To configure IPv6 Internet Connection Firewall

  • Article

Netsh is a command-line scripting tool that allows you to display or modify the network configuration of a computer running Windows XP. Netsh supports various networking components through a context, a series of commands that is specific to the component. To configure the IPv6 Internet Connection Firewall (ICF) provided with the Advanced Networking Pack for Windows XP, you must use commands in the netsh firewall context.

Note

  • IPv6 Internet Connection Firewall is only provided with the Advanced Networking Pack for Windows XP, a free download for computers running Windows XP with Service Pack 1. For computers running Windows XP with Service Pack 2, IPv6 Internet Connection Firewall has been replaced with the new Windows Firewall. For more information about Windows Firewall, see Manually Configuring Windows Firewall in Windows XP Service Pack 2.

    Computers running Windows XP with Service Pack 2 and Windows Firewall have a new netsh firewall context and a new set of commands to configure Windows Firewall. The set of commands in this article are only for IPv6 Internet Connection Firewall, not for Windows Firewall. For information about the netsh firewall commands for Windows Firewall, see Appendix B of Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2.

To enter the netsh firewall context, type netsh –c firewall at a Windows command prompt. From the netsh firewall> prompt. You can use the following commands for IPv6 ICF:

  • show

    Displays the IPv6 ICF configuration.

  • show globalport

    Displays the global ports. These are ports that are configured on all network adapters. It does not indicate whether any global ports are being ignored on any particular network adapter.

    Example:

    • 



netsh firewall> show globalport
Description      OpenPort        Protocol
------------------------------------------------------
IPv6 web server   80                TCP
P2P (Grouping)   3587         TCP
P2P (Grouping)   3587         UDP
P2P (PNRP)      3540         TCP
P2P (PNRP)      3540         UDP



    

  • show adapter
    

    Displays the IPv6 ICF configuration information for a single network adapter.
    

    Usage: netsh firewall>
    

    show adapter [name]
    

    When you type
    

    show adapter
    

    • 



, a list of all network adapters with IPv6 configured appears. Each item indicates whether filtering is enabled for that adapter.


Example:

<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">



netsh firewall> show adapter
------------------------------------------------------------
AdapterFriendlyName                  IPv6FilteringEnabled
------------------------------------------------------------
Local Area Network                   Yes
6to4 Pseudo-Interface             Yes
Teredo Tunneling Pseudo-Interface   Yes
------------------------------------------------------------



When the adapter name is added to the argument, you’ll see a list of all the ports that are open (containing the description, the port number, and the protocol) and a list of all the Internet Control Message Protocol (ICMP) options and their states (containing the description, ICMP type number, and state).

  - EffectivePort: This is a list of the actual ports that are open. This is a combination of global ports, per-adapter ports, and ignored ports.

  - OpenPort: This is a list of ports that are opened specifically for the network adapter.

  - IgnoredGlobalPort: This is a list of the global ports that are ignored on this network adapter.

Example:

<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">



netsh firewall> show adapter Local Area Network
Description      EffectivePort     Protocol
------------------------------------------------------
P2P (Grouping)   3587         TCP
P2P (Grouping)   3587         UDP
P2P (PNRP)      3540         TCP
P2P (PNRP)      3540         UDP
Messenger      13654         UDP
Messenger      13814         TCP
Description      OpenPort        Protocol
------------------------------------------------------
Messenger      13654         UDP
Messenger      13814         TCP
Description      IgnoredGlobalPort Protocol
------------------------------------------------------
IPv6 web server   80                TCP
Description                  ICMPTypeNo   Enabled
-------------------------------------------------------------
Allow Outbound Destination Unreachable   1      No
Allow Outbound Packet Too Big         2      No
Allow Outbound Time Exceeded         3      No
Allow Outbound Parameter Problem      4      No
Allow Incoming Echo Request         128      Yes
Allow Redirect               137      No



    

  • show logging
    

    Displays the logging configuration information, including which logging options are enabled, the location of the log file, and the log file size.
    

