Netsh AdvFirewall Firewall Commands

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Typing the command firewall at the netsh advfirewall context changes to the Netsh AdvFirewall Firewall context, where you can view, create, and modify firewall rules. This context is the command-line equivalent to the Inbound Rules and Outbound Rules nodes of the Windows Firewall with Advanced Security MMC snap-in.

Note

This context is different from the netsh firewall context. You can only run the command netsh advfirewall firewall, or apply policies created with that command on computers that are running Windows Vista or Windows Server 2008.
The netsh firewall context is backwards compatible with Windows XP and Windows Server 2003, but only enables you to configure a subset of what the advfirewall firewall context supports. For more information about the netsh firewall context, see Netsh Commands for Windows Firewall.

Important

The netsh firewall context is supplied only for backward compatibility. We recommend that you do not use this context on a computer that is running Windows Vista or a later version of Windows, because by using it you can create and modify firewall rules only for the domain and private profiles. Earlier versions of Windows only supported a domain and standard profile. On Windows Vista and later, the standard profile maps to the private profile and domain continues to map to the domain profile. Rules for the public profile can only be manipulated when the computer is actually attached to a public network and the command is run against the "current" profile.
Starting in Windows® 7 and Windows Server® 2008 R2, running any command in the firewall context produces the following message:
IMPORTANT: “netsh firewall” is deprecated; use “netsh advfirewall firewall” instead. For more information on using “netsh advfirewall firewall” commands instead of “netsh firewall”, see KB article 947709 at https://go.microsoft.com/fwlink?linkid=121488.

To view the syntax of commands available in the Firewall context, click a command:

  • add

  • delete

  • set

  • show

add

In the netsh advfirewall firewall context, the add command only has one variation, the add rule command.

add rule

Adds a new inbound or outbound firewall rule that filters traffic by allowing or blocking network packets that match the specified criteria.

Syntax

add rule

name = RuleName

dir = { in | out }

action = { allow | block | bypass }

[ program = ProgramPath\FileName ]

[ service = { ServiceShortName | any } ]

[ description = RuleDescription ]

[ enable = { yes | no } ]

[ profile = { public | private | domain | any | [ ,... ] } ]

[ localip = { Addresses } ]

[ remoteip = { Addresses } ]

[ localport = { any | Integer | rpc | rpc-epmap | iphttps | teredo | [ ,... ] } ]

[ remoteport = { any | Integer | [ ,... ] } ]

[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]

[ interfacetype = { any | wireless | lan | ras } ]

[ rmtcomputergrp = SDDLString ]

[ rmtusrgrp = SDDLString ]

[ edge = { yes | deferapp | deferuser | no } ]

[ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]

Parameters

  • name = RuleName
    Required. Specifies the name of this firewall rule. The name should be unique, and must not be "all".
  • dir = { in | out }
    Required. Specifies whether this rule matches inbound or outbound network traffic.

    dir can be any of the following values:

    • in. The rule matches only inbound network traffic that is arriving at the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Inbound Rules.

    • out. The rule matches only outbound network traffic that is sent by the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Outbound Rules.

  • action = { allow | block | bypass }
    Required. Specifies what Windows Firewall with Advanced Security does to filter network packets that match the criteria specified in this rule.

    action can be one of the following:

    • allow. Network packets that match all criteria specified in this rule are permitted through the firewall.

    • block. Network packets that match all criteria specified in this rule are dropped by the firewall.

    • bypass. If dir=in, then this option is valid only for rules that have one or more accounts listed in rmtcomputergrp and optionally rmtusrgrp. Network packets that match this rule and that are successfully authenticated against a computer account specified in rmtcomputergrp and against a user account identified in rmtusrgrp are permitted through the firewall. If you specify this option, then you cannot set security=notrequired. This option is the equivalent to the Override block rules checkbox in the Windows Firewall with Advanced Security MMC snap-in.

      For computers that are running Windows 7 or Windows Server 2008 R2, action=bypass is permitted on an outbound rule. Selecting this option on an outbound rule causes matching traffic to be permitted through this rule even if other matching rules would block the traffic. No accounts are required in rmtcomputergrp or rmtusrgrp for an outbound bypass rule; however, if authorized or excepted computers are listed in those groups, they will be enforced.

      The action=bypass option on an outbound rule is not valid on computers that are running earlier versions of Windows.

  • [ program = ProgramPath\FileName ]
    Specifies that network traffic generated by the identified executable program matches this rule.

Warning

Creating firewall rules for hosting processes such as svchost.exe can lead to unpredictable behavior in Windows Firewall with Advanced Security. Starting in Windows Vista, the security of Windows network services was increased by using predefined, built-in firewall rules. Creating new rules referencing services that are already protected by the built-in rules might result in conflicts or undesired side-effects.

    If program is not specified, then network traffic generated by any program matches this rule.

  • [ service = { ServiceShortName | any } ]
    Specifies that traffic generated by the identified service matches this rule. The ServiceShortName for a service can be found in Services MMC snap-in, by right-clicking the service, selecting Properties, and examining Service Name.

    If service is not specified then network traffic generated by any program or service matches this rule.

  • [ description = RuleDescription ]
    Provides information about the firewall rule.
  • [ enable = { yes | no } ]
    Specifies whether the rule is currently enabled.

    If enable is not specified, the default is yes.

  • [ profile = { public | private | domain | any | [ ,... ] } ]
    Specifies the profile(s) to which the firewall rule is assigned. The rule is active on the local computer only when the specified profile is currently active.

    You can include multiple entries for profile by separating them with a comma. Do not include any spaces.

    If profile is not specified, the default is any.

  • [ localip = { Addresses } ]
    Specifies that network packets with matching IP addresses match this rule. localip is compared to the Destination IP address field of an inbound network packet. It is compared to the Source IP address field of an outbound network packet.

    localip can be any of the following values:

    • any. Matches any IP address.

    • IPAddress. Matches only the exact IPv4 or IPv6 address.

    • IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

    Multiple entries can be specified for localip by separating them with a comma. Do not include any spaces.

    If localip is not specified, the default is any.

  • [ remoteip = { Addresses } ]
    Specifies that network packets with matching IP addresses match this rule. remoteip is compared to the Destination IP address field of an outbound network packet. It is compared to the Source IP address field of an inbound network packet.

    remoteip can be any of the following values:

    • any. Matches any IP address.

    • localsubnet. Matches any IP address that is on the same IP subnet as the local computer.

    • dns|dhcp|wins|defaultgateway. Matches the IP address of any computer that is configured as the identified server type on the local computer.

    • IPAddress. Matches only the exact IPv4 or IPv6 address specified.

    • IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

    Multiple entries can be specified for remoteip by separating them with a comma.

    If remoteip is not specified, the default is any.

  • [ localport = { any | Integer | rpc | rpc-epmap | teredo | [ ,... ] } ]
    Specifies that network packets with matching IP port numbers match this rule. localport is compared to the Source Port field of an outbound network packet. It is compared to the Destination Port field of an inbound network packet.

    localport can be any of the following values:

    • any. Matches any value in the port field of the IP packet.

    • Integer. Specifies the exact port number that must be present for the packet to match the rule. The port values can be individual numbers from 0 through 65535, a range, such as 5000-5020, or a comma-separated list of numbers and ranges.

Note

Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

    • rpc. Matches inbound TCP packets that are addressed to the listening socket of an application that correctly registers the port as an RPC listening port. A rule with this option must also specify protocol = tcp, and dir = in. We recommend that you also specify the appropriate program = ProgramName and/or service = ServiceName options to ensure that only the correct service can send or receive traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the application when it starts.

    • rpc-epmap. Matches inbound TCP packets that are addressed to the dynamic RPC endpoint mapper service. A rule with this option must also specify protocol = tcp, and dir = in. We recommend that you also specify program = %windir%\system32\svchost.exe, and service = rpcss to ensure that only the RPC service can send or receive network traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the service when it starts. If you have one or more rules that specify localport = rpc, then you must also create a rule with localport = rpc-epmap enabled. This allows both the incoming request to the mapper, and the subsequent packets to the ephemeral ports assigned by the RPC service.

    • teredo. Matches inbound UDP packets that contain Teredo packets. Teredo is an IPv4 to IPv6 transition technology that allows IPv4 computers to communicate with IPv6 computers.

    • iphttps. Matches inbound TCP packets that contain HTTPS with embedded IPv6 packets. IP-HTTPS is a firewall traversal protocol that allows through IPv6 packets that would otherwise be blocked if sent by using Teredo, 6to4, or native IPv6. HTTPS is almost universally permitted through a firewall, so IP over HTTPS is another mechanism that can be used when a firewall does not support other edge traversal protocols. The IP-HTTPS option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only, and is ignored if applied by Group Policy to computers that are running earlier versions of Windows.

    Multiple entries can be specified for localport by separating them with a comma. Do not include any spaces.

    If localport is not specified, the default is any.

  • [ remoteport = { any | Integer | [ ,... ] } ]
    Specifies that network packets with matching IP port numbers match this rule. remoteport is compared to the Destination Port field of an outbound network packet. It is compared to the Source Port field of an inbound network packet.

    remoteport can be any of the following values:

    • any. Matches any value in the port field of the IP packet.

    • Integer. Specifies the exact port number that must be present for the packet to match the rule. The port values can be individual numbers, a range, such as 5000-5020, or a comma-separated list of numbers and ranges.

Note

Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

    Multiple entries can be specified for remoteport by separating them with a comma. Do not include any spaces.

    If remoteport is not specified, the default is any.

  • [ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
    Specifies that network packets with a matching IP protocol match this rule.

    protocol can be any of the following values:

    • any. Matches any value in the Protocol field of the IP packet.

    • Integer. Specifies the protocol by number that must be present for the packet to match the rule. The value can range from 0 through 255.

    • icmpv4. Specifies that all ICMP v4 packets match this rule.

    • icmpv6. Specifies that all ICMP v6 packets match this rule.

    • icmpv4:type,code. Specifies that only ICMP v4 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

    • icmpv6:type,code. Specifies that only ICMP v6 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

    • tcp. Specifies that only TCP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

    • udp. Specifies that only UDP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

    Multiple entries can be specified for protocol by separating them with a comma. Do not include any spaces.

    If protocol is not specified, the default is any.

  • [ interfacetype = { any | wireless | lan | ras } ]
    Specifies that only network packets passing through the indicated interface types match this rule. Using this parameter allows you to specify different firewall requirements for each of the three main network types. The value must be one of the following:

    • any. Network packets passing through any of the interface types match this rule.

    • wireless. Network packets that pass through a wireless network adapter match this rule.

    • lan. Network packets that pass through a wired LAN adapter match this rule.

    • ras. Network packets that pass through a RAS interface, such as a VPN or dial-up network connection match this rule.

    If interfacetype is not specified, the default is any.

  • [ rmtcomputergrp = SDDLString ]
    Specifies that only network packets that are authenticated as coming from or going to a computer identified in the list of computer and group accounts match this rule.

    If rmtcomputergrp is specified, then security must be set to either authenticate or authenc.

    If action=bypass, then at least one computer or computer group account must be specified in rmtcomputergrp.

    For rmtcomputergrp to match, the network traffic must be authenticated using a credential that carries computer account information.

  • [ rmtusrgrp = SDDLString ]
    Specifies that only network packets that are authenticated as coming from or going to a user identified in the list of user and group accounts match this rule.

    If rmtusrgrp is specified, then security must be set to either authenticate or authenc.

    For rmtusrgrp to match, the network traffic must be authenticated using a credential that carries user account information.

  • [ edge = { yes | deferapp | deferuser | no } ]
    Valid only when dir=in. Specifies that traffic that traverses an edge device, such as a Network Address Translation (NAT) enabled router, between the local and remote computer matches this rule. The deferapp and deferuser options are valid on computers running Windows 7 and Windows Server 2008 R2 only. If set to deferapp or deferuser, then Windows allows the application or user to programmatically register with the firewall to receive inbound unsolicited application traffic from the edge device.

    This option is the equivalent of the Allow edge traversal checkbox in the Windows Firewall with Advanced Security MMC snap-in.

    If edge is not specified, the default is no.

  • [ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]
    Specifies that only network packets protected with the specified type of IPsec options match this rule.

    security can be one of the following values:

    • authenticate. Network packets that are authenticated by IPsec match this rule. You must create a separate connection security rule to authenticate the traffic. This option is the equivalent of the Allow only secure connections in the Windows Firewall with Advanced Security MMC snap-in.

    • authenc. Network packets that are authenticated and encrypted by IPsec match this rule. You must create a separate connection security rule to authenticate and encrypt the traffic. This option is the equivalent of the Require encryption option in the Windows Firewall with Advanced Security MMC snap-in.

    • authdynenc. Network packets that are authenticated by IPsec match this rule, and if the initial packet is not already encrypted, then a new quick mode SA is negotiated with the remote host to encrypt the connection. All succeeding packets are authenticated and encrypted. If the negotiation of a quick mode encryption SA fails, then the firewall blocks the connection. You must create a separate connection security rule that requires authentication and encryption to permit negotiation of an appropriate encrypted SA. This option is the equivalent of the Allow systems to dynamically negotiate encryption in the Windows Firewall with Advanced Security MMC snap-in.

Note

This option is valid for inbound firewall rules only.
This option is available only on computers that are running Windows 7 or Windows Server 2008 R2. Group Policies created with this option are compatible with computers that are running Windows Vista or later versions of Windows.

    • authnoencap. Network connections that are authenticated, but not encapsulated by ESP or AH match this rule. This option is useful for connections that must be monitored by network equipment, such as intrusion detection systems (IDS), that are not compatible with ESP NULL-protected network packets. The initial connection is authenticated by IPsec by using AuthIP, but the quick mode SA permits cleartext traffic. To use this option, you must also configure a connection security rule that specifies authnoencap as a quick mode security method.

Note

This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

    • notrequired. Any network packet matches this rule, whether or not it is protected by IPsec. This option is the equivalent of not selecting the Allow only secure connections option in the Windows Firewall with Advanced Security MMC snap-in.

    If security is not specified, the default is notrequired.

Remarks

  • Rules that specify port ranges can be created by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

  • Do not create a firewall rule with the name all. Doing this creates a conflict with the netsh option to select all firewall rules (for example, delete rule name=all).

  • If rmtcomputergrp or rmtusrgrp is specified, then the network traffic must also match a connection security rule that authenticates the connection. The authentication protocol used must include identification of a computer or user account, such as Kerberos v5, NTLM v2, or a computer certificate with account mapping enabled.

  • Do not set both edge=yes and remoteip=localsubnet. They are conflicting options and result in the firewall blocking all network traffic from outside the edge device.

  • For more information about SDDL strings and their format, see "Security Descriptor String Format" (https://go.microsoft.com/fwlink/?linkid=109950) on the Microsoft MSDN Web site.

    One way to find the SDDL strings for computer, user, or group accounts is to use the Windows Firewall with Advanced Security MMC snap-in to create a temporary firewall rule. If the accounts of interest are domain accounts, you must run the snap-in on a computer that is joined to the domain with the accounts. Be sure to disable the rule so that it cannot interfere with any network traffic. On the Users and Computers tab, select Only allow connections from these computers, and then click the Add button to find the computer or machine group account of interest. You can also select Only allow connections from these users, and then click the Add button to find the user or group account of interest. After creating the rule, you can use the command netsh advfirewall firewall show rule name=rulename verbose to view the SDDL string for that computer or group. Be sure to delete the temporary rule when you are finished.

  • The localport=teredo option is valid for protocol=udp only.
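The constraints stated in the parameter descriptions and Remarks above, including the localport=rpc / rpc-epmap pairing, can be checked before a rule script is deployed. The following Python linter is an added example, not part of the original documentation or of any Microsoft tool; the function names, the sample commands and the placeholder SID are constructed for illustration.

```python
import re

# Parameter names taken from the "add rule" syntax on this page.
KNOWN = {"name", "dir", "action", "program", "service", "description", "enable",
         "profile", "localip", "remoteip", "localport", "remoteport", "protocol",
         "interfacetype", "rmtcomputergrp", "rmtusrgrp", "edge", "security"}

# key=value tokens; a value is either "quoted with spaces" or a run of non-spaces.
TOKEN = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')


def parse_rule(command):
    """Return the key=value parameters of an 'add rule' command as a dict."""
    return {k.lower(): v.strip('"') for k, v in TOKEN.findall(command)}


def lint_rule(command):
    """Return a list of findings for one 'add rule' command (empty if clean)."""
    p = parse_rule(command)
    low = {k: v.lower() for k, v in p.items()}
    findings = [f"unknown parameter '{k}'" for k in sorted(set(p) - KNOWN)]
    for key in ("name", "dir", "action"):
        if key not in p:
            findings.append(f"missing required parameter '{key}'")
    if low.get("name") == "all":
        findings.append("name must not be 'all'")

    direction = low.get("dir")
    action = low.get("action")
    security = low.get("security", "notrequired")   # documented default
    ports = set(low.get("localport", "any").split(","))
    protocol = low.get("protocol", "any")            # documented default
    remoteip = low.get("remoteip", "any").split(",")

    # Account-based matching only works on authenticated traffic (per this page).
    if ("rmtcomputergrp" in p or "rmtusrgrp" in p) and \
            security not in ("authenticate", "authenc"):
        findings.append("rmtcomputergrp/rmtusrgrp need security=authenticate or authenc")
    # Inbound bypass overrides block rules, so it must be tied to accounts.
    if action == "bypass" and direction == "in":
        if "rmtcomputergrp" not in p:
            findings.append("inbound bypass needs rmtcomputergrp")
        if security == "notrequired":
            findings.append("bypass cannot be combined with security=notrequired")
    if security == "authdynenc" and direction == "out":
        findings.append("security=authdynenc is valid for inbound rules only")
    if "edge" in p and direction == "out":
        findings.append("edge is valid only when dir=in")
    if low.get("edge") == "yes" and "localsubnet" in remoteip:
        findings.append("edge=yes conflicts with remoteip=localsubnet")
    if "teredo" in ports and protocol != "udp":
        findings.append("localport=teredo is valid for protocol=udp only")
    if ports & {"rpc", "rpc-epmap"} and (protocol != "tcp" or direction != "in"):
        findings.append("localport=rpc/rpc-epmap need protocol=tcp and dir=in")
    return findings


def lint_script(commands):
    """Lint each command, then check the rpc / rpc-epmap pairing across all."""
    report = {c: lint_rule(c) for c in commands}
    ports = [set(parse_rule(c).get("localport", "").lower().split(","))
             for c in commands]
    if any("rpc" in s for s in ports) and not any("rpc-epmap" in s for s in ports):
        report["(script)"] = ["localport=rpc rules need a companion "
                              "localport=rpc-epmap rule"]
    return report


# Constructed inputs: rule names, program path and SID are placeholders.
SAMPLE = [
    r'add rule name="App RPC" dir=in action=allow protocol=tcp localport=rpc program="c:\apps\svc.exe"',
    'add rule name="Edge test" dir=in action=allow edge=yes remoteip=localsubnet',
    'add rule name="Admins" dir=in action=bypass rmtcomputergrp=D:(A;;CC;;;SID-PLACEHOLDER)',
    'add rule name=all dir=out action=block interface=wireless',
    'add rule name="Teredo" dir=in action=allow protocol=tcp localport=teredo',
]

if __name__ == "__main__":
    for cmd, findings in lint_script(SAMPLE).items():
        print(cmd)
        for f in findings or ["ok"]:
            print("   -", f)
```

The linter checks only the combinations this page documents; it does not validate address, port or SDDL syntax.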

Examples

  • The following command creates an outbound rule to block all traffic from the local computer that originates on TCP port 80.

    add rule name="Block Outbound Port 80" dir=out localport=80 protocol=TCP action=block

  • The following command creates a rule that blocks all inbound traffic from all WINS servers:

    add rule name="Block WINS" dir=in action=block remoteip=wins

  • The following command creates an inbound rule that allows traffic for the Windows Messenger program only from computers on the same subnet as the local computer.

    add rule name="Allow Messenger" dir=in program="c:\program files\messenger\msmsgs.exe" remoteip=localsubnet action=allow

  • The following command creates a rule that permits inbound Windows Messenger network traffic only if the connection from the remote computer is authenticated by using a separate connection security rule.

    add rule name="Allow Authenticated Messenger" dir=in program="c:\program files\messenger\msmsgs.exe" security=authenticate action=allow

  • The following command creates a rule that allows all network traffic from computers that are members of a specific computer group, and only from users that are members of a specific user group. Both memberships must be confirmed by authentication using a separate connection security rule. The actual SDDL strings to use should be determined by referring to the SDDL documentation and steps identified in the Remarks section above.

    add rule name="Allow Only Specific Computers and Users" dir=in rmtcomputergrp=D:(A;;CC;;;SIDforMachineGroupAccount) rmtusrgrp=D:(A;;CC;;;SIDforUserGroupAccount) action=bypass security=authenticate

  • The following two commands create rules that prevent all wireless network traffic:

    add rule name="Block Wireless In" dir=in interfacetype=wireless action=block

    add rule name="Block Wireless Out" dir=out interfacetype=wireless action=block

  • The following command creates a rule to allow TCP traffic addressed to port 12345 and the range of ports 5000-5020 to a specific application from computers on the remote side of an edge (NAT) device, using the Teredo IPv6 interface:

    add rule name="Allow TCP 12345 and 5000-5020 over Teredo" dir=in action=allow edge=yes remoteip=any protocol=TCP localport=12345,5000-5020 program="c:\program files\TestIPv6App.exe"

Note

Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

delete

In the netsh advfirewall firewall context, the Delete command only has one variation, the Delete Rule command.

delete rule

Deletes all firewall rules that match the specified criteria.

Syntax

delete rule

name = { all | RuleName }

[ dir = { in | out } ]

[ profile = { public | private | domain | any | [ ,... ] } ]

[ program = ProgramPath\FileName ]

[ service = { ServiceShortName | any } ]

[ localip = { Addresses } ]

[ remoteip = { Addresses } ]

[ localport = { any | Integer | rpc | rpc-epmap | teredo | [ ,... ] } ]

[ remoteport = { any | Integer | [ ,... ] } ]

[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]

Parameters

  • name = { all | RuleName }
    Required. You can specify one of the following values:

    • The rule name of the firewall rule you want deleted.

    • all. Specifies that all rules matching the criteria in the other parameters are deleted. If no other parameters are included in the command then all firewall rules are deleted.

  • [ dir = { in | out } ]
    Specifies that only rules of the selected direction are deleted. The value can be either in or out.
  • [ profile = { public | private | domain | any | [ ,... ] } ]
    Specifies that only rules assigned to the specified profile(s) are deleted. If you specify more than one profile, then only rules that include the exact same list of profiles match.
  • [ program = ProgramPath\FileName ]
    Specifies that only rules that match the identified program are deleted.
  • [ service = { ServiceShortName | any } ]
    Specifies that only rules that match the identified service name are deleted.
  • [ localip = { Addresses } ]
    Specifies that only rules that match the IP addresses, ranges, or subnets are deleted. If your rule includes multiple entries, then the rule only matches if it contains the exact same list of entries.

    localip can be any of the following values:

    • The keyword any.

    • IPAddress. Specifies an IPv4 or IPv6 address.

    • IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

    You can specify multiple entries for localip by separating them with a comma. Do not include any spaces.

  • [ remoteip = { Addresses } ]
    Specifies that only rules that match the IP addresses, ranges, subnets, or server types are deleted. If your rule includes multiple entries, then the rule only matches if it contains the exact same list of entries.

    remoteip can be any of the following values:

    • One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.

    • IPAddress. Specifies an IPv4 or IPv6 address.

    • IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

    You can specify multiple entries for remoteip by separating them with a comma. Do not include any spaces.

  • [ localport = { any | Integer | rpc | rpc-epmap | teredo | [ ,... ] } ]
    [ remoteport = { any | Integer | [ ,... ] } ]

    Specifies that only rules that match the port numbers or keywords indicated are deleted. The port values can be individual numbers from 0 through 65535, a range, such as 5000-5020, or a comma-separated list of numbers and ranges.

Note

Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

    If you specify localport or remoteport then you must also specify protocol, and it must be set to either tcp or udp.

  • [ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
    Specifies that only rules that match the indicated protocol value are deleted.

Remarks

  • If multiple rules are found that match the specified criteria, then they are all deleted.

  • If you specify name=all and do not specify any other criteria, then all firewall rules are deleted.

  • Rules that specify port ranges can be created and modified by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

Examples

  • The following example deletes a rule based on its exact name:

    Delete rule name="rule1"

  • The following example deletes all rules for TCP port 80:

    delete rule name=all protocol=tcp localport=80

set

In the netsh advfirewall firewall context, the Set command only has one variation, the Set Rule command.

set rule

Modifies an existing firewall rule identified by name, or found by matching the specified criteria. Criteria that precede the keyword new identify the rule(s) to be modified. Criteria that follow the keyword new indicate properties that are modified or added.

Syntax

set rule

{ group = GroupName | name = { all | RuleName } }

[ dir = { in | out } ]

[ profile = { public | private | domain | any } [ ,... ] ]

[ program = ProgramPath\FileName ]

[ service = { ServiceShortName | any } ]

[ localip = Addresses ]

[ remoteip = Addresses ]

[ localport = { any | rpc | rpc-epmap | teredo | iphttps | Integer | [ ,... ] } ]

[ remoteport = { any | Integer | [ ,... ] } ]

[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]

new

[ name = NewRuleName ]

[ dir = { in | out } ]

[ program = ProgramPath\FileName ]

[ service = { ServiceShortName | any } ]

[ action = { allow | block | bypass } ]

[ description = RuleDescription ]

[ enable = { yes | no } ]

[ profile = { public | private | domain | any | [ ,... ] } ]

[ localip = Addresses ]

[ remoteip = Addresses ]

[ localport = { any | rpc | rpc-epmap | teredo | iphttps | Integer | [ ,... ] } ]

[ remoteport = { any | Integer | [ ,... ] } ]

[ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]

[ interfacetype = { any | wireless | lan | ras } ]

[ rmtcomputergrp = SDDLString ]

[ rmtusrgrp = SDDLString ]

[ edge = { yes | deferapp | deferuser | no } ]

[ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]

Parameters

  • { group = GroupName | name = { all | RuleName } }
    Required. Specifies either the group name for a set of rules to modify together, or a rule name assigned to an existing rule that you want to modify. If you specify the group name for a set of rules, then all of the rules in that group receive the same set of modifications.

    If name=all, then all rules that match the other criteria listed before the new keyword are modified.

    If name=all, and no other parameters are included before the new keyword, then all rules are modified as indicated.

  • [ dir = { in | out } ]
    Specifies that only matching rules of the indicated direction are modified. The value of dir can be either in or out.
  • [ profile = { public | private | domain | any } [ ,... ] ]
    Specifies that only matching rules that are assigned to the indicated profile are modified. If you specify a comma separated list, then only rules that contain the exact same list are modified.
  • [ program = ProgramPath\FileName ]
    Specifies that only rules that match the identified program are modified.
  • [ service = { ServiceShortName | any } ]
    Specifies that only rules that match the identified service name are modified.

    If service is not specified, then rules that specify any value, including no value, and that match all other criteria, are modified.

  • [ localip = { Addresses } ]
    Specifies that only rules that match the IP addresses, ranges, or subnets are modified. If you specify a comma separated list, then only rules that contain the exact same list are modified.

    localip can be any of the following values:

    • The keyword any.

    • IPAddress. Specifies an IPv4 or IPv6 address.

    • IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

    You can specify multiple entries for localip by separating them with a comma.

  • [ remoteip = { Addresses } ]
    Specifies that only rules that match the IP addresses, ranges, subnets, or server types are modified. If you specify a comma separated list, then only rules that contain the exact same list are modified.

    remoteip can be any of the following values:

    • One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.

    • IPAddress. Specifies an IPv4 or IPv6 address.

    • IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

    You can specify multiple entries for remoteip by separating them with a comma.

  • [ localport = { any | Integer | rpc | rpc-epmap | teredo | iphttps | [ ,... ] } ] [ remoteport = { any | Integer | [ ,... ] } ]
    Specifies that only rules that match the port numbers or keywords indicated are modified. The port values can be individual numbers, a range, such as 5000-5020, or a comma-separated list of numbers and ranges. If you specify a comma separated list, then only rules that contain the exact same list are modified.

Note

Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

  • [ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
    Specifies that only rules that match the indicated protocol value are modified. If you specify a comma separated list, then only rules that contain the exact same list are modified.
  • new
    Any parameter that precedes this keyword is used to find a match for the rules that are modified. Any parameter that follows this keyword indicates a value that is modified in the rules that match the specified criteria.
  • [ name = NewRuleName ]
    Specifies a new name for the connection security rule. The name should be unique, and must not be "all".
  • [ dir = { in | out } ]
    Specifies whether this rule matches inbound or outbound network traffic.

    Dir can be one of the following values:

    • in. The rule matches only inbound network traffic that is arriving at the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Inbound Rules.

    • out. The rule matches only outbound network traffic that is sent by the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Outbound Rules.

  • [ action = { allow | block | bypass } ]
    Specifies what Windows Firewall with Advanced Security does to filter network packets that match the criteria specified in this rule.

    action can be one of the following:

    • allow. Network packets that match all criteria specified in this rule are permitted through the firewall.

    • block. Network packets that match all criteria specified in this rule are dropped by the firewall.

    • bypass. If dir=in, then this option is valid only for rules that have one or more accounts listed in rmtcomputergrp and optionally rmtusrgrp. Network packets that match this rule and that are successfully authenticated against a computer account specified in rmtcomputergrp and against a user account identified in rmtusrgrp are permitted through the firewall. If you specify this option, then you cannot set security = notrequired. This option is the equivalent to the Override block rules checkbox in the Windows Firewall with Advanced Security MMC snap-in.

      For computers that are running Windows 7 or Windows Server 2008 R2, action=bypass is permitted on an outbound rule. Selecting this option on an outbound rule causes matching traffic to be permitted through this rule even if other matching rules would block the traffic. No accounts are required in rmtcomputergrp or rmtusrgrp for an outbound bypass rule; however, if authorized or excepted computers are listed in those groups they will be enforced.

      The action=bypass option on an outbound rule is not valid on computers that are running earlier versions of Windows. Those computers will not successfully process a rule with this option.

  • [ program = ProgramPath\FileName ]
    Specifies that network traffic generated by the identified executable program matches this rule.

Warning

Creating firewall rules for hosting processes such as svchost.exe can lead to unpredictable behavior in Windows Firewall with Advanced Security. Starting in Windows Vista, the security of Windows network services was increased by using predefined, built-in firewall rules. Creating new rules referencing services that are already protected by the built-in rules might result in conflicts or undesired side-effects.

  • [ service = { ServiceShortName | any } ]
    Specifies that traffic generated by the identified service matches this rule. The ServiceShortName for a service can be found in the Services MMC snap-in, by right-clicking the service, selecting Properties, and examining Service Name.
  • [ description = RuleDescription ]
    Provides information about the firewall rule.
  • [ enable = { yes | no } ]
    Specifies whether the rule is currently enabled.
  • [ profile = { public | private | domain | any | [ ,... ] } ]
    Specifies the profile(s) to which the firewall rule is assigned. The rule is active on the local computer only when the specified profile is currently active.

    You can include multiple entries for profile by separating them with a comma. Do not include any spaces.

  • [ localip = { Addresses } ]
    Specifies that network packets with matching IP addresses match this rule. localip is compared to the Destination IP address field of an inbound network packet. It is compared to the Source IP address field of an outbound network packet.

    localip can be any of the following values:

    • any. Matches any IP address.

    • IPAddress. Matches only the exact IPv4 or IPv6 address.

    • IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

    Multiple entries can be specified for localip by separating them with a comma. Do not include any spaces.

  • [ remoteip = { Addresses } ]
    Specifies that network packets with matching IP addresses match this rule. remoteip is compared to the Destination IP address field of an outbound network packet. It is compared to the Source IP address field of an inbound network packet.

    remoteip can be any of the following values:

    • any. Matches any IP address.

    • localsubnet. Matches any IP address that is on the same IP subnet as the local computer.

    • dns|dhcp|wins|defaultgateway. Matches the IP address of any computer that is configured as the identified server type on the local computer.

    • IPAddress. Matches only the exact IPv4 or IPv6 address specified.

    • IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

    Multiple entries can be specified for remoteip by separating them with a comma. Do not include any spaces.

  • [ localport = { any | Integer | rpc | rpc-epmap | teredo | iphttps | [ ,... ] } ]
    Specifies that network packets with matching IP port numbers match this rule. localport is compared to the Source Port field of an outbound network packet. It is compared to the Destination Port field of an inbound network packet.

    localport can be any of the following values:

    • any. Matches any value in the port field of the IP packet.

    • Integer. Specifies the exact port number that must be present for the packet to match the rule. The port values can be individual numbers, a range, such as 5000-5020, or a comma-separated list of numbers and ranges.

Note

Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

    • rpc. Matches inbound TCP packets that are addressed to the listening socket of an application that correctly registers the port as an RPC listening port. A rule with this option must also specify protocol = tcp, dir = in. We recommend that you also specify the appropriate program = ProgramName and/or service = ServiceName options to ensure that only the correct service can send or receive traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the application when it starts.

    • rpc-epmap. Matches inbound TCP packets that are addressed to the dynamic RPC endpoint mapper service. A rule with this option must also specify protocol = tcp, dir = in. We recommend that you also specify program = %windir%\system32\svchost.exe, and service = rpcss to ensure that only the RPC service can send or receive network traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the service when it starts. If you have one or more rules that specify localport = rpc, then you must also create a rule with localport = rpc-epmap enabled. This allows both the incoming request to the mapper, and the subsequent packets to the ephemeral ports assigned by the RPC service.

    • teredo. Matches inbound UDP packets that contain Teredo packets. Teredo is an IPv4 to IPv6 transition technology that allows IPv4 computers to communicate with IPv6 computers.

    • iphttps. Matches inbound TCP packets that contain HTTPS with embedded IPv6 packets. IP-HTTPS is a firewall traversal protocol that allows IPv6 packets that would otherwise be blocked if sent by using Teredo, 6to4, or native IPv6. HTTPS is almost universally permitted through a firewall, so IP over HTTPS is another mechanism that can be used when a firewall does not support other edge traversal protocols. The IP-HTTPS option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only, and is ignored if applied by Group Policy to computers that are running earlier versions of Windows.

    Multiple entries can be specified for localport by separating them with a comma. Do not include any spaces.

  • [ remoteport = { any | Integer | [ ,... ] } ]
    Specifies that network packets with matching IP port numbers match this rule. remoteport is compared to the Destination Port field of an outbound network packet. It is compared to the Source Port field of an inbound network packet.

    remoteport can be any of the following values:

    • any. Matches any value in the port field of the IP packet.

    • Integer. Specifies the exact port number that must be present for the packet to match the rule. The port values can be individual numbers, a range, such as 5000-5020, or a comma-separated list of numbers and ranges.

Note

Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

    Multiple entries can be specified for remoteport by separating them with a comma. Do not include any spaces.

  • [ protocol = { any | Integer | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp } ]
    Specifies that network packets with a matching IP protocol match this rule.

    protocol can be one of the following values:

    • any. Matches any value in the Protocol field of the IP packet.

    • Integer. Specifies the protocol by number that must be present for the packet to match the rule.

    • icmpv4. Specifies that all ICMP v4 packets match this rule.

    • icmpv6. Specifies that all ICMP v6 packets match this rule.

    • icmpv4:type,code. Specifies that only ICMP v4 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

    • icmpv6:type,code. Specifies that only ICMP v6 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

    • tcp. Specifies that only TCP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

    • udp. Specifies that only UDP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

    Multiple entries can be specified for protocol by separating them with a comma.

  • [ interfacetype = { any | wireless | lan | ras } ]
    Specifies that only network packets passing through the indicated interface types match this rule. Using this parameter allows you to specify different firewall requirements for each of the three main network types. The value must be one of the following:

    • any. Network packets passing through any of the interface types match this rule.

    • wireless. Network packets that pass through a wireless network adapter match this rule.

    • lan. Network packets that pass through a wired LAN adapter match this rule.

    • ras. Network packets that pass through a RAS interface, such as a VPN or dial-up network connection match this rule.

  • [ rmtcomputergrp = SDDLString ]
    Specifies that only network packets that are authenticated as coming from or going to a computer identified in the list of computer and group accounts are filtered by this rule.

    If rmtcomputergrp is specified, then security must be set to either authenticate or authenc.

    If action = bypass, then at least one computer or computer group account must be specified in rmtcomputergrp.

    For rmtcomputergrp to match, the network traffic must be authenticated using a credential that carries computer account information.

  • [ rmtusrgrp = SDDLString ]
    Specifies that only network packets that are authenticated as coming from or going to a user identified in the list of user and group accounts are filtered by this rule.

    If rmtusrgrp is specified, then security must be set to either authenticate or authenc.

    For rmtusrgrp to match, the network traffic must be authenticated using a credential that carries user account information.

  • [ edge = { yes | deferapp | deferuser | no } ]
    Valid only when dir = in. Specifies that traffic that traverses an edge device, such as a Network Address Translation (NAT) enabled router, between the local and remote computer matches this rule. The deferapp and deferuser options are valid on computers running Windows 7 and Windows Server 2008 R2 only. If set to deferapp or deferuser, then Windows allows the application or user to programmatically register with the firewall to receive inbound unsolicited application traffic from the edge device.

    This option is the equivalent of the Allow edge traversal checkbox in the Windows Firewall with Advanced Security MMC snap-in.

  • [ security = { authenticate | authenc | authdynenc | authnoencap | notrequired } ]
    Specifies that only network packets protected with the specified type of IPsec options match this rule.

    security can be one of the following values:

    • authenticate. Network packets that are authenticated by IPsec match this rule. You must create a separate connection security rule to authenticate the traffic. This option is the equivalent of the Allow only secure connections in the Windows Firewall with Advanced Security MMC snap-in.

    • authenc. Network packets that are authenticated and encrypted by IPsec match this rule. You must create a separate connection security rule to authenticate and encrypt the traffic. This option is the equivalent of the Require encryption option in the Windows Firewall with Advanced Security MMC snap-in.

    • authdynenc. Network packets that are authenticated by IPsec match this rule, and if the initial packet is not already encrypted, then a new quick mode SA is negotiated with the remote host to encrypt the connection. All succeeding packets are authenticated and encrypted. If the negotiation of a quick mode encryption SA fails, then the firewall blocks the connection. You must create a separate connection security rule that requires authentication and encryption to permit negotiation of an appropriate encrypted SA. This option is the equivalent of the Allow systems to dynamically negotiate encryption option in the Windows Firewall with Advanced Security MMC snap-in.

Note

This option is valid for inbound firewall rules only.
This option is available only on computers that are running Windows 7 or Windows Server 2008 R2. Group Policies created with this option are compatible with computers that are running Windows Vista or later versions of Windows.

    • authnoencap. Network connections that are authenticated, but not encapsulated by ESP or AH match this rule. This option is useful for connections that must be monitored by network equipment, such as intrusion detection systems (IDS), that are not compatible with ESP NULL-protected network packets. The initial connection is authenticated by IPsec by using AuthIP, but the quick mode SA permits cleartext traffic. To use this option, you must also configure a connection security rule that specifies authnoencap as a quick mode security method.

Note

This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

    • notrequired. Any network packet matches this rule, whether or not it is protected by IPsec. This option is the equivalent of not selecting the Allow only secure connections option in the Windows Firewall with Advanced Security MMC snap-in.

Remarks

  • Do not modify a firewall rule to use the name all. Doing this creates a conflict with the netsh option to select all firewall rules (for example, set rule name=all). If multiple rules match the criteria you specify, then all matching rules are modified with the changes included in the command.

  • Rules that specify port ranges can be created or modified by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

  • Any parameters that follow the new keyword that you do not include in the command are not modified, and maintain their previous value.

  • To see the group assignments for the predefined Windows Firewall rules, look in the Windows Firewall with Advanced Security MMC snap-in, under the Inbound Rules and Outbound Rules nodes. The Group column in the Details pane contains the group assignment for each rule. This version of Windows supports group names only for predefined rules included with Windows Firewall at installation. There is currently no supported way to create a group or assign your custom rules to a group.

  • If rmtcomputergrp or rmtusrgrp is specified, then the network traffic must also match a connection security rule that authenticates the connection. The authentication protocol used must include identification of a computer or user account, such as Kerberos v5, NTLM v2, or a computer certificate with account mapping enabled.

  • Do not set both edge = yes and remoteip = localsubnet. They are conflicting options and result in the firewall blocking all network traffic from outside the edge device.

  • For more information about SDDL strings and their format, see "Security Descriptor String Format" (https://go.microsoft.com/fwlink/?linkid=109950) on the Microsoft MSDN Web site.

  • One way to find an SDDL string for a computer or group account is to use the Windows Firewall with Advanced Security MMC snap-in to create a temporary firewall rule. Be sure to disable the rule so that it cannot interfere with any network traffic. On the Users and Computers tab, select Only allow connections from these computers, and then use the Add button to find the computer or group account(s) of interest. After creating the rule, you can use the command netsh advfirewall firewall show rule name=rulename verbose to view the SDDL string for that computer or group. Be sure to delete the temporary rule when you are finished.
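
Several of the parameter descriptions and remarks above state combinations that are required or that conflict. The following added example (not part of the original documentation and not a netsh feature) checks a proposed rule set against those stated constraints before it is applied. The helper names lint_rule and lint_ruleset, the rule dictionaries, and the treatment of a missing enable value as yes are assumptions made for the illustration.

```python
"""Lint firewall rules against parameter constraints stated on this page.

Added example: lint_rule / lint_ruleset are hypothetical helpers, not netsh
features, and SAMPLE_RULES is constructed data. Each dict is assumed to be a
complete rule (the values a rule holds after add rule or set rule).
"""


def _norm(rule):
    """Lower-case parameter names and values so comparisons are uniform."""
    return {k.lower(): str(v).lower() for k, v in rule.items()}


def _items(value):
    """Split a comma-separated netsh value into its entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_rule(rule):
    """Return a list of findings for one rule given as {parameter: value}."""
    r = _norm(rule)
    out = []
    if r.get("name") == "all":
        out.append("name must not be 'all'")
    if {"rpc", "rpc-epmap"} & set(_items(r.get("localport", ""))):
        if r.get("protocol") != "tcp" or r.get("dir") != "in":
            out.append("localport=rpc/rpc-epmap needs protocol=tcp and dir=in")
    if ("rmtcomputergrp" in r or "rmtusrgrp" in r) and \
            r.get("security") not in ("authenticate", "authenc"):
        out.append("rmtcomputergrp/rmtusrgrp need security=authenticate or authenc")
    if r.get("action") == "bypass":
        if r.get("security") == "notrequired":
            out.append("action=bypass cannot use security=notrequired")
        if r.get("dir") == "in" and "rmtcomputergrp" not in r:
            out.append("inbound action=bypass needs an account in rmtcomputergrp")
    if r.get("edge", "no") != "no":
        if r.get("dir") != "in":
            out.append("edge is valid only when dir=in")
        if r["edge"] == "yes" and "localsubnet" in _items(r.get("remoteip", "")):
            out.append("edge=yes conflicts with remoteip=localsubnet")
    if r.get("security") == "authdynenc" and r.get("dir") != "in":
        out.append("security=authdynenc is valid for inbound rules only")
    for key in ("profile", "localip", "remoteip", "localport", "remoteport"):
        if " " in r.get(key, "").strip():
            out.append(f"{key} list must not contain spaces")
    return out


def lint_ruleset(rules):
    """Lint every rule, then check the rpc / rpc-epmap pairing across the set."""
    findings = {r.get("name", "?"): lint_rule(r) for r in rules}
    normed = [_norm(r) for r in rules]
    uses_rpc = any("rpc" in _items(r.get("localport", "")) for r in normed)
    # Assumption: a rule with no enable value is treated as enabled.
    has_epmap = any("rpc-epmap" in _items(r.get("localport", ""))
                    and r.get("enable", "yes") == "yes" for r in normed)
    if uses_rpc and not has_epmap:
        findings["(rule set)"] = ["localport=rpc needs an enabled localport=rpc-epmap rule"]
    return {name: f for name, f in findings.items() if f}


SAMPLE_RULES = [  # constructed sample data, including the program path
    {"name": "RPC app", "dir": "in", "action": "allow", "protocol": "tcp",
     "localport": "rpc", "program": r"C:\Apps\svc.exe"},
    {"name": "Edge web", "dir": "in", "action": "allow", "protocol": "tcp",
     "localport": "443", "edge": "yes", "remoteip": "localsubnet,10.0.0.0/8"},
    {"name": "Admin bypass", "dir": "in", "action": "bypass",
     "security": "notrequired"},
    {"name": "Web out", "dir": "out", "action": "allow", "protocol": "tcp",
     "remoteport": "80,443"},
]

if __name__ == "__main__":
    for name, problems in lint_ruleset(SAMPLE_RULES).items():
        for problem in problems:
            print(f"{name}: {problem}")
```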

Examples

  • The following command changes a rule to match a different remote IP address of a Web server whose traffic is allowed by a rule:

    set rule name="AllowWeb80" new remoteip=192.168.0.2

  • The following command enables all rules in a predefined group:

    set rule group="windows firewall remote management" new enable=yes

  • The following command changes a rule to require authentication. A separate connection security rule must exist to perform the authentication:

    set rule name="AllowMessenger" new security=authenticate

  • For more examples of how to use the various parameters that can follow the new keyword, see the firewall add rule Examples.

show

In the netsh advfirewall firewall context, the show command only has one variation, the Show Rule command.

show rule

Displays an existing connection security rule.

Syntax

show rule

name = { all | RuleName }

[ profile = { public | private | domain | any } [ ,... ] ]

[ type = { dynamic | static } ]

[ verbose ]

Parameters

  • name = { all | RuleName }
    Required. Specifies the rule name assigned to the rule that you want to display. If name=all, then all rules that match the other criteria listed before the new keyword are displayed.

    If name=all, and no other parameters are included before the new keyword, then all rules are displayed.

  • [ profile = { public | private | domain | any | [ ,... ] } ]
    Specifies that only matching rules that are assigned to the indicated profile are modified. If you specify a comma separated list, then only rules that contain the exact same list are modified.
  • [ type = { dynamic | static } ]
    Specifies that you only want those rules of the selected type displayed.

    Type can be one of the following values:

    • Dynamic. Displays the rules currently active on your local computer.

    • Static. Displays rules defined in the current store, as defined by the set store command.

    If type is not specified, then both types of rules are displayed.

  • [verbose]
    Specifies that you want additional details for each rule displayed.

Examples

  • The following command displays all currently defined firewall rules:

    show rule name=all

  • The following command displays all firewall rules that are for the domain profile:

    show rule name=all profile=domain

    This command does not show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain included in the rule.
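
The exact-list matching described here, together with the selector and new-value split that the set rule command makes at the new keyword, determines how many rules a single command touches. The following added example (not part of the original documentation) models those documented semantics so that the effect of a set rule command can be previewed against an exported rule list. It is not netsh's implementation; the rule data is constructed, and case-insensitive comparison and order-insensitive lists are assumptions.

```python
"""Preview which rules a 'set rule ... new ...' command would select and change.

Added example: a model of the selection semantics this page documents, not
netsh's implementation. RULES is constructed sample data. Assumptions: names
and values compare case-insensitively, and list order is not significant.
"""
import re

# key=value (value may be double-quoted) or a bare word such as set/rule/new
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)|(\S+)')
LIST_KEYS = {"profile", "localip", "remoteip", "localport", "remoteport", "protocol"}


def parse_set_rule(command):
    """Return (selectors, changes): parameters before and after 'new'."""
    selectors, changes, words, seen_new = {}, {}, [], False
    for key, value, word in TOKEN.findall(command):
        if word:
            seen_new = seen_new or word.lower() == "new"
            words.append(word.lower())
        else:
            (changes if seen_new else selectors)[key.lower()] = value.strip('"')
    if words[:2] != ["set", "rule"] or not seen_new:
        raise ValueError("expected: set rule <selectors> new <changes>")
    if not ({"name", "group"} & set(selectors)):
        raise ValueError("group= or name= is required before 'new'")
    return selectors, changes


def _same(key, have, wanted):
    if key in LIST_KEYS:  # lists must be identical, not merely overlapping
        return set(have.lower().split(",")) == set(wanted.lower().split(","))
    return have.lower() == wanted.lower()


def matches(rule, selectors):
    """True when the rule satisfies every selector given before 'new'."""
    for key, wanted in selectors.items():
        if key == "name" and wanted.lower() == "all":
            continue  # name=all selects on the remaining criteria only
        if not _same(key, rule.get(key, ""), wanted):
            return False
    return True


def dry_run(command, rules):
    """Map each selected rule name to {parameter: (old, new)} for real changes."""
    selectors, changes = parse_set_rule(command)
    return {r["name"]: {k: (r.get(k), v) for k, v in changes.items() if r.get(k) != v}
            for r in rules if matches(r, selectors)}


RULES = [  # constructed sample data
    {"name": "AllowWeb80", "dir": "in", "profile": "domain",
     "remoteip": "192.168.0.1", "enable": "yes"},
    {"name": "AllowWeb443", "dir": "in", "profile": "domain,private",
     "remoteip": "any", "enable": "yes"},
    {"name": "BlockTelnet", "dir": "out", "profile": "public",
     "remoteip": "any", "enable": "no"},
]

if __name__ == "__main__":
    for cmd in ('set rule name="AllowWeb80" new remoteip=192.168.0.2',
                "set rule name=all profile=domain new enable=no",
                "set rule name=all new enable=yes"):
        print(cmd, "->", dry_run(cmd, RULES))
```

The third command selects every rule in the list, which is the case the Remarks for set rule describe: with name=all and no other selector, all rules are modified.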