Only allow connections from these users, and then click the Add button to find the user or group account of interest. After creating the rule, you can use the command netsh advfirewall firewall show rule name=rulename verbose to view the SDDL string for that computer or group. Be sure to delete the temporary rule when you are finished.

The localport=teredo option is valid for protocol=udp only.
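The procedure above obtains SDDL strings by creating a temporary rule in the snap-in. As an added example that is not part of the original page, the following PowerShell script builds the same D:(A;;CC;;;SID) strings directly from account names (translating each name to a SID through .NET) and then creates an inbound rule restricted to those accounts. The function names, rule name and CONTOSO account names are placeholders chosen for this example; it must be run from an elevated prompt on a computer that can resolve the accounts, and a connection security rule that authenticates the peer must exist, as the Remarks state.

```powershell
# Added example, not from the original page or from Microsoft's documentation.
# Builds rmtcomputergrp / rmtusrgrp SDDL strings from account names and
# creates an authenticated inbound rule in one step.

function ConvertTo-FirewallSddl {
    # Takes one or more account or group names (DOMAIN\Name) and returns a
    # DACL in the form the page's examples use: D:(A;;CC;;;SID)(A;;CC;;;SID)...
    param([Parameter(Mandatory)][string[]] $AccountName)

    $aces = foreach ($name in $AccountName) {
        $sid = ([System.Security.Principal.NTAccount] $name).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        # One access-allowed ACE per account; CC is the right the firewall checks.
        "(A;;CC;;;$sid)"
    }
    return "D:" + ($aces -join "")
}

function Add-AuthenticatedRule {
    # Creates an inbound rule limited to the given computer group and,
    # optionally, user group. security=authenticate is mandatory here:
    # rmtcomputergrp / rmtusrgrp only work when the peer is authenticated.
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][string] $ComputerGroup,
        [string] $UserGroup,
        [ValidateSet('allow','bypass')][string] $Action = 'allow'
    )
    $netshArgs = @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$Name", 'dir=in', "action=$Action", 'security=authenticate',
        "rmtcomputergrp=$(ConvertTo-FirewallSddl $ComputerGroup)"
    )
    if ($UserGroup) {
        $netshArgs += "rmtusrgrp=$(ConvertTo-FirewallSddl $UserGroup)"
    }
    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

# Placeholder names (assumption): replace with real domain groups.
$ruleName = 'Allow Only Specific Computers and Users'
Add-AuthenticatedRule -Name $ruleName `
    -ComputerGroup 'CONTOSO\Managed Workstations' `
    -UserGroup 'CONTOSO\Helpdesk' -Action bypass

# Confirm that the stored SDDL strings match what was generated.
netsh advfirewall firewall show rule "name=$ruleName" verbose
```

The final show rule ... verbose call is the same check the Remarks describe for a temporary rule; here it confirms the generated SDDL against what netsh stored. Passing the arguments as an array lets PowerShell quote the rule name, which contains spaces, as a single argument.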

Examples
The following command creates an outbound rule to block all traffic from the local computer that originates on TCP port 80.

add rule name="Block Outbound Port 80" dir=out localport=80 protocol=TCP action=block

The following command creates a rule that blocks all inbound traffic from all WINS servers:

add rule name="Block WINS" dir=in action=block remoteip=wins

The following command creates an inbound rule that allows traffic for the Windows Messenger program only from computers on the same subnet as the local computer.

add rule name="Allow Messenger" dir=in program="c:\program files\messenger\msmsgs.exe" remoteip=localsubnet action=allow

The following command creates a rule that permits inbound Windows Messenger network traffic only if the connection from the remote computer is authenticated by using a separate connection security rule.

add rule name="Allow Authenticated Messenger" dir=in program="c:\program files\messenger\msmsgs.exe" security=authenticate action=allow

The following command creates a rule that allows all network traffic from computers that are members of a specific computer group, and only from users that are members of a specific user group. Both memberships must be confirmed by authentication using a separate connection security rule. The actual SDDL strings to use should be determined by referring to the SDDL documentation and steps identified in the Remarks section above.

add rule name="Allow Only Specific Computers and Users" dir=in rmtcomputergrp=D:(A;;CC;;;SIDforMachineGroupAccount) rmtusrgrp=D:(A;;CC;;;SIDforUserGroupAccount) action=bypass security=authenticate

The following two commands create rules that block all wireless network traffic:

add rule name="Block Wireless In" dir=in interfacetype=wireless action=block

add rule name="Block Wireless Out" dir=out interfacetype=wireless action=block

The following command creates an inbound rule that allows TCP traffic to local ports 12345 and 5000-5020 for the specified program, including traffic that arrives through an edge device (edge=yes). Port ranges are supported on Windows 7 and Windows Server 2008 R2 only (see Remarks).

add rule name="Allow TCP 12345 and 5000-5020 over Teredo" dir=in action=allow edge=yes remoteip=any protocol=TCP localport=12345,5000-5020 program="c:\program files\TestIPv6App.exe"
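The examples above create rules one at a time. As an added example that is not part of the original page, the following PowerShell wrapper checks the constraints stated in this section before anything reaches netsh (a rule must not be named all; localport=rpc and rpc-epmap need dir=in and protocol=tcp; localport=teredo needs protocol=udp; an inbound action=bypass rule needs rmtcomputergrp and cannot use security=notrequired; edge=yes and remoteip=localsubnet conflict) and then uses it to create the rpc / rpc-epmap pair that the localport description requires. The function name, rule names and the ExampleApp path are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the original page or from Microsoft's documentation.

function Add-CheckedFirewallRule {
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][ValidateSet('in','out')][string] $Dir,
        [Parameter(Mandatory)][ValidateSet('allow','block','bypass')][string] $Action,
        [hashtable] $Options = @{}   # remaining key=value pairs, e.g. @{ protocol = 'tcp' }
    )
    # Normalise option names to lower case so the checks below are reliable.
    $o = @{}
    foreach ($k in $Options.Keys) { $o[$k.ToLower()] = [string] $Options[$k] }

    # "all" collides with the netsh selector (delete rule name=all).
    if ($Name -eq 'all') { throw 'A rule must not be named "all".' }

    # rpc and rpc-epmap are only defined for inbound TCP.
    if (@('rpc','rpc-epmap') -contains $o.localport -and
        -not ($Dir -eq 'in' -and $o.protocol -eq 'tcp')) {
        throw "localport=$($o.localport) requires dir=in and protocol=tcp."
    }
    # localport=teredo is valid for UDP only.
    if ($o.localport -eq 'teredo' -and $o.protocol -ne 'udp') {
        throw 'localport=teredo requires protocol=udp.'
    }
    # An inbound bypass rule needs authenticated computer accounts.
    if ($Action -eq 'bypass' -and $Dir -eq 'in') {
        if (-not $o.rmtcomputergrp) { throw 'Inbound action=bypass requires rmtcomputergrp.' }
        if ($o.security -eq 'notrequired') { throw 'action=bypass cannot use security=notrequired.' }
    }
    # Together these block all traffic from outside the edge device.
    if ($o.edge -eq 'yes' -and $o.remoteip -eq 'localsubnet') {
        throw 'edge=yes and remoteip=localsubnet conflict.'
    }

    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=$Name", "dir=$Dir", "action=$Action")
    foreach ($k in $o.Keys) { $netshArgs += "$k=$($o[$k])" }
    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

# Endpoint mapper rule, pinned to the RPCSS service inside svchost.exe as the
# localport=rpc-epmap description recommends. It must exist and be enabled
# for any localport=rpc rule to work.
Add-CheckedFirewallRule -Name 'RPC Endpoint Mapper In' -Dir in -Action allow -Options @{
    protocol = 'tcp'; localport = 'rpc-epmap'
    program  = "$env:windir\system32\svchost.exe"; service = 'rpcss'
}

# Dynamic RPC listener rule for the application itself (placeholder path),
# limited to the local subnet.
Add-CheckedFirewallRule -Name 'Example App RPC In' -Dir in -Action allow -Options @{
    protocol = 'tcp'; localport = 'rpc'
    program  = 'C:\Program Files\ExampleApp\app.exe'
    remoteip = 'localsubnet'
}
```

Each check throws before netsh runs, so a mis-specified rule is never written to the store; netsh itself rejects some of these combinations, but others (such as edge=yes with remoteip=localsubnet) are accepted and only fail at runtime, which is why the wrapper tests them first.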
delete
In the netsh advfirewall firewall context, the delete command only has one variation, the delete rule command.
delete rule
Deletes all firewall rules that match the specified criteria.
Syntax
delete rule
name = { all | RuleName }
[ dir = { in | out } ]
[ profile = { public | private | domain | any | [ ,... ] } ]
[ program = ProgramPath\FileName ]
[ service = { ServiceShortName | any } ]
[ localip = { Addresses } ]
[ remoteip = { Addresses } ]
[ localport = { any | Integer | rpc | rpc-epmap | teredo | [ ,... ] } ]
[ remoteport = { any | Integer | [ ,... ] } ]
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
Parameters
name = { all | RuleName }
Required. The name of the firewall rule to delete.

all. Specifies that all rules matching the criteria in the other parameters are deleted. If no other parameters are included in the command, then all firewall rules are deleted.

[ dir = { in | out } ]
Matches only inbound (in) or outbound (out) rules.
[ profile = { public | private | domain | any | [ ,... ] } ]
[ program = ProgramPath\FileName ]
[ service = { ServiceShortName | any } ]
[ localip = { Addresses } ]
Specifies the local IP addresses that the rules to delete must match. Addresses can be one of the following:
The keyword any.

IPAddress. Specifies an IPv4 or IPv6 address.

IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

[ remoteip = { Addresses } ]
Specifies the remote IP addresses that the rules to delete must match. Addresses can be one of the following:
One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.

IPAddress. Specifies an IPv4 or IPv6 address.

IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

[ localport = { any | Integer | rpc | rpc-epmap | teredo | [ ,... ] } ]
[ remoteport = { any | Integer | [ ,... ] } ]
Specifies the local and remote ports that the rules to delete must match. A port range is given as two port numbers separated by a hyphen, for example 5000-5020. Note: Port ranges are supported only on Windows 7 and Windows Server 2008 R2 (see Remarks). The localport and remoteport parameters are valid only when protocol is tcp or udp.
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
Remarks
If multiple rules are found that match the specified criteria, then they are all deleted.

If you specify name=all and do not specify any other criteria, then all firewall rules are deleted.

Rules that specify port ranges can be created and modified by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

Examples
The following example deletes a rule based on its exact name:

delete rule name="rule1"

The following example deletes all rules for TCP port 80:

delete rule name=all protocol=tcp localport=80

set
In the netsh advfirewall firewall context, the set command only has one variation, the set rule command.
set rule
Modifies an existing firewall rule identified by name, or found by matching the specified criteria. Criteria that precede the keyword new identify the rule(s) to be modified. Criteria that follow the keyword new indicate properties that are modified or added.
Syntax
set rule
{ group = GroupName | name = { all | RuleName } }
[ dir = { in | out } ]
[ profile = { public | private | domain | any } [ ,... ] ]
[ program = ProgramPath\FileName ]
[ service = { ServiceShortName | any } ]
[ localip = Addresses ]
[ remoteip = Addresses ]
[ localport = { any | rpc | rpc-epmap | teredo | iphttps | Integer | [ ,... ] } ]
[ remoteport = { any | Integer | [ ,... ] } ]
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
new
[ name = NewRuleName ]
[ dir = { in | out } ]
[ program = ProgramPath\FileName ]
[ service = { ServiceShortName | any } ]
[ action = { allow | block | bypass } ]
[ description = RuleDescription ]
[ enable = { yes | no } ]
[ profile = { public | private | domain | any | [ ,... ] } ]
[ localip = Addresses ]
[ remoteip = Addresses ]
[ localport = { any | rpc | rpc-epmap | teredo | iphttps | Integer | [ ,... ] } ]
[ remoteport = { any | Integer | [ ,... ] } ]
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
[ interfacetype = { any | wireless | lan | ras } ]
[ rmtcomputergrp = SDDLString ]
[ rmtusrgrp = SDDLString ]
[ edge = { yes | deferapp | deferuser | no } ]
[ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]
Parameters
{ group = GroupName | name = { all | RuleName } }
Required. Identifies the rule or rules to modify, either by the name of a predefined group or by rule name. If name=all is specified, all rules that match the other criteria preceding the new keyword are modified.
[ dir = { in | out } ]
Matches only inbound (in) or outbound (out) rules.
[ profile = { public | private | domain | any } [ ,... ] ]
[ program = ProgramPath\FileName ]
[ service = { ServiceShortName | any } ]
[ localip = { Addresses } ]
Specifies the local IP addresses that the rules to modify must match. Addresses can be one of the following:
The keyword any.

IPAddress. Specifies an IPv4 or IPv6 address.

IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

[ remoteip = { Addresses } ]
Specifies the remote IP addresses that the rules to modify must match. Addresses can be one of the following:
One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.

IPAddress. Specifies an IPv4 or IPv6 address.

IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

[ localport = { any | Integer | rpc | rpc-epmap | teredo | iphttps | [ ,... ] } ]
[ remoteport = { any | Integer | [ ,... ] } ]
Specifies the local and remote ports that the rules to modify must match. A port range is given as two port numbers separated by a hyphen, for example 5000-5020. Note: Port ranges are supported only on Windows 7 and Windows Server 2008 R2 (see Remarks).
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
new
[ name = NewRuleName ]
Specifies a new name for the rule.
[ dir = { in | out } ]
in. The rule matches only inbound network traffic that is arriving at the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Inbound Rules.

out. The rule matches only outbound network traffic that is sent by the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Outbound Rules.

[ action = { allow | block | bypass } ]
action
allow. Network packets that match all criteria specified in this rule are permitted through the firewall.

block. Network packets that match all criteria specified in this rule are dropped by the firewall.

bypass. If dir=in, then this option is valid only for rules that have one or more accounts listed in rmtcomputergrp and optionally rmtusrgrp. Network packets that match this rule and that are successfully authenticated against a computer account specified in rmtcomputergrp and against a user account identified in rmtusrgrp are permitted through the firewall. If you specify this option, then you cannot set security = notrequired. This option is the equivalent to the Override block rules checkbox in the Windows Firewall with Advanced Security MMC snap-in.

For computers that are running Windows 7 or Windows Server 2008 R2, action=bypass is permitted on an outbound rule. Selecting this option on an outbound rule causes matching traffic to be permitted through this rule even if other matching rules would block the traffic. No accounts are required in rmtcomputergrp or rmtusrgrp for an outbound bypass rule; however, if authorized or excepted computers are listed in those groups, they will be enforced.

The action=bypass option on an outbound rule is not valid on computers that are running earlier versions of Windows. Those computers will not successfully process a rule with this option.

[ program = ProgramPath\FileName ]
Specifies the full path and file name of the program whose network traffic matches this rule.
[ service = { ServiceShortName | any } ]
Specifies the service whose network traffic matches this rule. ServiceShortName is the short name of the service, shown as Service Name in the Properties dialog of the service in the Services snap-in. Specify any to apply the rule to the traffic of all services.
[ description = RuleDescription ]
[ enable = { yes | no } ]
[ profile = { public | private | domain | any | [ ,... ] } ]
Specifies the profile or profiles to which the rule applies. Separate multiple profiles with commas.
[ localip = { Addresses } ]
Specifies the local IP addresses that packets must match. Addresses can be one of the following:
any. Matches any IP address.

IPAddress. Matches only the exact IPv4 or IPv6 address.

IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

[ remoteip = { Addresses } ]
Specifies the remote IP addresses that packets must match. Addresses can be one of the following:
any. Matches any IP address.

localsubnet. Matches any IP address that is on the same IP subnet as the local computer.

dns|dhcp|wins|defaultgateway. Matches the IP address of any computer that is configured as the identified server type on the local computer.

IPAddress. Matches only the exact IPv4 or IPv6 address specified.

IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

[ localport = { any | Integer | rpc | rpc-epmap | teredo | iphttps | [ ,... ] } ]
Specifies the local port that packets must match. Valid values are:
any. Matches any value in the port field of the IP packet.

Integer. Matches the specified port number. A range can be given as two port numbers separated by a hyphen, for example 5000-5020, and multiple ports or ranges can be separated by commas.

Note: Port ranges are supported only on Windows 7 and Windows Server 2008 R2 (see Remarks).
rpc. Matches inbound TCP packets that are addressed to the listening socket of an application that correctly registers the port as an RPC listening port. A rule with this option must also specify protocol = tcp and dir = in. We recommend that you also specify the appropriate program = ProgramName and/or service = ServiceName options to ensure that only the correct service can send or receive traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the application when it starts.

rpc-epmap. Matches inbound TCP packets that are addressed to the dynamic RPC endpoint mapper service. A rule with this option must also specify protocol = tcp and dir = in. We recommend that you also specify program = %windir%\system32\svchost.exe, and service = rpcss to ensure that only the RPC service can send or receive network traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the service when it starts. If you have one or more rules that specify localport = rpc, then you must also create a rule with localport = rpc-epmap enabled. This allows both the incoming request to the mapper, and the subsequent packets to the ephemeral ports assigned by the RPC service.

teredo. Matches inbound UDP packets that contain Teredo packets. Teredo is an IPv4 to IPv6 transition technology that allows IPv4 computers to communicate with IPv6 computers.

iphttps. Matches inbound TCP packets that contain HTTPS with embedded IPv6 packets. IP-HTTPS is a firewall traversal protocol that carries IPv6 packets that would otherwise be blocked if sent by using Teredo, 6to4, or native IPv6. HTTPS is almost universally permitted through a firewall, so IP over HTTPS is another mechanism that can be used when a firewall does not support other edge traversal protocols. The IP-HTTPS option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only, and is ignored if applied by Group Policy to computers that are running earlier versions of Windows.

[ remoteport = { any | Integer | [ ,... ] } ]
Specifies the remote port that packets must match. Valid values are:
any. Matches any value in the port field of the IP packet.

Integer. Matches the specified port number. A range can be given as two port numbers separated by a hyphen, for example 5000-5020, and multiple ports or ranges can be separated by commas.

Note: Port ranges are supported only on Windows 7 and Windows Server 2008 R2 (see Remarks).
[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
Specifies the protocol that packets must match. Valid values are:
any. Matches any value in the Protocol field of the IP packet.

Integer. Specifies the protocol by number that must be present for the packet to match the rule.

icmpv4. Specifies that all ICMP v4 packets match this rule.

icmpv6. Specifies that all ICMP v6 packets match this rule.

icmpv4:type,code. Specifies that only ICMP v4 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

icmpv6:type,code. Specifies that only ICMP v6 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

tcp. Specifies that only TCP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

udp. Specifies that only UDP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

[ interfacetype = { any | wireless | lan | ras } ]
any. Network packets passing through any of the interface types match this rule.

wireless. Network packets that pass through a wireless network adapter match this rule.

lan. Network packets that pass through a wired LAN adapter match this rule.

ras. Network packets that pass through a RAS interface, such as a VPN or dial-up network connection match this rule.

[ rmtcomputergrp = SDDLString ]
Specifies, as an SDDL string, the computer accounts or groups whose network traffic matches this rule. Because the remote computer is identified through IPsec authentication, a rule that specifies rmtcomputergrp must set security to a value other than notrequired (authenticate or authenc). An inbound rule with action = bypass requires rmtcomputergrp. For the SDDL format and how to obtain the string, see Remarks.
[ rmtusrgrp = SDDLString ]
Specifies, as an SDDL string, the user accounts or groups whose network traffic matches this rule. Because the remote user is identified through IPsec authentication, a rule that specifies rmtusrgrp must set security to a value other than notrequired (authenticate or authenc). For the SDDL format and how to obtain the string, see Remarks.
[ edge = { yes | deferapp | deferuser | no } ]
Specifies whether inbound packets that have passed through an edge device, such as a network address translation (NAT) router, match this rule. This option is valid only if dir = in. deferapp leaves the decision to the application and deferuser leaves it to the user; both are valid on computers that are running Windows 7 or Windows Server 2008 R2 only. This option is the equivalent of the Allow edge traversal setting in the Windows Firewall with Advanced Security MMC snap-in.
[ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]
Specifies whether packets must be protected by IPsec to match this rule. Valid values are:
authenticate. Network packets that are authenticated by IPsec match this rule. You must create a separate connection security rule to authenticate the traffic. This option is the equivalent of the Allow only secure connections in the Windows Firewall with Advanced Security MMC snap-in.

authenc. Network packets that are authenticated and encrypted by IPsec match this rule. You must create a separate connection security rule to authenticate and encrypt the traffic. This option is the equivalent of the Require encryption option in the Windows Firewall with Advanced Security MMC snap-in.

authdynenc. Network packets that are authenticated by IPsec match this rule, and the computers can dynamically negotiate encryption for the matching traffic. This option is the equivalent of the Allow systems to dynamically negotiate encryption option in the Windows Firewall with Advanced Security MMC snap-in. Note: This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

authnoencap. Network packets that are authenticated by IPsec match this rule even when the traffic is not encapsulated (null encapsulation); only authentication is required. Note: This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

notrequired. Any network packet matches this rule, whether or not it is protected by IPsec. This option is the equivalent of not selecting the Allow only secure connections option in the Windows Firewall with Advanced Security MMC snap-in.

Remarks
Do not modify a firewall rule to use the name all. Doing this creates a conflict with the netsh option to select all firewall rules (for example, set rule name=all). If multiple rules match the criteria you specify, then all matching rules are modified with the changes included in the command.

Rules that specify port ranges can be created or modified by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

Any parameters that follow the new keyword that you do not include in the command are not modified, and maintain their previous value.

To see the group assignments for the predefined Windows Firewall rules, look in the Windows Firewall with Advanced Security MMC snap-in, under the Inbound Rules and Outbound Rules nodes. The Group column in the Details pane contains the group assignment for each rule. This version of Windows supports group names only for predefined rules included with Windows Firewall at installation. There is currently no supported way to create a group or assign your custom rules to a group.

If rmtcomputergrp or rmtusrgrp is specified, then the network traffic must also match a connection security rule that authenticates the connection. The authentication protocol used must include identification of a computer or user account, such as Kerberos v5, NTLM v2, or a computer certificate with account mapping enabled.

Do not set both edge = yes and remoteip = localsubnet. They are conflicting options and result in the firewall blocking all network traffic from outside the edge device.

For more information about SDDL strings and their format, see "Security Descriptor String Format" (http://go.microsoft.com/fwlink/?linkid=109950) on the Microsoft MSDN Web site.

One way to find an SDDL string for a computer or group account is to use the Windows Firewall with Advanced Security MMC snap-in to create a temporary firewall rule. Be sure to disable the rule so that it cannot interfere with any network traffic. On the Users and Computers tab, select Only allow connections from these computers, and then use the Add button to find the computer or group account(s) of interest. After creating the rule, you can use the command netsh advfirewall firewall show rule name=rulename verbose to view the SDDL string for that computer or group. Be sure to delete the temporary rule when you are finished.

Examples
The following command changes the remote IP address matched by an existing rule that allows traffic for a Web server:

set rule name="AllowWeb80" new remoteip=192.168.0.2

The following command enables all rules in a predefined group:

set rule group="windows firewall remote management" new enable=yes

The following command changes a rule to require authentication. A separate connection security rule must exist to perform the authentication:

set rule name="AllowMessenger" new security=authenticate

For more examples of how to use the parameters that can follow the new keyword, see the Examples under add rule.

show
In the netsh advfirewall firewall context, the show command only has one variation, the show rule command.
show rule
Displays existing firewall rules that match the specified criteria.
Syntax
show rule
name = { all | RuleName }
[ profile = { public | private | domain | any } [ ,... ] ]
[ type = { dynamic | static } ]
[ verbose ]
Parameters
name = { all | RuleName }
Required. Specifies the name of the rule to display. If name=all is specified, all rules that match the other criteria are displayed.
[ profile = { public | private | domain | any | [ ,... ] } ]
[ type = { dynamic | static } ]
dynamic. Displays the rules currently active on your local computer.

static. Displays rules defined in the current store, as defined by the set store command.

Default: static.
[ verbose ]
Displays all properties of each rule, including the SDDL strings used by rmtcomputergrp and rmtusrgrp.
Examples
The following command displays all currently defined firewall rules:

show rule name=all

The following command displays all firewall rules that are for the domain profile:

show rule name=all profile=domain

This command does not show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain included in the rule.
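The show rule output is plain text, so reviewing a large rule set by eye is error-prone. As an added example that is not part of the original page, the following PowerShell script parses the text that show rule name=all verbose prints into one record per rule, filters it with the same criteria that a set rule name=all ... or delete rule name=all ... command would use (so you can preview what such a command will touch), and flags enabled inbound allow rules that are open to any remote address, allow edge traversal, or bypass blocks without an IPsec requirement. The sample output embedded below is constructed for this example: the field layout follows the netsh format, but the two rules are made up, and the function names are assumptions.

```powershell
# Added example, not from the original page or from Microsoft's documentation.

# Constructed sample of "show rule name=all verbose" output (two made-up rules).
$sampleOutput = @'
Rule Name:                            Allow Messenger
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             LocalSubnet
Protocol:                             Any
Edge traversal:                       No
Program:                              c:\program files\messenger\msmsgs.exe
Security:                             NotRequired
Action:                               Allow

Rule Name:                            Allow TCP 12345 and 5000-5020 over Teredo
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            12345,5000-5020
RemotePort:                           Any
Edge traversal:                       Yes
Program:                              c:\program files\TestIPv6App.exe
Security:                             NotRequired
Action:                               Allow

'@

function ConvertFrom-NetshRuleText {
    # Returns one hashtable per rule, keyed by the field names netsh prints.
    param([Parameter(Mandatory)][string] $Text)
    $rules = @(); $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        # "Key:   value" lines; the dashed separator has no colon and is skipped.
        if ($line -match '^(?<key>[^:]+):\s*(?<value>.*)$') {
            $key = $Matches.key.Trim(); $value = $Matches.value.Trim()
            if ($key -eq 'Rule Name') {
                if ($null -ne $current) { $rules += $current }
                $current = @{}
            }
            if ($null -ne $current) { $current[$key] = $value }
        }
    }
    if ($null -ne $current) { $rules += $current }
    return ,$rules
}

function Select-FirewallRules {
    # Rules whose fields equal every value in $Criteria (case-insensitive),
    # e.g. @{ Direction = 'In'; Protocol = 'TCP' }.
    param([Parameter(Mandatory)][hashtable[]] $Rules,
          [Parameter(Mandatory)][hashtable] $Criteria)
    foreach ($r in $Rules) {
        $match = $true
        foreach ($k in $Criteria.Keys) {
            if ($r[$k] -ne $Criteria[$k]) { $match = $false; break }
        }
        if ($match) { $r }
    }
}

function Find-RiskyRules {
    # Enabled inbound allow/bypass rules that deserve a second look.
    param([Parameter(Mandatory)][hashtable[]] $Rules)
    foreach ($r in $Rules) {
        if ($r.Enabled -ne 'Yes' -or $r.Direction -ne 'In') { continue }
        if (@('Allow','Bypass') -notcontains $r.Action) { continue }
        $reasons = @()
        if ($r.RemoteIP -eq 'Any') { $reasons += 'remoteip=any' }
        if ($r['Edge traversal'] -eq 'Yes') { $reasons += 'edge traversal enabled' }
        if ($r.Action -eq 'Bypass' -and $r.Security -eq 'NotRequired') { $reasons += 'bypass without IPsec' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Rule = $r['Rule Name']; Reasons = ($reasons -join '; ') }
        }
    }
}

$rules = ConvertFrom-NetshRuleText $sampleOutput

# Preview which rules "set rule name=all dir=in protocol=tcp new enable=no" would modify.
Select-FirewallRules -Rules $rules -Criteria @{ Direction = 'In'; Protocol = 'TCP' } |
    ForEach-Object { $_['Rule Name'] }

# Flags the second sample rule with "remoteip=any; edge traversal enabled".
Find-RiskyRules -Rules $rules | Format-Table -AutoSize

# To audit the live policy instead of the sample, replace $sampleOutput with:
#   (netsh advfirewall firewall show rule name=all verbose) -join "`n"
```

The parser keys each record by the exact field label, so the criteria hashtable uses the labels as printed by show rule (Direction, Protocol, RemoteIP) rather than the add rule parameter names. Running the preview before a bulk set rule or delete rule with name=all is the cheapest way to avoid the situation the Remarks warn about, where every rule matching the criteria is changed at once.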