    Example:
    

    • 



netsh firewall> show logging
Logging Configuration for IPv6 Internet Connection Firewall
Successful Connections:  Disabled
Dropped Packets:         Disabled
File location:           C:\WINDOWS\pfirewall-v6.log
File size:               4096 Kb



    

  • set globalport
    

    Allows you to configure ports on all network adapters. Creating a global port allows inbound traffic to that port on all network adapters, except those that are configured to ignore the global port. If you use the globalport command to open port numbers on all network adapters, you can then selectively close port numbers on one or more network adapters. For example, you may have a computer that acts as a Web server and has multiple network adapters to connect to the Internet and then one network adapter to connect to your private network. You could open port 80 on all of the network adapters using globalport, and then use the set adapter command to close port 80 on the network adapter that connects to your private network. For more information about the
    

    ignoreglobalport
    

    • 



parameter, see the set adapter command.


The following commands are used to support global port configuration:

<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">



set globalport [port#=enable|disable] [name=name]
[protocol=tcp|udp]



  - **port\#** Specifies the port number to be enabled or disabled.

  - **name** Allows the user to provide a description of what the filter exception is for (example: my Web server).

  - **protocol** Allows the user to specify whether TCP or UDP traffic is allowed. If no value is specified, TCP will be selected.

Examples:

<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">



set globalport 8080=enable
set globalport 80=enable name=my web server protocol=tcp
set globalport 80=disable



    

  • set adapter
    

    Allows you to configure changes for individual network adapters.
    

    • 



Usage:    set adapter [name] [icmp type#=enable|disable] [port port#=enable|disable [name=name] [protocol=tcp|udp]]
[ignoreglobalport port#=enable|disable] [name=name] [protocol=tcp|udp]] [filtering=enable|disable]



This command can set ICMP options, create or remove port policy, and enable or disable IPv6 filtering for a single connection.

  - **icmp** Makes changes to the adapters ICMP configuration.

  - **type\#** Specifies the ICMPv6 type number that is to be enabled/disabled.

  - **port** Makes changes to the adapter-specific list of open ports. Note that adapter-specific open ports are not affected by ignored global ports. For example, if TCP port 80 is set to enabled using the **port** command, subsequently using **ignoreglobalport** for TCP port 80 on the same adapter will have no effect. Inbound traffic to the adapter in question will continue to be allowed through TCP port 80).

  - **ignoreglobalport** Makes changes to the list of global ports that are to be ignored by this adapter. An ignored global port will override the global port setting, and disallow inbound traffic to the ignored port for the adapter in question.

  - **port\#** Specifies the port number to be enabled or disabled, or the number of the global port that is to be ignored or allowed.

  - **name** Allows the user to provide a description of what the filter exception is for. An example is my Web server.

  - **protocol** Allows the user to specify whether TCP or UDP traffic is allowed. If no value is specified, TCP will be selected.

  - **filtering** Makes changes to the state of filtering on this adapter, such as whether the firewall is enabled or disabled for the adapter.

Examples:

<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">



netsh firewall> set adapter Local Area Connection filtering=disable
netsh firewall> set adapter Local Area Connection port 80=enable protocol=tcp
netsh firewall> set adapter Local Area Connection icmp 129=enable port 80=disable
netsh firewall> set adapter Local Area Connection ignoreglobalport 80=enable name=no web server access protocol=tcp
netsh firewall> set adapter Local Area Connection ignoreglobalport 80=disable



    

  • set logging
    

    Allows you to configure logging options. Use this command to specify where the file is written to on your hard disk, the size of the log file, and if dropped packets and/or successful connections are logged. The file size has an upper limit of 32,767 KB. The log file name that is specified is for the IPv6 ICF log file; the IPv4 log file is separate.
    

    • 



Usage:  set logging [filelocation=<location>][filesize=integer] [droppedpackets=enable|disable] [successfulconnections=enable|disable]



Examples:

<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">



netsh firewall> set logging filelocation=c:\logfile.log filesize=4096
netsh firewall> set logging droppedpackets=enable
netsh firewall> set logging filesize=9068 successfulconnections=enable



For more information about configuring the IPv6 Internet Connection Firewall logging options, see Internet Protocol version 6 (IPv6) Internet Connection Firewall log file overview.


For more information about using netsh and IPv6, go to the Windows XP Help and Support Center.